Applies to:
- Liquibase Pro
Conditions:
- DocumentDB v4
Issue Summary:
When attempting to connect to DocumentDB using SSL/TLS, Liquibase is unable to connect.
Error Message:
exception={com.mongodb.MongoSocketWriteException: Exception sending message}, caused by {javax.net.ssl.SSLHandshakeException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}, caused by {sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}, caused by {sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target}
Potential Root Causes:
This error will occur if there is an SSL/TLS certificate issue or the tunnel isn't correctly configured.
Troubleshooting:
- There are a couple of steps that are required on the AWS side. Ensure that all of the steps in a and b are completed.
  a. Connecting Programmatically to Amazon DocumentDB gives the instructions on how to create a keystore file and get the .pem certificate to connect to DocumentDB.
  b. If connecting from outside of the Amazon VPC, Connecting to an Amazon DocumentDB Cluster from Outside an Amazon VPC has instructions on what is required to connect.
- Check the permissions on the certificate and keystore file.
  - Ensure that both the Java keystore file and the bundle.pem provided by AWS are readable.
  - Use keytool to check that the Java keystore file contains the certificate for the region that the DocumentDB cluster is in:
    keytool -list -v -keystore PATH_TO_TRUSTSTORE/rds-truststore.jks
- When running Liquibase, make sure the keystore file is set via JAVA_OPTS.
  - On Linux:
    export JAVA_OPTS="-Djavax.net.ssl.trustStore=PATH_TO_TRUSTSTORE/rds-truststore.jks -Djavax.net.ssl.trustStorePassword=PASSWORD"
  - On Windows:
    set JAVA_OPTS="-Djavax.net.ssl.trustStore=PATH_TO_TRUSTSTORE\\rds-truststore.jks -Djavax.net.ssl.trustStorePassword=PASSWORD"
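
The checks above combined into one preflight script for Linux, added here as an example (not Liquibase or AWS code). The function names and the sample keytool listing are constructed, and the trust store path is assumed to contain no spaces:

```shell
#!/bin/sh
# Added example (not Liquibase or AWS code). Function names are hypothetical.
# Assumes the trust store path contains no spaces.

# Print the -Djavax.net.ssl.trustStore value found in a JAVA_OPTS string.
truststore_from_opts() (
  set -f                          # no globbing while splitting into options
  for opt in $1; do
    case "$opt" in
      -Djavax.net.ssl.trustStore=*) printf '%s\n' "${opt#*=}"; exit 0 ;;
    esac
  done
  exit 1                          # not set: the JVM would use its default store
)

# Succeed only if every file given is readable by the current user.
readable_files() (
  for f in "$@"; do
    [ -r "$f" ] || { printf 'not readable: %s\n' "$f" >&2; exit 1; }
  done
)

# Read `keytool -list -v` output on stdin; succeed if an Alias or Owner
# line mentions the region.
region_in_listing() {
  grep -E '^(Alias name|Owner):' | grep -qiF -- "$1"
}

# preflight REGION BUNDLE_PEM: run all three checks against $JAVA_OPTS.
# keytool prompts for the keystore password.
preflight() {
  ts=$(truststore_from_opts "${JAVA_OPTS:-}") ||
    { echo "JAVA_OPTS does not set javax.net.ssl.trustStore" >&2; return 1; }
  readable_files "$ts" "$2" || return 1
  keytool -list -v -keystore "$ts" | region_in_listing "$1" ||
    { echo "no certificate for $1 in $ts" >&2; return 1; }
  echo "OK: $ts is readable and lists a certificate for $1"
}

# Constructed sample of keytool output, for trying region_in_listing offline.
SAMPLE_LISTING='Alias name: sample-ca-1
Owner: CN=Example RDS us-east-1 Root CA, O=Example
Alias name: sample-ca-2
Owner: CN=Example RDS eu-west-1 Root CA, O=Example'
```

After exporting JAVA_OPTS, source the script and run `preflight REGION PATH_TO_BUNDLE_PEM` in the same shell that will launch Liquibase.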