Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
RDSのSSL/TLS証明書の更新
Search
Yamamoto Kazuhisa
January 25, 2020
Technology
450
1
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
RDSのSSL/TLS証明書の更新
第28回 中国地方DB勉強会の発表内容です。
Yamamoto Kazuhisa
January 25, 2020
More Decks by Yamamoto Kazuhisa
See All by Yamamoto Kazuhisa
Railsプロジェクトキャッチアップのコツ
kazuhisa
0
120
IoTで農家を守れ! LTE-M Button Plusを利用した 箱罠動作検知システム
kazuhisa
1
5.2k
RDSのPostgreSQL9.3を がんばってバージョンアップしてみた
kazuhisa
0
1.1k
AWS Lambdaについて
kazuhisa
1
430
Other Decks in Technology
See All in Technology
AIレビューはどこまで任せられるのか?自動化と人が背負うレビューの境界
sansantech
PRO
2
260
次世代ランサムウェア対策の考察 / 20260704 Mitsutoshi Matsuo
shift_evolve
PRO
5
1.7k
ヘルスケア領域における AI 活用と その安全性担保のための取り組み (Leveraging AI in Healthcare and Our Efforts to Ensure Its Safety) - Google I/O Extended Tokyo 2026, July 11, 2026
zettaittenani
0
250
依頼文化をやめる日 EM視点で語るPlatform EngineeringとInclusive SRE / Discussing Platform Engineering and Inclusive SRE from an EM's Perspective
shin1988
4
5k
事業価値を⽣み出すSREへ SREが担うべき意思決定の5層
kenta_hi
2
3.2k
スタートアップにおけるアジャイルの実践について #shibuyagile
murabayashi
3
2.2k
はじめてのWDM
miyukichi_ospf
1
140
あなたの『Site』はどこですか? — xREという考え方
miyamu
0
1.2k
生成AI活用によるODC欠陥分析の分類高速化の実践と導入効果 / 20260703 Suguru Ishii
shift_evolve
PRO
2
120
AI駆動開発におけるQAエンジニアの役割事例 〜AI駆動開発の現場から〜
kobayashiyorimitsu
0
470
ruby.wasmとPicoRuby.wasmに対応した仮想DOMライブラリを作ってる話 #kaigieffect_kaigi
sue445
PRO
0
120
最適な自走を最小限の支援で — M&Aで拡大する組織で少人数SREが挑んだ1年 / SRE NEXT 2026
genda
0
900
Featured
See All Featured
How Fast Is Fast Enough? [PerfNow 2025]
tammyeverts
3
650
Code Reviewing Like a Champion
maltzj
528
40k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
31
2.8k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
49
3.5k
The innovator’s Mindset - Leading Through an Era of Exponential Change - McGill University 2025
jdejongh
PRO
1
220
Building a Scalable Design System with Sketch
lauravandoore
463
34k
