AWS RDS Certificate Update

Background

Amazon has announced that it is replacing the SSL/TLS certificates used by a variety of its data services, including RDS and Aurora.

Impact

This change affects you only if you have SSL/TLS enabled for Spinnaker's connections to Aurora. The Spinnaker services that can use Aurora are Clouddriver, Orca, and Front50. Applying the update may require a restart of your Aurora instance, which makes your Spinnaker deployment temporarily unavailable.

During that downtime, any Spinnaker services that use Aurora display errors. This is expected until the database is available again.

Updating your certificates

Aurora picks up the new certificate after a restart. You can schedule the update for your next planned downtime or apply it immediately.

During planned downtime

Run the following command:

aws rds modify-db-instance --db-instance-identifier database-1 \
--ca-certificate-identifier rds-ca-2019

The update is applied during the next scheduled downtime, when the instance restarts.

Immediately

You can apply the certificate update immediately, which restarts the instance right away and results in downtime.

Run the following command:

aws rds modify-db-instance --db-instance-identifier database-1 \
--ca-certificate-identifier rds-ca-2019 --apply-immediately


No SSL

If you do not use SSL/TLS for your connections, you can update the certificate authority without restarting the database.

Run the following command:

aws rds modify-db-instance --db-instance-identifier database-1 \
--ca-certificate-identifier rds-ca-2019 --no-certificate-rotation-restart
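
The three commands above differ only in which flag is appended, and each instance must be checked separately. The following script is an added example (not part of the original page or of the Spinnaker project) that reads the JSON produced by aws rds describe-db-instances, lists the instances whose CACertificateIdentifier is not yet rds-ca-2019, and prints the exact modify-db-instance command for each one according to whether SSL/TLS is in use and whether the change should apply now. The describe-db-instances output embedded below is a constructed sample; the function names, the SSL and apply-now parameters, and the instance names other than database-1 are assumptions. It makes no AWS calls, so you can review the generated commands before running them.

```python
"""Plan RDS CA rotations from `aws rds describe-db-instances` output.

Assumption: SAMPLE_DESCRIBE_OUTPUT is a constructed stand-in for what
`aws rds describe-db-instances --output json` returns. Only the two keys
read here (DBInstanceIdentifier, CACertificateIdentifier) are real output
fields. Nothing is executed against AWS; the commands are only printed.
"""
import json
import shlex
from typing import List

TARGET_CA = "rds-ca-2019"

# Constructed sample: one instance already rotated, two still on the old CA.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "DBInstances": [
        {"DBInstanceIdentifier": "database-1", "CACertificateIdentifier": "rds-ca-2015"},
        {"DBInstanceIdentifier": "front50-db", "CACertificateIdentifier": "rds-ca-2019"},
        {"DBInstanceIdentifier": "orca-db", "CACertificateIdentifier": "rds-ca-2015"},
    ]
})


def instances_needing_rotation(describe_json: str, target_ca: str = TARGET_CA) -> List[str]:
    """Return identifiers of instances whose CA is not yet `target_ca`."""
    data = json.loads(describe_json)
    return [
        db["DBInstanceIdentifier"]
        for db in data.get("DBInstances", [])
        if db.get("CACertificateIdentifier") != target_ca
    ]


def modify_command(instance_id: str, uses_ssl: bool, apply_now: bool,
                   target_ca: str = TARGET_CA) -> List[str]:
    """Build the argv for one rotation, mirroring the three cases on this page.

    - SSL in use, planned downtime: no extra flag; the change lands at the
      next scheduled downtime, when the instance restarts.
    - SSL in use, immediate: --apply-immediately restarts the instance now,
      so Spinnaker services using it error until it is back.
    - SSL not in use: --no-certificate-rotation-restart, no restart needed.
    """
    argv = ["aws", "rds", "modify-db-instance",
            "--db-instance-identifier", instance_id,
            "--ca-certificate-identifier", target_ca]
    if not uses_ssl:
        argv.append("--no-certificate-rotation-restart")
    elif apply_now:
        argv.append("--apply-immediately")
    return argv


def plan(describe_json: str, uses_ssl: bool, apply_now: bool) -> List[List[str]]:
    """One modify-db-instance argv per instance still on the old CA."""
    return [modify_command(i, uses_ssl, apply_now)
            for i in instances_needing_rotation(describe_json)]


if __name__ == "__main__":
    # Planned-downtime rotation for every instance still on the old CA.
    for argv in plan(SAMPLE_DESCRIBE_OUTPUT, uses_ssl=True, apply_now=False):
        print(shlex.join(argv))
```

To run it against a real account, replace SAMPLE_DESCRIBE_OUTPUT with the captured output of aws rds describe-db-instances --output json; the printed commands can then be run one at a time, which is the safest way to keep the restarts of Clouddriver's, Orca's, and Front50's databases from overlapping.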


AWS web UI

If you prefer, you can use the AWS web UI to update your certificates.

Step 1 (screenshot: AWS cert update step 1)

Step 2 (screenshot: AWS cert update step 2)

Step 3 (screenshot: AWS cert update step 3)

Step 4 (screenshot: AWS cert update step 4)

Step 5 (screenshot: AWS cert update step 5)
