Updated on 2022-12-08 GMT+08:00

OBS Certificate in a Cluster Expired

Issue

The certificate has expired when a user attempts to access OBS from an MRS cluster.

Symptom

ALM-12054 Invalid Certificate File is generated for the MRS cluster.

Cause Analysis

The certificate generated by OBS has a validity period. When the certificate expires, the server automatically updates the certificate, which does not affect the cluster. You can perform operations provided in Procedure to handle the alarm as needed.

Procedure

Log in to the master node of the cluster using VNC and run the following commands. For details about the region configuration, see Table 1.

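    # Remove the old OBS certificate entry from the JDK truststore (the error is ignored if the alias does not exist).
    ${java_home}/bin/keytool -delete -storepass changeit -alias ${uds_url_old} -keystore ${java_home}/jre/lib/security/cacerts || true
    # Fetch the certificate currently presented by the OBS endpoint.
    echo | /usr/bin/openssl s_client -connect ${uds_url}:${uds_port} 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > /tmp/obs.pem
    # Display the certificate and check the CN fields.
    /usr/bin/openssl x509 -in /tmp/obs.pem -text | grep CN
    # Import the certificate into the JDK truststore, using the OBS domain name as the alias.
    yes | ${java_home}/bin/keytool -import -storepass changeit -alias ${uds_url} -keystore ${java_home}/jre/lib/security/cacerts -file /tmp/obs.pem
    # Delete the temporary certificate file.
    rm -f /tmp/obs.pem
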
  • In MRS 3.x, replace ${java_home} with /opt/Bigdata/common/runtime0/jdk1.8.0_242. In versions earlier than MRS 3.x, replace ${java_home} with /opt/Bigdata/jdk.
  • In MRS 3.x, if the certificate expiration alarm persists even after you perform the operations provided in this section, replace ${java_home} with /opt/Bigdata/client/JDK/jdk and perform the operations again.
  • uds_url indicates the OBS domain name provided in Table 1, and uds_url_old indicates the OBS domain name returned by the command below.
  • To query the OBS domain name, certificate creation time, and certificate validity period, run the following command:

    ${java_home}/bin/keytool -list -v -storepass changeit -keystore ${java_home}/jre/lib/security/cacerts |grep -A 7 'Alias name: obs' |grep -E 'Alias|Creation|Valid'

  • Log in to the master node of the cluster and search for obs in /var/lib/cloud/instance/user-data.txt to obtain the OBS domain name.
  • If the certificate expiration alarm persists after you perform the operations in this section, the OBS certificate has not been updated. When the certificate update is complete, MRS will push a notification to you. Upon receiving the notification, you can then perform the operations again to handle the alarm.
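
A pre-import check for the certificate saved to /tmp/obs.pem, as an added example that is not part of the original procedure: because the import step answers the keytool trust prompt with yes, this function confirms that the file parses, names the expected OBS domain, and is still valid, then prints the SHA-256 fingerprint for comparison with a value obtained separately. The names check_obs_cert, MIN_DAYS and OPENSSL and the 30-day margin are assumptions.

```shell
# Added example, not part of the original procedure.
# Assumed names: check_obs_cert, MIN_DAYS, OPENSSL.
MIN_DAYS=${MIN_DAYS:-30}   # assumed margin: days of validity that must remain

# check_obs_cert PEM_FILE EXPECTED_HOST
# Returns 0 and prints the SHA-256 fingerprint if all checks pass, else:
#   2 = file empty/missing or not a parseable certificate
#   3 = certificate does not name EXPECTED_HOST
#   4 = certificate is expired or expires within MIN_DAYS
check_obs_cert() {
    pem=$1
    host=$2
    openssl=${OPENSSL:-/usr/bin/openssl}

    # The sed filter in the fetch step writes nothing when s_client fails to
    # connect, so an empty file means no certificate was retrieved.
    [ -s "$pem" ] || { echo "empty or missing: $pem" >&2; return 2; }
    "$openssl" x509 -in "$pem" -noout 2>/dev/null \
        || { echo "not a PEM certificate: $pem" >&2; return 2; }

    # -checkhost compares the name against subjectAltName, falling back to
    # the CN, and reports the result as text, so the output is matched.
    "$openssl" x509 -in "$pem" -noout -checkhost "$host" \
        | grep -q 'does match' \
        || { echo "certificate does not match $host" >&2; return 3; }

    # -checkend N exits non-zero if the certificate expires within N seconds.
    "$openssl" x509 -in "$pem" -noout \
        -checkend $((MIN_DAYS * 86400)) >/dev/null \
        || { echo "certificate expires within $MIN_DAYS days" >&2; return 4; }

    # Fingerprint of the certificate that would be imported.
    "$openssl" x509 -in "$pem" -noout -fingerprint -sha256
}
```

Run check_obs_cert /tmp/obs.pem ${uds_url} after the openssl s_client step and continue to the keytool -import step only if it returns 0.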

Table 1 Region configuration

Region | uds_url | uds_port