Closed dbnicholson closed 2 weeks ago
We've been installing the RDS CA bundle from https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem for years. However, the documented[1] URL is https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem. The former hasn't been updated in years and all the certificates in it are about to expire:
$ curl -sSIL https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem | grep -i ^last-modified: Last-Modified: Tue, 28 Apr 2020 15:18:37 GMT $ curl -sSIL https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem | grep -i ^last-modified: last-modified: Mon, 18 Dec 2023 20:34:46 GMT
This should have no compatibility issues as global-bundle.pem is a superset of rds-combined-ca-bundle.pem including all the soon to be expired CA certificates.
https://phabricator.endlessm.com/T35141
We've been installing the RDS CA bundle from https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem for years. However, the documented[1] URL is https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem. The former hasn't been updated in years and all the certificates in it are about to expire:
$ curl -sSIL https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem | grep -i ^last-modified: Last-Modified: Tue, 28 Apr 2020 15:18:37 GMT $ curl -sSIL https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem | grep -i ^last-modified: last-modified: Mon, 18 Dec 2023 20:34:46 GMT
This should have no compatibility issues as global-bundle.pem is a superset of rds-combined-ca-bundle.pem including all the soon to be expired CA certificates.
https://phabricator.endlessm.com/T35141