Occuring 'SSL Connection Error: ASN' if using rds-ca-2019

[ikenji]

Issue Summary

I got the error below when upgrade rds-certificate and execute query on Redash.
Error running query: SSL connection error: ASN: bad other signature confirmation

I guess that occur because using RDS with rds-ca-2019.

I fixed that add key(*1) to 'redash/redash/query_runner/files/rds-combined-ca-bundle.pem' manually.
(*1) https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem

If this is right solution, may I create the pull-request?

refs:
AWS: Using SSL/TLS to Encrypt a Connection to a DB Instance
AWS: solution about SSL error

Steps to Reproduce

1. Using RDS with rds-ca-2019.
2. Executing some query on Redash console.

Technical details:

• Redash Version:Redash 5.0.2+b5486
• Browser/OS: Chrome Version 77.0.3865.120 / MacOS
• How did you install Redash: AWS EC2 AMI redash-5.0.2-b5486-build2-ap-northeast-1

[arikfr]

I guess that occur because using RDS with rds-ca-2019.

If the new certificates are optional, maybe we need to add support for both? Or is the 2019 one "backward compatible"?

[ikenji]

@arikfr Thank you for your response.
One moment please, I will check it on my AWS environment using rds-ca-2015.

[ikenji]

@arikfr

AWS support answers to me that need both of 2015 and 2019.

Please use rds-combined-ca-bundle.pem corresponding to both rds-ca-2015 and rds-ca-2019 when the DB instance settings are mixed during the transition period.
This is the same for both RDS and Aurora.

So, we should update 'rds-combined-ca-bundle.pem' from https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem not adding only rds-ca-2019.

May I create the Pull-Request that updating latest rds-combined-ca-bundle.pem?

[ikenji]

Refs:

AWS announce "Rotating Your SSL/TLS Certificate"

Modify the DB instance to change the CA from rds-ca-2015 to rds-ca-2019.

https://docs.aws.amazon.com/en_pv/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html