aws / opsworks-cookbooks

Chef Cookbooks for the AWS OpsWorks Service

RDS SSL Certificate rotation? #290

Closed evdevdev closed 6 years ago

evdevdev commented 9 years ago

I recently received an email from AWS explaining that my RDS SSL certificate will be rotated.

However, since my RDS connection is managed by OpsWorks, I was wondering if this would automatically be handled by your recipes?

The original email is pasted below:

Dear Amazon RDS Customer,

This message provides specific instructions for you to perform in order to avoid interruption to your database connectivity if your applications are using SSL to connect to your RDS instances. If you have already rotated your SSL certificates, you do not need to take any further action.

As part of AWS’s standard maintenance and security best practices for RDS, SSL certificates for your RDS instance will be rotated on Mon, 23 Mar 2015 20:00:00 GMT. If your application uses SSL to connect to your RDS instance, you MUST follow the steps below to use the new certificate bundle BEFORE Mon, 23 Mar 2015 20:00:00 GMT; otherwise, your applications may fail to connect to your RDS instances after that time. We strongly encourage you to test these steps within a development/staging environment before following them for your production environments.

Step 1: Download the new certificates from the files linked in the RDS SSL documentation here: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html

Step 2: Use the certificate you downloaded in Step 1 to update your database clients/applications appropriately.

Step 3: Use the “Modify” operation for your RDS instance on the AWS Management Console and change the Certificate Authority from rds-ca-2010 to rds-ca-2015. Specify the “Apply Immediately” option. This step will rotate the SSL certificate on the database instance and initiate a reboot operation to have the certificate take effect. Note that the reboot operation typically takes less than two minutes to complete. In some cases such as when there are a large number of tables in a database, it could take longer. Refer to Amazon RDS best practices to learn more: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_BestPractices.html

Sincerely, The Amazon RDS Team

fredrik commented 9 years ago

@earnold, you mention that your RDS connection is managed by OpsWorks. Are you definitely using SSL? As far as I can tell from the docs, one must enable SSL by appending sslmode=require to the connection string.

In my case I am not connecting using SSL, so the steps I followed were simply to modify my RDS instance to use rds-ca-2015 as the Certificate Authority. If you don't apply immediately this will take effect during the next maintenance window, which is what I did.

Hope that helps!

evdevdev commented 9 years ago

@fredrikmollerstrand That is an interesting thing that I have not been able to diagnose.

We're using Rails 3.2, which ultimately connects via the pg gem. The sslmode option is not reflected in the ActiveRecord adaptor, so I suspect it is handled in an underlying thing.

This suggests that there might be SSL going on under the hood.

Likewise, when I use rails dbconsole it connects via ssl without me specifying it should. But this could be a side effect of psql?
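One way to settle the question raised in this thread (is the connection using SSL, and will the rotation break it) without relying on what the pg gem or psql does implicitly is to speak the PostgreSQL SSL handshake directly and validate the server certificate against the downloaded CA bundle. The script below is an added example, not part of the opsworks-cookbooks repository or this issue; the endpoint and bundle path are placeholders you supply. Note that `sslmode=require` encrypts the session but does not by itself validate the server certificate; it is `verify-ca`/`verify-full` clients pinned to the old bundle that the rotation actually affects, and this probe behaves like `verify-full`.

```ruby
require "socket"
require "openssl"

# PostgreSQL SSLRequest: Int32 length (8) followed by Int32 code 80877103,
# i.e. (1234 << 16) | 5679. The server answers with one byte, 'S' (SSL
# accepted) or 'N' (SSL not available), before any TLS bytes are exchanged.
SSL_REQUEST_CODE = 80877103

def ssl_request_packet
  [8, SSL_REQUEST_CODE].pack("NN")
end

# Interpret the single-byte reply to the SSLRequest.
def ssl_offered?(byte)
  case byte
  when "S" then true
  when "N" then false
  else raise "unexpected SSLRequest response: #{byte.inspect}"
  end
end

# Context equivalent to libpq's sslmode=verify-full: chain must validate
# against the given CA bundle and the hostname must match the certificate.
def verify_full_context(ca_bundle_path)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ca_file = ca_bundle_path
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true
  ctx
end

# Connect, negotiate SSL the PostgreSQL way, and return details of the
# certificate presented. Raises on a chain that does not validate against
# the bundle, which is what a verify-ca/verify-full client would see after
# the rotation if it still ships the rds-ca-2010 bundle.
def probe_rds_ssl(host, port, ca_bundle_path)
  tcp = TCPSocket.new(host, port)
  tcp.write(ssl_request_packet)
  return { ssl: false } unless ssl_offered?(tcp.read(1))
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, verify_full_context(ca_bundle_path))
  ssl.hostname = host # SNI and hostname verification target
  ssl.connect
  cert = ssl.peer_cert
  { ssl: true, subject: cert.subject.to_s, issuer: cert.issuer.to_s,
    not_after: cert.not_after }
ensure
  ssl&.close
  tcp&.close
end

# Usage (placeholder endpoint and bundle path, replace with your own):
#   probe_rds_ssl("mydb.example.rds.amazonaws.com", 5432, "rds-ca-2015.pem")
```

Run it once against the bundle you currently deploy and once against the new one; a validation error with the old bundle and a clean result with the new one tells you the rotation matters for that client.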