Tuesday, December 17, 2019

AWS RDS - Update Your Amazon RDS SSL/TLS Certificates by February 5, 2020

If you got the mail from AWS about updating your client-side certificate for RDS connections (the RDS CA certificate file your client uses to verify the server), this is a very simple explanation of what you need to do. Your first concern is that your application's functionality should not be affected and everything should keep working as smoothly as it does now.

When you connect to the database, you connect either securely or non-securely. If you connect non-securely, you do not need to worry about the mail you received, as it affects only connections that are made securely. Suppose your RDS is MySQL or PostgreSQL and you connect to it from a PHP framework or from Python: check the database connection code, and if an SSL/TLS parameter is defined with a client certificate file, you are using the secure method to connect to RDS. Download the latest client-side certificate file from here or here and replace the existing one.

Another way of checking is to look at the parameter rds.force_ssl in the parameter group settings of your RDS instance. If its value is 0, insecure RDS connections can also be made; if its value is 1, no insecure connection can be made, so your code must already be using the client-side certificate file for connections to succeed.

Similarly, if force SSL is on, you cannot connect to the database on the command line without specifying the client-side certificate file.
Here is an example of connecting to a PostgreSQL RDS server on the command line:
psql -h testpg.cdhmuqifdpib.us-east-1.rds.amazonaws.com -p 5432 "dbname=testpg user=testuser sslrootcert=rds-ca-2015-root.pem sslmode=verify-full"

Secure MySQL connection on RDS (the first form is for the MySQL 5.7 and later client, which has --ssl-mode; the second is for older clients):
mysql -h myinstance.c9akciq32.rds-us-east-1.amazonaws.com --ssl-ca=[full path]rds-combined-ca-bundle.pem --ssl-mode=VERIFY_IDENTITY

mysql -h myinstance.c9akciq32.rds-us-east-1.amazonaws.com --ssl-ca=[full path]rds-combined-ca-bundle.pem --ssl-verify-server-cert
If you set rds.force_ssl and restart your instance, non-SSL connections are refused with the following message for PostgreSQL:
psql: FATAL: no pg_hba.conf entry for host "host.ip", user "someuser", database "postgres", SSL off
and a similar message will be displayed for MySQL and other RDS database types.
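Checking the connection code, as the post recommends, comes down to one question: does the client verify the server certificate against the CA file, or does it merely encrypt? The script below is an added example (not code from the original post) that classifies a libpq connection string of the kind passed to psql, and a mysql command line of the kind shown above, by whether TLS is enforced, whether the certificate chain is checked against the CA file, and whether the host name is checked. It also flags a CA file whose name is the 2015 root this notice is about. The sample inputs are constructed from the post's commands; the assumptions (no default ~/.postgresql/root.crt, and the pre-5.7 mysql flag semantics) are noted in the comments.

```python
"""Audit whether an RDS client configuration actually verifies the server certificate.

Added example, not code from the original post. The sample inputs are constructed.
"""
import os
import shlex

# libpq sslmode values, weakest to strongest (from the libpq documentation).
PG_SSLMODES = ["disable", "allow", "prefer", "require", "verify-ca", "verify-full"]


def parse_pg_dsn(dsn):
    """Parse a libpq 'key=value key=value' connection string into a dict."""
    params = {}
    for item in shlex.split(dsn):
        key, _, value = item.partition("=")
        params[key] = value
    return params


def pg_verification(dsn):
    """Return (tls_enforced, chain_verified, hostname_verified) for a libpq DSN.

    Assumption: there is no default ~/.postgresql/root.crt, so a CA file is only
    in play when sslrootcert is given explicitly.
    """
    params = parse_pg_dsn(dsn)
    mode = params.get("sslmode", "prefer")  # libpq default
    if mode not in PG_SSLMODES:
        raise ValueError("unknown sslmode %r" % mode)
    has_ca = "sslrootcert" in params
    tls_enforced = PG_SSLMODES.index(mode) >= PG_SSLMODES.index("require")
    # libpq: sslmode=require with a root CA file present behaves like verify-ca.
    chain = mode in ("verify-ca", "verify-full") or (mode == "require" and has_ca)
    hostname = mode == "verify-full"
    return tls_enforced, chain, hostname


def parse_cli_options(cmdline):
    """Collect --name[=value] options from a command line into a dict."""
    opts = {}
    for arg in shlex.split(cmdline):
        if arg.startswith("--"):
            name, _, value = arg[2:].partition("=")
            opts[name] = value
    return opts


def mysql_verification(cmdline):
    """Return (tls_enforced, chain_verified, hostname_verified) for a mysql command line.

    Handles --ssl-mode (client 5.7.11 and later) and the older
    --ssl-ca / --ssl-verify-server-cert pair shown in the post.
    """
    opts = parse_cli_options(cmdline)
    has_ca = "ssl-ca" in opts
    mode = opts.get("ssl-mode", "").upper()
    if mode:
        tls_enforced = mode in ("REQUIRED", "VERIFY_CA", "VERIFY_IDENTITY")
        chain = mode in ("VERIFY_CA", "VERIFY_IDENTITY")
        hostname = mode == "VERIFY_IDENTITY"
    else:
        # Older clients: --ssl-ca verifies the chain, --ssl-verify-server-cert adds
        # the host name check. Assumption: a CA-configured client is treated as TLS-enforcing.
        chain = has_ca
        hostname = has_ca and "ssl-verify-server-cert" in opts
        tls_enforced = has_ca
    return tls_enforced, chain, hostname


def ca_file_is_2015_root(path):
    """True when the configured CA file name is the 2015 root that the AWS notice replaces."""
    return "rds-ca-2015" in os.path.basename(path)


def findings(tls_enforced, chain, hostname, ca_file=None):
    """Turn the verification flags into audit findings (an empty list means OK)."""
    out = []
    if not tls_enforced:
        out.append("TLS is not enforced: the client may fall back to a plaintext connection")
    if not chain:
        out.append("server certificate chain is not checked against the RDS CA bundle")
    elif not hostname:
        out.append("host name is not checked: any certificate issued by the RDS CA is accepted")
    if ca_file and ca_file_is_2015_root(ca_file):
        out.append("CA file %s is the 2015 root; replace it with the latest CA file from AWS" % ca_file)
    return out


def audit_pg(dsn):
    return findings(*pg_verification(dsn), ca_file=parse_pg_dsn(dsn).get("sslrootcert"))


def audit_mysql(cmdline):
    return findings(*mysql_verification(cmdline), ca_file=parse_cli_options(cmdline).get("ssl-ca"))


if __name__ == "__main__":
    # Constructed samples based on the commands in the post (host names are placeholders).
    samples = [
        (audit_pg, "dbname=testpg user=testuser sslrootcert=rds-ca-2015-root.pem sslmode=verify-full"),
        (audit_pg, "dbname=testpg user=testuser sslmode=require"),
        (audit_mysql, "mysql -h myinstance.example.rds.amazonaws.com --ssl-ca=/etc/ssl/rds-combined-ca-bundle.pem --ssl-mode=VERIFY_IDENTITY"),
        (audit_mysql, "mysql -h myinstance.example.rds.amazonaws.com --ssl-ca=/etc/ssl/rds-combined-ca-bundle.pem --ssl-mode=REQUIRED"),
    ]
    for audit, text in samples:
        print(text, "->", audit(text) or ["OK"])
```

The point worth taking from the output: sslmode=require and --ssl-mode=REQUIRED encrypt the connection but accept any server certificate, so a stale or missing CA file goes unnoticed there; only verify-full / VERIFY_IDENTITY (or the older --ssl-ca plus --ssl-verify-server-cert) tie the connection to the RDS CA file the notice asks you to replace.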

Thursday, December 12, 2019

Add Swap Space in AWS EC2 Centos or Linux AMI

Here are the steps to create swap space on an AWS EC2 CentOS or Linux AMI:

1. Create an EBS volume (SSD, gp2) of the size you want for your swap space. Suppose it is 4G.
2. Attach the volume to your instance. Suppose the attached device is /dev/xvdf.
3. Now run
sudo mkswap /dev/xvdf

4. sudo swapon /dev/xvdf
5. Edit /etc/fstab and add the following line:
/dev/xvdf none swap sw 0 0
6. Now you can verify the added swap space:
sudo swapon --show
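The six steps above, as an added example script that is not part of the original post. It adds the two checks a practitioner wants before running mkswap on an attached volume: it refuses a device that already carries a filesystem or swap signature (so the wrong EBS volume is not wiped), and it only appends the /etc/fstab line if no swap entry for that device exists yet, so the script can be re-run safely. It assumes the post's device name /dev/xvdf as the default and that it is run as root; the FSTAB variable exists so the fstab logic can be tested against a constructed file.

```sh
#!/bin/sh
# Added example (not from the original post): idempotent version of the six steps above.
# Assumes the EBS volume is attached as /dev/xvdf (the post's example) and runs as root.
set -eu

FSTAB="${FSTAB:-/etc/fstab}"

# The /etc/fstab line from step 5, for a given device.
swap_fstab_line() {
    printf '%s none swap sw 0 0\n' "$1"
}

# Exit 0 when the fstab file ($2) already has a swap entry for the device ($1),
# so re-running the script does not add a duplicate line.
fstab_has_swap_entry() {
    awk -v dev="$1" '$1 == dev && $3 == "swap" { found = 1 } END { exit found ? 0 : 1 }' "$2"
}

# Exit 0 when blkid finds no filesystem or swap signature on the device.
# Guards against running mkswap on a volume that is actually holding data.
device_is_blank() {
    ! blkid "$1" >/dev/null 2>&1
}

setup_swap() {
    dev="$1"
    if [ ! -b "$dev" ]; then
        echo "$dev is not a block device; check lsblk for the attached volume's name" >&2
        return 1
    fi
    if ! device_is_blank "$dev"; then
        echo "refusing to format $dev, it already has a signature: $(blkid "$dev")" >&2
        return 1
    fi
    mkswap "$dev"                               # step 3
    swapon "$dev"                               # step 4
    if ! fstab_has_swap_entry "$dev" "$FSTAB"; then
        swap_fstab_line "$dev" >> "$FSTAB"      # step 5, only once
    fi
    swapon --show                               # step 6
}

# Acts only when a device is passed on the command line, e.g.:  sudo sh add-swap.sh /dev/xvdf
if [ "$#" -ge 1 ]; then
    setup_swap "$1"
fi
```

Run it as `sudo sh add-swap.sh /dev/xvdf`; on newer (Nitro) instance types the attached volume shows up with an NVMe name instead, which is why the script checks the device with lsblk-style reasoning rather than assuming /dev/xvdf exists.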

Postfix : postdrop warning unable to look up public/pickup

Your Postfix is running successfully but it is not sending any mail. If you get the above warning in the log, here is the solution for you.

sudo mkfifo /var/spool/postfix/public/pickup
sudo service postfix restart

After running both commands, your issue should be fixed and mail should be sent successfully.
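A small check for the failure mode described above, added here as an example that is not part of the original post: the public/pickup FIFO is one of two FIFOs (pickup and qmgr) that Postfix expects under its queue directory, and if either is missing or has been replaced by a regular file, mail submitted with sendmail/postdrop silently stops flowing. The script lists the missing ones and recreates them the way the post does. It assumes the default queue directory /var/spool/postfix (overridable through SPOOL so it can be tested against a temporary directory) and that a restart follows the repair, as in the post.

```sh
#!/bin/sh
# Added example (not from the original post): detect and recreate missing Postfix public FIFOs.
# Assumes the default queue directory; override SPOOL to point elsewhere.
set -eu

SPOOL="${SPOOL:-/var/spool/postfix}"

# Print each expected FIFO under $1/public that is missing or is not a FIFO.
# Exits 0 when both are present, 1 otherwise.
missing_public_fifos() {
    dir="$1"
    missing=0
    for name in pickup qmgr; do
        if [ ! -p "$dir/public/$name" ]; then
            echo "$dir/public/$name"
            missing=1
        fi
    done
    return $missing
}

# Recreate whatever missing_public_fifos reports, as the post does with mkfifo.
repair_public_fifos() {
    dir="$1"
    for path in $(missing_public_fifos "$dir" || true); do
        mkfifo "$path"
    done
}

# Acts only when invoked with --repair, e.g.:  sudo sh postfix-fifos.sh --repair
if [ "${1:-}" = "--repair" ]; then
    repair_public_fifos "$SPOOL"
    service postfix restart
fi
```

Running it without arguments defines the functions only, so `missing_public_fifos /var/spool/postfix` can be used as a read-only health check from cron or a monitoring agent, with the exit status saying whether both FIFOs are in place.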