[ClusterLabs] pacemaker selfsigned certificate - how to replace it
Duray Pascal
pascal.duray at equensworldline.com
Thu May 24 05:50:15 EDT 2018
Dear,
We are using pacemaker in order to configure a KVM cluster.
Our security has detected that we are using an invalid (self-signed) certificate on our servers and has asked us to solve the problem.
Can you please tell me how I can solve this problem (by issuing ourselves, via our PKI, a certificate that will no longer be self-signed)?
I know how to request the new certificate, but I have no idea how I can replace it.
Can you help us?
Thanks
Pascal Duray
Some details
[root@bpmon0001kv pcsd]# rpm -q pcs
pcs-0.9.158-6.el7.centos.1.x86_64
[root@bpmon0001kv pcsd]# rpm -q ruby
ruby-2.0.0.648-33.el7_4.x86_64
[root@bpmon0001kv pcsd]#
[root@bpmon0001kv pcsd]# netstat -laputen | grep 2224
tcp 32 0 172.18.232.41:47488 172.18.232.42:2224 CLOSE_WAIT 0 63383048 1522/ruby
tcp 0 0 172.18.232.41:47508 172.18.232.42:2224 ESTABLISHED 0 63384499 1522/ruby
tcp 32 0 172.18.232.41:52588 172.18.232.41:2224 CLOSE_WAIT 0 63386729 1522/ruby
tcp 0 0 172.18.232.41:52604 172.18.232.41:2224 ESTABLISHED 0 63389002 1522/ruby
tcp6 0 0 :::2224 :::* LISTEN 0 27712 1522/ruby
tcp6 0 0 172.18.232.41:2224 172.18.232.41:52588 FIN_WAIT2 0 0 -
tcp6 0 0 172.18.232.41:2224 172.18.232.41:52604 ESTABLISHED 0 63386603 1522/ruby
tcp6 0 0 172.18.232.41:2224 172.18.232.42:49012 FIN_WAIT2 0 0 -
[root@bpmon0001kv pcsd]# ps -ef | grep 1522
root 1522 1 0 May15 ? 00:14:24 /usr/bin/ruby /usr/lib/pcsd/pcsd > /dev/null &
[root@bpmon0001kv pcsd]# curl -vvI https://localhost:2224
* About to connect() to localhost port 2224 (#0)
* Trying 127.0.0.1...
* Connected to localhost (127.0.0.1) port 2224 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* Server certificate:
* subject: CN=bpmon0001kv.unix.banksys.be,OU=pcsd,O=pcsd,L=Minneapolis,ST=MN,C=US
* start date: Mar 09 13:03:11 2017 GMT
* expire date: Mar 07 13:03:11 2027 GMT
* common name: bpmon0001kv.unix.banksys.be
* issuer: CN=bpmon0001kv.unix.banksys.be,OU=pcsd,O=pcsd,L=Minneapolis,ST=MN,C=US
* NSS error -8156 (SEC_ERROR_CA_CERT_INVALID)
* Issuer certificate is invalid.
* Closing connection 0
curl: (60) Issuer certificate is invalid.
More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.