[ClusterLabs] pacemaker selfsigned certificate - how to replace it

Duray Pascal pascal.duray at equensworldline.com
Thu May 24 05:50:15 EDT 2018


We are using pacemaker in order to configure a kvm cluster

Our security has detected that we are using on servers an invalid certificate (self signed) and has asked us to solve the problem
Can you please tell me how I can solve this problem (by issuing ourselves via our pki a certificate that will be not anymore self-signed)?

I know how to request the new certificate but I have no idea about how I can replace it

Can you help us?


Pascal Duray

Some details

[root at bpmon0001kv pcsd]# rpm -q pcs
[root at bpmon0001kv pcsd]# rpm -q ruby
[root at bpmon0001kv pcsd]#

[root at bpmon0001kv pcsd]# netstat -laputen | grep 2224
tcp       32      0      CLOSE_WAIT  0          63383048   1522/ruby
tcp        0      0      ESTABLISHED 0          63384499   1522/ruby
tcp       32      0      CLOSE_WAIT  0          63386729   1522/ruby
tcp        0      0      ESTABLISHED 0          63389002   1522/ruby
tcp6       0      0 :::2224                 :::*                    LISTEN      0          27712      1522/ruby
tcp6       0      0     FIN_WAIT2   0          0          -
tcp6       0      0     ESTABLISHED 0          63386603   1522/ruby
tcp6       0      0     FIN_WAIT2   0          0          -

[root at bpmon0001kv pcsd]# ps -ef | grep 1522
root      1522     1  0 May15 ?        00:14:24 /usr/bin/ruby /usr/lib/pcsd/pcsd > /dev/null &

[root at bpmon0001kv pcsd]#  curl -vvI https://localhost:2224
* About to connect() to localhost port 2224 (#0)
*   Trying
* Connected to localhost ( port 2224 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* Server certificate:
*       subject: CN=bpmon0001kv.unix.banksys.be,OU=pcsd,O=pcsd,L=Minneapolis,ST=MN,C=US
*       start date: Mar 09 13:03:11 2017 GMT
*       expire date: Mar 07 13:03:11 2027 GMT
*       common name: bpmon0001kv.unix.banksys.be
*       issuer: CN=bpmon0001kv.unix.banksys.be,OU=pcsd,O=pcsd,L=Minneapolis,ST=MN,C=US
* Issuer certificate is invalid.
* Closing connection 0
curl: (60) Issuer certificate is invalid.
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet, equensWorldline' or Worldline group's liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for any damages resulting from any virus transmitted.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.clusterlabs.org/pipermail/users/attachments/20180524/3d967948/attachment.html>

More information about the Users mailing list