Hi Guys,
I received an email from Amazon about changes with their S3 certificates (see below). I was wondering if any such changes will affect the use of an Amazon S3 bucket with EasySocial?
Any wisdom is greatly appreciated!
Maarten
____________________
Hello,
This is a reminder that Amazon Simple Storage Service (S3) and Amazon CloudFront are both migrating their services’ certificates from DigiCert to Amazon Trust Services starting March 23, 2021. If you do not send HTTPS traffic directly to your S3 bucket, or only use custom domains like http://www.example.com with your CloudFront distribution, then there is no impact and you can disregard this message. If you do send HTTPS traffic directly to your S3 bucket, or use CloudFront domains covered by *.cloudfront.net, please continue reading and review the FAQ below on which certificates are migrating.
The Amazon Trust Services Certificate Authority originates from AWS’ purchase of the Starfield Services Certificate Authority which has been valid since 2005. This means you shouldn’t have to take any action to use the certificates issued by Amazon Trust Services as it is already included in common trust stores across most web browsers, operating systems, and applications. However, if you build custom certificate trust stores or use certificate pinning, you may need to alter your configurations. As a best practice, we recommend verifying Amazon Trust Services is in your trust store with one of the following tests.
[1] Visit our blog at https://aws.amazon.com/blogs/security/how-to-prepare-for-aws-move-to-its-own-certificate-authority/ and use the test URLs there.
[2] Fetch the object from https://s3-ats-migration-test.s3.eu-west-3.amazonaws.com/test.jpg and verify a 200 response or that you see the green check mark in the test image.
[3] Create an S3 bucket in any of the following AWS regions and confirm you can fetch a test object over HTTPS: EU-WEST-3, EU-NORTH-1, ME-SOUTH-1, AP-NORTHEAST-3, AP-EAST-1, and US-GOV-EAST-1.
If Amazon Trust Services is not in the trust store, browsers will display an error message like https://untrusted-root.badssl.com/ and applications will show an application-specific error. If any of the tests fail, you must do one or more of the following actions: [A] Upgrade your operating system or browser that you are using, [B] Update your application to use CloudFront with a custom domain name and your own certificate, or [C] if you are using custom certificate trust stores or certificate pinning, include Amazon Trust Services’ Certificate Authorities, see https://www.amazontrust.com/repository/.
If you have additional questions, or require additional assistance, please open a case in the AWS Support Center at https://aws.amazon.com/support.
Frequently Asked Questions
Q1: Which CloudFront certificate is migrating?
CloudFront’s global wildcard *.cloudfront.net
Q2: Which S3 certificates are migrating?
S3 has several regional certificates, and its global wildcard certificate, migrating in the following AWS regions:
Global wildcard *.s3.amazonaws.com in AP-NORTHEAST-1, AP-NORTHEAST-2, AP-NORTHEAST-3, AP-SOUTH-1, AP-SOUTHEAST-1, AP-SOUTHEAST-2, CA-CENTRAL-1, EU-CENTRAL-1, EU-NORTH-1, EU-WEST-1, EU-WEST-2, EU-WEST-3, SA-EAST-1, US-EAST-1, US-EAST-2, US-WEST-1, US-WEST-2
Regional wildcard *.s3.region.amazonaws.com in AP-NORTHEAST-1, AP-NORTHEAST-2, AP-SOUTH-1, AP-SOUTHEAST-1, AP-SOUTHEAST-2, CA-CENTRAL-1, CN-NORTH-1, CN-NORTHWEST-1, EU-CENTRAL-1, EU-WEST-1, EU-WEST-2, SA-EAST-1, US-EAST-1, US-EAST-2, US-GOV-WEST-1, US-WEST-1, US-WEST-2
FIPS wildcard *.s3-fips-us-gov-west-1.amazonaws.com in US-GOV-WEST-1
Sincerely,
Amazon Web Services
Amazon Web Services, Inc. is a subsidiary of Amazon.com, Inc. Amazon.com is a registered trademark of Amazon.com, Inc. This message was produced and distributed by Amazon Web Services Inc., 410 Terry Ave. North, Seattle, WA 98109-5210
I received an email from Amazon about changes with their S3 certificates (see below). I was wondering if any such changes will affect the use of an Amazon S3 bucket with EasySocial?
