Fixing SSL Certificate Issues During AWS RDS Minor Upgrade

Performing a minor upgrade on an AWS RDS PostgreSQL instance is typically a smooth process that doesn’t disrupt production environments. However, during one such upgrade from PostgreSQL 14.12 to 14.17, I encountered an unexpected issue that caused SSL connection failures. Specifically, the database threw an error stating that the SSL certificate was not found.

SSL certificates are critical for encrypting communication between PostgreSQL databases and applications, ensuring sensitive data is transmitted securely. When SSL certificates are either misconfigured or expired, it can lead to serious disruptions.

In this post, I will walk you through the entire process I followed during the upgrade and how I resolved the SSL issue, including the steps to properly handle SSL certificates during minor upgrades.

Why Perform a Minor Upgrade?

AWS RDS minor upgrades allow you to upgrade an RDS instance to a newer version within the same major version of PostgreSQL (in this case, from 14.12 to 14.17). This type of upgrade offers several important benefits:

  • Bug fixes: Minor releases fix various bugs that could affect database performance or functionality.
  • Performance improvements: These upgrades often include optimizations that improve the database’s efficiency.
  • Security patches: Minor upgrades typically address security vulnerabilities, such as CVE-2025-1094, that could otherwise put your system at risk.

In our case, we were upgrading from 14.12 to 14.17, and there was an issue with the SSL certificate that led to the upgrade process failing.

SSL Certificate Issue: Expired Certificates

Our environment was using the rds-ca-2019 SSL certificate, which expired in August 2024. This expired certificate had not been updated in the production environment, which caused disruptions during the upgrade process.

In the middle of the minor upgrade, we encountered the following error:

This error stopped the process, as the RDS instance could not complete the upgrade due to the expired SSL certificate.

The Upgrading Process (Standard Approach)

Typically, the AWS RDS minor upgrade process follows these steps:

  1. Stop application traffic: Temporarily disable traffic to ensure no database writes occur during the upgrade.
  2. Take a snapshot: Create a backup of the current database instance to avoid data loss in case something goes wrong during the upgrade.
  3. Modify the RDS instance:
    • Go to the AWS RDS dashboard, select your instance, and click the Modify button.
    • Choose the latest minor version (e.g., 14.17) and review any other configurations that need modification.
  4. Apply changes immediately: Select Apply Immediately to begin the upgrade process.
  5. Verify the upgrade: Once the upgrade is complete, do a sanity check from the application side and also a high-level data validation to ensure the upgrade was successful.
  6. Restart application traffic: After verifying the upgrade, restart your application to allow normal operations.

Normally, this process would go smoothly. However, in our case, because the SSL certificate was expired, we ran into an issue that prevented the upgrade from completing successfully.

Handling SSL Certificate Issues During the Upgrade

When an expired or misconfigured SSL certificate is preventing the minor upgrade from completing, you need to address the SSL certificate issue first before proceeding with the upgrade. Here’s how I solved the problem:

Step 1: Modify the SSL Certificate

Before attempting the minor upgrade, I changed the SSL certificate from rds-ca-2019 (the expired certificate) to rds-ca-rsa2048-g1, which is the updated and valid certificate.

  • Navigate to the AWS RDS dashboard for your instance.
  • Select Modify for your instance.
  • Under the Certificate Authority section, update the certificate from rds-ca-2019 to rds-ca-rsa2048-g1.
  • Apply the changes immediately without modifying the version of PostgreSQL (keep it at 14.12 for now).
  • Wait for the changes to be applied. This step should resolve the SSL certificate issue.

Step 2: Verify the SSL Certificate Update

After applying the certificate change:

  • Go back to the RDS dashboard and check the certificate under the Configuration section to ensure that the SSL certificate is correctly updated to rds-ca-rsa2048-g1.
  • Confirm that the change is reflected, and there are no more SSL-related errors in the logs.

Step 3: Proceed with the Minor Upgrade

Once the SSL certificate is updated and there are no errors, you can proceed with the original upgrade from 14.12 to 14.17:

  1. Go back to the Modify section of your instance in the AWS RDS dashboard.
  2. Now, select the minor version upgrade to 14.17 and apply the changes.
  3. Choose Apply Immediately and allow the upgrade process to complete.

Step 4: Validate the Upgrade

Once the minor upgrade completes:

  • Verify the upgrade status on the RDS dashboard.
  • Test your applications to ensure that SSL connections are functioning correctly and the database is accessible.
  • Check for any remaining SSL errors or issues related to the upgrade.
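
The same four steps can be scripted with the AWS CLI. The sketch below is an added example, not part of the original write-up: it changes only the certificate authority, confirms the instance reports it, and requests 14.17 only after that check passes. The instance name example-pg14, the polling settings and the function names are assumptions; the CA identifier and version are the ones used in this post.

```bash
# Added example (not from the original post): Steps 1-4 with the AWS CLI.
# DB_ID is a hypothetical instance name; NEW_CA and TARGET are the post's values.
DB_ID="${DB_ID:-example-pg14}"
NEW_CA="${NEW_CA:-rds-ca-rsa2048-g1}"
TARGET="${TARGET:-14.17}"
POLL_SECONDS="${POLL_SECONDS:-30}"; MAX_POLLS="${MAX_POLLS:-60}"

# Print one field of the instance description (JMESPath query, text output).
db_field() {
  aws rds describe-db-instances --db-instance-identifier "$DB_ID" \
    --query "DBInstances[0].$1" --output text
}

# Poll until field $1 equals $2 and the instance status is "available" again.
wait_for() {
  polls=0
  while [ "$polls" -lt "$MAX_POLLS" ]; do
    if [ "$(db_field "$1")" = "$2" ] &&
       [ "$(db_field DBInstanceStatus)" = "available" ]; then
      return 0
    fi
    sleep "$POLL_SECONDS"; polls=$((polls + 1))
  done
  return 1
}

# Steps 1-2: change only the CA (engine version untouched), then confirm it.
rotate_ca() {
  if [ "$(db_field CACertificateIdentifier)" = "$NEW_CA" ]; then return 0; fi
  aws rds modify-db-instance --db-instance-identifier "$DB_ID" \
    --ca-certificate-identifier "$NEW_CA" --apply-immediately >/dev/null || return 1
  wait_for CACertificateIdentifier "$NEW_CA"
}

# Steps 3-4: request the minor version, then confirm the engine reports it.
minor_upgrade() {
  aws rds modify-db-instance --db-instance-identifier "$DB_ID" \
    --engine-version "$TARGET" --apply-immediately >/dev/null || return 1
  wait_for EngineVersion "$TARGET"
}

# The upgrade is attempted only once the new CA is confirmed on the instance.
rotate_then_upgrade() {
  rotate_ca || { echo "CA is not $NEW_CA; skipping upgrade" >&2; return 1; }
  minor_upgrade || { echo "engine version is not $TARGET" >&2; return 1; }
}

# Does nothing unless invoked with the argument "run".
if [ "${1:-}" = "run" ]; then rotate_then_upgrade; fi
```

Run it with the argument run after the snapshot has been taken. Clients that verify the server certificate need a trust bundle containing the new CA before the rotation.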

Conclusion

In summary, while performing a minor upgrade of your AWS RDS PostgreSQL instance, you might run into issues related to expired SSL certificates, which can prevent the upgrade from completing. The key to resolving this issue is:

  1. Updating the SSL certificate before starting the upgrade.
  2. Verifying that the correct SSL certificate is in place (e.g., rds-ca-rsa2048-g1).
  3. Proceeding with the upgrade only once the SSL issue is resolved.

By following these steps, you can ensure that your minor upgrade goes smoothly, avoiding SSL connection errors and keeping your PostgreSQL instance secure and up-to-date.
