Problem during update to new SSL/TLS certificates "rds-ca-2019"

Question

As many of us we received a notification from AWS to "Update Your Amazon RDS SSL/TLS Certificates by October 31, 2019".  
I did that on several of my Aurora MySQL Databases. The update works fine. The Problem is, after the update it appears a new "pending maintenance" of type "ca-certificate-rotation" with a apply date in the year 2024.  
If I make an "upgrade now" of the database, the "pending maintenance" gets executed and the SSL/TLS certificates are switched back to "rds-ca-2015".  
Is this intentional?  
Will this "pending maintenance" stay there until 2024 if I never do an "upgrade now"?

Accepted Answer

Hi THeyer, thanks for your post. This is not intentional and has been fixed. Please let us know if you're still experiencing issues.

Answer

Hi AWS Team,  
  
I also have a question about  how to implement the Amazon RDS SSL/TLS Certificates updates in my Aurora database instance. In the notifications that Amazon  sent today it states the following steps in order to implement the change:  
Amazon Aws Instruction  
1.Download the new SSL/TLS certificate from Using SSL/TLS to Encrypt a Connection to a DB Instance.  
2.Update your database applications to use the new SSL/TLS certificate.  
3.Modify the DB instance to change the CA from rds-ca-2015 to rds-ca-2019.  
  
MY QUESTION  
Since I am using an Amazon Aws  Aurora 5.6 database, I would like to know if in my case I have only to implement step 3. I mean in order to take effect the change I do not have to follow step 1 and step 2?  
  
Many thanks for your help.  
  
Regards,   
  
Alcides

Answer

@Alcides:  
  
you alwyas have to follow all 3 steps. I you only do step 3 you can't connect to your database anymore with SSL, because your client has an old certificate.

Problem during update to new SSL/TLS certificates "rds-ca-2019"

Relevanter Inhalt