SSL root certificate problem - can't load any looks in redshift


(Mark Jensen) #1

Anyone else getting this? Seems related to yesterday’s upgrade? Can’t load any looks on Redshift.

The Amazon Redshift database encountered an error while running this query.

Could not open SSL root certificate file /home/lookerops/.postgresql/root.crt.

(Mark Jensen) #2

Turning off “verify cert” in the Redshift connection did the trick.

(Izzy) #3

Nice job on the quick workaround! This was indeed related to yesterday’s upgrade, we’ve identified the issue and have dedicated resources pushing out a fix for it-- I’ll post here with any updates.

(Izzy) #5

Mark (and other onLookers [hehe]),

We’ve identified + patched the issue causing this problem-- During the standard maintenance window tonight (9-5pm PST), hosted customers who had already updated to 6.4 will be updated to the patched version. On-premise customers who have already updated will receive a patched .jar to install.

Happy to field any further questions about this one, but hopefully all will be well after tonight’s patch.

(Mark Jensen) #6

Great news, thanks. I’ll put verify cert flag back tomorrow.

(Mark Jensen) #7

@izzy getting this now:

Cannot connect: connection refused: Java::OrgPostgresqlUtil::PSQLException: The hostname localhost could not be verified by hostnameverifier PgjdbcHostnameVerifier.

JDBC string: jdbc:postgresql://localhost:5439/dev?tcpKeepAlive=true&socketTimeout=28800&ssl=true&sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory

(Izzy) #8

Hey Mark-- Saw you hopped on chat about this one too.

I’m going to let that well-oiled machine take over the troubleshooting on this one, but will circle back to provide the solution for anyone else who runs into this in the future.

(Izzy) #9

Okay, so it looks like this error is being thrown as the result of improved error messaging on our part. Previously, there may have been some cases where a warning should have been shown, and was not.

In this particular case, since you’re using an SSH tunnel, you wouldn’t need to verify SSL since you’re connecting to localhost:5439, which has no certificate.

(Mark Jensen) #10

@izzy thanks,
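
Added example (not part of the thread, and not Looker or pgjdbc code): a simplified hostname check run against the JDBC string from post #7. Through the SSH tunnel the client dials localhost, so that is the name compared with the DNS names in the certificate the server presents. The certificate name below is a constructed sample, and `name_matches` is a simplified stand-in for a real hostname verifier.

```python
from urllib.parse import urlsplit, parse_qs

# JDBC string quoted in post #7 of the thread.
JDBC_URL = ("jdbc:postgresql://localhost:5439/dev?tcpKeepAlive=true"
            "&socketTimeout=28800&ssl=true"
            "&sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory")

# Constructed sample: DNS names a cluster certificate might carry (not from the thread).
SAMPLE_CERT_DNS_NAMES = ["*.examplecluster.us-east-1.redshift.amazonaws.com"]


def parse_jdbc(url):
    """Split a jdbc:postgresql:// URL into host, port, database and parameters."""
    if not url.startswith("jdbc:"):
        raise ValueError("not a JDBC URL")
    parts = urlsplit(url[len("jdbc:"):])
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return {"host": parts.hostname, "port": parts.port,
            "database": parts.path.lstrip("/"), "params": params}


def name_matches(pattern, host):
    """Simplified RFC 6125 match: '*' may only replace the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def hostname_check(url, cert_dns_names):
    """Return (tls_requested, host, verified) for the host the client dials."""
    conn = parse_jdbc(url)
    tls = conn["params"].get("ssl", "false").lower() == "true"
    verified = any(name_matches(n, conn["host"]) for n in cert_dns_names)
    return tls, conn["host"], verified


if __name__ == "__main__":
    # Tunnel case from the thread: the dialed name is "localhost".
    print(hostname_check(JDBC_URL, SAMPLE_CERT_DNS_NAMES))
    # Direct case (constructed endpoint): the dialed name matches the wildcard.
    direct = JDBC_URL.replace("localhost", "dev.examplecluster.us-east-1.redshift.amazonaws.com")
    print(hostname_check(direct, SAMPLE_CERT_DNS_NAMES))
```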