Security Certificate Expiry Alarm

Describes the NODE_ALARM_CERTIFICATE_NEAR_EXPIRATION alarm.

UI Column

SSL Certificate Expiry

Logged As

NODE_ALARM_CERTIFICATE_NEAR_EXPIRATION

Meaning

SSL certificates are expiring within the number of days denoted by the CLDB setting cldb.ssl.cert.expiring.alarm.days. See cldb.conf for more information.

Resolution

Renew the SSL certificates. See Importing a Certificate Authority Signed (CA Signed) SSL Certificate Into a MapR Cluster for more information.

Configuration

None.

Specification

This alarm is raised when any of the first ten security certificates in /opt/mapr/conf/ssl_keystore or in /opt/mapr/conf/ssl_truststore are set to expire within the number of days denoted by the CLDB setting cldb.ssl.cert.expiring.alarm.days. Once the alarm is raised, the administrator needs to find out the certificates that are expiring, and renew them.

To find out the certificates that are expiring, use the /opt/mapr/server/getSSLExpiryCerts.py Python script. For example:

python /opt/mapr/server/getSSLExpiryCerts.py -print
            Below certificates expiring in the next 120 days
            Truststore:
            Alias: 100day valid until: Mon Jul 13 04:04:15 PDT 2020
            Alias: 65day valid until: Mon Jun 08 03:45:44 PDT 2020
            Alias: 70day valid until: Sat Jun 13 03:46:00 PDT 2020
            Alias: 80day valid until: Tue Jun 23 03:46:14 PDT 2020
            Alias: 90day valid until: Fri Jul 03 04:03:57 PDT 2020
            Keystore:
            Alias: 3daymay17 valid until: Thu May 21 04:20:26 PDT 2020