Description
Note
This alert applies only to OceanBase clusters V4.0.0.0 and later.This alert is triggered when the SSL certificate uploaded by the user in the Certificate Management section expires.
Principle
The following table describes the key parameters involved in the monitoring logic of this alert.
| Parameter | Value |
|---|---|
| Monitoring metric | ssl_certificate_expired_status |
| Data source | The OCP-Server periodically queries whether any expired certificates exist. If so, an alert is triggered. |
| Metric collection (unit: seconds) | ssl_certificate_expired_status |
| Monitoring expression | max(ssl_certificate_expired_status{@LABELS}) by (@GBLABELS) |
| Collection interval | 60 seconds |
The value of the ssl_certificate_expired_status monitoring metric can be 0 or 1. A value of 0 indicates that the certificate file has not expired, and a value of 1 indicates that the certificate file has expired.
Rules
| Monitoring metric | Default threshold | Duration | Detection cycle | Elimination cycle |
|---|---|---|---|---|
| ssl_certificate_expired_status | 1 | 120 seconds | 60 seconds | 5 minutes |
Alert information
| Alert triggering method | Alert level | Scope |
|---|---|---|
| Based on the monitoring metric expression | Downtime | OCP |
Alert template
- Alert summary
- Template: ${alarm_target} ${alarm_name}
- Example: alarm_template_id=0:certificate_group=real_chain:certificate_file=ca_chain.pem:expired_time=1970-01-01T08:02:01+08:00 SSL certificate expiration alert
- Alert details
- Template: The certificate file ${certificate_file} in the SSL certificate group ${certificate_group} has expired. The expiration time is ${expired_time}. Please update the certificate in time to avoid service downtime caused by failure to establish a network connection.
- Example: The certificate file ca_chain.pem in the SSL certificate group real_chain has expired. The expiration time is 1970-01-01T08:02:01+08:00. Please update the certificate in time to avoid service downtime caused by failure to establish a network connection.
- Alert recovery
- Template: Alert: ${alarm_name}, SSL certificate expiration status: ${recover_value}
- Example: Alert: SSL certificate expiration alert, SSL certificate expiration status: 0
Impact on the system
If the SSL certificate expires, the OceanBase cluster and ObProxy cluster using the certificate may fail to establish SQL and RPC connections, leading to service downtime.
Possible causes
The SSL certificate has expired.
Procedure
- Obtain a new server certificate by reissuing the CA certificate.
- Upload the certificate in OCP. For more information, see Upload a certificate.
- Update the certificates for the OceanBase cluster and OBProxy cluster that use the expired certificate. For more information, see Manage SSL encryption for an OceanBase cluster and Manage SSL encryption for an OBProxy cluster.