Strange WHM Backup and Amazon Trust Services question
Hi there,
I'm posting this question because neither Google nor our host (HostGator) seem to know the answer and I can't find it anywhere on cpanel.net.
Hello,
In 2018, AWS announced a broad migration of AWS services' SSL/TLS certificates to our own Certificate Authority, Amazon Trust Services. Consistent with this change, and beginning March 2021, Amazon S3 and Amazon CloudFront will begin migrating the Certificate Authority for each service's default certificate. Using our own Certificate Authority, AWS services can better manage the security practices used to handle our default certificates.
Your action may be required to ensure your applications continue normal operation after this change. If you already use other AWS services, your application most likely already trusts Amazon Trust Services as many AWS services have already migrated. Visit
If you have additional questions, or require additional assistance, please open a case in the AWS Support Center:
Frequently Asked Questions
Q1: What is changing?
The certificate authority for Amazon S3 and Amazon CloudFront's default certificates is changing from DigiCert to Amazon Trust Services. For S3, many regions already use Amazon Trust Services including all regional endpoints for the eu-west-3, eu-north-1, me-south-1, ap-northeast-3, ap-east-1, and us-gov-east-1 regions. S3 will be migrating the remaining AWS regions to Amazon Trust Services as well. For CloudFront, all edge locations will be migrating to Amazon Trust Services.
This change does not impact workloads that use HTTP only or use a custom SSL/TLS certificate.
Q2: When are these changes occurring?
The changes in Certificate Authority will begin rolling out on March 1, 2021.
Q3: What do I need to do?
Evaluate whether your applications trust Amazon Trust Services' root certificates. If your application does not trust Amazon Trust Services, perform one of the following two actions. Resolution option 1, update your client certificate trust store to include all of Amazon Trust Services' root certificates. Resolution option 2, change the domain name your application requests to a CloudFront Alternative Domain Name (CNAME) that uses an SSL/TLS certificate from an already trusted Certificate Authority.
Q4: How do I test if my application trusts Amazon Trust Services?
Verify your application works with Amazon Trust Services issued certificates, by performing one of the following tests from within your application. Test option 1, fetch the object for the current list.
Q6: What happens after March 1, 2021 if my clients do not trust Amazon Trust Services' Certificate Authorities?
All client requests made to a default Amazon S3 or Amazon CloudFront endpoint will receive a default certificate issued from Amazon Trust Services. If the client trust store does not trust the Certificate Authority, it may close the connection and report the SSL certificate as "untrusted."
Sincerely,
Amazon Web Services
Amazon Web Services, Inc. is a subsidiary of Amazon.com, Inc. Amazon.com is a registered trademark of Amazon.com, Inc. This message was produced and distributed by Amazon Web Services Inc., 410 Terry Ave. North, Seattle, WA 98109-5210
What I can't figure out is what, if anything, I need to do with it. We use WHM backup to backup our sites to Amazon S3, and I would think that cPanel would update WHM to handle this and send the updates to our VPS accordingly, but I just want to make sure. We're running cPanel/WHM 86.0.16, if that helps. Thanks in advance.
-
I don't think so, the changes don't come into effect until a year from now either. We support S3 backups and their CA is recognized. A curl request from my cPanel server to amazon's server comes back with a 200 response as well:

% curl -vvI https://s3-ats-migration-test.s3.eu-west-3.amazonaws.com/test.jpg
* Trying 52.95.154.36...
* TCP_NODELAY set
* Connected to s3-ats-migration-test.s3.eu-west-3.amazonaws.com (52.95.154.36) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=*.s3.eu-west-3.amazonaws.com
* start date: Nov 15 00:00:00 2019 GMT
* expire date: Nov 15 12:00:00 2020 GMT
* subjectAltName: host "s3-ats-migration-test.s3.eu-west-3.amazonaws.com" matched cert's "*.s3.eu-west-3.amazonaws.com"
* issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
* SSL certificate verify ok.
> HEAD /test.jpg HTTP/1.1
> Host: s3-ats-migration-test.s3.eu-west-3.amazonaws.com
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< x-amz-id-2: z8zP2hTRG9gh2efNCdBFWHTj0Yogv3pJhEtALWKdjhPsJLQVIFYnzksbTRhkysqzFUeAzbH1HxY=
x-amz-id-2: z8zP2hTRG9gh2efNCdBFWHTj0Yogv3pJhEtALWKdjhPsJLQVIFYnzksbTRhkysqzFUeAzbH1HxY=
< x-amz-request-id: 9A48AA8055067BC1
x-amz-request-id: 9A48AA8055067BC1
< Date: Wed, 25 Mar 2020 16:23:54 GMT
Date: Wed, 25 Mar 2020 16:23:54 GMT
< Last-Modified: Tue, 25 Feb 2020 17:10:39 GMT
Last-Modified: Tue, 25 Feb 2020 17:10:39 GMT
< ETag: "972c901e3dc1c39f78a29230a197ab9d"
ETag: "972c901e3dc1c39f78a29230a197ab9d"
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Content-Type: image/jpeg
Content-Type: image/jpeg
< Content-Length: 113448
Content-Length: 113448
< Server: AmazonS3
Server: AmazonS3
<
* Connection #0 to host s3-ats-migration-test.s3.eu-west-3.amazonaws.com left intact
* Closing connection 0
-
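The same trust check Lauren ran with curl, written in Python against the system trust store, as an added example that is not from the thread or from cPanel. TEST_HOST is the endpoint from the curl output; treating an issuer organizationName of "Amazon" as "ATS-issued" is an assumption drawn from the issuer line in that output, since the notice itself does not list the ATS CA names.

```python
"""Check whether this host's trust store accepts Amazon Trust Services (ATS)
certificates by handshaking with an S3 endpoint that already serves one."""
import socket
import ssl

# Endpoint used in the curl test above (eu-west-3 was already on ATS at the time).
TEST_HOST = "s3-ats-migration-test.s3.eu-west-3.amazonaws.com"
# Assumption: an ATS-issued leaf carries organizationName "Amazon" in its issuer,
# as in the curl output (issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon).
ATS_ISSUER_ORG = "Amazon"


def issuer_fields(peer_cert: dict) -> dict:
    """Flatten the nested 'issuer' tuples that ssl's getpeercert() returns."""
    return {k: v for rdn in peer_cert.get("issuer", ()) for k, v in rdn}


def is_ats_issued(peer_cert: dict) -> bool:
    """True when the leaf certificate was issued under an Amazon CA."""
    return issuer_fields(peer_cert).get("organizationName") == ATS_ISSUER_ORG


def check_ats_trust(host: str = TEST_HOST, port: int = 443, timeout: float = 10.0) -> dict:
    """Full verification (chain + hostname) against the system trust store.

    Returns {"trusted": bool, "ats_issued": bool|None, "issuer": str, "error": str}.
    """
    ctx = ssl.create_default_context()  # system CA store, CERT_REQUIRED, hostname check
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        # The failure mode from FAQ Q6: CA not in the trust store, connection rejected.
        return {"trusted": False, "ats_issued": None, "issuer": "", "error": str(exc)}
    except OSError as exc:  # DNS failure, timeout, or a non-verification TLS error
        return {"trusted": False, "ats_issued": None, "issuer": "", "error": str(exc)}
    fields = issuer_fields(cert)
    issuer = "; ".join(f"{k}={v}" for k, v in fields.items())
    return {"trusted": True, "ats_issued": is_ats_issued(cert), "issuer": issuer, "error": ""}


if __name__ == "__main__":
    r = check_ats_trust()
    print(f"trusted={r['trusted']} ats_issued={r['ats_issued']} issuer={r['issuer']}")
    if r["error"]:
        print("verification failed:", r["error"])
```

A result of trusted=True with ats_issued=True means the server's CA bundle already contains the ATS roots, which is what the WHM S3 backup transport would use as well.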
Thanks, Lauren. I didn't think I did either, but I just wanted to be sure.