The recommended certificate didn't work on Azure Database for PostgreSQL Single Server in the China East 2 region

Xiaoyun Liao 40 Reputation points
2024-04-18T15:24:54.75+00:00

Hi,

I have a question about the Azure Database for PostgreSQL - Single Server (located in China East 2).

We recently noticed that there is a warning message in the Azure portal, which is "As a part of routine certificate rotation, the root certificate for the client applications/drivers enabled with SSL has changed. This change could impact your application connectivity to Azure Database for PostgreSQL Single Server if your application uses SSL/TLS and you have not applied the changes recommended in how to maintain connectivity, To mitigate the issue, please apply the recommendations detailed in this article https://learn.microsoft.com/azure/postgresql/single-server/concepts-certificate-rotation?WT.mc_id=Portal-SqlAzureExtension#what-do-i-need-to-do-to-maintain-connectivity".

I followed the instructions in the article and updated the root certificate in my service, but the service cannot connect to the database with the new certificate, while the old one is working well. The error I got is “failed to write startup message (tls: failed to verify certificate: x509: certificate signed by unknown authority)”.

The current root certificate is "DigiCert Global Root CA" and the new one combines "Baltimore CyberTrust Root" and "DigiCert Global Root G2".

However, I did the same update for my other databases of the same type in other regions (USE2, WUE), and it works well with the new certificate. Could you please help me check whether there is any issue with the new certificate in the China region?

Here is the information of the database server:

{
    "sku": {
        "name": "GP_Gen5_16",
        "tier": "GeneralPurpose",
        "family": "Gen5",
        "capacity": 16
    },
    "properties": {
        "administratorLogin": "dbaadmin",
        "storageProfile": {
            "storageMB": 517120,
            "backupRetentionDays": 7,
            "geoRedundantBackup": "Disabled",
            "storageAutogrow": "Enabled"
        },
        "version": "11",
        "sslEnforcement": "Enabled",
        "minimalTlsVersion": "TLS1_2",
        "userVisibleState": "Ready",
        "fullyQualifiedDomainName": "xxxxxxxx.postgres.database.chinacloudapi.cn",
        "earliestRestoreDate": "2024-04-11T14:54:24.6910027+00:00",
        "replicationRole": "None",
        "masterServerId": "",
        "replicaCapacity": 5,
        "byokEnforcement": "Disabled",
        "privateEndpointConnections": [],
        "infrastructureEncryption": "Disabled",
        "publicNetworkAccess": "Disabled"
    },
    "type": "Microsoft.DBforPostgreSQL/servers"
}

Azure Database for PostgreSQL
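
Added example, not part of the original question and not Microsoft's code: the error text quoted above matches Go's `x509.UnknownAuthorityError`, which certificate verification returns when the presented chain does not end at any root in the client's bundle. The program below reproduces that with constructed in-memory certificates. The root names, `db.example.test`, and the scenario of an endpoint still anchored at the old root are assumptions for illustration, not a finding about the server in the question.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue makes a constructed test certificate; a nil parent yields a self-signed root.
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		tpl.IsCA, tpl.BasicConstraintsValid, tpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// check verifies leaf against a client trust bundle; unknownCA marks the failure quoted in the question.
func check(leaf *x509.Certificate, bundle ...*x509.Certificate) (unknownCA bool, err error) {
	pool := x509.NewCertPool()
	for _, root := range bundle {
		pool.AddCert(root)
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool})
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua), err
}

func main() {
	oldRoot, oldKey := issue("constructed old root", nil, nil)
	newA, _ := issue("constructed new root A", nil, nil)
	newB, _ := issue("constructed new root B", nil, nil)
	leaf, _ := issue("db.example.test", oldRoot, oldKey) // assumed: endpoint still chains to the old root
	fmt.Println(check(leaf, newA, newB))                 // bundle holding only the new roots
	fmt.Println(check(leaf, oldRoot, newA, newB))        // bundle keeping the old root beside the new ones
}
```

Against a real endpoint, the same `check` call can be given the certificates parsed from the bundle file to see which root, if any, anchors the chain the server presents.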