Amazon Web Services has an upcoming change that could impact your communication with AWS services. Please read the below communication from AWS and take appropriate actions.
If you are unsure about how or what to do in your specific case, please reach out to our support staff at support.aws.inqdo.com. We’re happy to help!
Update certificate authority
Amazon will be updating the certificate authority (CA) for the certificates used by Amazon Simple Queue Service domain(s) between March 5, 2018 and March 30, 2018. After the updates complete, the SSL/TLS certificates used by Amazon SQS will be issued by Amazon Trust Services (ATS), the same certificate authority (CA) used by AWS Certificate Manager.
The update means that if you access AWS SQS endpoints via HTTPS, whether through browsers or programmatically, you’ll need to update the trusted CA list on your client machines. That is, unless they already trust any of the following CAs:
- “Amazon Root CA 1”
- “Starfield Services Root Certificate Authority – G2”
- “Starfield Class 2 Certification Authority”
This upgrade notice covers the following endpoints:
- http://sqs.us-east-1.amazonaws.com [http://queue.amazonaws.com]
If your clients already trust at least one of the above three CAs then they will trust our certificates and no action is required. However, if you do not already trust any of the above CAs and do not add them to your trusted CA list by 05 March 2018, HTTPS connections to the Amazon SQS APIs will not be established.
For more information about this AWS update, please visit this blog post.
For information on the Amazon root CA see: amazontrust.com.
Operating Systems With ATS Support
- Microsoft Windows versions that have January 2005 or later updates installed, Windows Vista, Windows 7, Windows Server 2008, and newer versions
- Mac OS X 10.4 with Java for Mac OS X 10.4 Release 5, Mac OS X 10.5 and newer versions
- Red Hat Enterprise Linux 5 (March 2007), Linux 6, and Linux 7 and CentOS 5, CentOS 6, and CentOS 7
- Ubuntu 8.10
- Debian 5.0
- Amazon Linux (all versions)
- Java 1.4.2_12, Java 5 update 2, and all newer versions, including Java 6, Java 7, and Java 8
Updating your Client Browser
You can update the certificate bundle in your browser simply by updating your browser. Instructions for the most common browsers can be found on the browsers’ websites:
- Chrome: https://support.google.com/chrome/answer/95414?hl=en
- Firefox: https://support.mozilla.org/en-US/kb/update-firefox-latest-version
- Safari: https://support.apple.com/en-us/HT204416
- Microsoft Internet Explorer: http://windows.microsoft.com/en-us/internet-explorer/which-version-am-i-using#ie=other – Certificate bundles for Internet Explorer are managed by the Windows OS, so ensure that you update the OS as well.
Testing Your Programmatic Access To SQS
If you access Amazon SQS programmatically, you will need to write a test that performs an HTTPS GET to https://aws.amazon.com and validates that the TLS handshake succeeds.
You can test your changes against the SQS Paris region (https://sqs.eu-west-3.amazonaws.com), which has used Amazon Trust Services (ATS) since it was launched on December 18, 2017.
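One way to script this check from a client machine, as an added example that is not part of the AWS notice: it looks for the three root CAs named above in the client's default trust store and then attempts a verified TLS handshake to the two hosts mentioned in this section. The function names are hypothetical, and the matching assumes the root is identified by its subject CN or OU.

```python
import socket
import ssl

# Root CA names from the notice. The page prints an en dash in the G2 name;
# the certificate itself uses an ASCII hyphen, so dashes are normalised.
REQUIRED_ROOTS = (
    "Amazon Root CA 1",
    "Starfield Services Root Certificate Authority - G2",
    "Starfield Class 2 Certification Authority",
)

def _norm(name):
    return " ".join(name.replace("\u2013", "-").split()).lower()

def subject_names(cert):
    """CN and OU values of a cert dict as returned by SSLContext.get_ca_certs().
    OU is included because the Class 2 root has no CN in its subject."""
    return {
        _norm(value)
        for rdn in cert.get("subject", ())
        for key, value in rdn
        if key in ("commonName", "organizationalUnitName")
    }

def trusted_required_roots(ca_certs):
    """Return the required roots that appear in a list of CA cert dicts."""
    present = set().union(*(subject_names(c) for c in ca_certs))
    return [root for root in REQUIRED_ROOTS if _norm(root) in present]

def handshake_ok(host, port=443, timeout=10):
    """True if a verified TLS handshake succeeds with the default trust store.
    Only certificate failures return False; network errors are raised so a
    blocked connection is not mistaken for a missing CA."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return False

if __name__ == "__main__":
    # get_ca_certs() lists only certificates loaded from a CA file, not ones
    # read lazily from a CA directory, so an empty list is not conclusive.
    store = ssl.create_default_context().get_ca_certs()
    print("required roots in trust store:", trusted_required_roots(store))
    for host in ("sqs.eu-west-3.amazonaws.com", "aws.amazon.com"):
        print(host, "handshake ok:", handshake_ok(host))
```

Run it with the same Python interpreter and environment your application uses, since the trust store it reports on is the one that interpreter loads by default.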
Manually Updating Your Certificate Bundle
If you cannot access https://aws.amazon.com and you need to update your certificate bundle, then you can do so by importing at least one of the required CAs. They can be found here. Instructions for importing a root CA certificate into your certificate bundle will vary so please consult the documentation that came with your software.
Need support on AWS cloud?
If you need assistance or have any questions about this, please let us know and we’ll be happy to help you.