
AWS RDS PROXY connection via lambda suddenly started failing from 27th Aug 2025 00:00 in all environments

0

We use RDS Proxy to connect to the database, and it was working with the configuration below for more than a year in dev/test/uat and prod. Suddenly it started throwing an exception on SSL_HANDSHAKE.

{
  type: 'mysql',
  host: host,
  port: parseInt(dbCredentials.port, 10),
  username: dbCredentials.username,
  password: dbCredentials.password,
  database: dbCredentials.database,
  ssl: 'Amazon RDS',        // named SSL profile bundled with the driver
  entities: Entities,
  logger: new DbLogger(),
  timezone: 'Z'
}

Error:
{
  "message": "00CA7687FFFF0000:error:0A000417:SSL routines:ssl3_read_bytes:ssl/tls alert illegal parameter:ssl/record/rec_layer_s3.c:907:SSL alert number 47\n",
  "library": "SSL routines",
  "reason": "ssl/tls alert illegal parameter",
  "code": "HANDSHAKE_SSL_ERROR",
  "fatal": true
}

Later, referring to the documentation below, https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/rds-proxy.howitworks.html#rds-proxy-security.tls , I guess we do not need to pass a ca or cert to ssl, but it picks it up from AWS Lambda for RDS Proxy.

ssl : { rejectUnauthorized: true }

Unfortunately, this also doesn't work. Has something changed on the AWS Lambda side? Anything stricter, or any new configurations?

Interestingly, when we pointed it at the RDS endpoints directly, it works.

asked 8 months ago · 243 views
1 Answer
0

The issue you're experiencing with RDS Proxy connections failing since August 27, 2025, is likely related to the expiration of the rds-ca-2019 SSL/TLS certificate, which expired in August 2024. This certificate was used for Amazon RDS and related services.

When SSL/TLS certificates expire, connections to Amazon RDS databases can fail with SSL handshake errors like the one you're seeing. To resolve this issue, you need to:

  1. Check your RDS instance's current certificate by running the AWS CLI command:

     aws rds describe-db-instances --region your-region --db-instance-identifier your-db --query 'DBInstances[0].{DBInstanceIdentifier:DBInstanceIdentifier,CACertificateIdentifier:CACertificateIdentifier}'

  2. If the output shows "rds-ca-2019" as the certificate identifier, you need to modify your DB instance or cluster to update the CA certificate.

  3. For your Lambda connection, try updating your connection configuration. Since you're using RDS Proxy, ensure that your security groups are properly configured to allow the RDS Proxy security group to access the RDS cluster security group.

  4. Also, verify that the TLS versions between your RDS cluster and RDS Proxy match. Amazon RDS for MySQL 8.4 supports TLS 1.2 and TLS 1.3 with specific cipher suites, so ensure your client application is compatible with these versions.

After updating the certificates and ensuring proper TLS configuration, your Lambda should be able to connect to the RDS Proxy again.
Sources
Troubleshoot Amazon RDS expired SSL/TLS certificate connection issues | AWS re:Post
AWS RDS Proxy stuck with PENDING_PROXY_CAPACITY | AWS re:Post
Amazon RDS for MySQL LTS version 8.4 is now generally available | AWS Database Blog

answered 8 months ago
