Trading Fish The blog of Hector Castro

Updating the Amazon RDS Certificate Bundle

On March 23rd, 2015 20:00 UTC, Amazon plans to update the SSL certificate for RDS instances. This means that applications attempting to establish secure connections to Amazon RDS databases from servers without an updated RDS certificate bundle may begin to fail. In order to prevent connection failures to Amazon RDS databases, an updated certificate bundle can be installed on client servers in advance.

Test Connections to Amazon RDS

First, I recommend starting a new Amazon RDS database with the rds-ca-2015 certificate authority configured. For this example, I’m going to use a PostgreSQL Amazon RDS database.

Using the psql command, execute the following steps from a server intended to communicate securely with Amazon RDS:

$ export PGSSLROOTCERT="/etc/ssl/certs/ca-certificates.crt"
$ export PGSSLMODE="verify-full"
$ psql -h test.cvg4pxyrtpes.us-east-1.rds.amazonaws.com -U test

If you are met with the following message, then you need to install the updated certificate bundle:

psql: SSL error: certificate verify failed

Updating the Certificate Bundle

On a Ubuntu server, the update-ca-certificates command can be used to update the local CA certificates. First, we need to download the updated Amazon RDS combined CA bundle, then we need to put it in a place where update-ca-certificates knows to pick it up:

$ wget http://s3.amazonaws.com/rds-downloads/rds-combined-ca-bundle.pem
$ sudo mv rds-combined-ca-bundle.pem \
    /usr/local/share/ca-certificates/rds-combined-ca-bundle.crt
$ sudo update-ca-certificates

Note: The file extension for rds-combined-ca-bundle changes from .pem to .crt.

Now, if we run the test above once more on the same machine, you should be met with a password prompt, and a successfully established secure connection to the Amazon RDS PostgreSQL database.

Lastly, if you use Ansible for configuration management, take a look at the azavea.rds-ca-bundle role to help automate updating the Amazon RDS certificate bundle on client servers.