
How do I resolve SSL/TLS connection issues between AWS DMS endpoints and MongoDB clusters or Amazon DocumentDB endpoints?


I want to use an SSL/TLS connection between my AWS Database Migration Service (AWS DMS) endpoints and my MongoDB clusters or Amazon DocumentDB (with MongoDB compatibility) clusters.

Resolution

Make sure that you use a valid certificate to connect to your source. If you use an expired or corrupt certificate, then you might experience connection failures. To resolve SSL/TLS connection issues, import the Certificate Authority (CA) certificate that issued your source database's server certificate into AWS DMS. Then, assign the certificate to your endpoint.

Use SSL/TLS to connect to your MongoDB source

MongoDB Atlas cluster nodes present SSL/TLS server certificates that are signed by a public CA. To identify the CA chain that signed your Atlas cluster's certificate, run the following command. The -servername option sends the hostname as SNI so that the node returns the certificate for that hostname:

openssl s_client -showcerts -connect primary_shard_endpoint:27017 -servername primary_shard_endpoint < /dev/null | openssl x509 -noout -issuer

Note: Replace primary_shard_endpoint with your primary shard endpoint.

Example output:

depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1 
verify return:1 
depth=1 C = US, O = Let's Encrypt, CN = R13 
verify return:1 
depth=0 CN = *.z0empc7.mongodb.net 
verify return:1 
DONE 
issuer= /C=US/O=Let's Encrypt/CN=R13 

From the output, download both the ISRG Root X1 root CA certificate and the R13 intermediate CA certificate from Let's Encrypt. Concatenate the two PEM files into a single .pem bundle, and then import the bundle into AWS DMS. The chain in this output is only an example: use the root and intermediate names that your own command returns, because Let's Encrypt rotates its intermediate CAs. Make sure that every certificate in the bundle is a complete block from "-----BEGIN CERTIFICATE-----" to "-----END CERTIFICATE-----", because a truncated block makes the whole file unusable.

To import the certificate bundle to AWS DMS, complete the following steps:

  1. Open the AWS DMS console.
  2. In the navigation pane, choose Certificates.
  3. Choose Import Certificate.
  4. Upload the certificate bundle, and then enter a name in the Certificate identifier field.
  5. Choose Import certificate.
    Note: For client authentication, see Security requirements when using MongoDB as a source for AWS DMS.

Then, to assign the certificate to your endpoint, complete the following steps:

  1. Open the AWS DMS console.
  2. In the navigation pane, choose Endpoints.
  3. Choose Create endpoint.
  4. For Source engine, choose MongoDB.
  5. Specify the following required parameters for your endpoint:
    For Secure Socket Layer (SSL) mode, choose Verify-full.
    Note: If your certificate is self-signed, then choose Require. Require encrypts the connection but doesn't validate the server certificate, so it doesn't protect you from a host that impersonates your cluster. Use Require only when Verify-full isn't possible.
    For CA certificate, select your certificate.
    Note: If you select an incorrect certificate, then you might receive a "TLS handshake failed" error message. To check that your certificate parses and hasn't expired, see openssl on the OpenSSL website.
    For Test endpoint connection, choose Replication instance.
  6. Choose Run test.

Use SSL/TLS to connect to your Amazon DocumentDB endpoint

To import your CA certificate to AWS DMS, complete the following steps:

  1. Download the Amazon DocumentDB CA certificate bundle (global-bundle.pem). Import the file as downloaded; don't edit it or extract a single certificate from it.
  2. Open the AWS DMS console.
  3. In the navigation pane, choose Certificates.
  4. Choose Import Certificate.
  5. Upload the certificate bundle, and then enter a name in the Certificate identifier field.
  6. Choose Import certificate.

Then, to assign the certificate to your endpoint, complete the following steps:

  1. Open the AWS DMS console.
  2. In the navigation pane, choose Endpoints.
  3. Choose Create endpoint.
  4. Choose your Endpoint type.
  5. For Source engine or Target engine, choose Amazon DocumentDB (with MongoDB compatibility).
  6. Specify the following required parameters for your endpoint:
    For Secure Socket Layer (SSL) mode, choose Verify-full.
    For CA certificate, select your certificate.
    Note: If you import an expired or corrupt certificate, then you receive the following error message: "SYSTEM ERROR MESSAGE:.PEM encoded file should be either a valid CA or Public Key Certificate or Private Key Certificate". To check whether your certificate is valid, see openssl on the OpenSSL website.
    For Test endpoint connection, choose Replication instance.
  7. Choose Run test.
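
The chain-bundling step for MongoDB Atlas and the certificate checks that both sections refer to (a certificate that doesn't parse, or that has expired) can be scripted with the same openssl CLI. The following is an added example, not code from this article or from AWS DMS. It assumes that openssl is on the PATH, that a chain file contains what "openssl s_client -showcerts" printed (leaf first, then intermediates), that the root CA certificate was downloaded separately, and that hostnames such as cluster0.example.mongodb.net are placeholders. The last function performs by hand the check that DMS Verify-full performs: CA validation plus a hostname match against the certificate's CN/SAN.

```shell
#!/bin/sh
# Added example, not from the AWS article or AWS DMS. Assembles and checks a CA
# bundle with the openssl CLI. Assumptions: openssl is on PATH; CHAINFILE holds
# what "openssl s_client -showcerts" printed (leaf first, then intermediates);
# the root CA certificate was downloaded separately as ROOTFILE.

# fetch_chain HOST PORT OUTFILE: save every certificate the server presents.
# Needs network access to the cluster; the offline test does not call it.
fetch_chain() {
    openssl s_client -showcerts -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$3"
}

# cert_count FILE: number of PEM certificate blocks in FILE (0 if none)
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# nth_cert FILE N: print only the N-th certificate block (1-based)
nth_cert() {
    awk -v n="$2" '
        /-----BEGIN CERTIFICATE-----/ { i++ }
        i == n { print }
        /-----END CERTIFICATE-----/ && i == n { exit }
    ' "$1"
}

# check_bundle FILE: print subject, issuer and expiry of every block; return 1
# if a block does not parse (the "corrupt certificate" case) or has expired.
check_bundle() {
    file="$1"; rc=0
    n=$(cert_count "$file")
    [ "$n" -gt 0 ] || { echo "no certificates found in $file" >&2; return 1; }
    i=1
    while [ "$i" -le "$n" ]; do
        pem=$(nth_cert "$file" "$i")
        if ! printf '%s\n' "$pem" | openssl x509 -noout -subject -issuer -enddate 2>/dev/null; then
            echo "certificate $i: not a valid PEM certificate" >&2; rc=1
        elif ! printf '%s\n' "$pem" | openssl x509 -noout -checkend 0 >/dev/null 2>&1; then
            echo "certificate $i: expired" >&2; rc=1
        fi
        i=$((i + 1))
    done
    return "$rc"
}

# build_ca_bundle CHAINFILE ROOTFILE OUTFILE: drop the leaf (block 1), keep the
# intermediates, append the root, then confirm the leaf verifies against OUTFILE.
build_ca_bundle() {
    chain="$1"; root="$2"; out="$3"
    n=$(cert_count "$chain")
    : > "$out"
    i=2
    while [ "$i" -le "$n" ]; do
        nth_cert "$chain" "$i" >> "$out"
        i=$((i + 1))
    done
    cat "$root" >> "$out"
    nth_cert "$chain" 1 > "$out.leaf"
    openssl verify -CAfile "$out" "$out.leaf" >/dev/null
}

# verify_endpoint HOST PORT BUNDLE: the check DMS Verify-full performs, done by
# hand: the chain must validate against BUNDLE and HOST must match the CN/SAN.
# A non-zero exit means DMS would also fail the handshake. Needs network access.
verify_endpoint() {
    openssl s_client -connect "$1:$2" -servername "$1" -CAfile "$3" \
        -verify_hostname "$1" -verify_return_error </dev/null >/dev/null 2>&1
}
```

A typical run is "fetch_chain cluster0.example.mongodb.net 27017 chain.pem", then "build_ca_bundle chain.pem isrg-root-x1.pem dms-ca-bundle.pem", then "verify_endpoint cluster0.example.mongodb.net 27017 dms-ca-bundle.pem" before you import dms-ca-bundle.pem into DMS. If check_bundle reports an unparsable block, the file was truncated or edited; if verify_endpoint fails while check_bundle passes, the usual cause is a hostname that doesn't match the certificate or an intermediate that is missing from the bundle.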

Related information

Using SSL with AWS Database Migration Service

Using MongoDB as a source for AWS DMS

Using Amazon DocumentDB as a target for AWS Database Migration Service

1 Comment

To resolve SSL/TLS connection issues between Amazon Web Services AWS Database Migration Service (AWS DMS) and MongoDB or Amazon DocumentDB endpoints, use this checklist:

  1. Verify TLS/SSL is enabled correctly

    In the DMS endpoint settings, set SSL mode to: require (recommended) or verify-full if certificate validation is needed.

    For Amazon DocumentDB, TLS is usually mandatory.

  2. Import the correct CA certificate

    Download the correct CA bundle and upload it into AWS DMS as a certificate. For Amazon DocumentDB: Amazon DocumentDB TLS certificates guide

    Then: AWS DMS Console → Certificates → Import certificate. Attach the certificate to the source/target endpoint.

  3. Check TLS compatibility

    Older MongoDB clusters may only support outdated TLS versions. Ensure:
    MongoDB/DocumentDB supports TLS 1.2+
    DMS replication instance is current
    OpenSSL/TLS settings are compatible

  4. Validate network connectivity

    Security groups and firewalls must allow: DMS replication instance → MongoDB/DocumentDB port. Usually:
    27017 for MongoDB
    27017 for DocumentDB

    Also verify:
    VPC routing
    NACLs
    DNS resolution

  5. Use the correct endpoint hostname

    For Amazon DocumentDB:
    Use the cluster endpoint
    Avoid instance endpoints unless specifically required

  6. Test certificate hostname validation

    If using verify-full, the hostname in the endpoint must match the certificate CN/SAN exactly. Mismatch errors commonly appear as:
    SSL handshake failed
    certificate verify failed

replied 17 days ago