DescribeDBInstanceSSL - ApsaraDB RDS - Alibaba Cloud Documentation Center

Queries the SSL encryption settings of an instance.

Operation Description

Before you call this operation, make sure that your instance is one of the following instances:

ApsaraDB RDS for MySQL instances that do not run RDS Basic Edition
ApsaraDB RDS for SQL Server instances
ApsaraDB RDS for PostgreSQL instances that use cloud disks

Authorization information

The following table shows the authorization information corresponding to the API. The authorization information can be used in the Action policy element to grant a RAM user or RAM role the permissions to call this API operation. Description:

Operation: the value that you can use in the Action element to specify the operation on a resource.
Access level: the access level of each operation. The levels are read, write, and list.
Resource type: the type of the resource on which you can authorize the RAM user or the RAM role to perform the operation. Take note of the following items:
- The required resource types are displayed in bold characters.
- If the permissions cannot be granted at the resource level, All Resources is used in the Resource type column of the operation.
Condition Key: the condition key that is defined by the cloud service.
Associated operation: other operations that the RAM user or the RAM role must have permissions to perform to complete the operation. To complete the operation, the RAM user or the RAM role must have the permissions to perform the associated operations.

Operation	Access level	Resource type	Condition key	Associated operation
rds:DescribeDBInstanceSSL	READ	RDS acs:rds:{#regionId}:{#accountId}:dbinstance/{#dbinstanceId}	rds:ResourceTag	none

Request parameters

Parameter	Type	Required	Description	Example
DBInstanceId	string	Yes	The ID of the instance.	rm-bp162dfr55g47****

Response parameters

Parameter	Type	Description	Example
	object
ServerCert	string	The content of the server certificate. This parameter is supported only when the instance runs PostgreSQL with cloud disks.	-----BEGIN CERTIFICATE-----MIID*****QqEP-----END CERTIFICATE-----
ClientCACertExpireTime	string	The content of the server certificate. This parameter is supported only when the instance runs PostgreSQL with cloud disks. The time follows the ISO 8601 standard in the yyyy-MM-ddTHH:mm:ssZ format. The time is displayed in UTC. This parameter is not supported now.	-
RequireUpdateItem	string	The server certificate that needs to be updated. This parameter is supported only when the instance runs PostgreSQL with cloud disks.	-
ServerCAUrl	string	The URL of the certificate that is used to issue the server certificate. This parameter is supported only when the instance runs PostgreSQL with cloud disks.	-
RequireUpdate	string	Indicates whether the server certificate needs to be updated. Valid values for ApsaraDB RDS for MySQL instances and ApsaraDB RDS for SQL Server instances: No Yes Valid values for ApsaraDB RDS for PostgreSQL instances: 0: no 1: yes	Yes
ClientCertRevocationList	string	The certificate revocation list (CRL) that contains revoked client certificates. This parameter is supported only when the instance runs PostgreSQL with cloud disks.	-----BEGIN X509 CRL-----MIIB****19mg==-----END X509 CRL-----
SSLExpireTime	string	The time when the server certificate expires. The time follows the ISO 8601 standard in the yyyy-MM-ddTHH:mm:ssZ format. The time is displayed in UTC.	2022-10-11T08:16:43Z
CAType	string	The type of the server certificate. This parameter is supported only when the instance runs PostgreSQL with cloud disks. Valid values: aliyun: a cloud certificate custom: a custom certificate	aliyun
SSLCreateTime	string	The time when the server certificate was created. This parameter is supported only when the instance runs PostgreSQL with cloud disks. In addition, this parameter is valid only when CAType is set to aliyun.	-
ReplicationACL	string	The method that is used to verify the replication permission. This parameter is supported only when the instance runs PostgreSQL with cloud disks. Valid values: cert perfer verify-ca verify-full (supported only when the instance runs PostgreSQL 12 or later)	cert
ACL	string	The method that is used to verify the identities of clients. This parameter is supported only when the instance runs PostgreSQL with cloud disks. Valid values: cert perfer verify-ca verify-full (supported only when the instance runs PostgreSQL 12 or later)	cert
RequestId	string	The ID of the request.	7705151C-E242-55AF-9929-2A3C39D979D2
LastModifyStatus	string	The status of the SSL link. This parameter is supported only when the instance runs PostgreSQL with cloud disks. Valid values: success setting failed	setting
SSLEnabled	string	Indicates whether SSL encryption is enabled. Valid values for ApsaraDB RDS for MySQL instances and ApsaraDB RDS for SQL Server instances: Yes No Valid values for ApsaraDB RDS for PostgreSQL instances: on: enabled off: disabled	Yes
ConnectionString	string	The endpoint that is protected by SSL encryption.	rm-bp162dfr55g47****.mysql.rds.aliyuncs.com
RequireUpdateReason	string	The reason why the server certificate needs to be updated. This parameter is supported only when the instance runs PostgreSQL with cloud disks.	-
ClientCACert	string	The public key of the CA that issues client certificates. This parameter is supported only when the instance runs PostgreSQL with cloud disks.	-----BEGIN CERTIFICATE-----MIID*****viXk=-----END CERTIFICATE-----
ServerKey	string	The private key of the server certificate. This parameter is supported only when the instance runs PostgreSQL with cloud disks.	-----BEGIN PRIVATE KEY-----MIIE****ihfg==-----END PRIVATE KEY-----
ModifyStatusReason	string	The reason why the SSL link stays in the current state. This parameter is supported only when the instance runs PostgreSQL with cloud disks.	Modify DB Instance SSL Config.

