Updated on 2024-11-13 GMT+08:00

ALM-12055 Certificate File Is About to Expire

Alarm Description

The system checks the certificate file on 23:00 every day. This alarm is generated if the certificate file is about to expire within 30 days.

This alarm is cleared when a certificate that is not about to expire is imported and the alarm detection mechanism is triggered on the next hour.

For MRS 3.2.0 or later, the certificate file is checked at the beginning of each hour.

For versions earlier than MRS 3.2.0, the certificate file is checked on 23:00 every day.

Alarm Attributes

Alarm ID

Alarm Severity

Auto Cleared

12055

Minor (versions earlier than MRS 3.3.1)

Major (MRS 3.3.1 and later versions)

Yes

Alarm Parameters

Parameter

Description

Source

Specifies the cluster or system for which the alarm was generated.

ServiceName

Specifies the service for which the alarm was generated.

RoleName

Specifies the role for which the alarm was generated.

HostName

Specifies the host for which the alarm was generated.

Trigger Condition

Specifies the threshold for triggering the alarm.

Impact on the System

Some functions will be unavailable if the certificate expires.

Possible Causes

The remaining validity period of a system certificate (CA certificate, HA root certificate, HA user certificate, Gaussdb root certificate, or Gaussdb user certificate) is less than 30 days.

Handling Procedure

Check the alarm cause.

  1. On FusionInsight Manager, locate the target alarm in the real-time alarm list and click .

    View Additional Information to obtain the additional information about the alarm.

    • If CA Certificate is displayed in the additional alarm information, log in to the active OMS management node as user omm and go to 2.
    • If HA root Certificate is displayed in the additional information, view Location to obtain the name of the host involved in this alarm. Then, log in to the host as user omm and go to 3.
    • If HA server Certificate is displayed in the additional information, view Location to obtain the name of the host involved in this alarm. Then, log in to the host as user omm and go to 4.

Check the validity period of the certificate files in the system.

  1. Check whether the remaining validity period of the CA certificate is smaller than the alarm threshold.

    Run the bash ${CONTROLLER_HOME}/security/cert/conf/querycertvalidity.sh command to check the effective time and due time of the CA root certificate.

    • If yes, go to 5.
    • If no, go to 7.

  2. Check whether the remaining validity period of the HA root certificate is smaller than the alarm threshold.

    Run the openssl x509 -noout -text -in ${CONTROLLER_HOME}/security/certHA/root-ca.crt command to check the effective time and due time of the HA root certificate.

    • If yes, go to 6.
    • If no, go to 7.

  3. Check whether the remaining validity period of the HA user certificate is smaller than the alarm threshold.

    Run the openssl x509 -noout -text -in ${CONTROLLER_HOME}/security/certHA/server.crt command to check the effective time and due time of the HA user certificate.

    • If yes, go to 6.
    • If no, go to 7.

The following is an example of the effective time and due time of a CA or HA certificate:
Certificate: 
    Data: 
        Version: 3 (0x2) 
        Serial Number: 
            97:d5:0e:84:af:ec:34:d8 
        Signature Algorithm: sha256WithRSAEncryption 
        Issuer: C=CN, ST=xxx, L=yyy, O=zzz, OU=IT, CN=HADOOP.COM 
        Validity 
            Not Before: Dec 13 06:38:26 2016 GMT             // Effective time
            Not After : Dec 11 06:38:26 2026 GMT             // Due time

Import certificate files.

  1. Import a new CA certificate file.

    Apply for or generate a new CA certificate file and import it. For details, see Replacing the CA Certificate. Manually clear the alarm and check whether this alarm is generated again during periodic check.

    • If yes, go to 7.
    • If no, no further action is required.

  2. Import a new HA certificate file.

    Apply for or generate a new HA certificate file and import it. For details, see Replacing HA Certificates. Manually clear the alarm and check whether this alarm is generated again during periodic check.

    • If yes, go to 7.
    • If no, no further action is required.

Collect fault information.

  1. On FusionInsight Manager, choose O&M. In the navigation pane on the left, choose Log > Download.
  2. In the Services area, select Controller, OmmServer, OmmCore, and Tomcat, and click OK.
  3. Click in the upper right corner, and set Start Date and End Date for log collection to 10 minutes ahead of and after the alarm generation time, respectively. Then, click Download.
  4. Contact O&M personnel and provide the collected logs.

Alarm Clearance

This alarm is automatically cleared after the fault is rectified.

Related Information

None