<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
span.EmailStyle17
{mso-style-type:personal-compose;
font-family:"Calibri","sans-serif";
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri","sans-serif";}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">Dear,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We are using pacemaker in order to configure a kvm cluster<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Our security has detected that we are using on servers an invalid certificate (self signed) and has asked us to solve the problem<o:p></o:p></p>
<p class="MsoNormal">Can you please tell me how I can solve this problem (by issuing ourselves via our pki a certificate that will be not anymore self-signed)?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I know how to request the new certificate but I have no idea about how I can replace it<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Can you help us?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thanks<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Pascal Duray<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Some details<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New"">[root@bpmon0001kv pcsd]# rpm -q pcs<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New"">pcs-0.9.158-6.el7.centos.1.x86_64<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New"">[root@bpmon0001kv pcsd]# rpm -q ruby<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="NL-BE" style="font-size:9.0pt;font-family:"Courier New"">ruby-2.0.0.648-33.el7_4.x86_64<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="NL-BE" style="font-size:9.0pt;font-family:"Courier New"">[root@bpmon0001kv pcsd]#<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="NL-BE" style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="NL-BE" style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="NL-BE" style="font-size:9.0pt;font-family:"Courier New"">[root@bpmon0001kv pcsd]# netstat -laputen | grep 2224
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New"">tcp 32 0 172.18.232.41:47488 172.18.232.42:2224 CLOSE_WAIT 0 63383048 1522/ruby
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New"">tcp 0 0 172.18.232.41:47508 172.18.232.42:2224 ESTABLISHED 0 63384499 1522/ruby
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New"">tcp 32 0 172.18.232.41:52588 172.18.232.41:2224 CLOSE_WAIT 0 63386729 1522/ruby
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New"">tcp 0 0 172.18.232.41:52604 172.18.232.41:2224 ESTABLISHED 0 63389002 1522/ruby
<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="FR" style="font-size:9.0pt;font-family:"Courier New"">tcp6 0 0 :::2224 :::* LISTEN 0 27712 1522/ruby <o:p></o:p></span></p>
<p class="MsoNormal"><span lang="FR" style="font-size:9.0pt;font-family:"Courier New"">tcp6 0 0 172.18.232.41:2224 172.18.232.41:52588 FIN_WAIT2 0 0 -
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New"">tcp6 0 0 172.18.232.41:2224 172.18.232.41:52604 ESTABLISHED 0 63386603 1522/ruby
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New"">tcp6 0 0 172.18.232.41:2224 172.18.232.42:49012 FIN_WAIT2 0 0 -
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New"">[root@bpmon0001kv pcsd]# ps -ef | grep 1522
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New"">root 1522 1 0 May15 ? 00:14:24
<span style="background:yellow;mso-highlight:yellow">/usr/bin/ruby /usr/lib/pcsd/pcsd</span> > /dev/null &<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New"">[root@bpmon0001kv pcsd]# curl -vvI https://localhost:2224<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New"">* About to connect() to localhost port 2224 (#0)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New"">* Trying 127.0.0.1...<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New"">* Connected to localhost (127.0.0.1) port 2224 (#0)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New"">* Initializing NSS with certpath: sql:/etc/pki/nssdb<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="FR" style="font-size:9.0pt;font-family:"Courier New"">* CAfile: /etc/pki/tls/certs/ca-bundle.crt<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="FR" style="font-size:9.0pt;font-family:"Courier New"">
</span><span style="font-size:9.0pt;font-family:"Courier New"">CApath: none<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New";background:yellow;mso-highlight:yellow">* Server certificate:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New";background:yellow;mso-highlight:yellow">* subject: CN=bpmon0001kv.unix.banksys.be,OU=pcsd,O=pcsd,L=Minneapolis,ST=MN,C=US<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New";background:yellow;mso-highlight:yellow">* start date: Mar 09 13:03:11 2017 GMT<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New";background:yellow;mso-highlight:yellow">* expire date: Mar 07 13:03:11 2027 GMT<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New";background:yellow;mso-highlight:yellow">* common name: bpmon0001kv.unix.banksys.be<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New";background:yellow;mso-highlight:yellow">* issuer: CN=bpmon0001kv.unix.banksys.be,OU=pcsd,O=pcsd,L=Minneapolis,ST=MN,C=US<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New";background:yellow;mso-highlight:yellow">* NSS error -8156 (SEC_ERROR_CA_CERT_INVALID)<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New";background:yellow;mso-highlight:yellow">* Issuer certificate is invalid.</span><span style="font-size:9.0pt;font-family:"Courier New""><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New"">* Closing connection 0<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New"">curl: (60) Issuer certificate is invalid.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New"">More details here: http://curl.haxx.se/docs/sslcerts.html<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New""><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New"">curl performs SSL certificate verification by default, using a "bundle"<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New"">of Certificate Authority (CA) public keys (CA certs). If the default<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New"">bundle file isn't adequate, you can specify an alternate file<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New"">using the --cacert option.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New"">If this HTTPS server uses a certificate signed by a CA represented in<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New"">the bundle, the certificate verification probably failed due to a<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New"">problem with the certificate (it might be expired, or the name might<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New"">not match the domain name in the URL).<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New"">If you'd like to turn off curl's verification of the certificate, use<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Courier New"">the -k (or --insecure) option.<o:p></o:p></span></p>
</div>
<br>
<font face="Verdana" color="Black" size="1"><br>
************************************************************************************************<br>
This e-mail and the documents attached are confidential and intended solely for the addressee; it may also be privileged. If you receive this e-mail in error, please notify the sender immediately and destroy it. As its integrity cannot be secured on the Internet,
equensWorldline’ or Worldline group’s liability cannot be triggered for the message content. Although the sender endeavours to maintain a computer virus-free network, the sender does not warrant that this transmission is virus-free and will not be liable for
any damages resulting from any virus transmitted.<br>
</font>
</body>
</html>