“You need to download & install a fresh certificate, rotate the certificate authority for the instances, and then reboot the instances.”
AWS has warned users of its Aurora, DocumentDB and RDS databases that they need to download and install new SSL/TLS certificates by January 14, or risk applications that use them breaking when they fail to connect to AWS database instances.
Most users should have received console notifications: the new SSL/TLS certificates –rolled out every five years “as part of our standard maintenance and security discipline” – have been available since September 19, 2019.
But the cloud giant late Tuesday pushed out a public notice too, in a bid to remind laggards to make the “urgent and important” move, as the deadline looms – although not everyone, of course, will be using SSL/TLS to encrypt connections to DB instances.
The move has drawn howls of complaint from some users, who said they were startled that the issue was not automated on the AWS side.
AWS Certificate Update
AWS users choosing to add more nodes to an existing cluster to one of the affected databases will get the new CA-2019 certificate if one of the existing nodes already has it, AWS notes; the cert. won’t magically self-install. Otherwise, new nodes will use the CA-2015 certificate by default.
AWS’s Jeff Barr noted: “If you are taking advantage of SSL/TLS certificate validation when you connect to your database instances, you need to download & install a fresh certificate, rotate the certificate authority (CA) for the instances, and then reboot the instances. If you are not using SSL/TLS connections or certificate validation, you do not need to make any updates, but I recommend that you do so in order to be ready in case you decide to use SSL/TLS connections in the future.
He added: “In this case, you can use a new CLI option that rotates and stages the new certificates but avoids a restart.”
On Twitter and a Reddit thread confusion reigned supreme about why the manual update was necessary. As one user put it: “So ridiculous that AWS requires our interaction for updating their certs.. poor design. It’s kinda like requiring web users to do something when I rotate my ssl certs on a web box.”
It's tough. We have financial customers connecting to RDS directly who have change process that take literally months. I can redeploy my own stuff easily but working with a couple of hundred clients to update their CA bundles is time consuming and expensive.
— Jonathan Baker (@CloudKickOff) January 9, 2020
AWS’s timeline is as follows:
- January 14, 2020 – Instances created on or after this date will have the new (CA-2019) certificates. Users can temporarily revert to the old certificates if necessary.
- February 5 to March 5, 2020 – RDS will stage (install but not activate) new certificates on existing instances. Restarting the instance will activate the certificate.
- March 5, 2020 – The CA-2015 certificates will expire. Applications that use certificate validation but have not been updated will lose connectivity.
If your database client knows how to handle certificate chains, users can download the root certificate and use it for all regions. If not, they need to download a certificate that is specific to the region where their database instance resides.
All regions are affected apart from Bahrain, Hong Kong, and China (Ningxia).