Push-Usage service errand fails with certificate error in TAS 2.9.x when using external database AWS RDS / GCP



Article ID: 298080


Products

VMware Tanzu Application Service for VMs

Issue/Introduction

**This issue is fixed in versions 2.9.4, 2.10 and 2.11**


When the push-usage-service errand runs, it fails to connect to the external AWS RDS database with a certificate error similar to the following output:
2020-08-20T18:38:04.47+0000 [APP/TASK/48ee9bdd/0] ERR rake aborted!
2020-08-20T18:38:04.47+0000 [APP/TASK/48ee9bdd/0] ERR Mysql2::Error: SSL connection error: unable to get local issuer certificate
2020-08-20T18:38:04.47+0000 [APP/TASK/48ee9bdd/0] ERR /home/vcap/deps/0/vendor_bundle/ruby/2.6.0/gems/mysql2-0.4.10/lib/mysql2/client.rb:89:in `connect'
2020-08-20T18:38:04.47+0000 [APP/TASK/48ee9bdd/0] ERR /home/vcap/deps/0/vendor_bundle/ruby/2.6.0/gems/mysql2-0.4.10/lib/mysql2/client.rb:89:in `initialize'
2020-08-20T18:38:04.47+0000 [APP/TASK/48ee9bdd/0] ERR /home/vcap/deps/0/vendor_bundle/ruby/2.6.0/gems/activerecord-5.2.4.3/lib/active_record/connection_adapters/mysql2_adapter.rb:22:in `new'
2020-08-20T18:38:04.47+0000 [APP/TASK/48ee9bdd/0] ERR /home/vcap/deps/0/vendor_bundle/ruby/2.6.0/gems/activerecord-5.2.4.3/lib/active_record/connection_adapters/mysql2_adapter.rb:22:in `mysql2_connection'

Environment

Product Version: 2.9

Resolution

Changes were introduced recently to make sure the service respects the properties.system_database.external.validate_hostname.value property in p-runtime, but this had unintended consequences, including the issue described here: with hostname validation enabled, the errand's MySQL client verifies the server certificate and fails when the issuing CA is not in its trust store.

There are 2 ways in which you can resolve this issue:

1. Uncheck "Enable hostname validation" in the PAS tile under "Databases" and apply changes to the PAS tile.

2. For an AWS RDS database, add the AWS RDS Root CA bundle to the Bosh -> Security section of the BOSH Director tile.

The AWS RDS Root CA bundle can be found here: AWS SSL/TLS

   a. Download the CombinedCABundle pem file, which includes the AWS RDS Root CA and all associated leaf certs.
   b. Add the contents of the pem file to the Security tab in the BOSH Director tile.
   c. Apply Changes to the BOSH Director and the TAS tile. Once BOSH has updated the clock_global VMs with the new certificates, the push-usage-service errand should be able to connect to the RDS database.
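As an added pre-check (example script, not from this article or the product), you can confirm offline with openssl that a downloaded bundle actually contains the issuer of your database endpoint's certificate, and that the certificate matches the hostname you dial, before pasting the bundle into the BOSH Director tile. The CA, server certificate and hostname below are constructed stand-ins for the CombinedCABundle and the RDS endpoint certificate; in practice you would feed in the certificate the endpoint presents.

```shell
#!/usr/bin/env bash
# Added example (not from the KB article): an offline pre-check for the CA bundle you
# plan to paste into the BOSH Director's Security tab. It performs the two checks the
# errand's MySQL client performs with hostname validation enabled: does the server
# certificate chain to a CA in the bundle, and does it carry the hostname being dialed?
set -eu

# verify_db_cert BUNDLE.pem SERVER_CERT.pem HOSTNAME
#   Exit status 0 when both checks pass. On failure, prints OpenSSL's reason to stderr,
#   e.g. "unable to get local issuer certificate" (the errand's error) or "Hostname mismatch".
verify_db_cert() {
  local out
  if out=$(openssl verify -CAfile "$1" -verify_hostname "$3" "$2" 2>&1); then
    return 0
  fi
  printf 'verification failed for %s: %s\n' "$2" "$out" >&2
  return 1
}

# make_demo_certs DIR
#   Constructed demo material standing in for the RDS endpoint certificate and the
#   CombinedCABundle: a root CA, a server certificate it issued, and an unrelated root CA
#   (a bundle that lacks the real issuer). CA names and the hostname are made up.
make_demo_certs() {
  local d=$1 host=db.example.internal
  for ca in ca other; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo $ca root" \
      -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null
  done
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$host" \
    -keyout "$d/db.key" -out "$d/db.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" > "$d/san.cnf"
  openssl x509 -req -in "$d/db.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
    -days 1 -extfile "$d/san.cnf" -out "$d/db.pem" 2>/dev/null
}

# Demonstration: the bundle holding the issuer validates; a bundle without it fails the
# same way the push-usage-service errand does; and the right bundle still fails for the
# wrong hostname, which is the check "Enable hostname validation" adds on top of the chain.
demo_dir=$(mktemp -d)
make_demo_certs "$demo_dir"
verify_db_cert "$demo_dir/ca.pem"    "$demo_dir/db.pem" db.example.internal && echo "bundle OK"
verify_db_cert "$demo_dir/other.pem" "$demo_dir/db.pem" db.example.internal || echo "issuer CA missing from bundle"
verify_db_cert "$demo_dir/ca.pem"    "$demo_dir/db.pem" wrong.example.internal || echo "hostname mismatch"
```

Against a real endpoint, the server certificate to test is the one the database presents on its TLS port; an openssl build with `s_client -starttls mysql -showcerts` support can capture it.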