Glue job failing with An error occurred while calling o96.getDynamicFrame. SSL error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certif

2

I had an AWS Glue connection and job working fine with Postgres RDS. Now, after following the https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html article, I upgraded my RDS CA certificate from rds-ca-2019 to rds-ca-rsa2048-g1, as rds-ca-2019 is expiring soon.

After this change in the CA certificate, my Glue jobs started failing with this error:

An error occurred while calling o96.getDynamicFrame. SSL error: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

The job run was successful after reverting the RDS CA certificate to rds-ca-2019.

asked 7 months ago · 1023 views
3 Answers
2

I found a solution.

I extracted the related/required certificate from the certificate bundle mentioned in the https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html doc.

I uploaded this extracted certificate to S3 and modified the connection to use a custom certificate from S3. It worked with this change.

answered 6 months ago
  • Happy to hear that. Which certificate did you extract from the bundle (e.g. intermediate, server) and how did you pass it to the connection? I don't see why the root CA that the Glue job should have is not enough.

  • Also, I never have to do that using the standard configuration. What did you do that was special about the server certificates (e.g. which intermediate CA did you choose, etc.)? Thanks.
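
The extraction step described in the answer above, as an added example that is not part of the original posts: it splits a PEM bundle into individual certificates, picks one by a substring of its subject, and checks that a server certificate chains to it. The function names, file names and the two throwaway CAs are constructed for illustration; for a real bundle, pass the bundle file you downloaded and a subject substring taken from the issuer of your instance's certificate.

```sh
# Split a PEM bundle ($1) into one file per certificate under directory $2.
split_bundle() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%03d.pem", dir, n) }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
  ' "$1"
}

# Print the path of the first split certificate in $1 whose subject contains $2.
find_cert_by_subject() {
  for f in "$1"/cert-*.pem; do
    if openssl x509 -in "$f" -noout -subject 2>/dev/null | grep -qF -- "$2"; then
      echo "$f"
      return 0
    fi
  done
  return 1
}

# Succeed only if certificate $2 chains to the CA file $1. A failure here is the
# openssl counterpart of Java's "PKIX path building failed".
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Constructed sample data in directory $1: two throwaway self-signed CAs
# concatenated into bundle.pem, plus server.pem signed by the second CA.
make_sample() {
  mkdir -p "$1"
  for n in a b; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed CA $n" \
      -keyout "$1/ca-$n.key" -out "$1/ca-$n.pem" 2>/dev/null
  done
  cat "$1/ca-a.pem" "$1/ca-b.pem" > "$1/bundle.pem"
  openssl req -newkey rsa:2048 -nodes -subj "/CN=db.example.internal" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null
  openssl x509 -req -in "$1/server.csr" -days 1 -CA "$1/ca-b.pem" \
    -CAkey "$1/ca-b.key" -CAcreateserial -out "$1/server.pem" 2>/dev/null
}
```

Running `chains_to` against each split certificate shows which single CA file a client needs in order to validate the server, which is the file to supply as the connection's custom certificate.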

0

Sounds like that certificate is not generated by the right CA.
In the meantime, if you do need to upgrade urgently, you can temporarily disable the CA check in the JDBC URL parameters by setting sslmode=require.

AWS
EXPERT
answered 7 months ago
  • For now I have reverted the CA certificate change for RDS.

    It is unfortunate that Glue is not compatible with the newly issued CA certificates for RDS.

  • It's not really a compatibility thing. Glue runs on AmazonLinux2 and uses the CA that it provides; if that certificate is not signed by a valid public CA, you will have issues with any client.

  • Then what is the solution? If the existing RDS certificates are expiring in 2024 and we have to replace them with new certificates, then Glue jobs will fail. AWS should have fixed it.

  • I would test if other tools (e.g. an EC2 instance or your own computer) can use the cert correctly. If they do, open a ticket so the Glue team can investigate if the cacert on the instance is out of date (that would cause lots of issues and nobody else has complained AFAIK). Are you using Glue 3 or 4?

  • Using Glue 3. Tried Glue 4 too. Same issue.

0

Thank you for your post. I followed the exact same procedure (i.e. updated the certificate via RDS directly) to upgrade to rds-ca-rsa2048-g1 and now my Glue job fails as well. Thank you for the solution, I'll implement it. But I believe it would be nice to update the certificates available to Glue directly as well, or at least make them easily choosable when creating the Glue Connection.

Sacha L
answered 5 months ago
