Update Amazon RDS SSL/TLS Certificates - Elastic Beanstalk
AWS recently announced the need to:

Update Your Amazon RDS SSL/TLS Certificates by October 31, 2019

I have a Rails application hosted with a classic Elastic Beanstalk load balancer, which connects to a Postgres DB using RDS.

The required steps according to Amazon are:

  1. Download the new SSL/TLS certificate from Using SSL/TLS to Encrypt a Connection to a DB Instance.
  2. Update your database applications to use the new SSL/TLS certificate.
  3. Modify the DB instance to change the CA from rds-ca-2015 to rds-ca-2019.

(https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html)

Since I have my load balancers set up like this (connecting to my EC2 instances via HTTP port 80, not SSL), does this mean I don't need to follow steps 1 and 2, and only need to follow step 3?

LoadBalancerListeners

Or do I have to download the updated certificates and install/add them to my load balancer or EC2 instances manually? Not sure how to do that.

Studner answered 18/10, 2019 at 6:30 Comment(2)
What did you have to do in the end? I'm not clear what the final solution was.Swallowtailed
@weber, the main thing I needed to determine was if the EC2 instances behind an Elastic Beanstalk load balancer with a tied RDS connection would automatically trust the upgraded 2019 certificate or not. I wasn't sure if I'd need to manually trust them via SSH'ing to them, or e.g. using .ebextensions. In the end after testing it, I could confirm that they did automatically trust the new RDS connection. If the RDS DB instance was decoupled from the EB environment as described here https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/AWSHowTo.RDS.html, then I'm not sure of the outcome.Studner

Steps 1 & 2 are only required if your application's connection with MySQL is TLS encrypted.

Do not change the LB TLS setting; it can break your application. LB TLS is one thing, and RDS TLS is something else.

If your application just creates a plain connection, you are safe to perform step 3 directly.

Modify the DB instance to change the CA from rds-ca-2015 to rds-ca-2019.

Normal practice for a DB is that the DB should be in a private subnet and should not be accessible from the public. TLS is helpful when the connection between your database and backend is over the internet, not within a VPC.

With an unencrypted connection between the MySQL client and the server, someone with access to the network could watch all your traffic and inspect the data being sent or received between client and server.

Rare answered 18/10, 2019 at 7:27 Comment(7)
Thanks @Adiii. Are you sure? Here docs.aws.amazon.com/AmazonRDS/latest/UserGuide/… it describes how to see if your DB connection is using SSL. When I eb ssh to my server, connect from there to the DB via psql, and then run select ssl_is_used(), it returns true! My RDS instance is tied to my EB environment as described here docs.aws.amazon.com/elasticbeanstalk/latest/dg/…. Since EB is auto-connected to RDS, I'm concerned based on the above that changing the CA will break the generated connection.Studner
I am talking in general; it depends on the application how it creates the connection, but the code suggested by the link is a plain connection. var mysql = require('mysql'); var connection = mysql.createConnection({ host : process.env.RDS_HOSTNAME, user : process.env.RDS_USERNAME, password : process.env.RDS_PASSWORD, port : process.env.RDS_PORT }); connection.connect(function(err) { if (err) { console.error('Database connection failed: ' + err.stack); return; } console.log('Connected to database.'); }); connection.end();Rare
Thanks @Adii. FYI I use Postgres, not MySQL. The good news is I took a snapshot and tried step 3 just now. Everything still works as expected. Even when re-connecting to the DB from the application server, it still reports that it's using SSL, so I assume Elastic Beanstalk handles the trusting of the certificate automatically when the RDS instance is tied to the EB environment. Thanks again.Studner
So how do you create the connection? Did you specify SSL in the connection string?Rare
I have a Rails app, so the connection info is defined in database.yml, which calls out to ENV variables like RDS_DB_NAME, RDS_USERNAME etc. It doesn't specify to require SSL there (even though it could). Although I think the default setting on EB must be something like allow, prefer, or require, configured via an environment variable or something. cf. postgresql.org/docs/current/…. It's definitely not one of the other 3, because disable would turn SSL off, and the other verify options failed when I tested them on the CLI.Studner
The best way, if you are not sure about the application's internal connection, is to capture the traffic packets to confirm. liferay.dev/blogs/-/blogs/… check this link on how to capture packets; if you can read the packets, then it is not encrypted.Rare
Let us continue this discussion in chat.Rare
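The comment thread above settles the question empirically (snapshot, switch the CA, see whether the app still connects), and suggests a packet capture to find out whether the connection is encrypted at all. A more direct check, covering both steps 1 and 2 of the AWS procedure and the sslmode discussion, is to open a connection to the RDS endpoint yourself and insist on the equivalent of libpq's verify-full: the server's chain must validate against the CA bundle you downloaded in step 1 and the certificate must match the endpoint hostname. The script below is an added example written for this page, not code from the question, the answers or AWS. It speaks just enough of the PostgreSQL wire protocol (the 8-byte SSLRequest message, then a plain TLS handshake) to do that with the Python standard library. It assumes the host and port come from the RDS_HOSTNAME and RDS_PORT variables mentioned on the page, and it invents a third variable, RDS_SSLROOTCERT, for the path to the downloaded PEM bundle; if the DB has been moved to rds-ca-2019 but the bundle only contains the 2015 CA, the handshake fails with an SSLCertVerificationError, which is exactly the breakage steps 1 and 2 exist to prevent.

```python
"""
Verify that a PostgreSQL endpoint (e.g. an RDS instance) negotiates TLS and
presents a certificate chain that validates against a given CA bundle,
the way libpq's sslmode=verify-full would.

Assumed environment (not from the original page): RDS_HOSTNAME, RDS_PORT and
RDS_SSLROOTCERT (path to the PEM bundle downloaded from AWS in step 1).
"""
import os
import socket
import ssl
import struct

# libpq's SSLRequest: int32 message length (8) followed by the magic request
# code 80877103, i.e. (1234 << 16) | 5679. The server answers with one byte:
# b"S" (it will do TLS on this socket) or b"N" (it refuses).
SSL_REQUEST_CODE = (1234 << 16) | 5679


def build_ssl_request() -> bytes:
    """Encode the 8-byte SSLRequest message sent before the TLS handshake."""
    return struct.pack("!ii", 8, SSL_REQUEST_CODE)


def server_accepts_tls(reply: bytes) -> bool:
    """Interpret the single-byte reply to SSLRequest."""
    if reply == b"S":
        return True
    if reply == b"N":
        return False
    raise ValueError(f"unexpected SSLRequest reply: {reply!r}")


def make_verifying_context(ca_bundle_path: str) -> ssl.SSLContext:
    """TLS context equivalent to sslmode=verify-full: trust only the given
    bundle (no system store), require a certificate, check the hostname."""
    ctx = ssl.create_default_context(cafile=ca_bundle_path)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def check_rds_tls(host: str, port: int, ca_bundle_path: str,
                  timeout: float = 10.0) -> dict:
    """Send SSLRequest, then run a verifying TLS handshake on the same socket.

    Returns a small summary. Raises ssl.SSLCertVerificationError when the
    server's chain does not validate against the bundle, which is what a
    client sees after the DB's CA is rotated without updating the client's
    trust store.
    """
    ctx = make_verifying_context(ca_bundle_path)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(build_ssl_request())
        if not server_accepts_tls(raw.recv(1)):
            # Equivalent of sslmode=disable on the server side: no TLS at all.
            return {"tls": False, "issuer": None, "protocol": None}
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            # getpeercert() returns the issuer as a tuple of RDN tuples.
            issuer = dict(rdn[0] for rdn in cert["issuer"])
            return {
                "tls": True,
                "issuer": issuer.get("commonName"),
                "protocol": tls.version(),
            }


if __name__ == "__main__":
    host = os.environ["RDS_HOSTNAME"]
    port = int(os.environ.get("RDS_PORT", "5432"))
    # Placeholder file name; point it at the bundle downloaded in step 1.
    bundle = os.environ.get("RDS_SSLROOTCERT", "rds-ca-bundle.pem")
    print(check_rds_tls(host, port, bundle))
```

Run it from an instance that can reach the DB (for example after eb ssh) before and after changing the CA on the instance: a successful result whose issuer is the 2019 CA confirms the client-side trust store is already correct, while a verification error tells you the bundle on that host still needs updating. If the function reports tls: False, the application is using a plain connection and only step 3 applies, as the accepted answer says.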

There is a much easier answer to the question:

You do not need to install anything in your Beanstalk environment if you upgrade the CA Certificate used by the RDS attached to it. https://mcmap.net/q/825685/-aws-rds-certificate-authority-update

Just follow point 3 and ignore 1 and 2.

(Yes I wrote that answer myself).

Pipit answered 14/1, 2020 at 21:42 Comment(1)
I think the jump answer is down-voted because most production environments do NOT use RDS within Elastic Beanstalk. Using RDS from within Elastic Beanstalk is potentially dangerous because if you terminate your Elastic Beanstalk instance, your database is terminated too, which is no good for data retention purposes. So in general people are asking about Elastic Beanstalk environments where the RDS instance is separate.Anglesite
