Hello Team!
We hope you are well.
We understand that the Redshift External Schema connection fails after updating the RDS certificate authority to 'rds-ca-ecc384-g1'. This is caused by a failed SSL handshake between Redshift and RDS. This error is related to the recently updated CA: rds-ca-ecc384-g1, as Aurora Postgres DOES NOT support ECDHE-ECDSA ciphers, which are required for ECC-based certificates, i.e. Redshift External Schema connections.
You can refer to the following documentation for more information: [+] https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/AuroraPostgreSQL.Security.html#AuroraPostgreSQL.Security.SSL
Internally, we are working on adding support for this in a future release.
To remediate this issue temporarily, we suggest you consider switching to a different certificate such as "rds-ca-rsa4096-g1" or "rds-ca-rsa2048-g1" and rebooting the RDS cluster. Once the instances are rebooted, reattempt connections through Redshift federated query.
[+] Using SSL/TLS to encrypt a connection to a DB cluster - Certificate authorities - https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.RegionCertificateAuthorities
If the issue persists after changing to a different certificate, please raise a Support Case with the AWS team with the timestamp of the error, Redshift logs, as well as the exact error message received when attempting federated query connections through Redshift.
If a support case has already been created, please be assured that we will get back to you and assist you in the best way possible. [+] Creating support cases and case management - https://docs.aws.amazon.com/awssupport/latest/user/case-management.html
Thanks for the response! Just for clarity, the RDS database is not an Aurora Postgres instance. It is a MySQL RDS database. I'm assuming it's still the same issue though. Thanks!
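The remediation in the answer above (switch from `rds-ca-ecc384-g1` to an RSA CA, then reboot), as an added example that is not part of the thread or of AWS tooling: it reads JSON shaped like `aws rds describe-db-instances` output and lists the CLI commands for each federated-query source still on the ECC CA. The instance names, the `federated_sources` set and the `plan_ca_switch` helper are assumptions made for illustration, and the sample JSON is constructed.

```python
import json

ECC_CA = "rds-ca-ecc384-g1"  # CA the thread reports as breaking the handshake
RSA_CAS = ("rds-ca-rsa2048-g1", "rds-ca-rsa4096-g1")  # alternatives from the answer

# Constructed sample, shaped like `aws rds describe-db-instances` output.
SAMPLE = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "orders-mysql", "Engine": "mysql",
     "CACertificateIdentifier": "rds-ca-ecc384-g1"},
    {"DBInstanceIdentifier": "reports-pg", "Engine": "postgres",
     "CACertificateIdentifier": "rds-ca-rsa2048-g1"},
    {"DBInstanceIdentifier": "scratch-db", "Engine": "mysql",
     "CACertificateIdentifier": "rds-ca-ecc384-g1"},
]})


def plan_ca_switch(describe_json, federated_sources, target_ca=RSA_CAS[0]):
    """Return one plan entry per federated-query source still on the ECC CA.

    federated_sources: identifiers of instances that Redshift external
    schemas point at (hypothetical input; you supply this list yourself).
    """
    if target_ca not in RSA_CAS:
        raise ValueError(f"target CA must be one of {RSA_CAS}")
    plan = []
    for inst in json.loads(describe_json).get("DBInstances", []):
        ident = inst["DBInstanceIdentifier"]
        # Skip instances Redshift never connects to, and ones already on RSA.
        if ident not in federated_sources:
            continue
        if inst.get("CACertificateIdentifier") != ECC_CA:
            continue
        plan.append({
            "instance": ident,
            "engine": inst.get("Engine", "unknown"),
            "commands": [
                f"aws rds modify-db-instance --db-instance-identifier {ident} "
                f"--ca-certificate-identifier {target_ca} --apply-immediately",
                f"aws rds reboot-db-instance --db-instance-identifier {ident}",
            ],
        })
    return plan


if __name__ == "__main__":
    for entry in plan_ca_switch(SAMPLE, {"orders-mysql", "reports-pg"}):
        print(f"# {entry['instance']} ({entry['engine']}) uses {ECC_CA}")
        print("\n".join(entry["commands"]))
```

After the reboot, retry the federated query from Redshift before treating the instance as fixed, as the answer advises.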