
I currently need to update the CA certificates for my AWS RDS instance, and as far as I am aware there are two ways to do this: by modifying my DB instance or by applying DB instance maintenance (source: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html).

Does it matter which method I choose? Is one way particularly better than the other/better in some circumstances?

user11508332

2 Answers


In both methods, it is given that the RDS instance needs a reboot (read as outage!).

In our case, the RDS client application (Java-based) had trouble re-establishing its JDBC/SSL connection with the rebooted RDS instance (after the CA upgrade), so we had to manually trigger a restart of the RDS client application to bring the situation back to normal. Hence, we needed to know exactly at what point the RDS CA upgrade was complete.

Hence, the workflow would be like this:

1/ Add CA (2019) to your client application's trust store first!
2/ On the RDS side, use 'Apply Immediately' option in lower environments (in Production, we also used 'Apply Immediately' but executed it during the approved maintenance window).
3/ Wait for a few minutes for AWS to apply CA and reboot the RDS instance.
4/ Go and perform post-actions like restart your client application (if needed) and regression tests.

In this way, we were able to limit the outage to a couple of minutes.

Alert: Had we chosen the 'Apply during maintenance window' option, we would not have been 'in control' of at what point AWS would upgrade the RDS CA, because AWS may choose any point in time during the specified maintenance window to perform the upgrade; it is not guaranteed to be at the start of the maintenance window.

Hope this helps!

Ram Grandhi
  • Just clarifying: this reboot takes just a few minutes, and shouldn't really have much of an impact on using the application? – user11508332 Mar 02 '20 at 10:51
  • @user11508332 - in my case, the client application had trouble re-establishing the JDBC/SSL connection after the RDS instance reboot. Hence, an explicit restart of the client application was also needed (after the RDS restart) to bring things back to normal. It is different for every client application, so the best way is to test! – Ram Grandhi Mar 02 '20 at 11:45
  • Sorry, one more question - how do you actually add the certificate to the truststore after downloading it? Is there a way to do this without command lines (possibly through the AWS console/MySQL Workbench??) – user11508332 Mar 03 '20 at 11:38
  • @user11508332 - the truststore resides on the client application side, not on AWS/RDS. You can use the openssl utility to add the 2019 RDS CA certificates to your client app's trust store. One doubt: I anticipate that you are not using JDBC-over-SSL to connect to RDS. Please check that first; if you are using JDBC (without SSL), then you need to use the `--no-certificate-rotation-restart` option while applying the CA upgrade via the CLI -- it does not restart RDS. More on it [here](https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html). – Ram Grandhi Mar 03 '20 at 11:53
  • You're right, I'm using MySQL and a node.js EC2 instance application. By client application side, are you referring to the EC2 instance or the RDS instance? I'm using MySQL Workbench to connect to RDS - would you know what to do? – user11508332 Mar 03 '20 at 12:16
  • @user11508332 - The client app is your node.js implementation running on EC2. MySQL Workbench (being another client app) might or might not be using SSL to connect with RDS -- check this [answer](https://superuser.com/questions/325670/mysql-workbench-and-ssl-support). PS: if the above answers helped you, go ahead and vote for them by clicking the UP ARROW, for others to benefit. – Ram Grandhi Mar 03 '20 at 15:05
  • I have confirmed it uses an SSL connection, so assuming I now need to update the trust store of the node.js client application, how would I go about doing so? – user11508332 Mar 03 '20 at 19:31
  • @user11508332 - Tip: Use google when in doubt. Here is how you can do it with keytool command :: https://access.redhat.com/documentation/en-us/red_hat_jboss_data_virtualization/6.2/html/security_guide/add_a_certificate_to_a_truststore_using_keytool – Ram Grandhi Mar 03 '20 at 21:06
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/208944/discussion-between-ram-grandhi-and-user11508332). – Ram Grandhi Mar 03 '20 at 21:09

I like to test the update manually by modifying the DB instance in a test environment. Then I confirm any dependent software, and make sure that everything is working.

Then in production I let it modify during the maintenance window update. Since this change requires a reboot, I let it apply during my 3 a.m. Sunday maintenance window.

So both methods are handy depending on your needs. The end result is identical.

Rodrigo Murillo