Un-Boring Meetings
codingconduct
0
340
B2B Lead Gen: Tactics, Traps & Triumph
marketingsoph
0
170
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
52
6k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
333
23k
Testing 201, or: Great Expectations
jmmastey
46
8.2k
Have SEOs Ruined the Internet? - User Awareness of SEO in 2025
akashhashmi
0
390
Transcript
3%4ͷ44-5-4ূ໌ॻͷ ߋ৽ ୈճதࠃํ%#ษڧձJOԬࢁ ࢁຊٱ
ࣗݾհ w גࣜձࣾϦκʔϜ w ࢁຊٱ w Ϛωʔδϟʔ w ࠷ۙͷؔ৺ΞδϟΠϧ։ൃ
ࠓ͢͜ͱ w 3%4ͷ1PTUHSF42-ͷ44-5-4ূ໌ॻʹ͍ͭͯ
44-5-4ূ໌ॻ w 3%4ͷ1PTUHSF42-σϑΥϧτͰ44-ଓͰ͢ɻ w SETDB݄ʹར༻Ͱ͖ͳ͘ͳΓ·͢ɻ w ظݶ͕དྷΔͱ3%4ࣗಈతʹ࠶ىಈ͕͔͔Γ·͢ɻ w ظ·Ͱʹαʔόʔͷূ໌ॻΛೖΕସ͑ɺଓݩͷূ໌ॻ ߋ৽͢Δඞཁ͕͋Γ·͢ɻ
https://docs.aws.amazon.com/ja_jp/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate- rotation.html ͋ͨΓʹॻ͔Ε͍ͯ·͢ɻ
44-ଓ w &$ͷ"NB[PO-JOVY͔ΒQTRMίϚϯυͰ%#ʹଓ͢Δ ͱ࣍ͷΑ͏ʹදࣔ͞Ε·͢ <CPOEHBUF!JQDVSSFOU>QTRMIPHFITUBHJOHEFBECFBGBQ OPSUIFBTUSETBNB[POBXTDPN QTRM 44-DPOOFDUJPO
QSPUPDPM5-4W DJQIFS&$%)&34""&4($. 4)" CJUT DPNQSFTTJPOP⒎ 5ZQFIFMQGPSIFMQ IPHF w 44-ଓ͞Ε͍ͯΔͷͰ"84ͷΞφϯε௨Γଓݩͷ ূ໌ॻߋ৽͢Δඞཁ͕͋Γ·͢ΑͶʁ
ূ໌ॻ ೖΕͨهԱ͕ ແ͍ ɾྸʹΑΔهԱྗͷԼ ɾτϦοΩʔͳ"OTJCMFͷςΫχοΫͰઃఆ͞Εͨʁ ɾ༯ਫ਼ͷۀʁ
ٙ w ΞΫηεݩʹূ໌ॻΛೖΕͨهԱ͕ͳ͍ͷʹɺͳͥ44- ଓͰ͖Δͷ͔ʁ
૾ w &$ʹॳΊ͔Βূ໌ॻ͕ηοτ͞Ε͍ͯͨͷ͔ͳʁ w ୳ͯ͠ΈΔ͚Ͳݟ͔ͭΒͳ͍ɻ w ݕূڥͰ3%4ͷূ໌ॻΛSETDBʹߋ৽ͯ͠ΈΔɻ w ˠͳ͔ͥଓͰ͖Δɻ w
ˠҙຯ͕Θ͔Βͳ͍
"84ͷαϙʔτʹฉ͍ͯΈͨ ͓ੈʹͳΓ·͢ɻ ΫϥΠΞϯτͷSSL/TLS ূ໌ॻߋ৽ͷඞཁੑʹ͍࣭͕ͭͯ͋Γ·͢ɻ DBͷଓݩΫϥΠΞϯτEC2(AmazonLinux)ͰRDSPostgreSQLΛར༻͍ͯ͠·͢ɻ ࣍ͷΑ͏ʹpsql ίϚϯυͰDBʹଓ͢ΔͱʮSSL connectionʯͱදࣔ͞ΕΔͨΊɺݱࡏSSLଓ͍ͯ͠ΔͣͰ͢ɻ --------------------------------------------------------------------------- [bondgate@ip-10-2-0-13
~]$ psql hoge -h staging.deadbeaf.ap-northeast-1.rds.amazonaws.com psql (9.5.15) SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off) Type "help" for help. hoge=> --------------------------------------------------------------------------- https://docs.aws.amazon.com/ja_jp/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL-certificate-rotation.html ͪ͜ΒͷΞφϯε௨Γɺ20202݄5·ͰʹRDSͷূ໌ॻΛrds-ca-2015͔Βrds-ca-2019ʹมߋ͢Δඞཁ͕͋Δ͜ͱཧղͰ͖·ͨ͠ɻ ݕূ༻RDSͰূ໌ॻΛrds-ca-2019ʹมߋͨ͠ͱ͜Ζɺrds-ca-2015ͷ࣌ͱಉ͡Α͏ʹΫϥΠΞϯτ͔Βଓ͢Δ͜ͱ͕Ͱ͖·ͨ͠ɻ ࢿྉΛಡΉͱΫϥΠΞϯτͷSSL/TLS ূ໌ॻߋ৽͢Δඞཁ͕͋Δͱॻ͔Ε͍ͯΔͷͰ͕͢ɺ͜ΕෆཁͳͷͰ͠ΐ͏͔ʁ ͦΕͱɺݱࡏͷEC2ʹrds-ca-2019ʹରԠ͢Δূ໌ॻ͕͢ͰʹΠϯετʔϧ͞Ε͍ͯΔͱ͍͏͜ͱͰ͠ΐ͏͔ʁ RDS্ͷSSL/TLSূ໌ॻͱΫϥΠΞϯτͷূ໌ॻͷ͕ؔ͏·͘ཧղͰ͖͍ͯͳ͍ͷͰ͕͢ɺ͝આ໌͍͚ͨͩΕ͍Ͱ͢ɻ ΑΖ͓͘͠Ͷ͕͍͠·͢ɻ DB Πϯελϯε:
