[FOLIO-2331] Update Your Amazon RDS SSL/TLS Certificates Created: 28/Oct/19  Updated: 03/Jun/20  Resolved: 27/Feb/20

Status: Closed
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None

Type: Task Priority: P2
Reporter: Peter Murray Assignee: John Malconian
Resolution: Done Votes: 0
Labels: devops-backlog
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Sprint: DevOps: sprint 83
Story Points: 2
Development Team: FOLIO DevOps

Description

Email from AWS:

To protect your communications with RDS database instances, a Certificate Authority (CA) generates time-bound certificates that are checked by your database client software to authenticate any RDS database instance(s) before exchanging information. Following industry best practices, AWS renews the CA and creates new certificates on a routine basis to ensure RDS customer connections are properly protected for years to come. The current CA expires on March 5, 2020, requiring updates to existing RDS database instances with certificates referencing the current CA.

You are receiving this message because you have an Amazon RDS database instance(s) in the US-EAST-1 or US-EAST-2 Region(s). If your applications connect to those instances using the Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol please follow the detailed instructions in the link below to complete your update(s). If not completed, your applications will fail to connect to your DB instances using SSL/TLS after March 5, 2020.

We encourage you to test these steps within a development or staging environment before implementing them in your production environments. Beginning today, you can start testing and updating your existing RDS database instances. For detailed instructions, please visit: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html

Any new RDS instances created after November 1, 2019 will default to using the new certificates. If you wish to temporarily modify new instances manually to use the old (rds-ca-2015) certificates, you can do so using the AWS console or the AWS CLI. Any instances created prior to November 1, 2019 will have the rds-ca-2015 certificates until you update them to the rds-ca-2019 version.

If you have questions or issues, please contact AWS Support at: https://aws.amazon.com/support



Comments
Comment by Peter Murray [ 21/Nov/19 ]

Update from AWS

We previously sent a communication in early October to update your RDS SSL/TLS certificates by October 31, 2019. We have extended the dates and now request that you act before February 5, 2020 to avoid interruption of your applications that use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) to connect to your RDS and Aurora database instances. Note that this new date is only 4 weeks before the actual Certificate Authority (CA) expiration on March 5, 2020. Because our own deployments, testing, and scanning to validate all RDS instances are ready for the expiry must take place during the final 4 weeks, the February 5th date cannot be further extended.

You are receiving this message because you have an Amazon RDS database instance(s) that requires action in the US-WEST-2 Region, listed at the end of the email.

To protect your communications with RDS database instances, a CA generates time-bound certificates that are checked by your client applications that connect via SSL/TLS to authenticate RDS databases before exchanging information. AWS renews the CA and creates new root certificates every five years to ensure RDS customer connections are properly protected for years to come.

The current CA expires on March 5, 2020, requiring updates to client applications and database instances that have certificates referencing the current CA. Client applications must add new CA certificates (root and intermediate where necessary) to their trust stores, and RDS database instances must separately use new server certificates before this hard expiration date. However, we strongly recommend you complete these changes before February 5, 2020. After February 5, 2020, we will begin scheduling certificate rotations for your RDS database instances prior to the March 5, 2020 deadline. The automatic update(s) will be scheduled within your maintenance window.

Additionally, any new RDS database instances created after January 14, 2020 (previously November 1, 2019) will default to using the new certificates. If your client applications have not been updated to add the new certificates to their trust stores, these applications will fail to connect to any new instances created after this date. If you wish to temporarily modify new instances to use the old certificates, you can do so using the AWS console, the RDS API, and the AWS CLI. Any instances created prior to January 14, 2020 will have the old certificates until you update them to the rds-ca-2019 version.

If your applications connect to RDS database instances using the SSL/TLS protocol, please follow the detailed instructions in the links below. Based on your feedback, we have provided, per database engine, further instructions on 1.) how to determine whether your client applications are connecting to your RDS databases via SSL/TLS and 2.) how to update your client application trust stores to include the new CA certificates.

If your applications do not use SSL/TLS to connect, there are no required actions that you need to take. However, using SSL/TLS is a security best practice so we recommend all customers perform this upgrade so that your applications can start using SSL seamlessly. Before March 5, 2020, RDS will schedule and perform pending maintenance actions which you can view in the RDS console to ensure you have valid certificates after the current certificates expire. The automatic update(s) will be scheduled within your maintenance window.

For RDS: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html
For Aurora: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL-certificate-rotation.html

We encourage you to test these steps in a development or staging environment before implementing them in your production environments. If not completed, your applications using SSL/TLS will fail to connect to your existing database instances as soon as RDS rotates your certificates on the database side prior to March 5, 2020.

If you have questions or issues, please contact AWS Support at: https://aws.amazon.com/support

Your impacted RDS instances:
okapi-preview folio-eks-oregon-1

Sincerely,
Amazon Web Services

Comment by Peter Murray [ 21/Nov/19 ]

cc: Oleksii Popov for future Core Platform sprint planning.

Comment by Oleksii Popov [ 22/Nov/19 ]

Peter Murray we will score this ticket. Then it can be taken into the work next sprint.
During this sprint, the team is already fully occupied with tasks.
FYI Jakub Skoczen

Comment by Peter Murray [ 22/Nov/19 ]

Thank you, Oleksii; next sprint should be fine. The delay was my fault for not alerting you sooner.

Comment by Peter Murray [ 15/Jan/20 ]

Got another notification about this today.

You're receiving this message because you have one or more Amazon RDS database instances that need action in the us-east-1 Region, listed in the 'Affected resources' tab in your Personal Health Dashboard.

In this notification, we provide new information about your Amazon RDS certificate authority (CA) certificate updates. We are sending this information to help make your certificate rotations simpler and to give you more control over the rotation process.

As previously communicated, the current CA expires on March 5, 2020, requiring updates to all client applications and database instances with certificates that reference the current CA. In order to avoid interruption to your applications which use SSL/TLS, we strongly recommend that you complete your updates before February 5, 2020. Client applications must add new CA certificates to their trust stores, including root and intermediate certificates where necessary. RDS database instances must separately use new server certificates before this hard expiration date. If you've missed previous communications on this subject, see this Database Blog post for more information:

https://aws.amazon.com/blogs/database/amazon-rds-customers-update-your-ssl-tls-certificates-by-february-5-2020/

Important details follow:

If your applications do not connect using SSL/TLS, you don't need to restart your database. In this case, between February 5 and March 5, 2020, RDS will stage new certificates on your database hosts without restarting your databases, to avoid interruption to your applications. As a result, the new certificates won't go into effect until your next database restart.
If you aren't sure whether your applications connect using SSL/TLS, please review the documentation below to verify whether your applications connect using SSL/TLS:

For RDS: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html

For Amazon Aurora: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL-certificate-rotation.html

Then complete your client application and database certificate updates to avoid potential risk of disruption.

If your client applications connect using SSL/TLS and verify the database server certificate, and you plan to complete both your client application and database certificate updates before January 14, 2020, you don't need to take further actions.

Starting on January 14, 2020, any new Aurora cluster or RDS database you create will default to using the new certificates. If you haven't updated your applications, they will fail to connect to any new databases created after this date. Applications will still connect to any existing database instances created before January 14, 2020.

An API update is available so that you can set your preferences to override the default certificates for newly created database instances until February 4, 2020. If you need more time, you can set the default to the old certificates using the modify-certificates API. This override will work only until February 4, 2020. Also, please make sure you have AWS CLI version 1.17 or later to use this API, since older versions do not support this update. For more information about the modify-certificates API, see https://docs.aws.amazon.com/cli/latest/reference/rds/modify-certificates.html.

You can also revert the new database certificates back to the old certificates using the AWS console, API, or CLI.

Between February 5 and March 5, 2020, RDS will stage the new certificates on your database hosts, and the certificates will take effect at your next database restart. If you haven't updated your application trust stores, your applications will lose connectivity when your database restarts. A restart can occur because of a planned maintenance action requiring a restart or because of an unplanned restart, such as a database crash.

For detailed instructions on how to update your client application trust stores and rotate your SSL/TLS certificates, see the following documentation topics:

For RDS: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html

For Amazon Aurora: https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/UsingWithRDS.SSL-certificate-rotation.html

We encourage you to test these steps in a development or staging environment before implementing them in your production environments.

If you have questions or issues, contact AWS Support at: https://aws.amazon.com/support
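The notices above boil down to two questions per instance: is the server still on rds-ca-2015, and does any client actually verify the server certificate (only a verifying client breaks when the trust store lacks the new CA). The following is an added triage script, not code from the ticket, from FOLIO DevOps, or from AWS. It parses `aws rds describe-db-instances` output and libpq-style connection strings; it assumes PostgreSQL instances and libpq clients (the ticket does not state the engine), and the instance names other than okapi-preview, the endpoints and the connection strings are constructed for the example. The `modify-db-instance` flags it emits are the documented ones for rotating an instance's CA.

```python
"""Triage for the rds-ca-2015 -> rds-ca-2019 rotation in the ticket.
Added illustration, not FOLIO DevOps or AWS code.  Assumes (not stated on
the page) PostgreSQL instances and libpq clients: only sslmode=verify-ca or
verify-full validates the chain, so only those clients fail when the server
presents a certificate from a CA missing from their trust store."""
import json
from urllib.parse import parse_qs, urlparse

TARGET_CA = "rds-ca-2019"
VERIFYING_SSLMODES = {"verify-ca", "verify-full"}

# Constructed sample in the shape of `aws rds describe-db-instances` output.
# "okapi-preview" is named in the ticket; the rest is made up for the example.
DESCRIBE_OUTPUT = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "okapi-preview", "CACertificateIdentifier": "rds-ca-2015",
     "Endpoint": {"Address": "okapi-preview.example.rds.amazonaws.com", "Port": 5432},
     "PendingModifiedValues": {}},
    {"DBInstanceIdentifier": "example-staging", "CACertificateIdentifier": "rds-ca-2015",
     "Endpoint": {"Address": "example-staging.example.rds.amazonaws.com", "Port": 5432},
     "PendingModifiedValues": {"CACertificateIdentifier": "rds-ca-2019"}},
    {"DBInstanceIdentifier": "example-new", "CACertificateIdentifier": "rds-ca-2019",
     "Endpoint": {"Address": "example-new.example.rds.amazonaws.com", "Port": 5432},
     "PendingModifiedValues": {}},
]})

# Constructed client connection strings: one URI form, one key=value form.
CLIENT_DSNS = [
    "postgresql://folio@okapi-preview.example.rds.amazonaws.com:5432/okapi?sslmode=verify-full",
    "host=example-staging.example.rds.amazonaws.com port=5432 dbname=okapi sslmode=require",
]

def parse_dsn(dsn):
    """Parameters of a libpq URI or key=value connection string.  sslmode
    defaults to libpq's 'prefer' when absent (PGSSLMODE from the environment
    could still override it; not modelled here)."""
    params = {}
    if dsn.startswith(("postgres://", "postgresql://")):
        url = urlparse(dsn)
        params["host"] = url.hostname
        params.update({k: v[0] for k, v in parse_qs(url.query).items()})
    else:
        for token in dsn.split():
            key, _, value = token.partition("=")
            params[key] = value.strip("'")
    params.setdefault("sslmode", "prefer")
    return params

def client_verifies_server_cert(dsn):
    """True only when the client validates the chain, i.e. it is a client
    that fails after rotation unless its trust store is updated first."""
    return parse_dsn(dsn)["sslmode"] in VERIFYING_SSLMODES

def rotation_status(describe_json, target_ca=TARGET_CA):
    """Classify each instance: done, pending-restart (new CA staged, takes
    effect at the next restart) or needs-rotation."""
    statuses = {}
    for inst in json.loads(describe_json)["DBInstances"]:
        active = inst.get("CACertificateIdentifier")
        pending = inst.get("PendingModifiedValues", {}).get("CACertificateIdentifier")
        if active == target_ca:
            state = "done"
        elif pending == target_ca:
            state = "pending-restart"
        else:
            state = "needs-rotation"
        statuses[inst["DBInstanceIdentifier"]] = state
    return statuses

def modify_command(identifier, target_ca=TARGET_CA, apply_immediately=False):
    """argv for the CLI call that rotates one instance's server certificate;
    without --apply-immediately the change waits for the maintenance window."""
    return ["aws", "rds", "modify-db-instance",
            "--db-instance-identifier", identifier,
            "--ca-certificate-identifier", target_ca,
            "--apply-immediately" if apply_immediately else "--no-apply-immediately"]

def rotation_plan(describe_json, client_dsns, target_ca=TARGET_CA):
    """Instances still to rotate, flagged when a verifying client points at
    them (rotate those only after that client's trust store has the new CA)."""
    statuses = rotation_status(describe_json, target_ca)
    verifying_hosts = {parse_dsn(d)["host"] for d in client_dsns
                       if client_verifies_server_cert(d)}
    plan = {}
    for inst in json.loads(describe_json)["DBInstances"]:
        ident = inst["DBInstanceIdentifier"]
        if statuses[ident] == "done":
            continue
        plan[ident] = {"status": statuses[ident],
                       "update_trust_store_first": inst["Endpoint"]["Address"] in verifying_hosts,
                       "command": modify_command(ident, target_ca)}
    return plan

if __name__ == "__main__":
    for ident, entry in rotation_plan(DESCRIBE_OUTPUT, CLIENT_DSNS).items():
        print(ident, entry["status"],
              "trust store first" if entry["update_trust_store_first"] else "safe to rotate",
              " ".join(entry["command"]))
```

Run against real output by replacing `DESCRIBE_OUTPUT` with the result of `aws rds describe-db-instances --output json` and `CLIENT_DSNS` with the connection strings the applications actually use. In the sample, okapi-preview is flagged "trust store first" because its client uses verify-full, while the staging instance's client only uses sslmode=require, which encrypts without checking the chain and so survives the rotation either way.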

Generated at Thu Feb 08 23:19:53 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.