6

I recently received an email regarding a required update to my RDS Certificate Authority. The instructions on the RDS side seem straightforward: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html

However on step 4 there was an important message, "When you schedule this operation, make sure that you have updated your client-side trust store beforehand."

I can't seem to find any information about updating my server, which connects to RDS, for the CA update.

My setup is EC2 instances on Beanstalk.

Does anyone know how/what I am supposed to do?
Thank you.

Similar question: Update Amazon RDS SSL/TLS Certificates - Elastic Beanstalk

weber

3 Answers

2

Basically, installing the certificate is only required when you use an SSL connection from your application to the RDS server. Regardless of the SSL connection, it is recommended to update the certificate of your server, but it is not necessary if you do not use an SSL connection to RDS.

Server-side Usage

When you use the SSL connection, you should change the certificate of the RDS server as soon as possible. Go to the RDS console, then you can find the Certificate update menu from the left menu list. Find your DB cluster, check and update your SSL right now or reserve the update for the next maintenance.

Client-side Usage

The details about the SSL certificate are noted in the documentation. From there, you can download the RDS 2019 root CA certificate. The link is below.

https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem

This CA certificate is used to connect to the RDS server, e.g.

mysql -h myinstance.c9akciq32.rds-us-east-1.amazonaws.com
--ssl-ca=[full path]rds-combined-ca-bundle.pem --ssl-mode=VERIFY_IDENTITY

or add it to the Trusted Root CA for the client OS.

For example, in Windows you can run certmgr.msc, right-click the Trusted Root CA store, and import this certificate. On Mac, open Keychain Access and import this certificate. This is an option.

Lamanus
  • How/where do I `add it to the "Trusted Root CA" for the client OS`? – weber Oct 17 '19 at 17:37
  • Well, it is not required, but you can do it. I added a bit more about that. – Lamanus Oct 18 '19 at 01:28
  • This doesn't answer the question. It's unclear from any instructions (and not yours either) what to do in Amazon Beanstalk (PaaS) when you have only uploaded a zip and used auto settings. It's not clear whether you need to go to the RDS instance inside the console or not, and what to do there. It's also not clear whether you need to do something inside Beanstalk or your environment variables to support the new certificate. I will investigate this as I need to do it myself. – Rbbn Jan 14 '20 at 21:21
0

In order to change your CA certificate on an Amazon (AWS) Elastic Beanstalk environment, do the following:

  1. Log in to your console (https://console.aws.amazon.com/)
  2. Click services and search for "RDS"
  3. Inside RDS (RDS is where the databases from Beanstalk live, even though they are directly attached to the Beanstalk environment) click "Certificate Update" down in the right corner (there will be a very red notification on the link)
  4. If you have any certificates to upgrade, they will show up here.
  5. Click the RDS instance name (the weird aws name of the database server) aka "DB identifier"
  6. (Inside this you can see some more info about it under Configuration, for instance your DB username, which could help you identify the instance if you have many and forgot to rename them.)
  7. Click Actions > Upgrade now (this will reboot your instance now) OR Actions > Upgrade at next window (choose this if you have a lot of traffic and many users, so it will be less disruptive, i.e. it will not stop in the middle of the day but at night according to the maintenance schedule of your location/server)
  8. That's it. You do not need to install anything in your Beanstalk environment.
Rbbn
  • I think this is down-voted because most production environments do NOT use RDS within Elastic Beanstalk. Using RDS from within Elastic Beanstalk is potentially dangerous because if you terminate your Elastic Beanstalk instance, your database is terminated too, which is no good for data retention purposes. So in general people are asking about Elastic Beanstalk environments where the RDS instance is separate. – jakeatwork Jan 18 '20 at 13:24
  • We have 2 node.js apps in a Docker container on an EC2 instance. The info on the mandatory upgrade to get the certs on RDS is fine, but I have no idea how to apply them in my EC2 instance running a Docker container. We are using Sequelize. Any ideas? Please help. Upgrading the RDS MySQL cert breaks everything. – Tom Condon Feb 06 '20 at 06:33
  • You can check this blog to update Sequelize - https://medium.com/soluto-nashville/best-security-practices-for-amazon-rds-with-sequelize-600a8b497804, and this one to get the latest CA - https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html – Vivek Feb 20 '20 at 08:19
0

This is how we are managing SSL communication from Elastic Beanstalk to an external RDS PostgreSQL database. We add the following config file to .ebextensions (.ebextensions/rds.config):

commands:
  01-create-folder:
    command: mkdir -p /home/webapp/.postgresql
  02-download-cert:
    command: aws s3 cp s3://rds-downloads/rds-ca-2019-root.pem /home/webapp/.postgresql/root.crt
  03-change-owner:
    command: chown webapp:webapp /home/webapp/.postgresql/root.crt
  04-change-mode:
    command: chmod 400 /home/webapp/.postgresql/root.crt

The file downloads the certificate from the public S3 bucket and places it in the .postgresql folder as the root certificate. We have a Java application, and the JDBC driver successfully connects to RDS with SSL enabled.

kgiannakakis
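As an added example (it is not code from the question or from any of the answers above), the following Go program shows what "update your client-side trust store beforehand" means for any client that verifies the server certificate, whether the mysql client with --ssl-ca and --ssl-mode=VERIFY_IDENTITY from the first answer or the JDBC driver reading root.crt from the last one. It builds two constructed root CAs standing in for the old and new RDS CAs (no real AWS certificates are involved), issues a server certificate from the new CA, and then checks that certificate against an old-CA-only store, against a combined old+new bundle laid out like rds-combined-ca-bundle.pem, and against the combined bundle with a mismatched hostname. The hostname is the one quoted in the first answer; the CA names and "other.invalid" are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// makeCert generates a key and a certificate from tmpl, signed by parent (self-signed when
// parent is nil). Every certificate built here is constructed test data, not an AWS certificate.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano())
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// bundlePEM concatenates certificates into one PEM file, the layout of rds-combined-ca-bundle.pem.
func bundlePEM(certs ...*x509.Certificate) []byte {
	var out []byte
	for _, c := range certs {
		out = append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: c.Raw})...)
	}
	return out
}

// LoadTrustStore parses a PEM bundle into a root pool and reports how many certificates it held.
func LoadTrustStore(bundle []byte) (*x509.CertPool, int, error) {
	pool, n := x509.NewCertPool(), 0
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, n, err
		}
		pool.AddCert(cert)
		n++
	}
	if n == 0 {
		return nil, 0, fmt.Errorf("no certificates found in bundle")
	}
	return pool, n, nil
}

// VerifyServer does what VERIFY_IDENTITY / verify-full do: chain to a trusted root and match the hostname.
func VerifyServer(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// RotationDemo replays the rotation: the server switches to a certificate issued by the new CA and
// the result reports which client trust stores still accept it, plus the combined bundle's cert count.
func RotationDemo() (oldStoreOK, combinedOK, wrongHostOK bool, certs int, err error) {
	const host = "myinstance.c9akciq32.rds-us-east-1.amazonaws.com" // hostname quoted in the first answer
	caTmpl := func(cn string) *x509.Certificate {
		return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, IsCA: true,
			BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	}
	oldCA, _, err := makeCert(caTmpl("constructed-old-root-ca"), nil, nil)
	if err != nil {
		return
	}
	newCA, newKey, err := makeCert(caTmpl("constructed-new-root-ca"), nil, nil)
	if err != nil {
		return
	}
	server, _, err := makeCert(&x509.Certificate{Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, newCA, newKey)
	if err != nil {
		return
	}
	oldStore, _, err := LoadTrustStore(bundlePEM(oldCA))
	combined, certs, err2 := LoadTrustStore(bundlePEM(oldCA, newCA))
	if err != nil || err2 != nil {
		return false, false, false, certs, fmt.Errorf("loading trust stores: %v / %v", err, err2)
	}
	oldStoreOK = VerifyServer(server, oldStore, host) == nil             // false: client not updated yet
	combinedOK = VerifyServer(server, combined, host) == nil             // true: client updated in time
	wrongHostOK = VerifyServer(server, combined, "other.invalid") == nil // false: hostname is checked too
	return
}
```

The three verification results are the whole point: a client whose bundle holds only the old CA fails the moment the server reboots with the new certificate, the combined bundle keeps working through the rotation, and identity verification still rejects a certificate for the wrong host even when the CA is trusted. The certificate count returned by LoadTrustStore is the cheap pre-rotation check: a combined bundle that parses to a single certificate is not a combined bundle.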