Got a mail saying: Action Required for Azure Database for PostgreSQL – Flexible Server to update your trusted root store, if you are doing certificate pinning

Saurav 20

I just got this in the mail, our applications are asp .net core microservices, we just connect using the basic configurations in appsettings.json.

What impact does this update will have in our current setup ?

Server=hostname.postgres.database.azure.com;Port=5432;Database=our_db;User Id=our_user;Password=our_password;

1 answer

ShaktiSingh-MSFT 13,426 Reputation points Microsoft Employee

2024-04-16T05:48:44.1366667+00:00

Hi Saurav •,

Welcome to Microsoft Q&A forum.

As I understand, you want to know about the certificate email received for Azure Database for PostgreSQL Flexible Server.

For .NET (Npgsql) users on Windows, connecting to Azure Database for PostgreSQL - Flexible Servers deployed in Azure Government cloud regions (US Gov Virginia, US Gov Texas, US Gov Arizona) make sure both Microsoft RSA Root Certificate Authority 2017 and DigiCert Global Root G2 both exist in Windows Certificate Store, Trusted Root Certification Authorities. If any certificates don't exist, import the missing certificate.

For .NET (Npgsql) users on Windows, connecting to Azure Database for PostgreSQL - Flexible Servers deployed in Azure public regions worldwide make sure both Microsoft RSA Root Certificate Authority 2017 and DigiCert Global Root CA both exist in Windows Certificate Store, Trusted Root Certification Authorities. If any certificates don't exist, import the missing certificate.

Here is the complete MS documentation for the same:

https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/how-to-update-client-certificates-java

Hope this helps. Let us know if you have more queries.

Thanks
Please sign in to rate this answer.
Saurav 20 Reputation points

2024-04-16T06:03:35.36+00:00

Hi @ShaktiSingh-MSFT ,

Thanks for your response but this does not answer my question,

Here is the full mail that I received:

Action Required for Azure Database for PostgreSQL – Flexible Server to update your trusted root store, if you are doing certificate pinning

You're receiving this notice because you use Azure Database for PostgreSQL – Flexible Server

In May 2024, we’ll begin updating Azure Database for PostgreSQL Flexible Server to use TLS certificates from Microsoft RSA Root Certificate Authority 2017. If your apps use certificate pinning, you’ll need to update your trusted root store to accept this root CA in addition to existing DigiCert Global Root CA.

If your applications take advantage of verify-ca or verify-full as value of sslmode parameter in the database client connectivity they may be affected by this change and need to follow below directions to add new certificates to certificate store to maintain connectivity.

If your connection string includes sslmode=disable, sslmode=allow, sslmode=prefer, or sslmode=require, you don’t need to update certificates. If you’re using a client that abstracts the connection string away, review the client's documentation to understand whether it verifies certificates. To understand PostgreSQL sslmode, review the SSL mode descriptions in PostgreSQL documentation.

Required action

Please download Microsoft RSA Root Certificate Authority 2017 and DigiCert Global Root CA certificates from the following URI. Generate a combined CA certificate store with both DigiCert Global Root CA and Microsoft RSA Root Certificate Authority 2017 certificates are included. For Java (PostgreSQL JDBC) users using DefaultJavaSSLFactory, please use the following certificate:

keytool -importcert -alias PostgreSQLServerCACert -DigiCertGlobalRootCA.crt.pem -keystore truststore -storepass password -noprompt

keytool -importcert -alias PostgreSQLServerCACert2 -file D:\ Microsoft ECC Root Certificate Authority 2017.crt.pem -keystore truststore -storepass password -noprompt

Then replace the original keystore file with the new generated one:

System.setProperty("javax.net.ssl.trustStore","path_to_truststore_file");

System.setProperty("javax.net.ssl.trustStorePassword","password");

For .NET (Npgsql) users on Windows, make sure DigiCert Global Root CA and Microsoft RSA Root Certificate Authority 2017 both exist in Windows Certificate Store Trusted Root Certification Authorities. For .NET (Npgsql) users on Linux using SSL_CERT_DIR, make sure DigiCert Global Root CA and Microsoft RSA Root Certificate Authority 2017 both exist in the directory indicated by SSL_CERT_DIR. If any certificates don't exist, please create the missing certificate file. For other PostgreSQL client users, you can merge two CA certificate files like the following format:

-----BEGIN CERTIFICATE-----

(Root CA1: DigiCertGlobalRootCA.crt.pem)

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

(Root CA2: Microsoft ECC Root Certificate Authority 2017.crt.pem)

-----END CERTIFICATE-----

Replace the original root CA pem file with the combined root CA file and restart your application/client.

If you’re using SSL/TLS, you don't need to restart the database server to start using the new root CA certificate. This is a client-side change, and the incoming client connections need to use the new certificate to ensure that they can connect to the database server. If you aren’t using SSL/TLS, you don’t need to update the root CA certificate and no further action is required.

What is the impact if using App Service with Azure Database for PostgreSQL Flexible Server?

For Azure app services, connecting to Azure Database for PostgreSQL, we can have two possible scenarios and it depends on how on you’re using SSL with your application.

This new certificate has been added to App Service at platform level. If you’re using the SSL certificates included on App Service platform in your application, no action is needed.

If you’re explicitly including the path to SSL cert file in your code, you would then need to download the new cert and update the code to use the new cert. A good example of this scenario is when you use custom containers in App Service as shared in the App Service documentation.

What is the impact if using Azure Kubernetes Services (AKS) with Azure Database for PostgreSQL?

If you’re trying to connect to the Azure Database for PostgreSQL using Azure Kubernetes Services (AKS), access from a dedicated customers host environment. Refer to the steps here.