Any wisdom is greatly appreciated!
Maarten
____________________
Hello,
This is a reminder that Amazon Simple Storage Service (S3) and Amazon CloudFront are both migrating their services’ certificates from DigiCert to Amazon Trust Services starting March 23, 2021. If you do not send HTTPS traffic directly to your S3 bucket, or only use custom domains like http://www.example.com with your CloudFront distribution, then there is no impact and you can disregard this message. If you do send HTTPS traffic directly to your S3 bucket, or use CloudFront domains covered by *.cloudfront.net, please continue reading and review the FAQ below on which certificates are migrating.
The Amazon Trust Services Certificate Authority originates from AWS’ purchase of the Starfield Services Certificate Authority which has been valid since 2005. This means you shouldn’t have to take any action to use the certificates issued by Amazon Trust Services as it is already included in common trust stores across most web browsers, operating systems, and applications. However, if you build custom certificate trust stores or use certificate pinning, you may need to alter your configurations. As a best practice, we recommend verifying Amazon Trust Services is in your trust store with one of the following tests.
[1] Visit our blog at https://aws.amazon.com/blogs/security/how-to-prepare-for-aws-move-to-its-own-certificate-authority/ and use the test URLs there.
[2] Fetch the object from https://s3-ats-migration-test.s3.eu-west-3.amazonaws.com/test.jpg and verify a 200 response or that you see the green check mark in the test image.
[3] Create an S3 bucket in any of the following AWS regions and confirm you can fetch a test object over HTTPS: EU-WEST-3, EU-NORTH-1, ME-SOUTH-1, AP-NORTHEAST-3, AP-EAST-1, and US-GOV-EAST-1.
If Amazon Trust Services is not in the trust store, browsers will display an error message like https://untrusted-root.badssl.com/ and applications will show an application-specific error. If any of the tests fail, you must do one or more of the following actions: [A] Upgrade your operating system or browser that you are using, [B] Update your application to use CloudFront with a custom domain name and your own certificate, or [C] if you are using custom certificate trust stores or certificate pinning, include Amazon Trust Services’ Certificate Authorities, see https://www.amazontrust.com/repository/.
If you have additional questions, or require additional assistance, please open a case in the AWS Support Center at https://aws.amazon.com/support.
Frequently Asked Questions
Q1: Which CloudFront certificate is migrating?
CloudFront’s global wildcard *.cloudfront.net
Q2: Which S3 certificates are migrating?
S3 has several regional certificates, and its global wildcard certificate, migrating in the following AWS regions:
Global wildcard *.s3.amazonaws.com in AP-NORTHEAST-1, AP-NORTHEAST-2, AP-NORTHEAST-3, AP-SOUTH-1, AP-SOUTHEAST-1, AP-SOUTHEAST-2, CA-CENTRAL-1, EU-CENTRAL-1, EU-NORTH-1, EU-WEST-1, EU-WEST-2, EU-WEST-3, SA-EAST-1, US-EAST-1, US-EAST-2, US-WEST-1, US-WEST-2
Regional wildcard *.s3.region.amazonaws.com in AP-NORTHEAST-1, AP-NORTHEAST-2, AP-SOUTH-1, AP-SOUTHEAST-1, AP-SOUTHEAST-2, CA-CENTRAL-1, CN-NORTH-1, CN-NORTHWEST-1, EU-CENTRAL-1, EU-WEST-1, EU-WEST-2, SA-EAST-1, US-EAST-1, US-EAST-2, US-GOV-WEST-1, US-WEST-1, US-WEST-2
FIPS wildcard *.s3-fips-us-gov-west-1.amazonaws.com in US-GOV-WEST-1
Sincerely,
Amazon Web Services
Amazon Web Services, Inc. is a subsidiary of Amazon.com, Inc. Amazon.com is a registered trademark of Amazon.com, Inc. This message was produced and distributed by Amazon Web Services Inc., 410 Terry Ave. North, Seattle, WA 98109-5210