aws/rds: Switch AWS RDS CA bundle to the officially documented URL #3307

Merged
merged 1 commit into from
Aug 24, 2023

toadjaune
Contributor

Hi folks!

AWS recently started sending out emails about the expiration of the rds-ca-2019 CA (expires in 2024), suggesting we upgrade our instance to rds-ca-rsa2048-g1, rds-ca-rsa4096-g1, or rds-ca-ecc384-g1.

The corresponding documentation is here, and includes instructions as to client configuration and where to retrieve CA information.

I'm assuming the URL used here is a former address, and that AWS has since then changed the address of the reference CA bundle, without updating the bundle at the former address.

Reproduction

Creating RDS instances with both rds-ca-2019 and rds-ca-ecc384-g1, I can confirm that the new bundle works with both, while the old one only works with rds-ca-2019. I have not, however, explicitly listed each certificate in the old bundle to see if it's present in the new one. We can double-check before merging if you wish; however, I'm assuming AWS would not remove still-valid CAs from its bundle.

I'm not using go-cloud directly, however, only indirectly through https://github.com/cyrilgdn/terraform-provider-postgresql, so I haven't been able to test this change directly.
However, using psql with sslrootcert should be a good indicator that the issue is in fact here.
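The old-versus-new bundle comparison mentioned in the description can be scripted. The following is an added example, not code from this pull request or from go-cloud: it reports every certificate in an old PEM bundle that is still valid and has no byte-identical (DER) match in the new bundle. The names `constructedCert`, `parseBundle` and `MissingFromNew` are hypothetical, and the certificates are throwaway ones generated in place of the real AWS bundles.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// constructedCert builds a throwaway self-signed certificate in PEM form (constructed sample input, not an AWS CA).
func constructedCert(cn string, notAfter time.Time) []byte {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.Add(-48 * time.Hour), NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// parseBundle parses every PEM block of a CA bundle; a block that is not a certificate makes it fail.
func parseBundle(bundle []byte) ([]*x509.Certificate, error) {
	var der []byte
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		der = append(der, block.Bytes...)
	}
	return x509.ParseCertificates(der)
}

// MissingFromNew lists the CommonName of each old certificate that is unexpired at now
// and has no DER-identical counterpart in newCerts (Certificate.Equal compares raw DER).
func MissingFromNew(oldCerts, newCerts []*x509.Certificate, now time.Time) (missing []string) {
	for _, o := range oldCerts {
		if !slices.ContainsFunc(newCerts, o.Equal) && now.Before(o.NotAfter) {
			missing = append(missing, o.Subject.CommonName)
		}
	}
	return missing
}

func main() {
	exp := time.Now().Add(time.Hour)
	shared := constructedCert("constructed-shared", exp)
	oldCerts, _ := parseBundle(append(constructedCert("constructed-old-only", exp), shared...))
	newCerts, _ := parseBundle(shared)
	fmt.Println(MissingFromNew(oldCerts, newCerts, time.Now()))
}
```

An empty result means every still-valid CA in the old bundle is also trusted by the new one, so swapping bundles cannot break clients that pin to the old set.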

@codecov

codecov bot commented Aug 24, 2023

Codecov Report

Merging #3307 (1e92c83) into master (d6f90a4) will increase coverage by 0.05%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master    #3307      +/-   ##
==========================================
+ Coverage   77.44%   77.49%   +0.05%     
==========================================
  Files         104      104              
  Lines       13923    13923              
==========================================
+ Hits        10782    10790       +8     
+ Misses       2380     2371       -9     
- Partials      761      762       +1     
Files Changed Coverage Δ
aws/rds/rds.go 0.00% <ø> (ø)

... and 1 file with indirect coverage changes

@vangent vangent merged commit 55ed7f7 into google:master Aug 24, 2023
6 checks passed
@toadjaune toadjaune deleted the switch-rds-ca branch August 25, 2023 08:56
@toadjaune
Contributor Author

Well, that was fast, thanks a lot!

By any chance, do you have any idea about when we can expect a new release?

I'm not sure how aggressive AWS is with its "rotate your CA" emails, but this might start affecting a lot of people pretty fast.

@vangent
Contributor

vangent commented Aug 25, 2023

> when we can expect a new release

Done
