I found a solution.
I extracted the related/required certificate from the certificate bundle mentioned in https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html doc.
Uploaded this extracted certificate to S3 and modified the connection to use a custom certificate from S3. It worked with this change.
Sounds like that certificate is not generated by the right CA.
In the meantime, if you do need to upgrade urgently, you can temporarily disable the CA check on the JDBC URL parameters by setting sslmode=require.
For now I have reverted the CA certificate change for RDS.
It is unfortunate that Glue is not compatible with the newly issued CA certificates for RDS.
It's not really a compatibility thing. Glue runs on Amazon Linux 2 and uses the CA that it provides; if that certificate is not signed by a valid public CA, you will have issues with any client.
Then what is the solution? If RDS existing certificates are expiring in 2024 and we have to replace them with new certificates, then Glue jobs will fail. AWS should have fixed it.
I would test if other tools (e.g. an EC2 instance or your own computer) can use the cert correctly. If they do, open a ticket so the Glue team can investigate if the cacert on the instance is out of date (that would cause lots of issues and nobody else has complained AFAIK). Are you using Glue 3 or 4?
Using Glue 3. Tried Glue 4 too. Same issue.
Thank you for your post. I followed the exact same procedure (i.e. updated the certificate via RDS directly) to upgrade to rds-ca-rsa2048-g1 and now my Glue job fails as well. Thank you for the solution, I'll implement it. But I believe it would be nice to update the certificates available to Glue directly as well, or at least make them easily choosable when creating the Glue Connection.
Happy to hear that. Which certificate did you extract from the bundle (e.g. intermediate server) and how did you pass it to the connection? I don't see why the root CA that the Glue job should have is not enough.
Also, I never have to do that using standard configuration. What did you do special about the server certificates (e.g. which intermediate CA did you choose, etc.)? Thanks.