How do I troubleshoot Amazon RDS connection issues because of expired SSL/TLS certificates?
My Amazon Relational Database Service (Amazon RDS) database is experiencing connectivity issues because of expired SSL/TLS certificates.
Short description
The rds-ca-2019 Certificate Authority (CA) certificate for Amazon RDS and Amazon DocumentDB with MongoDB compatibility expired in August 2024. Connections to Amazon RDS databases might fail because the SSL/TLS certificates are expired. This issue affects every type of Amazon RDS DB instance.
To resolve connection issues, you must rotate the CA certificates on DB instances and client applications before they expire.
Resolution
Before you update your DB instances, update the SSL/TLS certificates for your clients and applications that are connected to your DB instances.
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
Check whether you must restart your database
To check whether you must restart your database to update the SSL/TLS certificates, run the describe-db-engine-versions command:
aws rds describe-db-engine-versions --region your-region --engine your-engine --engine-version your-engine-version --query 'DBEngineVersions[*].{Engine:Engine,EngineVersion:EngineVersion, SupportsCertificateRotationWithoutRestart:SupportsCertificateRotationWithoutRestart,SupportedCACertificateIdentifiers:SupportedCACertificateIdentifiers }'
In the command's output, check the response in the SupportsCertificateRotationWithoutRestart parameter. If the parameter is set to true, then you don't need to restart your database. If the parameter is set to false, then you must restart the database.
Amazon RDS for PostgreSQL
You might receive error messages similar to the following:
"LOG: could not accept SSL connection: sslv3 alert certificate expired"
"ERROR: The certificate of 'www.postgresql.org' has expired"
"SSLCertVerificationError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)"
To confirm whether the SSL/TLS certificates are expired, complete the following steps:
- From your client side, check the DB connection string to find the certificate location, name, and expiry:
psql "host=dbidentifier.555555555555.aws-region.rds.amazonaws.com sslmode=verify-full sslrootcert=/full/path/rds-ca-rsa2019-g1.pem user=your-user dbname=your-db-name"
- Run the following OpenSSL command to get the certificate details in the certificate chain section of the output:
openssl s_client -connect dbidentifier.555555555555.aws-region.rds.amazonaws.com:your-db-port -tls1_2 -starttls postgres -showcerts
- Run the describe-db-instances command to get the SSL/TLS certificate details:
aws rds describe-db-instances --region your-region --db-instance-identifier your-postgresql-db --query 'DBInstances[0].{DBInstanceIdentifier:DBInstanceIdentifier,CACertificateIdentifier:CACertificateIdentifier}'
Example output:
{ "CACertificateIdentifier": "rds-ca-2019", "DBInstanceIdentifier": "your-postgresql-db" }
If the rds-ca-2019 certificate for your database is expired, then first modify your DB instance or cluster to update your CA certificate. Then, use new SSL/TLS certificates to update applications to connect to PostgreSQL DB instances.
Amazon RDS for MySQL and Amazon RDS for MariaDB
You might receive error messages similar to the following:
"MySQL Error 2026 (HY000): SSL connection error: certificate verify failed"
"MySQL Error 3159 (HY000): Connections using insecure transport are prohibited while --require_secure_transport=ON"
"ERROR 2026 (HY000): TLS/SSL error: certificate has expired"
To confirm whether the SSL/TLS certificates are expired, complete the following steps:
- From your client side, check the DB connection string to find the certificate location, name, and expiry:
mysql -h dbidentifier.555555555555.aws-region.rds.amazonaws.com -P 3306 --ssl-ca=/full/path/rds-ca-rsa2019-g1.pem -u your-user -p
For more information, see Connecting from the MySQL command-line client with SSL/TLS (encrypted).
- Run the following OpenSSL command to get the certificate details in the certificate chain section of the output:
openssl s_client -connect your_db_endpoint:your_mysql-db_port -tls1_2 -starttls mysql -showcerts
- Run the describe-db-instances command to get the SSL/TLS certificate details:
aws rds describe-db-instances --region your-region --db-instance-identifier your-mysql-db --query 'DBInstances[0].{DBInstanceIdentifier:DBInstanceIdentifier,CACertificateIdentifier:CACertificateIdentifier}'
Example output:
{ "CACertificateIdentifier": "rds-ca-2019", "DBInstanceIdentifier": "your-mysql-db" }
If the rds-ca-2019 certificate for your database is expired, then first modify your DB instance or cluster to update your CA certificate. Then, use the new SSL/TLS certificates to update applications to connect to MariaDB instances and MySQL DB instances.
Important: If your applications run on MySQL versions 5.7.16, 5.7.17, and 5.7.19, then you can't connect to your database after certificate upgrades. Before you update your certificates, upgrade to the latest minor version of MySQL.
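The restart check at the top of the resolution and the per-engine describe-db-instances checks can be combined into one fleet audit. The following Python script is an added example and is not part of the AWS article: it reads the JSON that aws rds describe-db-instances (without a --query, or with a query that also keeps Engine and EngineVersion) and aws rds describe-db-engine-versions return, flags instances still on rds-ca-2019, looks up SupportsCertificateRotationWithoutRestart for the instance's engine version, picks a non-expired CA from SupportedCACertificateIdentifiers, and applies the MySQL 5.7.16/5.7.17/5.7.19 caveat above. The embedded JSON is constructed sample data; the engine versions, restart flags and CA identifiers other than rds-ca-2019 in it are assumptions for illustration, not values taken from a real account.

```python
"""Audit Amazon RDS instances for CA certificate rotation (added example).

Feed it the raw JSON of:
  aws rds describe-db-instances        (instance CA identifier, engine, version)
  aws rds describe-db-engine-versions  (restart support, supported CA identifiers)
Save each command's output to a file and pass the file contents to audit().
"""
import json

# The CA that the article says expired in August 2024.
EXPIRED_CAS = {"rds-ca-2019"}

# From the article: clients on these MySQL minors can't connect after the
# certificate upgrade, so the engine minor version must be upgraded first.
MYSQL_UPGRADE_FIRST = {"5.7.16", "5.7.17", "5.7.19"}


def _records(raw_json, top_key):
    """Accept either the raw CLI output ({top_key: [...]}) or a --query list."""
    data = json.loads(raw_json)
    return data[top_key] if isinstance(data, dict) else data


def index_engine_versions(engine_versions):
    """Key the describe-db-engine-versions records by (engine, version)."""
    return {(ev["Engine"], ev["EngineVersion"]): ev for ev in engine_versions}


def plan_rotation(instance, ev_index, preferred=()):
    """Decide what to do for one DBInstances record.

    preferred: CA identifiers to choose first when several are supported;
    otherwise the first non-expired CA the API lists is chosen.
    """
    current = instance["CACertificateIdentifier"]
    plan = {
        "instance": instance["DBInstanceIdentifier"],
        "current_ca": current,
        "needs_rotation": current in EXPIRED_CAS,
        "restart_required": None,   # unknown until the engine version is found
        "target_ca": None,
        "notes": [],
    }
    if not plan["needs_rotation"]:
        return plan
    ev = ev_index.get((instance["Engine"], instance["EngineVersion"]))
    if ev is None:
        plan["notes"].append("engine version missing from describe-db-engine-versions output")
        return plan
    # Article: true means no restart is needed; false means the DB must be restarted.
    plan["restart_required"] = not ev.get("SupportsCertificateRotationWithoutRestart", False)
    supported = [ca for ca in ev.get("SupportedCACertificateIdentifiers", [])
                 if ca not in EXPIRED_CAS]
    plan["target_ca"] = next((ca for ca in preferred if ca in supported),
                             supported[0] if supported else None)
    if plan["target_ca"] is None:
        plan["notes"].append("no non-expired CA advertised for this engine version")
    if instance["Engine"] == "mysql" and instance["EngineVersion"] in MYSQL_UPGRADE_FIRST:
        plan["notes"].append("upgrade MySQL minor version before rotating the certificate")
    return plan


def audit(instances_json, engine_versions_json, preferred=()):
    """Run plan_rotation over the JSON text of both CLI commands."""
    instances = _records(instances_json, "DBInstances")
    idx = index_engine_versions(_records(engine_versions_json, "DBEngineVersions"))
    return [plan_rotation(inst, idx, preferred) for inst in instances]


# Constructed sample data standing in for the two CLI outputs (not real accounts).
SAMPLE_INSTANCES = json.dumps({"DBInstances": [
    {"DBInstanceIdentifier": "your-postgresql-db", "Engine": "postgres",
     "EngineVersion": "13.4", "CACertificateIdentifier": "rds-ca-2019"},
    {"DBInstanceIdentifier": "your-mysql-db", "Engine": "mysql",
     "EngineVersion": "5.7.16", "CACertificateIdentifier": "rds-ca-2019"},
    {"DBInstanceIdentifier": "rotated-db", "Engine": "postgres",
     "EngineVersion": "13.4", "CACertificateIdentifier": "rds-ca-rsa2048-g1"},
]})
SAMPLE_ENGINE_VERSIONS = json.dumps({"DBEngineVersions": [
    {"Engine": "postgres", "EngineVersion": "13.4",
     "SupportsCertificateRotationWithoutRestart": True,
     "SupportedCACertificateIdentifiers": ["rds-ca-2019", "rds-ca-rsa2048-g1", "rds-ca-rsa4096-g1"]},
    {"Engine": "mysql", "EngineVersion": "5.7.16",
     "SupportsCertificateRotationWithoutRestart": False,
     "SupportedCACertificateIdentifiers": ["rds-ca-2019", "rds-ca-rsa2048-g1"]},
]})

if __name__ == "__main__":
    for plan in audit(SAMPLE_INSTANCES, SAMPLE_ENGINE_VERSIONS, preferred=("rds-ca-rsa2048-g1",)):
        print(json.dumps(plan))
```

Instances whose engine version is absent from the describe-db-engine-versions output are reported with restart_required left as None and a note, rather than guessed, so that a partial --engine-version filter on the second command never turns into a silent "no restart needed".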
Amazon RDS for Oracle
You might receive error messages similar to the following:
"ORA-28860: Fatal SSL error"
28860. 00000 - "Fatal SSL error"
To confirm whether the SSL/TLS certificates are expired, complete the following steps:
- Run the following command to get the type of client certificate that's used, its expiry, and location:
prompt>orapki wallet display -wallet $ORACLE_HOME/ssl_wallet
- Run the AWS CLI command describe-db-instances to get the SSL/TLS certificate details:
aws rds describe-db-instances --region your-region --db-instance-identifier your-oracle-db --query 'DBInstances[0].{DBInstanceIdentifier:DBInstanceIdentifier,CACertificateIdentifier:CACertificateIdentifier}'
Example output:
{ "CACertificateIdentifier": "rds-ca-2019", "DBInstanceIdentifier": "your-oracle-db" }
If the rds-ca-2019 certificate for your database is expired, then first modify your DB instance or cluster to update your CA certificate. Then, follow the steps in Use new SSL/TLS certificates to update applications to connect to Oracle DB instances.
Amazon RDS for Microsoft SQL Server
You might receive errors similar to the following:
"LOG: Could not establish SSL connection: Certificate chain issued by an untrusted authority."
"ERROR: Unable to connect to SQL Server - The certificate chain was issued by an authority that is not trusted."
To confirm whether the SSL/TLS certificates are expired, complete the following steps:
- To get the client certificate that's used, its expiry, and location, see Trusted Root Certification Authorities certificate store on the Microsoft website.
- Run the describe-db-instances command to get the SSL/TLS certificate details:
aws rds describe-db-instances --region your-region --db-instance-identifier your-sqlserver-db --query 'DBInstances[0].{DBInstanceIdentifier:DBInstanceIdentifier,CACertificateIdentifier:CACertificateIdentifier}'
Example output:
{ "CACertificateIdentifier": "rds-ca-2019", "DBInstanceIdentifier": "your-sqlserver-db" }
If the rds-ca-2019 certificate for your database is expired, then first modify your DB instance or cluster to update your CA certificate. Then, use new SSL/TLS certificates to update applications to connect to Amazon RDS for Microsoft SQL Server DB instances.
Amazon DocumentDB
You might receive error messages similar to the following:
"SSL peer certificate validation failed: Certificate trust failure: connection rejected"
"Error: connection attempt failed: SSLHandshakeFailed: SSL peer certificate validation failed: Certificate trust failure: "Unable to find valid certification path to requested target"
"No suitable servers found (`serverSelectionTryOnce` set): [TLS handshake failed: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed"
To confirm whether the SSL/TLS certificates are expired, complete the following steps:
- From your client side, check the application connection string to find the certificate location, name, and expiry:
mongo --ssl --host dbidentifier.555555555555.aws-region.docdb.amazonaws.com:27017 --sslCAFile /full/path/rds-ca-rsa2019-g1.pem --username your-user --password
- Run the AWS CLI command describe-db-instances to get the SSL/TLS certificate details:
aws docdb describe-db-instances --region your-region --db-instance-identifier your-docdb --filters Name=engine,Values=docdb --query 'DBInstances[*].{CertificateVersion:CACertificateIdentifier,InstanceID:DBInstanceIdentifier}'
If the rds-ca-2019 certificate for your database is expired, then update your application and Amazon DocumentDB cluster. Make sure that you rotate the certificates on your client and DocumentDB cluster.
Note: Amazon DocumentDB versions 4.0 and 5.0 don't require a reboot for certificate rotation.
Related information
Rotate Your SSL/TLS Certificates Now – Amazon RDS and Amazon Aurora Expire in 2024