Reputation: 3558
I received an email from AWS, which looks as follows:
https://i.sstatic.net/BP9Zp.png
This part is the most noteworthy:
If your applications connect to those instances using the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol please follow the detailed instructions in the link below to complete your update(s). If not completed, your applications will fail to connect to your DB instances using SSL/TLS after March 5, 2020.
I'm a little confused on what I need to do, and wanted to see if anyone else got this email, and/or what the recommended steps are.
I connect to our database in two ways:
- Via Sequel Pro, I ssh into our EC2 instance, and from there, connect to our RDS instance
- Via our app, I use PHP to connect to a MySQL database using the new mysqli syntax.
I don't believe either of those cases count towards what I quoted above. But I also don't fully understand it.
Would appreciate any feedback from anyone who's in the same situation.
Thanks!
Upvotes: 2
Views: 2605
Reputation: 11
AWS strongly recommends anyone using SSL/TLS (and checking certificates) with RDS/Aurora/DocumentDB update their applications’ and services' CA certificates with the bundle that has both the old and the new 2019 certificates by February 5. At that time, AWS will begin staging the new CA certificate on the database instances. The database instances do not support more than one certificate at a time. This means that any DB instance restart after the certificate is staged, either planned or unplanned, will invoke the new certificate on the RDS/Aurora/DocumentDB instance. As a result, applications and services using SSL/TLS (and checking certificates) that have not taken action to update with the new certificate bundle will NOT be able to connect to the DB instance. Good info here: https://aws.amazon.com/blogs/aws/urgent-important-rotate-your-amazon-rds-aurora-and-documentdb-certificates/
Upvotes: 1
Reputation: 59906
This is an open announcement from AWS: one of the RDS certificates (rds-ca-2015) that is used with RDS is going to expire.
> I'm a little confused on what I need to do and wanted to see if anyone else got this email, and/or what the recommended steps are.
All you need to do is update the SSL:
RDS -> cluster -> Select -> modify -> Certificate authority
Important
This operation reboots your DB instance.
> I don't believe either of those cases count towards what I quoted above. But I also don't fully understand it.
You can verify this at your end, but it is better to upgrade to the latest TLS for the sake of security; normally the connection with RDS is not TLS encrypted.
As per Sequel Pro
Standard Connection
A standard connection is an unencrypted connection using TCP/IP. Such a connection is usually made over the network or over the internet to a remote server.
But again I will recommend upgrading to the latest SSL.
Upvotes: 3
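To see which DB instances are still on the expiring rds-ca-2015 certificate discussed in the answers above, the following added example (not part of any answer) classifies the JSON output of `aws rds describe-db-instances`. The sample data is constructed, and `rds-ca-2019` is assumed to be the identifier of the replacement CA.

```python
import json

OLD_CA = "rds-ca-2015"  # expiring CA named in the answer above
NEW_CA = "rds-ca-2019"  # assumption: identifier of the replacement CA

# Constructed sample shaped like `aws rds describe-db-instances` output.
SAMPLE = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "app-db",
     "CACertificateIdentifier": "rds-ca-2015", "PendingModifiedValues": {}},
    {"DBInstanceIdentifier": "reports-db",
     "CACertificateIdentifier": "rds-ca-2015",
     "PendingModifiedValues": {"CACertificateIdentifier": "rds-ca-2019"}},
    {"DBInstanceIdentifier": "auth-db",
     "CACertificateIdentifier": "rds-ca-2019", "PendingModifiedValues": {}},
    {"DBInstanceIdentifier": "legacy-db"},  # CA field missing
]})


def classify(instance):
    """Return the CA rotation state of one DBInstances entry."""
    current = instance.get("CACertificateIdentifier")
    pending = (instance.get("PendingModifiedValues") or {}).get(
        "CACertificateIdentifier")
    if current is None:
        return "unknown"         # field missing: check the instance by hand
    if current == OLD_CA and pending == NEW_CA:
        return "pending"         # new CA requested but not applied yet
    if current == OLD_CA:
        return "needs-rotation"
    return "rotated" if current == NEW_CA else "other-ca"


def audit(describe_json):
    """Map DB instance identifier -> rotation state."""
    data = json.loads(describe_json)
    return {i["DBInstanceIdentifier"]: classify(i)
            for i in data.get("DBInstances", [])}


def still_on_old_ca(report):
    """Instances whose server certificate is still issued by OLD_CA."""
    return sorted(name for name, state in report.items()
                  if state in ("pending", "needs-rotation"))


if __name__ == "__main__":
    report = audit(SAMPLE)
    for name, state in sorted(report.items()):
        print(f"{name:12} {state}")
    print("still on", OLD_CA + ":", still_on_old_ca(report))
```

Clients that connect over TLS and verify the server certificate need the bundle containing both CAs before any instance listed by `still_on_old_ca` switches certificate.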