Strange WHM Backup and Amazon Trust Services question

adamapollobravo

Registered
Mar 24, 2020
2
1
3
Hamilton, ON
cPanel Access Level
Website Owner
Hi there,

I'm posting this question because neither Google nor our host (HostGator) seem to know the answer and I can't find it anywhere on cpanel.net.


Hello,

In 2018, AWS announced a broad migration of AWS services’ SSL/TLS certificates to our own Certificate Authority, Amazon Trust Services. Consistent with this change, and beginning March 2021, Amazon S3 and Amazon CloudFront will begin migrating the Certificate Authority for each services’ default certificate. Using our own Certificate Authority, AWS services can better manage the security practices used to handle our default certificates.

Your action may be required to ensure your applications continue normal operation after this change. If you already use other AWS services, your application most likely already trusts Amazon Trust Services as many AWS services have already migrated. Visit https://www.amazontrust.com/repository/ for more information about Amazon Trust Services.

To prepare for this migration, visit the announcement blog or review the FAQs below:
https://aws.amazon.com/blogs/security/how-to-prepare-for-aws-move-to-its-own-certificate-authority/

If you have additional questions, or require additional assistance, please open a case in the AWS Support Center: https://aws.amazon.com/support

Please also monitor each services’ AWS Forums page for future updates as the migration date approaches:
Amazon S3 Forum https://forums.aws.amazon.com/forum.jspa?forumID=24
Amazon CloudFront Forum https://forums.aws.amazon.com/forum.jspa?forumID=46


Frequently Asked Questions
Q1: What is changing?
The certificate authority for Amazon S3 and Amazon CloudFront’s default certificates are changing from DigiCert to Amazon Trust Services. For S3, many regions already use Amazon Trust Services including all regional endpoints for the eu-west-3, eu-north-1, me-south-1, ap-northeast-3, ap-east-1, and us-gov-east-1 regions. S3 will be migrating the remaining AWS regions to Amazon Trust Services as well. For CloudFront, all edge locations will be migrating to Amazon Trust Services.

This does change does not impact workloads that use HTTP only or use a custom SSL/TLS certificate.

Q2: When are these changes occurring?
The changes in Certificate Authority will begin rolling out on March 1, 2021.

Q3: What do I need to do?
Evaluate whether your applications trust Amazon Trust Services’ root certificates. If your application does not trust Amazon Trust Services, perform one of the following two actions. Resolution option 1, update your client certificate trust store to include all of Amazon Trust Services’ root certificates. Resolution option 2, change the domain name your application requests to a CloudFront Alternative Domain Name (CNAME) that uses an SSL/TLS certificate from an already trusted Certificate Authority.

Q4: How do I test if my application trust Amazon Trust Services?
Verify your application works with Amazon Trust Services issued certificates, by performing one of the following tests from within your application. Test option 1, fetch the object https://s3-ats-migration-test.s3.eu-west-3.amazonaws.com/test.jpg and verify a 200 response or that you see the green check mark in the test image. Test option 2, create an S3 bucket in your AWS account in any of the following regions (eu-west-3, eu-north-1, me-south-1, ap-northeast-3, ap-east-1, and us-gov-east-1) and fetch a test object.

Q5: What root certificates are part of Amazon Trust Services?
Refer to https://www.amazontrust.com/repository/ for the current list.

Q6: What happens after March 1, 2021 if my clients do not trust Amazon Trust Services’ Certificate Authorities?
All client requests made to a default Amazon S3 or Amazon CloudFront endpoint will receive a default certificate issued from Amazon Trust Services. If the client trust store does not trust the Certificate Authority, it may close the connection and report the SSL certificate as “untrusted.”

Sincerely,
Amazon Web Services

Amazon Web Services, Inc. is a subsidiary of Amazon.com, Inc. Amazon.com is a registered trademark of Amazon.com, Inc. This message was produced and distributed by Amazon Web Services Inc., 410 Terry Ave. North, Seattle, WA 98109-5210
What I can't figure out is what, if anything, I need to do with it. We use WHM backup to backup our sites to Amazon S3, and I would think that cPanel would update WHM to handle this and send the updates to our VPS accordingly, but I just want to make sure. We're running cPanel/WHM 86.0.16, if that helps.

Thanks in advance.
 

cPanelLauren

Product Owner
Staff member
Nov 14, 2017
13,304
1,250
313
Houston
I don't think so, the changes don't come into effect until a year from now either. We support S3 backups and their CA is recognized. A curl request from my cPanel server to amazon's server comes back with a 200 response as well:

Code:
 % curl -vvI https://s3-ats-migration-test.s3.eu-west-3.amazonaws.com/test.jpg
*   Trying 52.95.154.36...
* TCP_NODELAY set
* Connected to s3-ats-migration-test.s3.eu-west-3.amazonaws.com (52.95.154.36) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=*.s3.eu-west-3.amazonaws.com
*  start date: Nov 15 00:00:00 2019 GMT
*  expire date: Nov 15 12:00:00 2020 GMT
*  subjectAltName: host "s3-ats-migration-test.s3.eu-west-3.amazonaws.com" matched cert's "*.s3.eu-west-3.amazonaws.com"
*  issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
*  SSL certificate verify ok.
> HEAD /test.jpg HTTP/1.1
> Host: s3-ats-migration-test.s3.eu-west-3.amazonaws.com
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< x-amz-id-2: z8zP2hTRG9gh2efNCdBFWHTj0Yogv3pJhEtALWKdjhPsJLQVIFYnzksbTRhkysqzFUeAzbH1HxY=
x-amz-id-2: z8zP2hTRG9gh2efNCdBFWHTj0Yogv3pJhEtALWKdjhPsJLQVIFYnzksbTRhkysqzFUeAzbH1HxY=
< x-amz-request-id: 9A48AA8055067BC1
x-amz-request-id: 9A48AA8055067BC1
< Date: Wed, 25 Mar 2020 16:23:54 GMT
Date: Wed, 25 Mar 2020 16:23:54 GMT
< Last-Modified: Tue, 25 Feb 2020 17:10:39 GMT
Last-Modified: Tue, 25 Feb 2020 17:10:39 GMT
< ETag: "972c901e3dc1c39f78a29230a197ab9d"
ETag: "972c901e3dc1c39f78a29230a197ab9d"
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Content-Type: image/jpeg
Content-Type: image/jpeg
< Content-Length: 113448
Content-Length: 113448
< Server: AmazonS3
Server: AmazonS3

<
* Connection #0 to host s3-ats-migration-test.s3.eu-west-3.amazonaws.com left intact
* Closing connection 0