Help Center > > User Guide> FusionInsight Manager Operation Guide> Alarm Reference (Applicable to MRS 3.x)> ALM-12055 Certificate File About to Expire

ALM-12055 Certificate File About to Expire

Updated at: Mar 25, 2021 GMT+08:00

Description

The system checks the certificate file on 23:00 every day. This alarm is generated if the time left before the certificate file expires is shorter than the threshold. In this case, the certificate file is about to expire.

This alarm is cleared if the status of the newly imported certificate is valid.

Attribute

Alarm ID

Alarm Severity

Auto Clear

12055

Minor

Yes

Parameters

Name

Meaning

Source

Specifies the cluster or system for which the alarm is generated.

ServiceName

Specifies the service for which the alarm is generated.

RoleName

Specifies the role for which the alarm is generated.

HostName

Specifies the host for which the alarm is generated.

Trigger Condition

Specifies the threshold triggering the alarm. If the current indicator value exceeds this threshold, the alarm is generated.

Impact on the System

The system reminds users that the certificate file is about to expire. If the certificate file expires, some functions are restricted and cannot be used properly.

Possible Causes

The remaining validity period of the CA certificate, HA root certificate (root-ca.crt), or HA user certificate (server.crt) is smaller than the alarm threshold.

Procedure

Locate the alarm cause.

  1. On the FusionInsight Manager portal, click in the row where the alarm is located in the real-time alarm list and locate the target alarm.

    In the alarm detail area, view the Additional Information about the alarm.

    • If CA Certificate is displayed in the additional information, log in to the active OMS management node as user omm and go to 2.

    • If HA root Certificate is displayed in the additional information, check Location to obtain the name of the host involved in this alarm. Then log in to the host as user omm and go to 3.
    • If HA server Certificate is displayed in the additional information, check Location to obtain the name of the host involved in this alarm. Then log in to the host as user omm and go to 4.

Check the validity period of the certificate file.

  1. Check whether the remaining validity period of the CA certificate is smaller than the alarm threshold.

    Run the bash ${CONTROLLER_HOME}/security/cert/conf/querycertvalidity.sh command to check the effective time and due time of the CA certificate.

    • If yes, go to 5.
    • If no, go to 7.

  2. Check whether the remaining validity period of the HA root certificate is smaller than the alarm threshold.

    Run the openssl x509 -noout -text -in ${CONTROLLER_HOME}/security/certHA/root-ca.crt command to check the effective time and due time of the HA root certificate.

    • If yes, go to 6.
    • If no, go to 7.

  3. Check whether the remaining validity period of the HA user certificate is smaller than the alarm threshold.

    Run the openssl x509 -noout -text -in ${CONTROLLER_HOME}/security/certHA/server.crt command to check the effective time and expiration time of the HA user certificate.

    • If yes, go to 6.
    • If no, go to 7.

      The example of the effective time and expiration time of the HA/CA certificate:

      Certificate: 
          Data: 
              Version: 3 (0x2) 
              Serial Number: 
                  97:d5:0e:84:af:ec:34:d8 
              Signature Algorithm: sha256WithRSAEncryption 
              Issuer: C=CN, ST=xxx, L=yyy, O=zzz, OU=IT, CN=HADOOP.COM 
              Validity 
                  Not Before: Dec 13 06:38:26 2016 GMT             //The effective time. 
                  Not After : Dec 11 06:38:26 2026 GMT             //The expiration time.

Import the certificate file.

  1. Import a new CA certificate file.

    Apply for or generate a CA certificate file and import it to the system. Manually clear the alarm and check whether this alarm is generated again during periodic check.

    • If yes, go to 7.
    • If no, no further action is required.

  2. Import a new HA certificate file.

    Apply for or generate an HA certificate file and import it to the system. Manually clear the alarm and check whether this alarm is generated again during periodic check.

    • If yes, go to 7.
    • If no, no further action is required.

Collect fault information.

  1. On the FusionInsight Manager portal, choose O&M > Log > Download.
  2. Select Controller, OmmServer, OmmCore and Tomcat from the Service and click OK.
  3. Click in the upper right corner, and set Start Date and End Date for log collection to 10 minutes ahead of and after the alarm generation time, respectively. Then, click Download.
  4. Contact the O&M personnel and send the collected log information.

Alarm Clearing

After the fault is rectified, the system automatically clears this alarm.

Related Information

None

Did you find this page helpful?

Submit successfully!

Thank you for your feedback. Your feedback helps make our documentation better.

Failed to submit the feedback. Please try again later.

Which of the following issues have you encountered?







Please complete at least one feedback item.

Content most length 200 character

Content is empty.

OK Cancel