ERR_TLS_CERT_ALTNAME_INVALID when using @aws-sdk/client-neptunedata in Bun application

Hi, I'm the creator and maintainer of queryblast (https://github.com/SouthwestAir/queryblast), which is a babashka pod for submitting opencypher queries to Neptune. Queryblast is a babashka pod, and it runs in a process of its own, while a user script interacts with it.
Queryblast uses @aws-sdk/client-neptunedata, and it's built for darwin using Bun.
OK, here's my question: I'm seeing the following error message when I get on my corporate VPN and submit a query to Neptune:
Error: ERR_TLS_CERT_ALTNAME_INVALID fetching "https://redacted.cluster-caleeddxjuok.us-east-1.neptune.amazonaws.com:XXXX/opencypher". For more information, pass `verbose: true` in the second argument to fetch()
How can I resolve this error?
7 Replies
danielcraig23 (OP), 3mo ago
I tried adding
import { WebSocket as WS } from 'ws';
(globalThis as any).WebSocket = WS;
https://issues.apache.org/jira/browse/TINKERPOP-3160 mentioned this as a fix for a different issue, so I thought I would try it. It did not resolve the issue.
Andrea, 3mo ago
Are you able to view the SSL cert for your neptune cluster from the machine that is executing the query? You can use curl:
curl -vvv https://redacted.cluster-caleeddxjuok.us-east-1.neptune.amazonaws.com:XXXX/status
Then look for the subjectAltName value in the output.
The error itself is indicating that the request's hostname isn't matching the neptune cluster's SSL cert alternative names.
danielcraig23 (OP), 3mo ago
Sorry, I meant to redact parts of that cluster URL. Would you mind editing your curl command to
curl -vvv https://redacted.cluster-caleeddxjuok.us-east-1.neptune.amazonaws.com:XXXX/status
please and thank you.
danielcraig23 (OP), 3mo ago
This is the result of running
curl -vvv https://redacted.cluster-caleeddxjuok.us-east-1.neptune.amazonaws.com:XXXX/status
For subjectAltName I see:
* subjectAltName: host "redacted.cluster-caleeddxjuok.us-east-1.neptune.amazonaws.com" matched cert's "*.cluster-caleeddxjuok.us-east-1.neptune.amazonaws.com"
Andrea, 3mo ago
You sent that curl request while on your VPN? Check that each of the 'redacted' parts matches exactly between the queryblast request, the curl request, and the subjectAltName in the curl response.
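
The hostname comparison suggested above can be run offline. This is an added example, not part of the thread or of queryblast. It feeds candidate endpoint URLs through Node's `tls.checkServerIdentity`, which returns the `ERR_TLS_CERT_ALTNAME_INVALID` error when a name is not covered by the certificate. The cluster id `example0000`, the alias, the IP address, and the helper name `checkEndpoint` are all constructed placeholders.

```javascript
const tls = require('node:tls');

// Constructed SAN string, in the format Node reports as cert.subjectaltname.
// It mirrors the wildcard shape shown in the curl output; the id is a placeholder.
const SAMPLE_SAN = 'DNS:*.cluster-example0000.us-east-1.neptune.amazonaws.com';

// Return the verdict the TLS hostname check gives for the host in `endpoint`.
function checkEndpoint(endpoint, subjectaltname) {
  const host = new URL(endpoint).hostname;
  // Minimal certificate shape: only the fields checkServerIdentity reads.
  const cert = { subject: {}, subjectaltname };
  const err = tls.checkServerIdentity(host, cert);
  return err
    ? { host, ok: false, code: err.code, message: err.message }
    : { host, ok: true, code: null, message: 'hostname is covered by the SAN' };
}

// Constructed candidates: the names a client might end up using for one cluster.
const CANDIDATES = [
  // Cluster endpoint exactly as issued: one label in place of the wildcard.
  'https://mydb.cluster-example0000.us-east-1.neptune.amazonaws.com/opencypher',
  // Internal DNS alias pointing at the same cluster (hypothetical name).
  'https://neptune.corp.example/opencypher',
  // Connecting by IP address instead of by name (documentation range).
  'https://192.0.2.10/opencypher',
  // Extra label: a wildcard covers exactly one leftmost label, not two.
  'https://a.mydb.cluster-example0000.us-east-1.neptune.amazonaws.com/opencypher',
];

function report(san = SAMPLE_SAN) {
  return CANDIDATES.map((endpoint) => checkEndpoint(endpoint, san));
}

for (const r of report()) {
  console.log(`${r.ok ? 'OK  ' : 'FAIL'} ${r.host}: ${r.message}`);
}
```

To use it on a real case, replace `SAMPLE_SAN` with the subjectAltName reported for the cluster and `CANDIDATES` with the exact endpoint string the failing client is configured with.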
danielcraig23 (OP), 3mo ago
Thanks for your help; I'll get more time to work on this tomorrow