Examples

Sample success responses

JSONformat

{
  "ServerCert": "-----BEGIN CERTIFICATE-----MIID*****QqEP-----END CERTIFICATE-----",
  "ClientCACertExpireTime": "-",
  "RequireUpdateItem": "-",
  "ServerCAUrl": "-",
  "RequireUpdate": "Yes",
  "ClientCertRevocationList": "-----BEGIN X509 CRL-----MIIB****19mg==-----END X509 CRL-----",
  "SSLExpireTime": "2022-10-11T08:16:43Z",
  "CAType": "aliyun",
  "SSLCreateTime": "-",
  "ReplicationACL": "cert",
  "ACL": "cert",
  "RequestId": "7705151C-E242-55AF-9929-2A3C39D979D2",
  "LastModifyStatus": "setting",
  "SSLEnabled": "Yes",
  "ConnectionString": "rm-bp162dfr55g47****.mysql.rds.aliyuncs.com",
  "RequireUpdateReason": "-",
  "ClientCACert": "-----BEGIN CERTIFICATE-----MIID*****viXk=-----END CERTIFICATE-----",
  "ServerKey": "-----BEGIN PRIVATE KEY-----MIIE****ihfg==-----END PRIVATE KEY-----",
  "ModifyStatusReason": "Modify DB Instance SSL Config."
}

Error codes

HTTP status code	Error code	Error message	Description
400	InvaildEngineInRegion.ValueNotSupported	The engine is not supported in the region.	The database engine version is invalid.
400	InvalideStatus.Format	Specified Status is not valid.	-
403	OperationDenied.DBInstanceType	The operation is not permitted due to type of the instance.	The current instance type does not support this operation.
403	InstanceEngineType.NotSupport	The instance engine and type does not support operations	The operation failed. The operation is not supported for the database engine that is run on the RDS instance.
403	IncorrectEngineVersion	Current engine version does not support operations.	The operation failed. The operation is not supported for the version of the database engine that is run on the RDS instance.
403	IncorrectDBInstanceState	Current DB instance state does not support this operation.	-
403	IncorrectDBInstanceType	Current DB instance type does not support this operation.	The operation failed. The RDS instance is not in a ready state.
403	IncorrectDBInstanceLockMode	Current DB instance lock mode does not support this operation.	The operation failed. The RDS instance is locked.
403	ConnectionStringLengthExceeded	Connection String is too long.	The endpoint is exceedingly long. Modify the endpoint and try again.
404	InvalidDBInstanceId.NotFound	The specified instance is not found.	The RDS instance cannot be found. Check whether the RDS instance is created within the logged-on account.
404	EnabledSSLNotSupport	Specified region does not support enable ssl.	SSL encryption is not supported in the region.
404	InvalidConnectionString.NotFound	Specified connection string or net type is not found.	The endpoint cannot be found. Check the endpoint.

For a list of error codes, visit the Service error codes.

Change history

Change time

Summary of changes

Operation

2022-06-23

API Description Update,The error codes of the API operation change.

Change item	Change content
API Description	API Description Update
Error Codes	The error codes of the API operation change.
	delete Error Codes: 400
	delete Error Codes: 403
	delete Error Codes: 404