PostgreSQL Server TLS certificates

We run our own instance of SonarQube. I have a task to research this alert.

I found this in the Azure Portal > Kubernetes service > Configuration > SONAR_JDBC_URL
jdbc:postgresql://sonarqube-???-eastus.postgres.database.azure.com:5432/sonarqube?socketTimeout=1500

Is this update something we would do, or would it be in a future SonarQube version?

Update your trusted root store for Azure Database for PostgreSQL – Flexible Server
The activity log alert issues-sh was triggered for the Azure subscription Platform Engineering - PROD.
View in Azure Service Health > [portal.azure.com]

TRACKING ID: WMZH-3DZ
TYPE: ActionRequired
STATUS: Active
COMMUNICATION:
You’re receiving this notice because you use Azure Database for PostgreSQL – Flexible Server
In May 2024, we’ll begin updating Azure Database for PostgreSQL Flexible Server to use TLS certificates from Microsoft RSA Root Certificate Authority 2017 [microsoft.com]. If your apps use certificate pinning, you’ll need to update your trusted root store to accept this root CA in addition to existing DigiCert Global Root CA [cacerts.digicert.com].
• If your applications take advantage of verify-ca or verify-full as the value of the sslmode parameter [postgresql.org] in the database client connectivity, they may be affected by this change and need to follow the directions below to add the new certificates to the certificate store to maintain connectivity.
• If your connection string includes sslmode=disable, sslmode=allow, sslmode=prefer, or sslmode=require, you don’t need to update certificates. If you’re using a client that abstracts the connection string away, review the client’s documentation to understand whether it verifies certificates. To understand PostgreSQL sslmode, review the SSL mode descriptions [postgresql.org] in PostgreSQL documentation.
Required action
Please download the Microsoft RSA Root Certificate Authority 2017 and DigiCert Global Root CA certificates from the following URI [microsoft.com]. Generate a combined CA certificate store in which both the DigiCert Global Root CA and Microsoft RSA Root Certificate Authority 2017 certificates are included. For Java (PostgreSQL JDBC) users using DefaultJavaSSLFactory, use the following keytool commands:
• keytool -importcert -alias PostgreSQLServerCACert -file DigiCertGlobalRootCA.crt.pem -keystore truststore -storepass password -noprompt
• keytool -importcert -alias PostgreSQLServerCACert2 -file "D:\Microsoft ECC Root Certificate Authority 2017.crt.pem" -keystore truststore -storepass password -noprompt
Then, please replace the original keystore file with the new generated one:
• System.setProperty("javax.net.ssl.trustStore", "pathtotruststorefile");
• System.setProperty("javax.net.ssl.trustStorePassword", "password");
For .NET (Npgsql) users on Windows, make sure DigiCert Global Root CA and Microsoft RSA Root Certificate Authority 2017 both exist in Windows Certificate Store Trusted Root Certification Authorities. For .NET (Npgsql) users on Linux using SSLCERTDIR, make sure DigiCert Global Root CA and Microsoft RSA Root Certificate Authority 2017 both exist in the directory indicated by SSLCERTDIR. If any certificates don’t exist, please create the missing certificate file. For other PostgreSQL client users, you can merge two CA certificate files like the following format:
-----BEGIN CERTIFICATE-----
(Root CA1: DigiCertGlobalRootCA.crt.pem)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root CA2: Microsoft ECC Root Certificate Authority 2017.crt.pem)
-----END CERTIFICATE-----
Replace the original root CA pem file with the combined root CA file and restart your application/client.
If you’re using SSL/TLS, you don’t need to restart the database server to start using the new root CA certificate. This is a client-side change, and the incoming client connections need to use the new certificate to ensure that they can connect to the database server. If you aren’t using SSL/TLS, you don’t need to update the root CA certificate and no further action is required.
What is the impact if using App Service with Azure Database for PostgreSQL Flexible Server?
For Azure App Services connecting to Azure Database for PostgreSQL, there are two possible scenarios, and it depends on how you're using SSL with your application.
• This new certificate has been added to App Service at platform level. If you’re using the SSL certificates included on App Service platform in your application, no action is needed.
• If you’re explicitly including the path to SSL cert file in your code, you would then need to download the new cert and update the code to use the new cert. A good example of this scenario is when you use custom containers in App Service as shared in the App Service documentation [learn.microsoft.com].
What is the impact if using Azure Kubernetes Services (AKS) with Azure Database for PostgreSQL?
If you're connecting to Azure Database for PostgreSQL from Azure Kubernetes Service (AKS), access is from a dedicated customer host environment. Refer to the steps here [learn.microsoft.com].
If I am using read replicas, do I need to perform this update only on the primary server, or the read replicas?
Since this update is a client-side change, if a client is used to read data from the replica server, you need to apply the changes for those clients as well.
How can I check the certificate that is sent by the server?
There are many tools you can use. For example, DigiCert has a handy tool [digicert.com] that shows you the certificate chain of any server name. This tool works with a publicly accessible server; it can't connect to a server that is contained in a virtual network. Another tool you can use is OpenSSL on the command line. You can use this syntax to check certificates: openssl s_client -starttls postgres -showcerts -connect <server>:5432
Help and support
If you have questions, please contact AskAzureDBforPostgreSQL@service.microsoft.com. If you have a support plan and you need technical help, create a support request [portal.azure.com]:

  1. For Issue type, select Technical.
  2. For Subscription, select your subscription.
  3. For Service, select My Services.
  4. For Service type, select Azure Database for PostgreSQL flexible server.
  5. For Summary, type “SSL Root CA Upgrade”.
  6. For Problem type, select Security.
  7. For Problem subtype, select Data Encryption.
IMPACTED SERVICE(S) AND REGION(S)
Service name: Azure Database for PostgreSQL flexible servers
Regions: Australia Central, Australia East, Australia Southeast, Brazil South, Canada Central, Canada East, Central India, Central US, Central US EUAP, East Asia, East US, East US 2, East US 2 EUAP, France Central, Germany West Central, Japan East, Japan West, Jio India West, Korea Central, Korea South, North Central US, North Europe, Norway East, Qatar Central, South Africa North, South Central US, South India, Southeast Asia, Sweden Central, Switzerland North, UAE North, UK South, UK West, West Central US, West Europe, West US, West US 2, West US 3

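As an added triage example (not code from this thread, from SonarQube, or from Microsoft), the script below does the two things the notice asks a reader to work out: it parses a PostgreSQL JDBC URL of the same shape as the SONAR_JDBC_URL quoted at the top and classifies its sslmode as affected, not affected or unspecified using the notice's own rules, and it merges root CA PEM files into one bundle in the BEGIN/END CERTIFICATE layout the notice shows, dropping duplicates and stray text. The hostname in the sample URL and the PEM bodies are constructed placeholders, not the real DigiCert or Microsoft roots. The pgjdbc fallback noted in the comments (a bare ssl=true means verify-full; no parameter at all means prefer, which does not check the chain) is my reading of the driver and should be confirmed against the documentation for your driver version.

```python
"""Triage helper for the Azure Database for PostgreSQL root CA rotation.

Added example: not code from the SonarQube thread, from SonarQube, or from
Microsoft. It implements two steps from the notice:
  1. classify a PostgreSQL JDBC URL by its sslmode, because only clients that
     verify the server chain (verify-ca / verify-full) are affected by the new
     Microsoft RSA Root Certificate Authority 2017 root;
  2. merge root CA PEM files into one bundle in the BEGIN/END CERTIFICATE
     layout the notice shows, deduplicating and dropping stray text.
The sample hostname and PEM bodies at the bottom are constructed placeholders.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Per the PostgreSQL docs quoted in the notice: only the verify-* modes check
# the server certificate against the trusted roots.
VERIFYING_MODES = {"verify-ca", "verify-full"}
NON_VERIFYING_MODES = {"disable", "allow", "prefer", "require"}

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def parse_jdbc_url(url):
    """Split 'jdbc:postgresql://host[:port]/db?k=v&...' into its parts."""
    prefix = "jdbc:postgresql://"
    if not url.startswith(prefix):
        raise ValueError("not a PostgreSQL JDBC URL")
    parts = urlsplit(url[len("jdbc:"):])  # drop 'jdbc:' so urlsplit sees a normal URL
    return {
        "host": parts.hostname,
        "port": parts.port or 5432,
        "database": parts.path.lstrip("/"),
        "params": dict(parse_qsl(parts.query, keep_blank_values=True)),
    }


def classify_sslmode(params):
    """Return (verdict, reason) for the notice's 'do I need the new root?' question."""
    mode = params.get("sslmode", "").lower()
    if mode in VERIFYING_MODES:
        return "affected", f"sslmode={mode} validates the server chain against the trust store"
    if mode in NON_VERIFYING_MODES:
        return "not-affected", f"sslmode={mode} does not validate the server certificate"
    if mode:
        return "unknown", f"sslmode={mode} is not a documented value; check the driver"
    # No sslmode at all: the driver's fallback applies. pgjdbc treats a bare
    # 'ssl' or 'ssl=true' as verify-full and otherwise falls back to prefer
    # (assumption to confirm against your driver version's documentation).
    if "ssl" in params and params["ssl"].lower() in ("", "true"):
        return "affected", "ssl=true without sslmode: pgjdbc uses verify-full"
    return "unspecified", "no sslmode: driver default applies (pgjdbc: prefer, no chain check)"


def merge_ca_bundle(*pem_texts):
    """Merge the CERTIFICATE blocks of several PEM files into one bundle.

    Identical bodies are emitted once, text outside the markers is discarded,
    and each block is re-wrapped at 64 columns in the layout from the notice.
    """
    seen, blocks = set(), []
    for text in pem_texts:
        bodies = PEM_BLOCK.findall(text)
        if not bodies:
            raise ValueError("no CERTIFICATE block found in one of the inputs")
        for body in bodies:
            body = "".join(body.split())  # normalise wrapping before comparing
            if body in seen:
                continue
            seen.add(body)
            wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
            blocks.append(f"-----BEGIN CERTIFICATE-----\n{wrapped}\n-----END CERTIFICATE-----")
    return "\n".join(blocks) + "\n"


def count_certs(bundle):
    """Number of CERTIFICATE blocks in a PEM bundle (a quick sanity check)."""
    return len(PEM_BLOCK.findall(bundle))


# Constructed placeholders, NOT the real DigiCert / Microsoft root certificates.
DIGICERT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBplaceholderDigiCertGlobalRootCAbody0000000000000000000000000000\n"
    "-----END CERTIFICATE-----\n"
)
MS_RSA_PEM = (
    "Microsoft RSA Root Certificate Authority 2017 (placeholder, with a comment line)\n"
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBplaceholderMicrosoftRSARoot2017body0000000000000000000000000000\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # Same shape as SONAR_JDBC_URL in the thread; the hostname is made up.
    url = ("jdbc:postgresql://sonarqube-example.postgres.database.azure.com:5432/"
           "sonarqube?socketTimeout=1500")
    info = parse_jdbc_url(url)
    print(info["host"], *classify_sslmode(info["params"]))
    bundle = merge_ca_bundle(DIGICERT_PEM, MS_RSA_PEM, DIGICERT_PEM)
    print(f"{count_certs(bundle)} roots in merged bundle")
```

For a URL that carries only socketTimeout, as the one quoted above does, the verdict is "unspecified": the root rotation will not break that connection, but only because the driver is not verifying the server chain at all. Adding sslmode=verify-full and pointing the JVM at a truststore built from the merged bundle (the keytool steps in the notice) is the change that actually gives you TLS server authentication, and it is also the point at which the new Microsoft root becomes mandatory.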

Hi,

This is not on the SonarQube side. You should look to Microsoft for answers.

 
HTH,
Ann

When the SonarQube app connects to Azure Database for PostgreSQL – Flexible Server

Does it use certificate pinning?

Does it take advantage of verify-ca or verify-full as value of sslmode parameter in the database client connectivity?

Hello,

SonarQube does not do anything directly to enable an SSL connection to the database, but rather allows the user to configure it through JDBC URL parameters, by adding parameters like "ssl=true" for example. The details and requirements would depend on the database.
By default, the connection would not use SSL.
I hope that helps.
