Quite a basic question.
I have a EKS cluster with standard dotnet pods applications connecting to a MS SQL RDS database.
"Engine": "sqlserver-se" "EngineVersion": "15.00.4236.7.v1"
RDS "rds-ca-2019" certificate will expire in a few months and I need to update it to "rds-ca-rsa2048-g1".
Based on this doc
From what I can see using "aws rds describe-db-engine-versions", "SupportsCertificateRotationWithoutRestart" is false on all MS SQL engine.
- So just to be sure, there's no way to do that operation without a downtime?
- How long of a downtime is generally taking a restart operation? Would it be longer if I take the opportunity to update to the latest engine version in the same time?
The guide then mention "update any client applications that use SSL/TLS and the server certificate to connect".
There's a certificate bundle that can be downloaded and instructions on how to install it on a Linux OS, but what about kubernetes nodes? Where are the CA root used defined?
- Do they automatically have the latest AWS CA available already since they runs on AWS EC2 instances?
- Is there a command I can run to validate if the new CA would be already trusted?
I see tons of docs about signing and installing private CA certificates, but nothing about the "normal" AWS ones. I don't remember installing any special resources on my cluster in the past to support the current one.
I tried launching a new pod and running this:
awk -v cmd='openssl x509 -noout -subject' '/BEGIN/{close(cmd)};{print | cmd}' < /etc/ssl/certs/ca-certificates.crt
And I got this result:
subject=C=US, O=Amazon, CN=Amazon Root CA 1
subject=C=US, O=Amazon, CN=Amazon Root CA 2
subject=C=US, O=Amazon, CN=Amazon Root CA 3
subject=C=US, O=Amazon, CN=Amazon Root CA 4
Are those including the newest CA root mentioned above?
