Redshift SSL Certificate Expiration Issue

Introduction

All Matillion ETL for Amazon Redshift customers will have received an email with the subject line “Action Required: Amazon Redshift - SSL certificate expiring on October 23rd 2017”. The email refers to a change Amazon are introducing into Redshift, and AWS more generally, to make use of ACM certificates.


Who is affected

At the time of writing, all Matillion customers who have environments with SSL enabled will be affected.

Resolution

There are two paths to resolution of this issue. Use either method:

  1. Update to the latest version of Matillion ETL 1.29 - The updated certificates will be installed as part of the update to 1.29.

  2. Update the certificates manually. If you do not wish to update Matillion ETL at this time, you can update the certificates with the following steps.

    a: Log on to the instance using PuTTY or another SSH tool.

    b: Issue the following command. This will download the latest certificate from AWS.
    wget https://s3.amazonaws.com/redshift-downloads/redshift-ca-bundle.crt

    c: Import the certificate into Matillion’s trust store using:

    sudo keytool -import -keystore /usr/lib/jvm/jre/lib/security/cacerts -v -alias redshiftssl2018 -file redshift-ca-bundle.crt -trustcacerts -storepass changeit -noprompt

    d: To check the certificate, issue the following:

    keytool -list -keystore /usr/lib/jvm/jre/lib/security/cacerts -alias redshiftssl2018 -storepass changeit -noprompt

    The fingerprint should be:

    16:2D:CE:78:83:F4:FE:58:5E:48:14:E5:58:A7:4D:D5:51:27:1F:0B

    For reference, the old certificate (which will remain in the keystore) has the fingerprint:

    3D:55:9D:CD:5C:E0:33:6A:AD:D7:C8:8C:5A:31:72:5C:CF:A6:C3:C4
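
A scripted form of the check in step d, for use where the comparison should not be done by eye. This is an added example, not part of the original article or Matillion's tooling; the function names are hypothetical, and the sample keytool output is constructed in the Java 8 format ("Certificate fingerprint (SHA1): ...").

```shell
#!/bin/sh
# Added example: scripted form of step d. Function names are hypothetical.
# Fingerprint, alias and keystore path are the values given on this page.
EXPECTED_SHA1="16:2D:CE:78:83:F4:FE:58:5E:48:14:E5:58:A7:4D:D5:51:27:1F:0B"
KEYSTORE="/usr/lib/jvm/jre/lib/security/cacerts"
ALIAS="redshiftssl2018"

# Constructed sample of Java 8 `keytool -list` output (the date is made up).
SAMPLE="redshiftssl2018, Oct 10, 2017, trustedCertEntry,
Certificate fingerprint (SHA1): $EXPECTED_SHA1"

# Print the SHA-1 fingerprint from keytool output on stdin, upper-cased.
# Prints nothing when the output carries only a SHA-256 fingerprint, which
# newer keytool versions show by default.
extract_sha1() {
    sed -n 's/^Certificate fingerprint (SHA-\{0,1\}1): *\([0-9A-Fa-f:]*\).*$/\1/p' |
        head -n 1 | tr 'a-f' 'A-F'
}

# Exit status: 0 = expected fingerprint, 1 = mismatch, 2 = no SHA-1 line.
check_fingerprint() {
    fp=$(extract_sha1)
    if [ -z "$fp" ]; then
        echo "no SHA-1 fingerprint found in keytool output" >&2
        return 2
    fi
    if [ "$fp" != "$EXPECTED_SHA1" ]; then
        echo "fingerprint mismatch for $ALIAS: got $fp" >&2
        return 1
    fi
    echo "OK: $ALIAS has the expected fingerprint"
}

# Step d against the real trust store (same command as on this page).
verify_keystore() {
    keytool -list -keystore "$KEYSTORE" -alias "$ALIAS" \
        -storepass changeit -noprompt | check_fingerprint
}

# "--live" checks the instance; with no argument the constructed sample is used.
if [ "${1:-}" = "--live" ]; then
    verify_keystore
else
    printf '%s\n' "$SAMPLE" | check_fingerprint
fi
```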