If I am using read replicas, do I need to perform this update only on the primary server, or the read replicas?

Since this update is a client-side change, if the client used to read data from the replica server, you need to apply the changes for those clients as well.

How can I check the certificate that is sent by the server?

There are many tools you can use. For example, DigiCert has a handy tool that shows you the certificate chain of any server name. This tool works with a publicly accessible server; it can’t connect to a server that is contained in a virtual network. Another tool you can use is OpenSSL in the command line. You can use this syntax to check certificates: openssl s_client -starttls postgres -showcerts -connect <your-postgresql-server-name>:5432__You're receiving this notice because you use Azure Database for PostgreSQL – Flexible Server__

In May 2024, we’ll begin updating Azure Database for PostgreSQL Flexible Server to use TLS certificates from Microsoft RSA Root Certificate Authority 2017. If your apps use certificate pinning, you’ll need to update your trusted root store to accept this root CA in addition to existing DigiCert Global Root CA.

If your applications take advantage of verify-ca or verify-full as value of sslmode parameter in the database client connectivity they may be affected by this change and need to follow below directions to add new certificates to certificate store to maintain connectivity.

If your connection string includes sslmode=disable, sslmode=allow, sslmode=prefer, or sslmode=require, you don’t need to update certificates. If you’re using a client that abstracts the connection string away, review the client's documentation to understand whether it verifies certificates. To understand PostgreSQL sslmode, review the SSL mode descriptions in PostgreSQL documentation.

Required action

Please download Microsoft RSA Root Certificate Authority 2017 and DigiCert Global Root CA certificates from the following URI. Generate a combined CA certificate store with both DigiCert Global Root CA and Microsoft RSA Root Certificate Authority 2017 certificates are included. For Java (PostgreSQL JDBC) users using DefaultJavaSSLFactory, please use the following certificate:

keytool -importcert -alias PostgreSQLServerCACert -DigiCertGlobalRootCA.crt.pem -keystore truststore -storepass password -noprompt

keytool -importcert -alias PostgreSQLServerCACert2 -file D:\ Microsoft ECC Root Certificate Authority 2017.crt.pem -keystore truststore -storepass password -noprompt

Then replace the original keystore file with the new generated one:

System.setProperty("javax.net.ssl.trustStore","path_to_truststore_file");

System.setProperty("javax.net.ssl.trustStorePassword","password");

For .NET (Npgsql) users on Windows, make sure DigiCert Global Root CA and Microsoft RSA Root Certificate Authority 2017 both exist in Windows Certificate Store Trusted Root Certification Authorities. For .NET (Npgsql) users on Linux using SSL_CERT_DIR, make sure DigiCert Global Root CA and Microsoft RSA Root Certificate Authority 2017 both exist in the directory indicated by SSL_CERT_DIR. If any certificates don't exist, please create the missing certificate file. For other PostgreSQL client users, you can merge two CA certificate files like the following format:

-----BEGIN CERTIFICATE-----

(Root CA1: DigiCertGlobalRootCA.crt.pem)

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

(Root CA2: Microsoft ECC Root Certificate Authority 2017.crt.pem)

-----END CERTIFICATE-----

Replace the original root CA pem file with the combined root CA file and restart your application/client.

If you’re using SSL/TLS, you don't need to restart the database server to start using the new root CA certificate. This is a client-side change, and the incoming client connections need to use the new certificate to ensure that they can connect to the database server. If you aren’t using SSL/TLS, you don’t need to update the root CA certificate and no further action is required.

What is the impact if using App Service with Azure Database for PostgreSQL Flexible Server?

For Azure app services, connecting to Azure Database for PostgreSQL, we can have two possible scenarios and it depends on how on you’re using SSL with your application.

This new certificate has been added to App Service at platform level. If you’re using the SSL certificates included on App Service platform in your application, no action is needed.

If you’re explicitly including the path to SSL cert file in your code, you would then need to download the new cert and update the code to use the new cert. A good example of this scenario is when you use custom containers in App Service as shared in the App Service documentation.

What is the impact if using Azure Kubernetes Services (AKS) with Azure Database for PostgreSQL?

If you’re trying to connect to the Azure Database for PostgreSQL using Azure Kubernetes Services (AKS), access from a dedicated customers host environment. Refer to the steps here.

If I am using read replicas, do I need to perform this update only on the primary server, or the read replicas?

Since this update is a client-side change, if the client used to read data from the replica server, you need to apply the changes for those clients as well.

How can I check the certificate that is sent by the server?

There are many tools you can use. For example, DigiCert has a handy tool that shows you the certificate chain of any server name. This tool works with a publicly accessible server; it can’t connect to a server that is contained in a virtual network. Another tool you can use is OpenSSL in the command line. You can use this syntax to check certificates: openssl s_client -starttls postgres -showcerts -connect <your-postgresql-server-name>:5432

I don't think we are using certificate pinning to connect to our azure postgres flexible server. We are using the following in appsettings.json :

"ConnectionStrings": { "DefaultConnection": "Server=my_db_server.postgres.database.azure.com;Port=5432;Database=my_db;User Id=my_user;Password=my_password", }

We do not use any certificate authentication to connect to our postgres server.

So my question is:

Does this update on certs affect me in any way and if yes what should I do ?

ShaktiSingh-MSFT 13,426 Reputation points Microsoft Employee

2024-04-16T06:08:08.1266667+00:00

Hi Saurav •,

Kindly read the standard MS documentation shared in the above answer for the steps to follow.

In case you do not get the steps, I would recommend you to please file a support ticket for further understanding of your case and solution.

Thanks
Sign in to comment