Redshift external schema connection fails when updating RDS certificate authority


Hello, we have several RDS databases connected to our Redshift cluster using external schemas that have been working well for several months. A few days ago, I updated the certificate authority on our MySQL Community (8.0.28) from "rds-ca-2019" to "rds-ca-ecc384-g1" as recommended by the RDS console and the external schema connection immediately broke (it showed zero tables). Once I reverted the certificate back, the connection started working again. Updating the certificate in my Postgres databases did not break their external schemas, only the MySQL one. I don't see any configuration or options that may help with this, but maybe I missed something. Anybody else have similar experiences or potential solutions?

thanks!

1 Answer
Accepted Answer

Hello Team!

We hope you are well.

We understand that the Redshift External Schema connection fails after updating the RDS certificate authority to 'rds-ca-ecc384-g1'. This is caused by a failed SSL handshake between Redshift and RDS. This error is related to the recently updated CA: rds-ca-ecc384-g1, as Aurora Postgres DOES NOT support ECDHE-ECDSA ciphers, which are required for ECC-based certificates, i.e. Redshift External Schema connections.

You can refer to the following documentation for more information: [+] https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraPostgreSQL.Security.html#AuroraPostgreSQL.Security.SSL

Internally, we are working on adding support for this in a future release.

To remediate this issue temporarily, we suggest you consider switching to a different certificate such as "rds-ca-rsa4096-g1" or "rds-ca-rsa2048-g1" and reboot the RDS cluster. Once the instances are rebooted, reattempt connections through Redshift federated query.

[+] Using SSL/TLS to encrypt a connection to a DB cluster - Certificate authorities - https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.RegionCertificateAuthorities

If the issue persists after changing to a different certificate, please raise a Support Case with the AWS team with the timestamp of the error, Redshift logs, as well as the exact error message received when attempting federated query connections through Redshift.

If a support case has already been created, please be assured that we will get back to you and assist you in the best way possible. [+] Creating support cases and case management - https://docs.aws.amazon.com/awssupport/latest/user/case-management.html

AWS
answered 6 months ago
EXPERT
reviewed 6 months ago
  • Thanks for the response! Just for clarity, the RDS database is not an Aurora Postgres instance. It is a MySQL RDS database. I'm assuming it's still the same issue though. Thanks!
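As an added example (not from the question or the AWS answer), the script below reproduces the handshake failure the answer describes by connecting to the MySQL endpoint as a client that offers only RSA-authenticated cipher suites, and applies the suggested interim fix of switching the instance to an RSA CA and rebooting. It assumes the AWS CLI and OpenSSL 1.1.1 or later are installed; HOST and DB_ID are placeholders for your own endpoint and instance identifier.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Assumes AWS CLI v2 and OpenSSL >= 1.1.1
# (for -starttls mysql); HOST and DB_ID below are placeholders for your own values.
set -eu

# An rds-ca-ecc* CA issues the instance an ECDSA server certificate, so a client
# without ECDHE-ECDSA cipher suites (Redshift, per the answer) cannot finish the
# TLS handshake. Returns 0 when the identifier is ECC-based.
ca_is_ecc() {
  case "$1" in
    rds-ca-ecc*) return 0 ;;
    *)           return 1 ;;
  esac
}

# The RSA CA the answer proposes as the interim replacement; RSA CAs pass through.
replacement_ca() {
  if ca_is_ecc "$1"; then echo "rds-ca-rsa2048-g1"; else echo "$1"; fi
}

# Reproduce the failing client: offer only RSA-authenticated TLS 1.2 cipher suites
# to the MySQL endpoint. OpenSSL prints "Server public key" only after a completed
# handshake, so an ECDSA certificate makes this return 1 (the asker's symptom).
probe_rsa_only_client() {
  host="$1"; port="${2:-3306}"
  openssl s_client -connect "$host:$port" -starttls mysql -tls1_2 -cipher 'aRSA' \
    </dev/null 2>&1 | grep -q 'Server public key'
}

# The answer's remediation: switch the instance to the RSA CA and reboot so the
# new certificate is served, then re-run the probe above.
rotate_ca() {
  db="$1"
  current=$(aws rds describe-db-instances --db-instance-identifier "$db" \
              --query 'DBInstances[0].CACertificateIdentifier' --output text)
  new=$(replacement_ca "$current")
  if [ "$new" = "$current" ]; then echo "$db already uses $current"; return 0; fi
  aws rds modify-db-instance --db-instance-identifier "$db" \
      --ca-certificate-identifier "$new" --apply-immediately >/dev/null
  aws rds reboot-db-instance --db-instance-identifier "$db" >/dev/null
  echo "$db: $current -> $new (reboot requested)"
}

# Usage: ./rds-ca-check.sh probe HOST [PORT]   |   ./rds-ca-check.sh rotate DB_ID
if [ "$#" -gt 0 ]; then
  case "$1" in
    probe)  shift; probe_rsa_only_client "$@" && echo "RSA-only handshake OK" || echo "RSA-only handshake FAILED" ;;
    rotate) shift; rotate_ca "$@" ;;
  esac
fi
```

Run the probe before and after rotating: it fails while the instance serves the ECDSA certificate and succeeds once the RSA CA is in place and the instance has rebooted.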
