You can call the ModifyDBInstanceSSL operation to modify the SSL encryption settings of an ApsaraDB RDS instance.

This operation is used to configure SSL encryption for an instance. For more information, see ~~32474~~.

Note
  • Before you call this operation, make sure that your instance is one of the following instances:
    • ApsaraDB RDS for MySQL instances that do not run RDS Basic Edition
    • ApsaraDB RDS for SQL Server instances
    • ApsaraDB RDS for PostgreSQL instances that use standard SSDs or enhanced SSDs (ESSDs)
  • SSL encryption is not supported for the connections to the read/write splitting endpoint of an instance.

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes ModifyDBInstanceSSL

The operation that you want to perform. Set the value to ModifyDBInstanceSSL.

DBInstanceId String Yes rm-uf6wjk5xxxxxxx

The ID of the instance.

ConnectionString String Yes rm-uf6wjk5xxxxx.mysql.rds.aliyuncs.com

The internal or public endpoint for which the server certificate needs to be created or updated.

SSLEnabled Integer No 1

Specifies whether to enable or disable SSL encryption. Valid values:

  • 1: enables SSL encryption
  • 0: disables SSL encryption

CAType String No aliyun

The type of the server certificate. This parameter is supported only when the instance runs PostgreSQL with standard SSDs or ESSDs. If you set the SSLEnabled parameter to 1, the default value of this parameter is aliyun.

Valid values:

  • aliyun: a cloud certificate
  • custom: a custom certificate

ServerCert String No -----BEGIN CERTIFICATE-----MIID*****QqEP-----END CERTIFICATE-----

The content of the server certificate. This parameter is supported only when the instance runs PostgreSQL with standard SSDs or ESSDs. If you set the CAType parameter to custom, you must also specify this parameter.

ServerKey String No -----BEGIN PRIVATE KEY-----MIIE****ihfg==-----END PRIVATE KEY-----

The private key of the server certificate. This parameter is supported only when the instance runs PostgreSQL with standard SSDs or ESSDs. If you set the CAType parameter to custom, you must also specify this parameter.

ClientCAEnabled Integer No 1

Specifies whether to enable the public key of the CA that issues client certificates. This parameter is supported only when the instance runs PostgreSQL with standard SSDs or ESSDs. Valid values:

  • 1: enables the public key
  • 0: disables the public key

ClientCACert String No -----BEGIN CERTIFICATE-----MIID*****viXk=-----END CERTIFICATE-----

The public key of the CA that issues client certificates. This parameter is supported only when the instance runs PostgreSQL with standard SSDs or ESSDs. If you set the ClientCAEnabled parameter to 1, you must also specify this parameter.

ClientCrlEnabled Integer No 1

Specifies whether to enable a certificate revocation list (CRL) that contains revoked client certificates. This parameter is supported only when the instance runs PostgreSQL with standard or enhanced SSDs. In addition, this parameter is available only when the public key of the CA that issues client certificates is enabled. Valid values:

  • 1: enables the CRL
  • 0: disables the CRL

ClientCertRevocationList String No -----BEGIN X509 CRL-----MIIB****19mg==-----END X509 CRL-----

The CRL that contains revoked client certificates. This parameter is supported only when the instance runs PostgreSQL with standard SSDs or ESSDs. If you set the ClientCrlEnabled parameter to 1, you must also specify this parameter.

ACL String No cert

The method that is used to verify the identities of clients. This parameter is supported only when the instance runs PostgreSQL with standard SSDs or ESSDs. In addition, this parameter is available only when the public key of the CA that issues client certificates is enabled. Valid values:

  • cert
  • perfer
  • verify-ca
  • verify-full (supported only when the instance runs PostgreSQL 12 or later)

ReplicationACL String No cert

The method that is used to verify the replication permission. This parameter is supported only when the instance runs PostgreSQL with standard SSDs or ESSDs. In addition, this parameter is available only when the public key of the CA that issues client certificates is enabled. Valid values:

  • cert
  • perfer
  • verify-ca
  • verify-full (supported only when the instance runs PostgreSQL 12 or later)

Response parameters

Parameter Type Example Description
RequestId String 777C4593-8053-427B-99E2-105593277CAB

The ID of the request.

Examples

Sample requests

http(s)://rds.aliyuncs.com/?Action=ModifyDBInstanceSSL
&ConnectionString=rm-uf6wjk5xxxxx.mysql.rds.aliyuncs.com
&DBInstanceId=rm-uf6wjk5xxxxxxx
&<Common request parameters>

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<RequestId>777C4593-8053-427B-99E2-105593277CAB</RequestId>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "RequestId" : "777C4593-8053-427B-99E2-105593277CAB"
}

Error codes

| HTTP status code | Error code | Error message | Description |
| --- | --- | --- | --- |
| 400 | InvalidServerCertOrPrivateKey | Specify server certificate or private key is invalid. | The error message returned because the specified server certificate or private key is invalid. |
| 400 | InvalidClientCACert | Specify client ca certificate is invalid. | The error message returned because the value of the ClientCACert parameter is invalid. |
| 400 | InvalidClientCrl | Specify client certificate revocation list is invalid. | The error message returned because the specified CRL is invalid. |
| 400 | InvalidCAType.NotFound | Specify ca type is not found. | The error message returned because the specified type of the server certificate is invalid. |
| 400 | InvalidACL.NotFound | Specify acl is not found. | The error message returned because the value of the ACL parameter is invalid. |
| 400 | InvalidSSLStatus | Specify ssl status is invalid. | The error message returned because the value of the SSLEnabled parameter is invalid. |
| 403 | InvalidClientCrl.Permission | Client ca certificate is set first if need to set client certificate revocation list. | The error message returned because you are not authorized to perform this operation. You must configure a client CA certificate before you perform this operation. |
| 403 | InvalidACL.Permission | Client ca certificate is set first if need to set acl. | The error message returned because the client CA certificate is not specified. |

For a list of error codes, visit the Error Center.
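
The parameter dependencies and error codes above, written as a client-side pre-flight check to run before calling the operation. This is an added example, not Alibaba Cloud SDK code: `check_ssl_params`, `redact`, `pg_major` and the `local:` label are hypothetical names, integer parameters are assumed to be passed as Python ints, and the mapping of each rule to an error code is an assumption read from the error table.

```python
# Added example (not Alibaba Cloud code): pre-flight check of ModifyDBInstanceSSL
# parameters against the dependency rules and error codes listed on this page.
PEM = {"ServerCert": "CERTIFICATE", "ServerKey": "PRIVATE KEY",
       "ClientCACert": "CERTIFICATE", "ClientCertRevocationList": "X509 CRL"}
ACL_VALUES = {"cert", "perfer", "verify-ca", "verify-full"}  # spelled as on the page

def _pem_ok(params, name):
    """True if the parameter is present and framed by the expected PEM markers."""
    v, label = str(params.get(name, "")).strip(), PEM[name]
    return v.startswith(f"-----BEGIN {label}-----") and v.endswith(f"-----END {label}-----")

def check_ssl_params(params, pg_major=None):
    """Return [(parameter, code)] for each rule broken; empty list means OK.
    Codes are from the page's error table; the rule-to-code mapping is assumed."""
    bad = []
    if params.get("SSLEnabled", 1) not in (0, 1):
        bad.append(("SSLEnabled", "InvalidSSLStatus"))
    ca_type = params.get("CAType", "aliyun")
    if ca_type not in ("aliyun", "custom"):
        bad.append(("CAType", "InvalidCAType.NotFound"))
    if ca_type == "custom":  # a custom certificate needs both ServerCert and ServerKey
        bad += [(n, "InvalidServerCertOrPrivateKey")
                for n in ("ServerCert", "ServerKey") if not _pem_ok(params, n)]
    client_ca = params.get("ClientCAEnabled") == 1
    if client_ca and not _pem_ok(params, "ClientCACert"):
        bad.append(("ClientCACert", "InvalidClientCACert"))
    if params.get("ClientCrlEnabled") == 1:
        if not client_ca:  # the CRL is available only once the client CA is enabled
            bad.append(("ClientCrlEnabled", "InvalidClientCrl.Permission"))
        if not _pem_ok(params, "ClientCertRevocationList"):
            bad.append(("ClientCertRevocationList", "InvalidClientCrl"))
    for name in ("ACL", "ReplicationACL"):
        if name not in params:
            continue
        if not client_ca:
            bad.append((name, "InvalidACL.Permission"))
        if params[name] not in ACL_VALUES:
            bad.append((name, "InvalidACL.NotFound"))
        elif params[name] == "verify-full" and pg_major is not None and pg_major < 12:
            bad.append((name, "local:verify-full-needs-PostgreSQL-12"))  # not a service code
    return bad

def redact(params):
    """Copy of params that is safe to log: the ServerKey private key is masked."""
    return {k: ("<redacted>" if k == "ServerKey" else v) for k, v in params.items()}

if __name__ == "__main__":
    req = {"SSLEnabled": 1, "ClientCrlEnabled": 1, "ACL": "verify-ca"}  # constructed
    print(check_ssl_params(req), redact(req))
```

Because ServerKey carries the server's private key, log only the output of `redact` and send the request over HTTPS.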