Update AWS RDS SSL certificates #7100

Merged
merged 2 commits into from
Aug 2, 2024

arichtman-srt
Contributor

What type of PR is this?

  • Refactor

Description

Update the RDS trust with AWS's latest certificates.

How is this tested?

  • Unit tests (pytest, jest)
  • E2E Tests (Cypress)
  • Manually
  • N/A

Related Tickets & Documents

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html

Mobile & Desktop Screenshots/Recordings (if there are UI changes)

@justinclift
Member

Oh, this looks important. 😄

Amazon RDS Certificate Authority certificates rds-ca-2019 are set to expire in August, 2024.

@justinclift
Member

For that rds-combined-ca-bundle.pem file, where's it from?

I'm looking at this page, which seems to have a bunch of them:

https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html#UsingWithRDS.SSL.CertificatesAllRegions

@arichtman-srt
Contributor Author

I used https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem, happy to switch it but that seemed to cover all regions and use cases.

@justinclift
Member

Cool, yeah that looks like the right kind of thing. 😄

@justinclift
Member

Oh, you're located in Brisbane as well? 😄

@arichtman-srt
Contributor Author

Yea! Want me to come with a USB with the patch? 😂

@justinclift
Member

Heh Heh Heh. Not really what I was aiming for, but we can keep that as an option if it turns out to be needed. 😁

@justinclift justinclift enabled auto-merge (squash) August 2, 2024 01:06
@justinclift justinclift changed the title from "update rds trust" to "Update AWS RDS SSL certificates" Aug 2, 2024
Member

@justinclift justinclift left a comment

Looks good, and the .pem file is binary identical to the one at the AWS URL. Let's merge it. 😄

@justinclift justinclift merged commit 7220365 into getredash:master Aug 2, 2024
11 checks passed
@justinclift
Member

Thanks for getting this done @arichtman-srt. 😄

@justinclift
Member

Following up on this a bit more, I threw together some Python code to split a bundle of PEM certificates into individual files then output the expiry date of each one.

The previous RDS certificate bundle had 45 certificates in it, with 24 expiring this year:

Splitting bundle file 'rds-combined-ca-bundle.pem'
Wrote 45 certificate files
 * cert0.pem expires Mar  5 09:11:31 2020 GMT
 * cert1.pem expires Mar  5 22:03:06 2020 GMT
 * cert2.pem expires Mar  5 22:03:19 2020 GMT
 * cert3.pem expires Mar  5 22:03:24 2020 GMT
 * cert4.pem expires Mar  5 22:03:31 2020 GMT
 * cert5.pem expires Mar  5 22:03:35 2020 GMT
 * cert6.pem expires Mar  5 22:03:40 2020 GMT
 * cert7.pem expires Mar  5 21:54:04 2020 GMT
 * cert8.pem expires Mar  5 22:03:45 2020 GMT
 * cert9.pem expires Mar  5 22:03:50 2020 GMT
 * cert10.pem expires Mar  5 00:05:46 2020 GMT
 * cert11.pem expires Mar  5 21:29:22 2020 GMT
 * cert12.pem expires Mar  5 19:58:45 2020 GMT
 * cert13.pem expires Mar  5 00:10:11 2020 GMT
 * cert14.pem expires Mar  5 17:44:42 2020 GMT
 * cert15.pem expires Mar  5 21:39:26 2020 GMT
 * cert16.pem expires Mar  5 00:55:42 2020 GMT
 * cert17.pem expires Mar  4 22:42:27 2020 GMT
 * cert18.pem expires Mar  5 17:34:52 2020 GMT
 * cert19.pem expires Jun  1 12:00:00 2022 GMT
 * cert20.pem expires Feb 16 02:46:11 2024 GMT
 * cert21.pem expires Jun  1 12:00:00 2025 GMT
 * cert22.pem expires May  8 21:48:27 2024 GMT
 * cert23.pem expires Aug 19 17:38:26 2024 GMT
 * cert24.pem expires Aug 19 17:38:26 2024 GMT
 * cert25.pem expires Aug 21 22:29:49 2024 GMT
 * cert26.pem expires Aug 21 22:29:49 2024 GMT
 * cert27.pem expires Aug 22 17:08:50 2024 GMT
 * cert28.pem expires Aug 22 17:08:50 2024 GMT
 * cert29.pem expires Aug 22 17:08:50 2024 GMT
 * cert30.pem expires Aug 22 17:08:50 2024 GMT
 * cert31.pem expires Aug 22 17:08:50 2024 GMT
 * cert32.pem expires Aug 22 17:08:50 2024 GMT
 * cert33.pem expires Aug 22 17:08:50 2024 GMT
 * cert34.pem expires Aug 22 17:08:50 2024 GMT
 * cert35.pem expires Aug 22 17:08:50 2024 GMT
 * cert36.pem expires Aug 22 17:08:50 2024 GMT
 * cert37.pem expires Aug 22 17:08:50 2024 GMT
 * cert38.pem expires Aug 22 17:08:50 2024 GMT
 * cert39.pem expires Aug 22 17:08:50 2024 GMT
 * cert40.pem expires Aug 22 17:08:50 2024 GMT
 * cert41.pem expires Aug 22 17:08:50 2024 GMT
 * cert42.pem expires Aug 22 17:08:50 2024 GMT
 * cert43.pem expires Aug 22 17:08:50 2024 GMT
 * cert44.pem expires Aug 22 17:08:50 2024 GMT

The new RDS certificate bundle has 121 certificates in it, and seems to include both the above older (expiring) ones as well as new replacement ones.

It looks like August 19th and 22nd have the potential to be a bad day for any RDS users who haven't updated their certificates by then.
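
Added example (not part of the original thread, and not the script justinclift describes, which the page does not show): one stdlib-only way to split a PEM bundle and read each certificate's expiry by walking the DER structure to the `notAfter` field. The function names are assumptions, and the sample bundle is built from constructed, unsigned stand-in certificates rather than real RDS CA certificates.

```python
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def split_bundle(pem_text):
    """Return the DER bytes of every certificate in a PEM bundle, in order."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(pem_text)]

def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def not_after(der):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter (UTC)."""
    _, cert, _ = read_tlv(der, 0)
    _, tbs, _ = read_tlv(cert, 0)
    tag, _, pos = read_tlv(tbs, 0)
    if tag == 0xA0:  # optional [0] version was read; serialNumber comes next
        _, _, pos = read_tlv(tbs, pos)
    for _ in range(2):  # skip signature algorithm, then issuer
        _, _, pos = read_tlv(tbs, pos)
    _, validity, _ = read_tlv(tbs, pos)
    _, _, pos = read_tlv(validity, 0)  # skip notBefore
    tag, value, _ = read_tlv(validity, pos)
    # UTCTime (0x17) has a 2-digit year: RFC 5280 reads YY >= 50 as 19YY, else 20YY.
    century = "" if tag == 0x18 else ("19" if value[:2] >= b"50" else "20")
    return datetime.strptime(century + value.decode("ascii"), "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def expiry_report(pem_text, cutoff):
    """Return (index, notAfter, expires_before_cutoff) per certificate, in bundle order."""
    return [(i, end, end < cutoff) for i, end in enumerate(map(not_after, split_bundle(pem_text)))]

def _tlv(tag, body=b""):
    return bytes([tag, len(body)]) + body  # short-form lengths only (< 128 bytes)

def sample_pem(not_after_utc):
    """Constructed, unsigned stand-in certificate: real layout, empty names and key."""
    validity = _tlv(0x30, _tlv(0x17, b"190822170850Z") + _tlv(0x17, not_after_utc))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30) * 2 + validity)
    der = _tlv(0x30, tbs + _tlv(0x30) + _tlv(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()

# Constructed sample bundle; the expiry timestamps are illustrative.
SAMPLE_BUNDLE = "".join(sample_pem(t) for t in (b"200305220306Z", b"240822170850Z", b"250601120000Z"))
```

To check a real bundle, pass the contents of the `.pem` file to `expiry_report` with a cutoff such as the end of the current year; no signature or chain validation is performed, only the expiry field is read.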

@justinclift
Member

@getredash/maintainers Reckon we should create an advisory or similar on the Discussions page about the above date(s) for RDS users?

Amazon RDS is very widely used, so this is super likely to catch out anyone who hasn't updated.

harveyrendell pushed a commit to pushpay/redash that referenced this pull request Jan 8, 2025