Issue with custom domain and ElastiCache Redis SSL
I just created an EC Redis Replication Group supporting SSL.

This is the primary endpoint: master.dev-my-site.wmrsll.use1.cache.amazonaws.com:6379

I also created a CNAME: dev-my-site.mydomain.com to master.dev-my-site.wmrsll.use1.cache.amazonaws.com

From my machine, I can connect to Redis through the CLI:

redis-cli -h dev-my-site.mydomain.com -p 6379 --tls

But when I'm using Lambda, I can connect with master.dev-my-site.wmrsll.use1.cache.amazonaws.com but not with the CNAME: dev-my-site.mydomain.com

When I try using the CNAME I receive the following error:

2021-08-26T19:15:27.442Z    5801f8d4-08ae-4bd0-8091-e856d95d008c    ERROR   Uncaught Exception  {"errorType":"Error","errorMessage":"Redis connection to dev-my-site.mydomain.com:6379 failed - Hostname/IP does not match certificate's altnames: Host: dev-my-site.mydomain.com. is not in the cert's altnames: DNS:*.dev-ec-my-site.wmrsll.use1.cache.amazonaws.com","trace":["Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's altnames: Host: dev-my-site. is not in the cert's altnames: DNS:*.dev-ec-my-site.wmrsll.use1.cache.amazonaws.com","    at Object.checkServerIdentity (tls.js:297:12)","    at TLSSocket.onConnectSecure (_tls_wrap.js:1524:27)","    at TLSSocket.emit (events.js:400:28)","    at TLSSocket._finishInit (_tls_wrap.js:936:8)","    at TLSWrap.ssl.onhandshakedone (_tls_wrap.js:708:12)"]}
[ERROR] [1630005327499] LAMBDA_RUNTIME Failed to post handler success response. Http response code: 400.

I don't have any clue how I could fix this certificate issue. I would appreciate help.

Furgeson answered 26/8, 2021 at 19:23 Comment(3)
You can't fix the certificate issue. You either need to tell your Lambda function to stop validating the certificate (would need to know more about your Lambda function to provide info on how to do that), or just stop using the custom CNAME. It is more secure to simply stop using the CNAME. – Rude
Thanks, @MarkB. That's a boomer. If I use the primary endpoint and I make a change that requires replacement, or delete and re-create the replication group, will the endpoint always be the same? That's why I'm using the custom domain with other services, so in case of changes, the CNAME will always resolve to that service endpoint. Thanks! – Furgeson
The endpoint will change if you recreate the DB. Ideally you would be making those changes through a tool like Terraform, which could pass the endpoint to the Lambda function as an environment variable. At the very least you could manually configure the endpoint as an environment variable in the Lambda function so that it is easy to update without redeploying the function. – Rude
