You can call the DescribeDBInstanceSSL operation to query the SSL encryption settings of an ApsaraDB RDS instance.

Note: This operation is supported only when the instance runs MySQL 5.6, MySQL 5.7 on RDS High-availability Edition with local SSDs, MySQL 8.0 on RDS High-availability Edition with local SSDs, SQL Server, or PostgreSQL with standard or enhanced SSDs.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes DescribeDBInstanceSSL

The operation that you want to perform. Set the value to DescribeDBInstanceSSL.

DBInstanceId String Yes rm-uf6wjk5xxxxxxx

The ID of the instance.

Response parameters

Parameter Type Example Description
ConnectionString String rm-uf6wjk5xxxxxx.mysql.rds.aliyuncs.com

The endpoint that is protected by SSL encryption.

SSLExpireTime String 2022-05-08T08:14:16Z

The time when the server certificate expires. The time follows the ISO 8601 standard in the yyyy-MM-ddTHH:mm:ssZ format. The time is displayed in UTC.

RequireUpdate String Yes

Indicates whether the server certificate needs to be updated.

  • Valid values for ApsaraDB RDS for MySQL and ApsaraDB RDS for SQL Server:
    • No
    • Yes
  • Valid values for ApsaraDB RDS for PostgreSQL:
    • 0: no
    • 1: yes

ACL String cert

The method that is used to verify the identities of clients. This parameter is supported only when the instance runs PostgreSQL with standard or enhanced SSDs. Valid values:

  • cert
  • perfer
  • verify-ca
  • verify-full (supported only when the instance runs PostgreSQL 12 or later)

CAType String aliyun

The type of the server certificate. This parameter is supported only when the instance runs PostgreSQL with standard or enhanced SSDs. Valid values:

  • aliyun: a cloud certificate
  • custom: a custom certificate

ClientCACert String -----BEGIN CERTIFICATE-----MIID*****viXk=-----END CERTIFICATE-----

The public key of the CA that issues client certificates. This parameter is supported only when the instance runs PostgreSQL with standard or enhanced SSDs.

ClientCACertExpireTime String -

The time when the public key of the CA that issues client certificates expires. This parameter is supported only when the instance runs PostgreSQL with standard or enhanced SSDs. The time follows the ISO 8601 standard in the yyyy-MM-ddTHH:mm:ssZ format. The time is displayed in UTC. This parameter is currently not supported.

ClientCertRevocationList String -----BEGIN X509 CRL-----MIIB****19mg==-----END X509 CRL-----

The certificate revocation list (CRL) that contains revoked client certificates. This parameter is supported only when the instance runs PostgreSQL with standard or enhanced SSDs.

LastModifyStatus String setting

The status of the SSL link. This parameter is supported only when the instance runs PostgreSQL with standard or enhanced SSDs. Valid values:

  • success
  • setting
  • failed

ModifyStatusReason String Modify DB Instance SSL Config.

The reason why the SSL link stays in the current state. This parameter is supported only when the instance runs PostgreSQL with standard or enhanced SSDs.

ReplicationACL String cert

The method that is used to verify the replication permission. This parameter is supported only when the instance runs PostgreSQL with standard or enhanced SSDs. Valid values:

  • cert
  • perfer
  • verify-ca
  • verify-full (supported only when the instance runs PostgreSQL 12 or later)

RequestId String 1AD222E9-E606-4A42-BF6D-8A4442913CEF

The ID of the request.

RequireUpdateItem String -

The server certificate that needs to be updated. This parameter is supported only when the instance runs PostgreSQL with standard or enhanced SSDs.

RequireUpdateReason String -

The reason why the server certificate needs to be updated. This parameter is supported only when the instance runs PostgreSQL with standard or enhanced SSDs.

SSLCreateTime String -

The time when the server certificate was created. This parameter is supported only when the instance runs PostgreSQL with standard or enhanced SSDs. In addition, this parameter is valid only when the CAType parameter is set to aliyun.

SSLEnabled String on

Indicates whether SSL encryption is enabled. Valid values:

  • on: enabled
  • off: disabled

ServerCAUrl String -

The URL of the CA that issues the server certificate. This parameter is supported only when the instance runs PostgreSQL with standard or enhanced SSDs.

ServerCert String -----BEGIN CERTIFICATE-----MIID*****QqEP-----END CERTIFICATE-----

The content of the server certificate. This parameter is supported only when the instance runs PostgreSQL with standard or enhanced SSDs.

ServerKey String -----BEGIN PRIVATE KEY-----MIIE****ihfg==-----END PRIVATE KEY-----

The private key of the server certificate. This parameter is supported only when the instance runs PostgreSQL with standard or enhanced SSDs.

Examples

Sample requests

http(s)://rds.aliyuncs.com/?Action=DescribeDBInstanceSSL
&DBInstanceId=rm-uf6wjk5xxxxxxx
&<Common request parameters>

Sample success responses

XML format

<ClientCertRevocationList>-----BEGIN X509 CRL-----MIIB****19mg==-----END X509 CRL-----</ClientCertRevocationList>
<RequestId>1AD222E9-E606-4A42-BF6D-8A4442913CEF</RequestId>
<RequireUpdateItem>-</RequireUpdateItem>
<CAType>aliyun</CAType>
<LastModifyStatus>setting</LastModifyStatus>
<ACL>cert</ACL>
<RequireUpdate>Yes</RequireUpdate>
<ModifyStatusReason>Modify DB Instance SSL Config.</ModifyStatusReason>
<ClientCACertExpireTime>-</ClientCACertExpireTime>
<ServerKey>-----BEGIN PRIVATE KEY-----MIIE****ihfg==-----END PRIVATE KEY-----</ServerKey>
<SSLExpireTime>2022-05-08T08:14:16Z</SSLExpireTime>
<SSLCreateTime>-</SSLCreateTime>
<ServerCert>-----BEGIN CERTIFICATE-----MIID*****QqEP-----END CERTIFICATE-----</ServerCert>
<SSLEnabled>on</SSLEnabled>
<ClientCACert>-----BEGIN CERTIFICATE-----MIID*****viXk=-----END CERTIFICATE-----</ClientCACert>
<ReplicationACL>cert</ReplicationACL>
<RequireUpdateReason>-</RequireUpdateReason>
<ConnectionString>rm-uf6wjk5xxxxxx.mysql.rds.aliyuncs.com</ConnectionString>
<ServerCAUrl>-</ServerCAUrl>

JSON format

{
    "ClientCertRevocationList": "-----BEGIN X509 CRL-----MIIB****19mg==-----END X509 CRL-----",
    "RequestId": "1AD222E9-E606-4A42-BF6D-8A4442913CEF",
    "RequireUpdateItem": "-",
    "CAType": "aliyun",
    "LastModifyStatus": "setting",
    "ACL": "cert",
    "RequireUpdate": "Yes",
    "ModifyStatusReason": "Modify DB Instance SSL Config.",
    "ClientCACertExpireTime": "-",
    "ServerKey": "-----BEGIN PRIVATE KEY-----MIIE****ihfg==-----END PRIVATE KEY-----",
    "SSLExpireTime": "2022-05-08T08:14:16Z",
    "SSLCreateTime": "-",
    "ServerCert": "-----BEGIN CERTIFICATE-----MIID*****QqEP-----END CERTIFICATE-----",
    "SSLEnabled": "on",
    "ClientCACert": "-----BEGIN CERTIFICATE-----MIID*****viXk=-----END CERTIFICATE-----",
    "ReplicationACL": "cert",
    "RequireUpdateReason": "-",
    "ConnectionString": "rm-uf6wjk5xxxxxx.mysql.rds.aliyuncs.com",
    "ServerCAUrl": "-"
}
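
The response mixes settings a monitoring job should check (SSLEnabled, SSLExpireTime, RequireUpdate, LastModifyStatus) with the server's private key (ServerKey), so a consumer should mask the key before logging the response. The following is an added example, not part of the original reference or of any Alibaba Cloud SDK: it audits an already-parsed response; the finding names, the 30-day warning threshold, and the function names are assumptions.

```python
from datetime import datetime, timezone

# Constructed sample shaped like the JSON response above; PEM body is a masked placeholder.
SAMPLE = {
    "SSLEnabled": "on",
    "SSLExpireTime": "2022-05-08T08:14:16Z",
    "RequireUpdate": "Yes",
    "LastModifyStatus": "setting",
    "ServerKey": "-----BEGIN PRIVATE KEY-----MIIE****ihfg==-----END PRIVATE KEY-----",
    "ConnectionString": "rm-uf6wjk5xxxxxx.mysql.rds.aliyuncs.com",
}
EMPTY = (None, "", "-")          # the page uses "-" for unset values
SECRET_FIELDS = {"ServerKey"}    # private key material; never write it to logs

def redact(resp):
    """Return a copy that is safe to log, with private key material masked."""
    return {k: "<redacted>" if k in SECRET_FIELDS and v not in EMPTY else v
            for k, v in resp.items()}

def needs_update(resp):
    """RequireUpdate is Yes/No on MySQL and SQL Server, 1/0 on PostgreSQL."""
    return str(resp.get("RequireUpdate", "")).strip().lower() in ("yes", "1")

def days_left(resp, now):
    """Whole days until SSLExpireTime (UTC, yyyy-MM-ddTHH:mm:ssZ), or None if unset."""
    raw = resp.get("SSLExpireTime")
    if raw in EMPTY:
        return None
    expires = datetime.strptime(raw, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return (expires - now).days

def audit(resp, now, warn_days=30):
    """Hypothetical policy: list findings for one instance's SSL settings."""
    if resp.get("SSLEnabled") != "on":
        return ["ssl-disabled"]
    findings = []
    if needs_update(resp):
        findings.append("cert-update-required")
    left = days_left(resp, now)
    if left is not None and left < 0:
        findings.append("cert-expired")
    elif left is not None and left <= warn_days:
        findings.append(f"cert-expires-in-{left}d")
    status = resp.get("LastModifyStatus")
    if status not in EMPTY and status != "success":
        findings.append(f"ssl-change-{status}")
    return findings

if __name__ == "__main__":
    now = datetime(2022, 4, 20, tzinfo=timezone.utc)
    print(audit(SAMPLE, now), redact(SAMPLE))
```
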

Error codes

HTTP status code | Error code | Error message | Description
400 | InvaildEngineInRegion.ValueNotSupported | The engine is not supported in the region. | The error message returned because the database engine that is run on the instance is not supported in the specified region.
403 | OperationDenied.DBInstanceType | The operation is not permitted due to type of the instance. | The error message returned because the operation is not supported by the role of the instance. Check whether the instance is a read-only instance. A read-only instance cannot be cloned.
403 | IncorrectDBInstanceLockMode | Current DB instance lock mode does not support this operation. | The error message returned because the operation is not supported by the lock mode of the instance.
404 | InvalidDBInstanceId.NotFound | The specified instance is not found. | The error message returned because the instance cannot be found. Verify that the instance is created within your Alibaba Cloud account and is not deleted.

For a list of error codes, visit the API Error Center.