Does a Meteor App use "Trust Stores"?

My Meteor app is hosted on Galaxy. It uses a PostGres database on AWS.

I got this from AWS today:

To protect your communications with your database instances, a Certificate Authority (CA) generates time-bound certificates that are checked by your database client software to authenticate any database instance before exchanging information. Following industry best practices, AWS renews the CA and creates new certificates on a routine basis to ensure customer connections are properly protected for years to come. The current CA in US-EAST-1 will expire on August 22, 2024. Before this date you will need to update your DB server certificate. The general process to do this is:

First, update your application clients with the new certificate, if your application client is using trust stores then add the new CA certificates into the trust stores of your client applications. RDS provides download links to the CA certificates here [2]. For more detailed instructions on updating the trust stores on your client application see [3].

[2] Using SSL/TLS to encrypt a connection to a DB instance - Amazon Relational Database Service
[3] Rotating your SSL/TLS certificate - Amazon Relational Database Service

I searched this forum for the term “trust stores” and nothing came up. Does a Meteor app use “trust stores”?

The ‘trust store’ in this case is the list of Certificate Authority’s root certificates which come pre-loaded into whichever linux distribution the Galaxy host is using. When your app backend (hosted on Galaxy) tries to connect to your AWS database, it will validate the database SSL certificate against the root CA certificates.

I received the same Amazon email as you, and went through the process of upgrading the certificates on some AWS Postgres databases I use for a (non Meteor) app. In my case the server host was running on AWS with Ubuntu 18.04.5 and I upgraded the RDS certificates to ‘rds-ca-rsa2048-g1’ and had no issues.

Do you have a test environment or can you spin up a test environment? I upgraded the cert on my test database first and confirmed that my test app could still access the database, (even tested after a reboot just in case the SSL was cached). After that went OK, I did the same for the production app with no reboot and zero downtime. Changing the certificate on the database via AWS RDS only takes a few clicks and a few minutes and doesn’t require any down time.

1 Like

Thanks for this info. So it sounds like I don’t have to change anything on my Galaxy settings or in my app’s settings.json file – I just have to update the certificate via the AWS Console. Is that correct?

You are most probably correct, however there is a small chance that whichever linux version Galaxy is using might not include the CA root certificate for whichever new SSL certificate you select in AWS.

If thats the case, your app will suddenly stop being able to communicate with your database (maybe on next restart/reboot? I’m not sure - I’m not actually an expert on this), which would be Not Good.

That’s why I highly recommend trying it first on a test environment using the same Galaxy setup…

1 Like