How do I troubleshoot Amazon RDS connection issues because of expired SSL/TLS certificates?


My Amazon Relational Database Service (Amazon RDS) database is experiencing connectivity issues because of expired SSL/TLS certificates.

Short description

The rds-ca-2019 Certificate Authority (CA) certificate for Amazon RDS and Amazon DocumentDB with MongoDB compatibility expired in August 2024. Connections to Amazon RDS databases might fail because the SSL/TLS certificates are expired. This issue affects every type of Amazon RDS DB instance.

To resolve connection issues, you must rotate the CA certificates on DB instances and client applications before they expire.

Resolution

Before you update your DB instances, update the SSL/TLS certificates for your clients and applications that are connected to your DB instances.

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.

Check whether you must restart your database

To check whether you must restart your database to update the SSL/TLS certificates, run the describe-db-engine-versions command:

aws rds describe-db-engine-versions --region your-region --engine your-engine --engine-version your-engine-version --query 'DBEngineVersions[*].{Engine:Engine,EngineVersion:EngineVersion, SupportsCertificateRotationWithoutRestart:SupportsCertificateRotationWithoutRestart,SupportedCACertificateIdentifiers:SupportedCACertificateIdentifiers }'

In the command's output, check the response in the SupportsCertificateRotationWithoutRestart parameter. If the parameter is set to true, then you don't need to restart your database. If the parameter is set to false, then you must restart the database.

Amazon RDS for PostgreSQL

You might receive error messages similar to the following:

"LOG: could not accept SSL connection: sslv3 alert certificate expired"

"ERROR: The certificate of 'www.postgresql.org' has expired"

"SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)"

To confirm whether the SSL/TLS certificates are expired, complete the following steps:

  1. From your client side, check the DB connection string to find the certificate location, name, and expiry:

    psql "host=dbidentifier.555555555555.aws-region.rds.amazonaws.com sslmode=verify-full sslrootcert=/full/path/rds-ca-rsa2019-g1.pem user=your-user dbname=your-db-name"
  2. Run the following OpenSSL command to get the certificate details in the certificate chain section of the output (replace 5432 if your instance listens on a custom port):

    openssl s_client -connect dbidentifier.555555555555.aws-region.rds.amazonaws.com:5432 -tls1_2 -starttls postgres -showcerts
  3. Run the describe-db-instances command to get the SSL/TLS certificate details:

    aws rds describe-db-instances --region your-region --db-instance-identifier your-postgresql-db --query 'DBInstances[0].{DBInstanceIdentifier:DBInstanceIdentifier,CACertificateIdentifier:CACertificateIdentifier}'

    Example output:

    {
        "CACertificateIdentifier": "rds-ca-2019", 
        "DBInstanceIdentifier": "your-postgresql-db"
    }

If the rds-ca-2019 certificate for your database is expired, then first modify your DB instance or cluster to update your CA certificate. Then, use new SSL/TLS certificates to update applications to connect to PostgreSQL DB instances.

Amazon RDS for MySQL and Amazon RDS for MariaDB

You might receive error messages similar to the following:

"MySQL Error 2026 (HY000): SSL connection error: certificate verify failed"

"MySQL Error 3159 (HY000): Connections using insecure transport are prohibited while --require_secure_transport=ON"

"ERROR 2026 (HY000): TLS/SSL error: certificate has expired"

To confirm whether the SSL/TLS certificates are expired, complete the following steps:

  1. From your client side, check the DB connection string to find the certificate location, name, and expiry:

    mysql -h dbidentifier.555555555555.aws-region.rds.amazonaws.com -P 3306 --ssl-ca=/full/path/rds-ca-rsa2019-g1.pem -u your-user -p

    For more information, see Connecting from the MySQL command-line client with SSL/TLS (encrypted).

  2. Run the following OpenSSL command to get the certificate details in the certificate chain section of the output:

    openssl s_client -connect your_db_endpoint:your_mysql-db_port -tls1_2 -starttls mysql -showcerts
  3. Optionally, run the describe-db-instances command to get the SSL/TLS certificate details:

    aws rds describe-db-instances --region your-region --db-instance-identifier your-mysql-db --query 'DBInstances[0].{DBInstanceIdentifier:DBInstanceIdentifier,CACertificateIdentifier:CACertificateIdentifier}'

    Example output:

    {
        "CACertificateIdentifier": "rds-ca-2019", 
        "DBInstanceIdentifier": "your-mysql-db"
    }

If the rds-ca-2019 certificate for your database is expired, then first modify your DB instance or cluster to update your CA certificate. Then, use the new SSL/TLS certificates to update applications to connect to MariaDB instances and MySQL DB instances.

Important: If your applications run on MySQL versions 5.7.16, 5.7.17, and 5.7.19, then you can't connect to your database after certificate upgrades. Before you update your certificates, upgrade to the latest minor version of MySQL.

Amazon RDS for Oracle

You might receive error messages similar to the following:

"ORA-28860: Fatal SSL error"

"28860. 00000 - "Fatal SSL error""

To confirm whether the SSL/TLS certificates are expired, complete the following steps:

  1. Run the following command to get the type of client certificate that's used, its expiry, and location:

    orapki wallet display -wallet $ORACLE_HOME/ssl_wallet
  2. Run the AWS CLI command describe-db-instances to get the SSL/TLS certificate details:

    aws rds describe-db-instances --region your-region --db-instance-identifier your-oracle-db --query 'DBInstances[0].{DBInstanceIdentifier:DBInstanceIdentifier,CACertificateIdentifier:CACertificateIdentifier}'

    Example output:

    {
        "CACertificateIdentifier": "rds-ca-2019", 
        "DBInstanceIdentifier": "your-oracle-db"
    }

If the rds-ca-2019 certificate for your database is expired, then first modify your DB instance or cluster to update your CA certificate. Then, use new SSL/TLS certificates to update the applications that connect to Oracle DB instances.

Amazon RDS for Microsoft SQL Server

You might receive errors similar to the following:

"LOG: Could not establish SSL connection: Certificate chain issued by an untrusted authority."

"ERROR: Unable to connect to SQL Server - The certificate chain was issued by an authority that is not trusted."

To confirm whether the SSL/TLS certificates are expired, complete the following steps:

  1. To get the client certificate that's used, its expiry, and its location, see Trusted Root Certification Authorities certificate store on the Microsoft website.

  2. Run the describe-db-instances command to get the SSL/TLS certificate details:

    aws rds describe-db-instances --region your-region --db-instance-identifier your-sqlserver-db --query 'DBInstances[0].{DBInstanceIdentifier:DBInstanceIdentifier,CACertificateIdentifier:CACertificateIdentifier}'

    Example output:

    {
        "CACertificateIdentifier": "rds-ca-2019", 
        "DBInstanceIdentifier": "your-sqlserver-db"
    }

If the rds-ca-2019 certificate for your database is expired, then first modify your DB instance or cluster to update your CA certificate. Then, use new SSL/TLS certificates to update applications to connect to Amazon RDS for Microsoft SQL Server DB instances.

Amazon DocumentDB

You might receive error messages similar to the following:

"SSL peer certificate validation failed: Certificate trust failure: connection rejected"

"Error: connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: Certificate trust failure: "Unable to find valid certification path to requested target"

"No suitable servers found (`serverSelectionTryOnce` set): [TLS handshake failed: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed]"

To confirm whether the SSL/TLS certificates are expired, complete the following steps:

  1. From your client side, check the application connection string to find the certificate location, name, and expiry:

    mongo --ssl --host dbidentifier.555555555555.aws-region.docdb.amazonaws.com:27017 --sslCAFile /full/path/rds-ca-rsa2019-g1.pem --username your-user --password
  2. Run the AWS CLI command describe-db-instances to get the SSL/TLS certificate details:

    aws docdb describe-db-instances --region your-region --db-instance-identifier your-docdb --filters Name=engine,Values=docdb --query 'DBInstances[*].{CertificateVersion:CACertificateIdentifier,InstanceID:DBInstanceIdentifier}'

If the rds-ca-2019 certificate for your database is expired, then update your application and Amazon DocumentDB cluster. Make sure that you rotate the certificates on your client and DocumentDB cluster.

Note: Amazon DocumentDB versions 4.0 and 5.0 don't require a reboot for certificate rotation.
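The checks in the PostgreSQL and DocumentDB sections above can be scripted so that a health check reports the exact verification failure instead of a generic connection error. The following Python script is an added example, not code from AWS or from this article: it sends the PostgreSQL SSLRequest packet by hand (psql's sslmode=verify-full behaviour) or negotiates TLS directly for DocumentDB, verifies the server chain only against the client's sslrootcert / --sslCAFile bundle, and reports the server certificate's notAfter or the OpenSSL verify message. The endpoint, CA file path and port are placeholders supplied on the command line.

```python
import socket
import ssl
import time

# PostgreSQL SSLRequest packet: int32 length 8, then int32 code 80877103 (1234 << 16 | 5679).
PG_SSL_REQUEST_CODE = 80877103


def build_pg_ssl_request() -> bytes:
    """Encode the SSLRequest that psql sends before upgrading the socket to TLS."""
    return (8).to_bytes(4, "big") + PG_SSL_REQUEST_CODE.to_bytes(4, "big")


def seconds_until_expiry(not_after, now=None):
    """not_after is getpeercert()['notAfter'], e.g. 'Aug 22 17:08:50 2024 GMT'.
    A negative result means the server certificate has already expired."""
    now = time.time() if now is None else now
    return ssl.cert_time_to_seconds(not_after) - now


def check_rds_tls(host, ca_file, port=5432, postgres=True, timeout=10.0) -> dict:
    """Verify the endpoint the way psql (sslmode=verify-full, sslrootcert=ca_file) or
    mongo (--ssl --sslCAFile ca_file) does. Returns a dict instead of raising so the
    outcome can be logged by a health check."""
    ctx = ssl.create_default_context(cafile=ca_file)  # trust only the client's CA bundle
    ctx.check_hostname = True
    with socket.create_connection((host, port), timeout=timeout) as raw:
        if postgres:
            raw.sendall(build_pg_ssl_request())
            if raw.recv(1) != b"S":  # 'N' means the server refuses TLS on this port
                return {"ok": False, "reason": "server declined SSLRequest"}
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                not_after = tls.getpeercert()["notAfter"]
                return {"ok": True, "not_after": not_after,
                        "seconds_left": seconds_until_expiry(not_after)}
        except ssl.SSLCertVerificationError as err:
            # verify_message separates "certificate has expired" (an expired rds-ca-2019 in the
            # chain or bundle) from "unable to get local issuer certificate" (the bundle lacks
            # the CA the instance now uses), the two messages quoted in the sections above.
            return {"ok": False, "reason": err.verify_message, "verify_code": err.verify_code}


if __name__ == "__main__":
    import sys
    # Usage (constructed CLI, not psql or mongo): check_rds_tls.py <endpoint> <ca.pem> [docdb]
    docdb = len(sys.argv) > 3 and sys.argv[3] == "docdb"
    print(check_rds_tls(sys.argv[1], sys.argv[2], port=27017 if docdb else 5432, postgres=not docdb))
```

Run it once with the old bundle and once with the bundle that contains the instance's current CA; a "seconds_left" value near zero or negative on the first run confirms the expiry, and "ok": true on the second confirms the client-side rotation.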

Related information

Rotate Your SSL/TLS Certificates Now – Amazon RDS and Amazon Aurora Expire in 2024

Rotating your SSL/TLS certificate

Using SSL with a PostgreSQL DB instance

AWS OFFICIAL, updated a month ago