͙͢ʹฦࣄ͕ฦ͖ͬͯͨ w ཁ͢Δͱ w QTRMίϚϯυʹ͓͚Δ44-5-4ଓ࣌ͷಈ࡞ʹ͍ͭͯ TTMNPEFͱ͍͏ઃఆʹΑΓܾ·Δ w ݱࡏͷଓTTMNPEFઃఆ͞Ε͓ͯΒͣɺσϑΥϧτͷ TTMNPEFQSFGFSͱͯ͠ಈ࡞͍ͯ͠Δɻ w
TTMNPEFQSFGFSɺΫϥΠΞϯτσʔλϕʔεαʔόଆ ͕44-5-4ଓʹରԠ͍ͯ͠Δ߹ʹσʔλͷ҉߸Խ ߦ͏ͷͷɺαʔόূ໌ॻͷݕূߦΘͳ͍ಈ࡞ͱͳΔɻ
1PTUHSF42-ͷυΩϡϝϯτ https://www.postgresql.jp/document/9.5/html/libpq-ssl.html
.*5.ࢭͱʁ w தؒऀ߈ܸ w σʔλ͕ΫϥΠΞϯτɾαʔόؒͰ͞Ε͍ͯΔ࣌ ʹɺୈࡾऀ͕ͦͷσʔλΛมߋͰ͖ΕɺαʔόΛ ͏͜ͱ͕Ͱ͖ɺैͬͯͨͱ͑҉߸Խ͞Ε͍ͯͯσʔ λΛཧղ͠มߋ͢Δ͜ͱ͕Ͱ͖·͢ɻୈࡾऀͦ͜Ͱɺ͜ͷ߈ܸ Λݕग़ෆՄೳʹ͢ΔଓใͱσʔλΛݩͷαʔόʹૹΔ͜ͱ͕Ͱ͖·͢ɻ͜ΕΛߦ͏ ڞ௨ͨ͠ഔհ%/4ϙΠζχϯάͱΞυϨεͬऔΓΛؚΈɺͦΕʹैͬͯΫϥΠΞϯ
τҙਤͨ͠αʔόͰͳ͘ҟͳͬͨαʔόʹ༠ಋ͞Ε·͢ɻಉ࣌ʹɺ͜ͷ͜ͱΛ͠ ͛Δ͍͔ͭ͘ͷҟͳͬͨ߈ܸଘࡏ͠·͢ɻ44-ΫϥΠΞϯτʹର͠αʔόΛೝূ ͢Δ͜ͱͰɺ͜ͷࢭʹূ໌ॻݕূΛ༻͠·͢ɻ https://www.postgresql.jp/document/9.5/html/libpq-ssl.html
TTMNPEFͷݕূ <CPOEHBUF!JQd>1(44-.0%&WFSJGZGVMMQTRMIPHFI TUBHJOHEFBECFBGBQOPSUIFBTUSETBNB[POBXTDPN QTRMSPPUDFSUJpDBUFpMFIPNFCPOEHBUFQPTUHSFTRMSPPUDSUEPFTOPU FYJTU &JUIFSQSPWJEFUIFpMFPSDIBOHFTTMNPEFUPEJTBCMFTFSWFSDFSUJpDBUF WFSJpDBUJPO RDSͷূ໌ॻΛ2019ͷূ໌ॻʹߋ৽ɻSSL௨৴࣌ͷূ໌ॻͷ֬ೝΛڧ੍͠ ͨ߹ͷಈ͖Λݕূͨ͠ɻ 1(44-.0%&WFSJGZGVMMΛՃ͠ɺূ໌ॻͷ֬ೝΛߦͬͨɻূ໌ॻ͕ແ͍ͱࣦഊ͢
Δ͜ͱΛ֬ೝɻ
TTMNPEFͷݕূ <CPOEHBUF!JQQPTUHSFTRM>1(44-.0%&WFSJGZGVMMQTRMIPHF ITUBHJOHEFBECFBGBQOPSUIFBTUSETBNB[POBXTDPN QTRM44-FSSPSDFSUJpDBUFWFSJGZGBJMFE ূ໌ॻͷμϯϩʔυͪ͜Β͔Β https://docs.aws.amazon.com/ja_jp/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html 2015ͷূ໌ॻΛ~/.postgresql/root.crtʹઃஔͨ͠ɻ ূ໌ॻͷ֬ೝ͕ࣦഊͨ͠ɻ
TTMNPEFͷݕূ <CPOEHBUF!JQQPTUHSFTRM>1(44-.0%&WFSJGZGVMMQTRMIPHF ITUBHJOHEFBECFBGBQOPSUIFBTUSETBNB[POBXTDPN 44-DPOOFDUJPO QSPUPDPM5-4W DJQIFS&$%)&34""&4($. 4)" CJUT DPNQSFTTJPOP⒎
5ZQFIFMQGPSIFMQ IPHF ଓ͍ͯ2019ͷূ໌ॻΛಉ໊Ͱઃஔɻଓޭɻ
·ͱΊ w ূ໌ॻΛΫϥΠΞϯτʹઃஔ͍ͯ͠ͳ͍ͷͰ͋Ε3%4 ଆͷূ໌ॻͷߋ৽͚ͩͰ0,ɻ w தؒऀ߈ܸͷϦεΫΛߟ͑Δͱূ໌ॻΛઃஔͯ͠ɺূ໌ॻ ͷ֬ೝΛ༗ޮԽͨ͠΄͏͕ྑ͍ɻ w "84ͷαϙʔτͷਓɺ1PTUHSF42-ͷ࣭ʹ͑ͯ͘ Ε͍ͯ͢͝ʂ