You can call the DescribeDBInstanceSSL operation to query the SSL encryption settings of an ApsaraDB RDS instance.

Before you call this operation, make sure that your instance is one of the following instances:

  • ApsaraDB RDS for MySQL instances that do not run RDS Basic Edition
  • ApsaraDB RDS for SQL Server instances
  • ApsaraDB RDS for PostgreSQL instances that use standard SSDs or enhanced SSDs (ESSDs)

Debugging

OpenAPI Explorer automatically calculates the signature value. For your convenience, we recommend that you call this operation in OpenAPI Explorer. OpenAPI Explorer dynamically generates the sample code of the operation for different SDKs.

Request parameters

Parameter Type Required Example Description
Action String Yes DescribeDBInstanceSSL

The operation that you want to perform. Set the value to DescribeDBInstanceSSL.

DBInstanceId String Yes rm-bp162dfr55g47****

The ID of the instance.

Response parameters

Parameter Type Example Description
ServerCert String -----BEGIN CERTIFICATE-----MIID*****QqEP-----END CERTIFICATE-----

The content of the server certificate. This parameter is supported only when the instance runs PostgreSQL with standard SSDs or ESSDs.

ClientCACertExpireTime String -

The time when the public key of the CA that issues client certificates expires. This parameter is supported only when the instance runs PostgreSQL with standard SSDs or ESSDs. The time follows the ISO 8601 standard in the yyyy-MM-ddTHH:mm:ssZ format. The time is displayed in UTC. This parameter is not supported now.

RequireUpdateItem String -

The server certificate that needs to be updated. This parameter is supported only when the instance runs PostgreSQL with standard SSDs or ESSDs.

ServerCAUrl String -

The URL of the certificate that is used to issue the server certificate. This parameter is supported only when the instance runs PostgreSQL with standard SSDs or ESSDs.

RequireUpdate String Yes

Indicates whether the server certificate needs to be updated.

  • Valid values for ApsaraDB RDS for MySQL instances and ApsaraDB RDS for SQL Server instances:
    • No
    • Yes
  • Valid values for ApsaraDB RDS for PostgreSQL instances:
    • 0: no
    • 1: yes
ClientCertRevocationList String -----BEGIN X509 CRL-----MIIB****19mg==-----END X509 CRL-----

The certificate revocation list (CRL) that contains revoked client certificates. This parameter is supported only when the instance runs PostgreSQL with standard SSDs or ESSDs.

SSLExpireTime String 2022-10-11T08:16:43Z

The time when the server certificate expires. The time follows the ISO 8601 standard in the yyyy-MM-ddTHH:mm:ssZ format. The time is displayed in UTC.

CAType String aliyun

The type of the server certificate. This parameter is supported only when the instance runs PostgreSQL with standard SSDs or ESSDs. Valid values:

  • aliyun: a cloud certificate
  • custom: a custom certificate
SSLCreateTime String -

The time when the server certificate was created. This parameter is supported only when the instance runs PostgreSQL with standard SSDs or ESSDs. In addition, this parameter is valid only when the CAType parameter is set to aliyun.

ReplicationACL String cert

The method that is used to verify the replication permission. This parameter is supported only when the instance runs PostgreSQL with standard SSDs or ESSDs. Valid values:

  • cert
  • perfer
  • verify-ca
  • verify-full (supported only when the instance runs PostgreSQL 12 or later)
ACL String cert

The method that is used to verify the identities of clients. This parameter is supported only when the instance runs PostgreSQL with standard SSDs or ESSDs. Valid values:

  • cert
  • perfer
  • verify-ca
  • verify-full (supported only when the instance runs PostgreSQL 12 or later)
RequestId String 7705151C-E242-55AF-9929-2A3C39D979D2

The ID of the request.

LastModifyStatus String setting

The status of the SSL link. This parameter is supported only when the instance runs PostgreSQL with standard SSDs or ESSDs. Valid values:

  • success
  • setting
  • failed
SSLEnabled String Yes

Indicates whether SSL encryption is enabled.

  • Valid values for ApsaraDB RDS for MySQL instances and ApsaraDB RDS for SQL Server instances:
    • Yes: enabled
    • No: disabled
  • Valid values for ApsaraDB RDS for PostgreSQL instances:
    • on: enabled
    • off: disabled
ConnectionString String rm-bp162dfr55g47****.mysql.rds.aliyuncs.com

The endpoint that is protected by SSL encryption.

RequireUpdateReason String -

The reason why the server certificate needs to be updated. This parameter is supported only when the instance runs PostgreSQL with standard SSDs or ESSDs.

ClientCACert String -----BEGIN CERTIFICATE-----MIID*****viXk=-----END CERTIFICATE-----

The public key of the CA that issues client certificates. This parameter is supported only when the instance runs PostgreSQL with standard SSDs or ESSDs.

ServerKey String -----BEGIN PRIVATE KEY-----MIIE****ihfg==-----END PRIVATE KEY-----

The private key of the server certificate. This parameter is supported only when the instance runs PostgreSQL with standard SSDs or ESSDs.

ModifyStatusReason String Modify DB Instance SSL Config.

The reason why the SSL link stays in the current state. This parameter is supported only when the instance runs PostgreSQL with standard SSDs or ESSDs.

Examples

Sample requests

http(s)://rds.aliyuncs.com/?Action=DescribeDBInstanceSSL
&DBInstanceId=rm-bp162dfr55g47****
&<Common request parameters>

Sample success responses

XML format

HTTP/1.1 200 OK
Content-Type:application/xml

<DescribeDBInstanceSSL>
    <RequestId>7705151C-E242-55AF-9929-2A3C39D979D2</RequestId>
    <RequireUpdate>Yes</RequireUpdate>
    <SSLExpireTime>2022-10-11T08:16:43Z</SSLExpireTime>
    <SSLEnabled>Yes</SSLEnabled>
    <RequireUpdateReason/>
    <ConnectionString>rm-bp162dfr55g47****.mysql.rds.aliyuncs.com</ConnectionString>
</DescribeDBInstanceSSL>

JSON format

HTTP/1.1 200 OK
Content-Type:application/json

{
  "RequestId" : "7705151C-E242-55AF-9929-2A3C39D979D2",
  "RequireUpdate" : "Yes",
  "SSLExpireTime" : "2022-10-11T08:16:43Z",
  "SSLEnabled" : "Yes",
  "RequireUpdateReason" : "",
  "ConnectionString" : "rm-bp162dfr55g47****.mysql.rds.aliyuncs.com"
}
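The response encodes the same facts differently per engine (Yes/No for MySQL and SQL Server, on/off and 1/0 for PostgreSQL), and for PostgreSQL it can carry the server private key in ServerKey. The following Python code is an added example, not part of the original reference or of any Alibaba Cloud SDK: it normalizes those values, checks SSLExpireTime against a warning window, and redacts ServerKey before the response is logged. The names to_bool, audit_ssl, warn_days and the finding strings are assumptions, and the PostgreSQL-style input is constructed from the example values in the parameter table.

```python
from datetime import datetime, timezone

# Engine-dependent encodings listed in the response parameter table.
TRUE_VALUES = {"yes", "on", "1"}
FALSE_VALUES = {"no", "off", "0"}
SECRET_FIELDS = ("ServerKey",)  # private key material: keep it out of logs


def to_bool(value):
    """Map Yes/No (MySQL, SQL Server) and on/off, 1/0 (PostgreSQL) to a bool; None if absent or unknown."""
    text = "" if value is None else str(value).strip().lower()
    if text in TRUE_VALUES:
        return True
    if text in FALSE_VALUES:
        return False
    return None


def audit_ssl(response, now, warn_days=30):
    """Return (findings, redacted_copy) for one parsed DescribeDBInstanceSSL JSON body."""
    findings = []
    enabled = to_bool(response.get("SSLEnabled"))
    if enabled is False:
        findings.append("ssl-disabled")
    elif enabled is None:
        findings.append("ssl-state-unknown")
    if to_bool(response.get("RequireUpdate")):
        findings.append("cert-update-required")
    expire = response.get("SSLExpireTime")
    if enabled and expire:
        # Documented format: yyyy-MM-ddTHH:mm:ssZ, always UTC.
        expires_at = datetime.strptime(expire, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        days_left = (expires_at - now).days
        if days_left < 0:
            findings.append("cert-expired")
        elif days_left <= warn_days:
            findings.append("cert-expires-in-%dd" % days_left)
    redacted = {k: ("<redacted>" if k in SECRET_FIELDS and v else v) for k, v in response.items()}
    return findings, redacted


# Constructed inputs: the page's JSON sample, and a PostgreSQL-style variant.
MYSQL_SAMPLE = {"RequireUpdate": "Yes", "SSLExpireTime": "2022-10-11T08:16:43Z",
                "SSLEnabled": "Yes", "RequireUpdateReason": ""}
PG_SAMPLE = {"RequireUpdate": "0", "SSLExpireTime": "2022-10-11T08:16:43Z",
             "SSLEnabled": "on",
             "ServerKey": "-----BEGIN PRIVATE KEY-----MIIE****ihfg==-----END PRIVATE KEY-----"}
```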

Error codes

| HTTP status code | Error code | Error message | Description |
| --- | --- | --- | --- |
| 400 | InvaildEngineInRegion.ValueNotSupported | The engine is not supported in the region. | The error message returned because the database engine that is run on the instance is not supported in the specified region. |
| 403 | OperationDenied.DBInstanceType | The operation is not permitted due to type of the instance. | The error message returned because the operation is not supported by the role of the instance. You must check whether the instance is a read-only instance. A read-only instance cannot be cloned. |
| 403 | InstanceEngineType.NotSupport | The instance engine and type does not support operations | The error message returned because the operation is not supported for the specified database engine and instance type. |
| 403 | IncorrectEngineVersion | Current engine version does not support operations. | The error message returned because this operation is not supported for the database engine version that is run on the instance. |
| 403 | IncorrectDBInstanceState | Current DB instance state does not support this operation. | The error message returned because this operation is not supported when the instance is in the current state. |
| 403 | IncorrectDBInstanceType | Current DB instance type does not support this operation. | The error message returned because this operation is not supported when the instance is in the current state. |
| 403 | IncorrectDBInstanceLockMode | Current DB instance lock mode does not support this operation. | The error message returned because the instance is locked. |
| 403 | ConnectionStringLengthExceeded | Connection String is too long. | The error message returned because the length of the specified endpoint exceeds the upper limit. You must enter a valid endpoint. |
| 404 | InvalidDBInstanceId.NotFound | The specified instance is not found. | The error message returned because the instance does not exist. You must check whether the instance exists in the current account. |
| 404 | EnabledSSLNotSupport | Specified region does not support enable ssl. | The error message returned because the SSL encryption feature is not supported in the specified region. |
| 404 | InvalidConnectionString.NotFound | Specified connection string or net type is not found. | The error message returned because the endpoint that you specified cannot be found. You need to check whether the specified endpoint is valid. |

For a list of error codes, visit the Error Center.