OBS Certificate in a Cluster Expired
Issue
The certificate has expired when a user attempts to access OBS from an MRS cluster.
Symptom
ALM-12054 Invalid Certificate File or ALM-12055 Certificate File About to Expire is generated for the MRS cluster, and the certificate that triggers the alarm in the alarm details is the OBS certificate.
Cause Analysis
The certificate generated by OBS has a validity period. After the validity period expires, the certificate file becomes invalid, and an alarm is generated.
Procedure
1. Query the OBS certificate information of the MRS cluster.
   Log in to the active OMS node of the MRS cluster as user root and run the following command to check whether an OBS certificate exists:
   keytool -v -list -keystore ${JAVA_HOME}/jre/lib/security/cacerts -protected 2> /dev/null|grep -E "Alias name*|Valid from*" | grep obs
   An OBS certificate exists if information similar to the following is returned:
   Alias name: obs.example.com
   - If no certificate exists, no further action is required. Wait until the alarm is cleared.
   - If a certificate exists, go to 2.

   - ${JAVA_HOME} indicates the JDK directory of the cluster. In MRS 3.x, replace it with /opt/Bigdata/common/runtime0/jdk1.8*. In versions earlier than MRS 3.x, replace it with /opt/Bigdata/jdk.
   - In MRS 3.x, if the certificate expiration alarm persists even after you perform the operations provided in this section, replace ${JAVA_HOME} with <Client installation directory>/JDK/jdk and perform the operations again.
2. Delete the OBS certificate.
   On the active OMS node, run the following commands to delete the OBS certificate queried in 1:
   obs_url=$(keytool -v -list -keystore ${JAVA_HOME}/jre/lib/security/cacerts -protected 2> /dev/null|grep -E "Alias name*|Valid from*" | grep obs | cut -d ':' -f 2 | awk '$1=$1')
   jdk_cacert="${JAVA_HOME}/jre/lib/security/cacerts"
   keytool -delete -alias ${obs_url} -keystore ${jdk_cacert} -storepass changeit
3. Run the following command to check that the OBS certificate does not exist. If the certificate still exists, go to 2.
   keytool -v -list -keystore ${JAVA_HOME}/jre/lib/security/cacerts -protected 2> /dev/null|grep -E "Alias name*|Valid from*" | grep obs
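The query in the procedure returns only the alias line, so it does not show when the OBS certificate stops being valid. The following added example (not part of the original page) pairs each OBS alias with its expiry date and classifies it as expired, expiring or valid; the function names, the sample keytool output and the warning cutoff are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original page. Dates are compared at day
# granularity; time of day and time zone are ignored (an assumption).

# Constructed sample of `keytool -v -list` output, trimmed to relevant lines.
sample_keytool_output() {
  cat <<'EOF'
Alias name: obs.example.com
Entry type: trustedCertEntry
Owner: CN=obs.example.com
Valid from: Tue Jan 01 00:00:00 UTC 2019 until: Wed Jan 01 00:00:00 UTC 2020

Alias name: obs2.example.com
Entry type: trustedCertEntry
Owner: CN=obs2.example.com
Valid from: Sat Jul 01 00:00:00 UTC 2023 until: Mon Jul 01 00:00:00 UTC 2024

Alias name: exampleroot
Entry type: trustedCertEntry
Owner: CN=Example Root CA
Valid from: Wed Jan 01 00:00:00 UTC 2020 until: Tue Jan 01 00:00:00 UTC 2030
EOF
}

# obs_cert_status TODAY WARN_BEFORE (both YYYYMMDD; hypothetical helper).
# Reads keytool text on stdin, prints "<alias> <not-after> <status>" for
# every alias containing "obs".
obs_cert_status() {
  awk -v today="$1" -v warn="$2" '
    BEGIN {
      split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", names, " ")
      for (i = 1; i <= 12; i++) mon[names[i]] = i
    }
    /^Alias name:/ { alias = $3; done = 0; next }
    /^Valid from:/ && alias ~ /obs/ && !done {
      sub(/^.*until: /, "")             # keep only the not-after timestamp
      # remaining fields: DOW Mon DD HH:MM:SS TZ YYYY
      notafter = sprintf("%04d%02d%02d", $6, mon[$2], $3)
      status = "VALID"
      if (notafter + 0 < warn + 0)  status = "EXPIRING"
      if (notafter + 0 < today + 0) status = "EXPIRED"
      print alias, notafter, status
      done = 1                          # first certificate of the entry only
    }'
}

# Demo on the constructed sample: today = 2024-06-15, warning cutoff = 2024-07-15.
sample_keytool_output | obs_cert_status 20240615 20240715
```

On the OMS node, pipe the output of the `keytool -v -list ... -protected` command from step 1 (without the `grep` filters) into `obs_cert_status`, passing today's date and a cutoff of your choosing.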