Cloudten techblog: Don’t Get Caught Out! AWS RDS SSL certificate expiry 23/3/2015

AWS has announced that it will be rotating its internal CA signers at the end of this month for SSL certificates that are used to secure communications with RDS DB instances.

What does this mean? If you use SSL between your application and RDS, you MUST update both the RDS instance (so it serves a certificate issued by the new CA) and the trust stores of every connecting client (so they trust that new CA). If you don’t use SSL for DB communications you can ignore this (however, you probably should be using SSL in production, and your clients should be verifying the server certificate, otherwise SSL gives you encryption but no protection against a man-in-the-middle).

What happens if I don’t? The current signer certificates expire on 23/3/2015 (or 3/23/15 if you’re that way inclined). RDS instances will not be rebooted automatically, so your apps will continue to function until the next time you restart your databases. When an instance comes back up with a certificate from the new CA, clients that still trust only the old CA will fail to connect, and the failures will appear in your logs as SSL trust or certificate validation errors. THIS WILL CAUSE YOU PRODUCTION PROBLEMS IF YOU DO USE SSL AND DON’T UPDATE BEFOREHAND.

How do I fix it? AWS have released a number of broadcasts about this upcoming event and have supplied details on how to address the issue. The following link provides detailed information on how to update the server-side certificate on each instance (the new CA is selected per instance and only takes effect after a reboot, so plan the restart into a maintenance window):

Also, you need to update the trust stores of any apps/tools that connect to your RDS instance. For example, if you are using Tomcat then you need to import the new CA certificates into the cacerts file of the JDK (or JRE) that Tomcat runs on, and restart Tomcat afterwards so the JVM re-reads it. The following blogpost from Justin Ludwig gives a scripted example of how to do this on a Linux box. You’ll possibly need to update the location of the cacerts file and the keystore password, but the theory is sound and the script works.
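To make the two steps above concrete, here is an added shell example (written for this post; it is not Cloudten’s, Justin Ludwig’s or AWS’s own script). It covers both sides: finding RDS instances still pinned to the old CA from `describe-db-instances` output, applying the new CA identifier, and splitting AWS’s combined PEM bundle into single certificates so each can be imported into the JDK cacerts keystore with `keytool`. Assumptions, none of which appear in the post: the new CA identifier is `rds-ca-2015`, the bundle URL is the `rds-combined-ca-bundle.pem` location AWS published at the time, and the keystore path and password are the JDK defaults (`$JAVA_HOME/jre/lib/security/cacerts`, `changeit`). The sample instance list is constructed for illustration.

```shell
#!/bin/sh
# Added example, not the original post's code. Assumed values (override via env):
TARGET_CA="${TARGET_CA:-rds-ca-2015}"                       # assumed new CA identifier
RDS_CA_BUNDLE_URL="${RDS_CA_BUNDLE_URL:-https://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem}"
CACERTS="${CACERTS:-${JAVA_HOME:-/usr/lib/jvm/default-java}/jre/lib/security/cacerts}"  # JDK default path
STOREPASS="${STOREPASS:-changeit}"                           # JDK default password

# --- Server side -------------------------------------------------------------

# Print the identifiers of instances whose CA is not TARGET_CA. Reads
# tab-separated "instance-id<TAB>ca-id" lines on stdin, i.e. the output of:
#   aws rds describe-db-instances --output text \
#     --query 'DBInstances[].[DBInstanceIdentifier,CACertificateIdentifier]'
instances_needing_update() {
    awk -F'\t' -v want="$TARGET_CA" '$2 != want { print $1 }'
}

# Switch one instance to the new CA. The change only takes effect after a
# reboot; --apply-immediately reboots now, so call this in a maintenance window
# (drop it to defer to the next maintenance window instead).
update_instance_ca() {
    aws rds modify-db-instance --db-instance-identifier "$1" \
        --ca-certificate-identifier "$TARGET_CA" --apply-immediately
}

# --- Client side (Java trust store) -------------------------------------------

# Split a combined PEM bundle ($1) into rds-ca-N.pem files in directory $2 and
# print the number of certificates written. keytool imports exactly one
# certificate per alias, so the bundle cannot be imported in a single call.
split_pem_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/rds-ca-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$1"
}

# Import every split certificate into cacerts under its own alias, then list
# it back so a failed import is visible rather than silently ignored.
import_into_cacerts() {
    dir=$1
    for pem in "$dir"/rds-ca-*.pem; do
        alias=$(basename "$pem" .pem)
        keytool -importcert -noprompt -trustcacerts -alias "$alias" \
            -file "$pem" -keystore "$CACERTS" -storepass "$STOREPASS"
        keytool -list -keystore "$CACERTS" -storepass "$STOREPASS" -alias "$alias"
    done
}

# Typical run (network and keytool required, so not executed at load time):
#   aws rds describe-db-instances --output text \
#     --query 'DBInstances[].[DBInstanceIdentifier,CACertificateIdentifier]' \
#     | instances_needing_update | while read -r id; do update_instance_ca "$id"; done
#   d=$(mktemp -d) && curl -fsSL "$RDS_CA_BUNDLE_URL" -o "$d/bundle.pem"
#   split_pem_bundle "$d/bundle.pem" "$d" && import_into_cacerts "$d"
#   then restart Tomcat so the JVM picks up the updated keystore.
```

Back up `cacerts` before importing, and remember that the new trust store is only read when the JVM starts, so the Tomcat restart is part of the change, not an optional extra.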

Cloudten Industries © is an Australian cloud practice and a recognised consulting partner of AWS. We specialise in the design, delivery and support of cloud based solutions. Don’t hesitate to contact us if you have any queries about this post or any cloud related topic.