ALM-12054 Invalid Certificate File
Alarm Description
The system checks whether the certificate file is invalid (has expired or is not valid yet) on 23:00 every day. This alarm is generated when the certificate file is invalid.
This alarm is cleared when a valid certificate is imported and the alarm detection mechanism is triggered on the next hour.
For MRS 3.2.0 or later, the certificate file is checked at the beginning of each hour.
For versions earlier than MRS 3.2.0, the certificate file is checked on 23:00 every day.
Alarm Attributes
Alarm ID |
Alarm Severity |
Auto Cleared |
---|---|---|
12054 |
Major (versions earlier than MRS 3.3.1) Critical (MRS 3.3.1 and later versions) |
Yes |
Alarm Parameters
Parameter |
Description |
---|---|
Source |
Specifies the cluster or system for which the alarm was generated. |
ServiceName |
Specifies the service for which the alarm was generated. |
RoleName |
Specifies the role for which the alarm was generated. |
HostName |
Specifies the host for which the alarm was generated. |
Trigger Condition |
Specifies the threshold for triggering the alarm. |
Impact on the System
The functions of the related modules cannot be used.
Possible Causes
No certificate (CA certificate, HA root certificate, HA user certificate, Gaussdb root certificate, or Gaussdb user certificate) is imported to the system, the certificate fails to be imported, or the certificate file is invalid.
Handling Procedure
Check the alarm cause.
- On FusionInsight Manager, locate the target alarm in the real-time alarm list and click .
View Additional Information to obtain the additional information about the alarm.
- If CA Certificate is displayed in the additional alarm information, log in to the active OMS management node as user omm and go to 2.
- If HA root Certificate is displayed in the additional information, view Location to obtain the name of the host involved in this alarm. Then, log in to the host as user omm and go to 3.
- If HA server Certificate is displayed in the additional information, view Location to obtain the name of the host involved in this alarm. Then, log in to the host as user omm and go to 4.
- If Certificate has expired is displayed in the additional information, view Location to obtain the name of the host for which the alarm is generated. Then, log in to the host as user omm and perform 2 to 4 in sequence to check whether the certificates have expired. If these certificates have not expired, check whether other certificates have been imported. If yes, import the certificate files again.
Check the validity period of the certificate files in the system.
- Check whether the current system time is in the validity period of the CA certificate.
Run the bash ${CONTROLLER_HOME}/security/cert/conf/querycertvalidity.sh command to check the effective time and due time of the CA root certificate.
- Check whether the current system time is in the validity period of the HA root certificate.
Run the openssl x509 -noout -text -in ${CONTROLLER_HOME}/security/certHA/root-ca.crt command to check the effective time and due time of the HA root certificate.
- Check whether the current system time is in the validity period of the HA user certificate.
Run the openssl x509 -noout -text -in ${CONTROLLER_HOME}/security/certHA/server.crt command to check the effective time and due time of the HA user certificate.
Certificate: Data: Version: 3 (0x2) Serial Number: 97:d5:0e:84:af:ec:34:d8 Signature Algorithm: sha256WithRSAEncryption Issuer: C=CN, ST=xxx, L=yyy, O=zzz, OU=IT, CN=HADOOP.COM Validity Not Before: Dec 13 06:38:26 2016 GMT // Effective time Not After : Dec 11 06:38:26 2026 GMT // Due time
Import certificate files.
- Import a new CA certificate file.
Apply for or generate a new CA certificate file and import it. For details, see Replacing the CA Certificate. The alarm is automatically cleared after the CA certificate is imported. Check whether this alarm is reported again during periodic check.
- If yes, go to 7.
- If no, no further action is required.
- Import a new HA certificate file.
Apply for or generate a new HA certificate file and import it. For details, see Replacing HA Certificates. The alarm is automatically cleared after the CA certificate is imported. Check whether this alarm is reported again during periodic check.
- If yes, go to 7.
- If no, no further action is required.
Collect fault information.
- On FusionInsight Manager, choose O&M. In the navigation pane on the left, choose Log > Download.
- In the Services area, select Controller, OmmServer, OmmCore, and Tomcat, and click OK.
- Click in the upper right corner, and set Start Date and End Date for log collection to 10 minutes ahead of and after the alarm generation time, respectively. Then, click Download.
- Contact O&M personnel and provide the collected logs.
Alarm Clearance
This alarm is automatically cleared after the fault is rectified.
Related Information
For details about how to handle an expired OBS certificate, see OBS Certificate in a Cluster Expired.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot