Amazon Lightsail MySQL Database SSL/TLS Certificates

1

I got an email today from AWS that began with:

You are receiving this email because you have one or more MySQL databases in Amazon Lightsail with a certificate that is expiring on August 22, 2024. If you or your applications connect to these databases using Secure Sockets Layer (SSL) / Transport Layer Security (TLS), you need to take action and update the database certificates before August 22, 2024 to prevent connectivity disruptions. If you don’t currently use SSL/TLS connections, please note that database security best practices are to use SSL/TLS with certificate verification.

As far as I know, I never configured my MySQL database to use certificates (nor is there such an option when creating a new MySQL database or managing an existing database in Lightsail), so I assume this is something that "just happens" on the AWS side during creation.

I use the MySQL database for Wordpress (also in Lightsail), and also connect to it using MySQL Workbench, which uses SSL "if available" and does seem to connect with SSL when I test the connection.

It's unclear to me how to update the certificates, or if I even need to. It would seem to me that Amazon would update certificates that they installed, which are expired. What should my next steps be?

Full text of the email below: email from Amazon AWS

turbodb
asked 22 days ago, 407 views
2 Answers
2

Hello.

If you are not hosting MySQL with a Lightsail database, I thought you could safely ignore the email.
If you are using a Lightsail database, you can update it by following the steps described in the document below.
However, as stated in the documentation, please try updating in a test environment before updating the production environment.
https://docs.aws.amazon.com/lightsail/latest/userguide/amazon-lightsail-modifying-database-to-use-a-specific-certificate.html

EXPERT
answered 21 days ago
EXPERT
reviewed 21 days ago
  • Right, I saw the link to that guide, and read it. My question was, why do I need to do this, if I never set up the SSL certificate in the first place? Why doesn't Amazon just continue to manage it, as they did when they set it up? Especially given that there's no way to manage it through Lightsail itself, and given that Lightsail deployments are sort of "dumbed down" for a less technical audience that isn't/doesn't want to be familiar with the nuances of managing a full-on AWS deployment.

  • My question was, why do I need to do this, if I never set up the SSL certificate in the first place?

    If your application does not connect to MySQL using SSL communication, you can safely ignore this. When the deadline comes, AWS will update it. https://docs.aws.amazon.com/lightsail/latest/userguide/amazon-lightsail-modifying-database-to-use-a-specific-certificate.html

    If your applications do not connect to your Lightsail managed database using SSL/TLS, no action is required. If these steps are not completed, your applications will fail to connect to your managed database using SSL/TLS after August 22, 2024.

    Especially given that there's no way to manage it through Lightsail itself, and given that Lightsail deployments are sort of "dumbed down" for a less technical audience that isn't/doesn't want to be familiar with the nuances of managing a full-on AWS deployment.

    I think this is an option that allows users connected via SSL to update at their own convenience. If AWS were to update automatically on the specified date, there would be cases where the user would not be able to respond in time and be unable to connect to the database. If users can update at any time, it will help prevent such accidents.

  • Thanks again @Riku_Kobayashi.

    Some of my applications do connect with SSL - specifically, MySQL Workbench negotiates SSL "if available." Since SSL is available - as a result of the certificate that AWS installed when the Lightsail MySQL Database was created - it is used.

    I think you're probably correct with your last statement here:

    I think this is an option that allows users connected via SSL to update at their own convenience.

    However, you also stated:

    When the deadline comes, AWS will update it.

    I'm not sure where you found this bit of information, which was sort of what I was asking when I asked if I need to do anything, or if AWS will update the certs for me. I couldn't find anything that said they would, as you have suggested. Do you have a link for that? This seems like the obvious route for these Lightsail services, given that to this point, SSL certs for them have been completely "invisible" to users..

  • Lightsail cannot auto-update the certificate on the database without risking breaking active client connections to the DB. This is because, as specified in the email, the client application needs to be updated with a certificate bundle that contains both old and new certificates first, and only later should the database be updated to use the new certificate. I.e. "When the deadline comes, AWS will update it.", stated previously by the community member, is incorrect.

    --

    Also, it isn't just that SSL is used when available. It also needs the connection to have strict-SSL mode or certificate verification mandated as part of the connection. So, as an example, in MySQL Workbench for your current connections, is a CERT file or a CA file specified?

    --

    Could you test, perhaps with the same/similar setup, connecting to a new database (which will be using the new certificate by default)? If this fails with SSL-related errors, that would be a good indicator that the files on your client side need updating. Another option, if you can sustain some downtime/maintenance time on your setup, is to try updating the database CA identifier to the new one and test your connections. If they fail, you can update the database back to the older CA identifier until you figure out the CA/CERT file changes needed.
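The rotation order described in the comment above (clients trust the old and new CAs first, then the database switches) and the point that only verifying modes are affected can be shown offline. This is an added example, not code from the thread or from AWS: a standard-library Go program that mints a constructed old and new CA, issues a server certificate from each, and checks which client trust bundles accept which server. The hostname and CA names are constructed placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
const dbHost = "db.example.invalid" // constructed endpoint name, not a real Lightsail host

// mint returns cert+key for cn: a self-signed CA (stand-in for an RDS CA) when parent is nil, else a server cert for host cn issued by parent.
func mint(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // leaf cert a MySQL endpoint would present
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, key.Public(), parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// trusts reports whether a client whose CA file holds bundle accepts server for dbHost:
// the check ssl-mode=VERIFY_IDENTITY enforces and ssl-mode=PREFERRED ("if available") skips.
func trusts(bundle []*x509.Certificate, server *x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, c := range bundle { pool.AddCert(c) }
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: dbHost})
	return err == nil
}

// RotationOutcome plays the thread's order (clients trust old+new CAs, then the DB switches): old-only client vs new DB, merged client vs old DB, merged client vs new DB.
func RotationOutcome() (oldClientNewDB, mergedOldDB, mergedNewDB bool) {
	oldCA, oldKey := mint("constructed old CA", nil, nil)
	newCA, newKey := mint("constructed new CA", nil, nil)
	dbOld, _ := mint(dbHost, oldCA, oldKey)
	dbNew, _ := mint(dbHost, newCA, newKey)
	merged := []*x509.Certificate{oldCA, newCA}
	return trusts([]*x509.Certificate{oldCA}, dbNew), trusts(merged, dbOld), trusts(merged, dbNew)
}

func main() { fmt.Println(RotationOutcome()) } // false true true
```

The first result is the outage the comment warns about: a client still holding only the old CA rejects a database already moved to the new CA, while a client with the merged bundle keeps working before and after the switch.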

0

I had the same email and still have questions around Lightsail DBs. I read all the docs about certificate rotation, how to update with the AWS CLI, etc., but it does not help or clarify completely with Lightsail.

Context: I have a couple of Lightsail instances and one Lightsail RDS; I'm not sure by this time if the PostgreSQL driver for my apps is using SSL or not. It looks like not, because I am not setting it in the connection options, unless it takes a default one? psql seems to be using it, as it says SSL in the \conninfo command, but I did not configure it and set no option specifically.

But there are other, more interesting questions, which are not clear in the AWS docs, nor in the email, and as some of you say, it looks more difficult to manage Lightsail RDS than standard AWS RDS, where at least you can select when to rotate from the AWS RDS console. Lightsail allows you to do nothing.

My Questions would be:

  1. What happens if someone starts a new RDS instance from a snapshot in Lightsail? Will that have the new certificates working automatically or not? You are starting a new instance, but at the same time it is not created from scratch, because you want existing data to be there.

  2. What happens with Lightsail (server) instances if you create a new one from a snapshot? Would that have the new CA updated or not?

If someone can guide here, thanks in advance!

answered 12 days ago
  • Ezequiel - Though I still think that the original email was confusing at best, I can answer your questions.

    In both cases (1) and (2), creating a new instance from a snapshot - at least, a new Lightsail MySQL instance - will create the new instance with the new CAs. In fact, I had the same question as you, and I wondered if a simpler solution - compared to manually updating the certificates - was to take a manual snapshot, and then create a new instance from that snapshot. Then, I could point my various clients at the new instance, with the fallback of the original (untouched) instance if things went sideways.

    I can confirm that the new instance (created from a snapshot with the old certificate), did get created with the new certificates, and I've since deleted my old instance after pointing all my clients at the new instance.

    Hope that helps!

  • Thanks "turbodb", that helps me a lot. Most of my instances are newly restored from snapshots this year, so they should have the certs updated, and if I have issues on August 24, I know I can just re-create them from the backup snapshots to solve it. Voted up your question!

  • The email does mention this -> "Any new Lightsail databases created after January 25, 2024 use rds-ca-rsa2048-g1 by default and do not require any action." So your databases created after this date do not need any cert updates. It applies to both from-scratch and from-snapshot databases. Also, the Affected Resources tab in the aws.health.amazon.com link at the bottom of the email will list exactly which databases, amongst all your databases, were using the old CA at the time of the email.