Redshift external schema connection fails when updating RDS certificate authority


Hello, We have several RDS databases connected to our Redshift cluster using external schemas that have been working well for several months. A few days ago, I updated the certificate authority on our MySQL Community (8.0.28) from "rds-ca-2019" to "rds-ca-ecc384-g1" as recommended by the RDS console, and the external schema connection immediately broke (it showed zero tables). Once I reverted the certificate back, the connection started working again. Updating the certificate in my Postgres databases did not break their external schemas, only the MySQL one. I don't see any configuration or options that may help with this, but maybe I missed something. Anybody else have similar experiences or potential solutions?

thanks!

jkehoe
Asked 7 months ago, 327 views
1 answer

Accepted answer

Hello Team!

We hope you are well.

We understand that the Redshift External Schema connection fails after updating the RDS certificate authority to 'rds-ca-ecc384-g1'. This is caused by a failed SSL handshake between Redshift and RDS. This error is related to the recently updated CA, rds-ca-ecc384-g1, as Aurora Postgres DOES NOT support ECDHE-ECDSA ciphers, which are required for ECC-based certificates, i.e. Redshift External Schema connections.

You can refer to the following documentation for more information: [+] https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraPostgreSQL.Security.html#AuroraPostgreSQL.Security.SSL

Internally, we are working on adding support for this in a future release.

To remediate this issue temporarily, we suggest you consider switching to a different certificate such as "rds-ca-rsa4096-g1" or "rds-ca-rsa2048-g1" and rebooting the RDS cluster. Once the instances are rebooted, reattempt connections through Redshift federated query.

[+] Using SSL/TLS to encrypt a connection to a DB cluster - Certificate authorities - https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.RegionCertificateAuthorities

If the issue persists after changing to a different certificate, please raise a Support Case with the AWS team with the timestamp of the error, Redshift logs, as well as the exact error message received when attempting federated query connections through Redshift.

If a support case has already been created, please be assured that we will get back to you and assist you in the best way possible. [+] Creating support cases and case management - https://docs.aws.amazon.com/awssupport/latest/user/case-management.html

AWS
Answered 7 months ago
Expert
Reviewed 6 months ago
  • Thanks for the response! Just for clarity, the RDS database is not an Aurora Postgres instance. It is a MySQL RDS database. I'm assuming it's still the same issue though. Thanks!
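The accepted answer's diagnosis is a cipher-suite mismatch: a server certificate issued under rds-ca-ecc384-g1 carries an EC key, so the client must offer an ECDHE-ECDSA (or TLS 1.3) cipher suite, while the RSA CAs only need RSA-authenticated suites. The script below is an added example, not code from the thread or from AWS; it applies that rule to cipher lists in the shape returned by Python's `ssl.SSLContext.get_ciphers()` (OpenSSL 1.1+ long names such as `auth-ecdsa`, `auth-rsa`, `auth-any`). The CA-to-key-type mapping and the two sample client cipher lists are constructed for illustration; the `this host` line reports what the local OpenSSL build actually offers.

```python
"""Check whether a TLS client's cipher list can complete a handshake against
an RDS server certificate of a given key type (EC vs RSA).

Added example (not from the re:Post thread). The thread's diagnosis: a client
without ECDHE-ECDSA cipher suites cannot finish the handshake once RDS serves
an EC certificate under rds-ca-ecc384-g1. This applies that rule to cipher
lists shaped like ssl.SSLContext.get_ciphers() output.
"""
import ssl

# Server key type -> cipher-suite authentication the client must offer.
# TLS 1.3 suites are signature-agnostic ('auth-any'), so they work with both.
REQUIRED_AUTH = {
    "ec": {"auth-ecdsa", "auth-any"},
    "rsa": {"auth-rsa", "auth-any"},
}

# Assumed mapping (per the thread): rds-ca-ecc384-g1 issues EC server keys,
# the other identifiers issue RSA server keys.
RDS_CA_KEY_TYPE = {
    "rds-ca-2019": "rsa",
    "rds-ca-rsa2048-g1": "rsa",
    "rds-ca-rsa4096-g1": "rsa",
    "rds-ca-ecc384-g1": "ec",
}


def usable_suites(ciphers, server_key_type):
    """Names of offered suites a server holding `server_key_type`
    ('ec' or 'rsa') could select."""
    needed = REQUIRED_AUTH[server_key_type]
    return [c["name"] for c in ciphers if c.get("auth") in needed]


def handshake_possible(ciphers, ca_identifier):
    """True if at least one offered suite matches the key type of the
    server certificate issued under `ca_identifier`."""
    return bool(usable_suites(ciphers, RDS_CA_KEY_TYPE[ca_identifier]))


def local_client_ciphers():
    """Cipher list of this host's default OpenSSL client context."""
    return ssl.create_default_context().get_ciphers()


# --- constructed sample cipher lists (same dict shape as get_ciphers()) ---
def _suite(name, kea, auth, protocol="TLSv1.2"):
    return {"name": name, "kea": kea, "auth": auth, "protocol": protocol}


# A client that only offers RSA-authenticated TLS 1.2 suites (the failing case).
RSA_ONLY_CLIENT = [
    _suite("ECDHE-RSA-AES256-GCM-SHA384", "kx-ecdhe", "auth-rsa"),
    _suite("ECDHE-RSA-AES128-GCM-SHA256", "kx-ecdhe", "auth-rsa"),
    _suite("AES256-GCM-SHA384", "kx-rsa", "auth-rsa"),
]

# A client that additionally offers TLS 1.3 and ECDHE-ECDSA suites.
MODERN_CLIENT = RSA_ONLY_CLIENT + [
    _suite("TLS_AES_256_GCM_SHA384", "kx-any", "auth-any", "TLSv1.3"),
    _suite("ECDHE-ECDSA-AES256-GCM-SHA384", "kx-ecdhe", "auth-ecdsa"),
]


def report(ciphers, label):
    """Print, per RDS CA identifier, whether a handshake could succeed."""
    for ca in RDS_CA_KEY_TYPE:
        verdict = "OK" if handshake_possible(ciphers, ca) else "HANDSHAKE FAILS"
        print(f"{label:>9} vs {ca:<18}: {verdict}")


if __name__ == "__main__":
    report(RSA_ONLY_CLIENT, "rsa-only")
    report(MODERN_CLIENT, "modern")
    report(local_client_ciphers(), "this host")
```

The RSA-only list passes against rds-ca-2019, rds-ca-rsa2048-g1 and rds-ca-rsa4096-g1 and fails only against rds-ca-ecc384-g1, which is the pattern the question describes. Two caveats when reading the result: the check covers cipher suites only, so a handshake can still fail if the client's trust store does not contain the new CA bundle, and the live cipher list belongs to the host running the script, not to Redshift. To see what the endpoint actually negotiates, `openssl s_client -starttls mysql -connect <host>:3306` (OpenSSL 1.1.1+) prints the selected cipher and the server certificate's key type.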
