cloudcaptainsh / cloudcaptain

Issue Tracker for CloudCaptain

App can't connect to RDS with rds-ca-rsa2048-g1 #290

Closed tomcandysoft closed 6 months ago

tomcandysoft commented 9 months ago

The new SSL/TLS version rds-ca-rsa2048-g1 is recommended by RDS. After switching to this new cert, the app stops connecting to the RDS instance. As I check, there is no way to override the JKS file used when deploying the app. Will this SSL/TLS version be supported soon?

axelfontaine commented 9 months ago

Thanks for bringing this up. We plan to update this in time before it becomes the new default. Until then you can include the new certificate yourself in a custom cacerts file. You can take the existing one from a recent JRE and manually add the RDS certificate. After placing the new cacerts file in the correct location it will automatically override the built-in one. See https://cloudcaptain.sh/docs/payloads/springboot#root-certificates
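
The workaround described in the comment above (take cacerts from a recent JRE, add the RDS certificate, place the file where the linked docs say), as an added example that is not CloudCaptain's own code: a POSIX shell script that splits AWS's published RDS certificate bundle into one PEM file per certificate and imports each into a copy of the JRE's cacerts with keytool. The bundle URL in the usage note is AWS's global RDS trust store; the alias scheme, the script name and the argument layout are my own choices, and the final location of the resulting file is whatever the CloudCaptain docs linked above specify.

```shell
#!/usr/bin/env bash
# Added example, not CloudCaptain's own code: build a custom cacerts trust store
# that is a recent JRE's cacerts plus the RDS CA certificates from AWS's bundle.
# Usage: ./build-cacerts.sh <jre-cacerts> <rds-bundle.pem> <output-cacerts>
set -eu

# Split a PEM bundle into one file per certificate (cert-001.pem, cert-002.pem, ...)
# under $2, ignoring any text outside the BEGIN/END blocks. Prints the count.
split_pem_bundle() {
  local bundle="$1" outdir="$2"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%03d.pem", dir, n); inblock = 1 }
    inblock { print > out }
    /-----END CERTIFICATE-----/ { inblock = 0; close(out) }
  ' "$bundle"
  find "$outdir" -name 'cert-*.pem' | wc -l | tr -d ' '
}

# Copy the JRE trust store and import every split certificate into the copy.
# "changeit" is the JDK's default cacerts password; -noprompt suppresses the
# per-certificate confirmation so the loop runs unattended.
build_cacerts() {
  local src="$1" certdir="$2" dest="$3" cert alias
  cp "$src" "$dest"
  for cert in "$certdir"/cert-*.pem; do
    # Alias scheme (my choice): rds-cert-001, rds-cert-002, ... so the added
    # entries are easy to find when listing the store.
    alias="rds-$(basename "$cert" .pem)"
    keytool -importcert -noprompt -trustcacerts \
      -keystore "$dest" -storepass changeit \
      -alias "$alias" -file "$cert"
  done
}

# Number of trusted certificate entries in a store, as a sanity check.
count_trusted_entries() {
  keytool -list -keystore "$1" -storepass changeit | grep -c 'trustedCertEntry'
}

main() {
  [ $# -eq 3 ] || { echo "usage: $0 <jre-cacerts> <rds-bundle.pem> <output-cacerts>" >&2; exit 2; }
  local workdir count
  workdir=$(mktemp -d)
  count=$(split_pem_bundle "$2" "$workdir/certs")
  echo "bundle contains $count certificates"
  build_cacerts "$1" "$workdir/certs" "$3"
  echo "$(count_trusted_entries "$3") trusted entries in $3"
  rm -rf "$workdir"
}

# Only run when invoked with arguments, so the functions can be sourced on their own.
if [ $# -gt 0 ]; then main "$@"; fi
```

Fetch the bundle first with `curl -fsSL https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem -o global-bundle.pem` (the global bundle covers every region, so one store works for all RDS endpoints), then run `./build-cacerts.sh "$JAVA_HOME/lib/security/cacerts" global-bundle.pem cacerts`. Check the result with `keytool -list -keystore cacerts -storepass changeit | grep rds-` before copying the file to the location given in the docs linked above; the entries should appear alongside the JRE's own roots, since the copy starts from the full JRE store rather than an empty one.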

axelfontaine commented 6 months ago

You can now update cacerts to version 2024.01.20. This version comes with out-of-the-box support for all the new RDS certificates (rsa2048, rsa4096, ecc384) for all AWS regions.

The next version of the client will ship with this version by default, but you can already upgrade cacerts today with the existing client.