Update the RDS root CA list

Mark-Simulacrum · Mark-Simulacrum · commit cac949815ff9 · 2024-02-13T21:14:41.000-05:00
The current root is expiring in a few months, so we need to migrate to a
new one. We'll be copying similar code to perf, but we can start with
making sure it works with triagebot.

I've checked that the new CA file contains the old certificate, so this
should keep working with our current database (i.e. doesn't need to be
synchronized deployment wise with anything).
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -32,6 +32,7 @@ chrono = { version = "0.4", features = ["serde"] }
 tokio-postgres = { version = "0.7.2", features = ["with-chrono-0_4", "with-serde_json-1", "with-uuid-0_8"] }
 postgres-native-tls = "0.5.0"
 native-tls = "0.2"
+x509-cert = { version = "0.2.5", features = ["pem"] }
 serde_path_to_error = "0.1.2"
 octocrab = "0.30.1"
 comrak = { version = "0.8.2", default-features = false }
diff --git a/src/db.rs b/src/db.rs
@@ -12,10 +12,10 @@ pub mod jobs;
 pub mod notifications;
 pub mod rustc_commits;
 
-const CERT_URL: &str = "https://s3.amazonaws.com/rds-downloads/rds-ca-2019-root.pem";
+const CERT_URL: &str = "https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem";
 
 lazy_static::lazy_static! {
-    static ref CERTIFICATE_PEM: Vec<u8> = {
+    static ref CERTIFICATE_PEMS: Vec<u8> = {
         let client = reqwest::blocking::Client::new();
         let resp = client
             .get(CERT_URL)
@@ -94,12 +94,11 @@ impl ClientPool {
 async fn make_client() -> anyhow::Result<tokio_postgres::Client> {
     let db_url = std::env::var("DATABASE_URL").expect("needs DATABASE_URL");
     if db_url.contains("rds.amazonaws.com") {
-        let cert = &CERTIFICATE_PEM[..];
-        let cert = Certificate::from_pem(&cert).context("made certificate")?;
-        let connector = TlsConnector::builder()
-            .add_root_certificate(cert)
-            .build()
-            .context("built TlsConnector")?;
+        let mut builder = TlsConnector::builder();
+        for cert in make_certificates() {
+            builder.add_root_certificate(cert);
+        }
+        let connector = builder.build().context("built TlsConnector")?;
         let connector = MakeTlsConnector::new(connector);
 
         let (db_client, connection) = match tokio_postgres::connect(&db_url, connector).await {
@@ -134,6 +133,24 @@ async fn make_client() -> anyhow::Result<tokio_postgres::Client> {
     }
 }
 
+fn make_certificates() -> Vec<Certificate> {
+    use x509_cert::der::pem::LineEnding;
+    use x509_cert::der::EncodePem;
+
+    let certs = x509_cert::Certificate::load_pem_chain(&CERTIFICATE_PEMS[..]).unwrap();
+    certs
+        .into_iter()
+        .map(|cert| Certificate::from_pem(cert.to_pem(LineEnding::LF).unwrap().as_bytes()).unwrap())
+        .collect()
+}
+
+// Makes sure we successfully parse the RDS certificates and load them into native-tls compatible
+// format.
+#[test]
+fn cert() {
+    make_certificates();
+}
+
 pub async fn run_migrations(client: &DbClient) -> anyhow::Result<()> {
     client
         .execute(
