
ERR_TLS_CERT_ALTNAME_INVALID #237

Open
joaolcorreia opened this issue Nov 22, 2021 · 3 comments

Comments

@joaolcorreia

Hi,

Redshift Lambda Loader has been working forever; on the past Nov 18th it started erroring out with:

error: Cluster Load Failure Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: Host: localhost. is not in the cert's altnames: DNS:*.cqhnzqunicma.us-west-2.redshift.amazonaws.com on Cluster 10.0.0.54

I noticed Redshift had a maintenance window on the same day. Any ideas?

Thanks
Joao Correia

@IanMeyers
Contributor

I would recommend that you open a case with AWS Support, who should be able to help you troubleshoot the CA information and determine where this issue is coming from.

@IanMeyers
Contributor

If you’ve not been able to raise a case, can you please try setting a Lambda environment variable NODE_TLS_REJECT_UNAUTHORIZED=0, which may provide a workaround?

@IanMeyers
Contributor

More information:

Starting on November 12, Lambda released a security update to the nodejs12.x and nodejs14.x runtimes. These updates included changes to the behavior of TLS connections where rejectUnauthorized is by default set to true unless explicitly set to false. To mitigate impact from this change Lambda automatically sets a default value for the environment variable NODE_EXTRA_CA_CERTS=/etc/pki/tls/certs/ca-bundle.crt if not otherwise set by the customer. If a customer sets this environment variable explicitly and/or has a misconfiguration in their SSL connection parameters or setup, they may see impact if connecting to unauthorized resources.

As a fast workaround customers can either update their function configuration to set the environment variable NODE_TLS_REJECT_UNAUTHORIZED='0' or rejectUnauthorized: false in their TLS connection to revert back to the old behavior. While this provides a short-term mitigation, we recommend customers update their code to use valid certificates that will not be rejected by the new defaults.
