MongoDB Atlas migration to Redshift using DMS

0

Hello,

Does anyone know how to assist with a "TLS handshake failed" error when trying to establish a connection between DMS and MongoDB Atlas? More details below:

MongoDB Atlas switched to using "SRV" DNS records for clusters, and this caused the problem because AWS DMS doesn't support it and expects an "A" record, so the connection fails with the message "Failed to resolve". We've tried to use the primary shard directly instead of the cluster record, but it failed with an SSL error: TLS handshake failed: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error calling hello on 'ac-hh3vswm-shard-00-02.b8n6ms2.mongodb.net:27017'

We continued to test a direct connection with "mongosh". When we tried to connect to the shard, it automatically determined that it was a direct connection and added the following parameter to the connection string: "directConnection=true", but the connection was successful only if we added one more parameter: "ssl=true".

We've tried to repeat the same in DMS, and played with the SSL option:

  • require - returned the same error;
  • verify-full - using "ISRG-Root-X1" as the CA certificate, as Atlas suggests in their documentation, didn't help, and I got the same error.

Also, we tried to pass the following parameters to "Extra connection attributes": "ssl=true&replicaSet=atlas-rv0cqs-shard-0&authSource=admin&retryWrites=true&w=majority&appName=Cluster0", but it only supports a specific list of parameters and doesn't allow adding custom parameters to it.

We played with SSL, authentication type, and other parameters, and we tried all the options, but to no avail. All the articles that we found were out of date, and the latest opened issues pointed out that DMS doesn't support Atlas Mongo out of the box, which we highly doubt is the case.

asked 19 days ago, 240 views
2 Answers
1

See the Python script on this page: https://blog.ankitsanghvi.in/migrating-from-mongodb-to-dynamodb-using-aws-dms/

It may help you obtain the A record for DMS.

EXPERT
answered 19 days ago
EXPERT
reviewed 19 days ago
0

Thanks for your quick response. We still get the error message below:

Test Endpoint failed: Application-Status: 1020912, Application-Message: Failed to create new client connection Failed to connect to database., Application-Detailed-Message: Error verifying connection: 'No suitable servers found (serverSelectionTryOnce set): [TLS handshake failed: error:14077438:SSL routines:SSL23_GET_SERVER_HELLO:tlsv1 alert internal error calling hello on 'ac-hh3vswm-shard-00-02.b8n6ms2.mongodb.net:27017']'

If we test the SSL connection locally using "openssl", we can see that the TLS handshake is successful regardless of whether we use a CA or not. But if we try to use deprecated TLS versions, like 1.0 and 1.1, we get a very similar error to the DMS endpoint error:

openssl s_client -connect ac-hh3vswm-shard-00-02.b8n6ms2.mongodb.net:27017 -tls1_1 -CAfile /tmp/ISRG-Root-X1.pem
CONNECTED(00000003)
4087DCDC797F0000:error:0A0000BF:SSL routines:tls_setup_handshake:no protocols available:../ssl/statem/statem_lib.c:104:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 7 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 0 (ok)
---

Based on this, we can suppose that the DMS endpoint for MongoDB uses a deprecated TLS version. Based on the message from DMS, it's not clear: routines:SSL23_GET_SERVER_HELLO:tlsv1


answered 17 days ago
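
An added example (not part of either answer, and not AWS or OpenSSL code) that decodes the two OpenSSL error strings quoted in this thread, to tell a TLS alert sent by the server apart from an error raised inside the local client. It assumes the two OpenSSL error-code layouts (pre-3.0 and 3.x) and libssl's convention that reason codes of 1000 and above are 1000 plus the TLS alert number; the name decode_ssl_error and the small alert table are illustrative.

```python
import re

# Constructed sample input: the two error strings quoted in this thread.
DMS_ERROR = ("TLS handshake failed: error:14077438:SSL routines:"
             "SSL23_GET_SERVER_HELLO:tlsv1 alert internal error")
LOCAL_ERROR = ("4087DCDC797F0000:error:0A0000BF:SSL routines:"
               "tls_setup_handshake:no protocols available:"
               "../ssl/statem/statem_lib.c:104:")

ERR_LIB_SSL = 20             # libssl's library number in both code layouts
SSL_AD_REASON_OFFSET = 1000  # libssl reason = 1000 + number of the alert the peer sent
TLS_ALERTS = {40: "handshake_failure", 70: "protocol_version",
              80: "internal_error", 112: "unrecognized_name"}  # RFC 5246 / RFC 6066


def decode_ssl_error(line):
    """Decode a libssl error string into layout, reason code and origin."""
    m = re.search(r"error:([0-9A-Fa-f]{8}):SSL routines:([^:]*):([^:]*)", line)
    if not m:
        raise ValueError("no libssl error string found")
    code = int(m.group(1), 16)
    # Pre-3.0 packing: 8-bit library, 12-bit function, 12-bit reason.
    legacy = ("legacy", (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF)
    # OpenSSL 3.x packing: 8-bit library at bit 23, 23-bit reason, no function code.
    modern = ("3.x", (code >> 23) & 0xFF, None, code & 0x7FFFFF)
    # The text says "SSL routines", so keep the layout whose library field is libssl.
    matches = [c for c in (legacy, modern) if c[1] == ERR_LIB_SSL]
    if len(matches) != 1:
        raise ValueError("code does not decode to libssl in exactly one layout")
    layout, _, func, reason = matches[0]
    from_peer = reason >= SSL_AD_REASON_OFFSET
    alert = reason - SSL_AD_REASON_OFFSET if from_peer else None
    return {
        "layout": layout,
        "function": (func, m.group(2)),
        "reason": (reason, m.group(3)),
        "origin": "alert received from peer" if from_peer else "raised locally",
        "alert": TLS_ALERTS.get(alert, alert) if from_peer else None,
    }


if __name__ == "__main__":
    for name, text in (("DMS", DMS_ERROR), ("local openssl", LOCAL_ERROR)):
        print(name, decode_ssl_error(text))
```

For the strings above, the DMS error decodes to alert 80 (internal_error) received from the server, while the local s_client error decodes to reason 191, raised by the local OpenSSL with 0 bytes read from the server.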
