En utilisant AWS re:Post, vous acceptez les AWS re:Post Conditions d’utilisation
AWS re:Postre:Post

How to use a newer CA for the autoscaled Aurora PSQL DB?

0

Hi there.

I noticed that the Aurora reader instances that are added by the autoscaler do not use the newer CA. It always uses the default rsa-ca-2019.

Since I already updated all of my Aurora instances to use "rds-ca-rsa4096-g1", I also want to use the same one for the autoscaled ones. Unfortunately, I can't find any option to do that.

Is there a way to set the autoscaled Aurora instance to use a newer (or specific) CA automatically?

I'm worried about losing the SSL connection once the rsa-ca-2019 get expires later next year. Unexpectedly losing the DB connection is the last thing I want to experience.

Thanks a lot.

Sujets
Migration et modernisationAnalytiqueBase de données
Balises
Amazon Relational Database ServiceAurora PostgreSQLAmazon Aurora
Langue
English
Yechan
demandé il y a 4 mois154 vues
2 réponses
0

Hi,

This is something currently being addressed and at this time, there is no workaround. I went and tested this in my own environment, but at this time the Auto-Scaled instances are using the current default certificate, in which case is still 'rsa-ca-2019'.

AWS
INGÉNIEUR EN ASSISTANCE TECHNIQUE
Kyle_B
répondu il y a 4 mois
  • Yechan
    il y a 4 mois

    Hey. Thanks for the reply. It's unfortunate to hear that there's no workaround.

    If that's the case then are the autoscale-provisioned DB instances gonna automatically use a newer CA once the rsa-ca-2019 expires?

  • Kyle_B INGÉNIEUR EN ASSISTANCE TECHNIQUE
    il y a 4 mois

    Our team's are aware of the potential issue if rsa-ca-2019expires and the auto-scaled instances use these defaults. I would expect a fix before this happens.

0

To set the autoscaled Aurora reader instances to use a specific CA, you can specify the certificate identifier when creating the Aurora global database cluster.

When creating the cluster through the AWS CLI or RDS API, include the --db-cluster-parameter-group-name parameter and specify the parameter group that references the desired CA.

For existing clusters, you can modify the DB cluster parameter group to set the ssl_ca_file and ssl_ca_path parameters to the CA you want to use. Then modify the DB cluster and specify this updated parameter group.

Any new reader instances added through autoscaling will then use this specified CA.

Checking that your application is connecting to the proper reader endpoints is also important to ensure connections are using the expected CA after any upgrades or modifications to the cluster.

https://repost.aws/questions/QUlzw_0nL5SeaeE9u4fJxDiQ/problem-during-update-to-new-ssl-tls-certificates-rds-ca-2019

https://repost.aws/knowledge-center/troubleshoot-connecting-aurora

profile picture
EXPERT
Giovanni Lauria
répondu il y a un mois

Vous n'êtes pas connecté. Se connecter pour publier une réponse.

Une bonne réponse répond clairement à la question, contient des commentaires constructifs et encourage le développement professionnel de la personne qui pose la question.

Instructions pour répondre aux questions

Contenus pertinents