
Redash v7 on Docker can't connect to RDS MySQL: "SSL connection error: unknown error number"


My Redash v7 server can't connect to Amazon RDS MySQL 8.0.28. The error says "SSL connection error: unknown error number". How can I solve this?

The server is running on Docker. Its image is redash/redash:7.0.0.b18042.

I tried replacing the CA certificates file with https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem but it didn't work.

Here's a Python script that reproduces the error. Run this file on a Redash v7 container and you can see the error message.

import MySQLdb

ssl_params = {'ca': '/app/redash/query_runner/files/rds-combined-ca-bundle.pem'}

connection = MySQLdb.connect(host='<snip>',
                             user='<snip>',
                             passwd='<snip>',
                             db='<snip>',
                             port=3306,
                             charset='utf8',
                             use_unicode=True,
                             ssl=ssl_params,
                             connect_timeout=60)
cursor = connection.cursor()
cursor.execute('select count(1) from users')
data = cursor.fetchall()
print(data)

$ python example.py
Traceback (most recent call last):
  File "example.py", line 13, in <module>
    connect_timeout=60)
  File "/usr/local/lib/python2.7/dist-packages/MySQLdb/__init__.py", line 81, in Connect
    return Connection(*args, **kwargs)
  File "/usr/local/lib/python2.7/dist-packages/MySQLdb/connections.py", line 193, in __init__
    super(Connection, self).__init__(*args, **kwargs2)
_mysql_exceptions.OperationalError: (2026, 'SSL connection error: unknown error number')

This error doesn't occur on a Redash v10 container but upgrading to v10 is not an option for now.


Solution

  • I found a workaround by myself.
    Upgrading the libmysqlclient20 package solved my issue.

    The libmysqlclient20 package in the redash/redash:7.0.0.b18042 image is statically linked to yaSSL, which doesn't support TLS v1.2+.
    The upgraded libmysqlclient20 package is compiled using OpenSSL, which supports TLS v1.2+.

    MySQL 8.0.28 dropped support for TLS v1.1. That's why I need the latest libmysqlclient20.

    SEE ALSO: https://dev.mysql.com/doc/refman/5.7/en/ssl-libraries.html
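
One way to confirm this kind of version mismatch from a packet capture, as an added example that is not part of the original post: the script parses the TLS records of a failed handshake and reports the version the client offered and the alert the server sent back. The sample bytes are constructed, the function names are hypothetical, and it assumes the server rejects the handshake with a protocol_version alert and that you pass in only the TLS portion of the stream (on a MySQL connection it starts after the plaintext greeting and SSL request).

```python
import struct

# TLS wire versions; a TLS 1.3 client also sends 0x0303 here (legacy_version).
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
ALERTS = {40: "handshake_failure", 70: "protocol_version"}

def parse_records(stream):
    """Yield (content_type, fragment) for each complete TLS record in stream."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        fragment = stream[pos + 5:pos + 5 + length]
        if len(fragment) < length:
            break  # truncated capture: stop rather than guess
        yield ctype, fragment
        pos += 5 + length

def diagnose(client_bytes, server_bytes):
    """Return (highest version the client offered, server alert name or None)."""
    offered = alert = None
    for ctype, frag in parse_records(client_bytes):
        # Handshake record (22) holding a ClientHello (type 1): the 2-byte
        # client_version follows the 4-byte handshake header.
        if ctype == 22 and len(frag) >= 6 and frag[0] == 1:
            (ver,) = struct.unpack_from("!H", frag, 4)
            offered = VERSIONS.get(ver, hex(ver))
    for ctype, frag in parse_records(server_bytes):
        if ctype == 21 and len(frag) == 2:  # alert record: level, description
            alert = ALERTS.get(frag[1], "alert %d" % frag[1])
    return offered, alert

# Constructed sample bytes (not a real capture): a minimal ClientHello offering
# at most TLS 1.1, and a fatal protocol_version alert as the server's reply.
_hello = b"\x03\x02" + b"\x00" * 32 + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
_handshake = b"\x01" + struct.pack("!I", len(_hello))[1:] + _hello
SAMPLE_CLIENT = struct.pack("!BHH", 22, 0x0301, len(_handshake)) + _handshake
SAMPLE_SERVER = struct.pack("!BHH", 21, 0x0302, 2) + b"\x02\x46"

if __name__ == "__main__":
    print(diagnose(SAMPLE_CLIENT, SAMPLE_SERVER))
```

A client whose ClientHello shows TLSv1.1 or lower against a server that only accepts TLS v1.2+ matches the cause described in the answer; after the library upgrade the same capture should show TLSv1.2 and no alert.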