Alert runbooks Alert runbooks alerts-rds-exporterRDSCACertificateCloseToExpiration

RDSCACertificateCloseToExpiration

Runbook: RDSCACertificateCloseToExpiration Alert

Alert Details

Alert Name: RDSCACertificateCloseToExpiration
Expression: (rds_certificate_expiry_timestamp_seconds{dbidentifier!~".*copy.*", %(clusterSelector)s} - time() ) / 3600 / 24 < 15

Description

Alert is triggered when an RDS instance is detected using a CA certificate which is going to expire in less than 15 days.

Possible Causes

cert expired

Troubleshooting Steps

1. Identify the instance(s) concerned

from alert message
using the following AWS CLI command aws rds describe-db-instances | jq ' [ .DBInstances[] | { db_instance_identifier: .DBInstanceIdentifier, ca_certificate_identifier: .CACertificateIdentifier, ca_certificate_valid_until: .CertificateDetails.ValidTill } | (now + 1296000) as $date | select ( (.ca_certificate_valid_until | split("+")[0] + "Z" | fromdate) < $date ) ]'

2. Renew your certificate for the instances retrieved above by running

aws rds modify-db-instance \ --db-instance-identifier <your_db_instance> \ --ca-certificate-identifier <your_new_certificate>

Use the –apply-immediately flag if you wish to change the certificate immediately, otherwise it will apply during your next scheduled maintenance window.

Tips

We recommend using the rds-ca-rsa2048-g1 certificate authority which:

Has the same properties as rds-ca-2019 (2048 private key, SHA256 signing alg.) so no risk of incompatibility
Is valid until 2061
Change can be done without restarting the instances