No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


HUAWEI CLOUD Stack 6.5.0 Alarm and Event Reference 04

Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
ALM-2001006 Certificate Exception Alarm

ALM-2001006 Certificate Exception Alarm


This alarm is generated when the validity date of the Nginx certificate is less than 30 days.


Alarm ID

Alarm Severity

Auto Clear







Resource name

Name of the device for which the alarm is generated

Resource type


Monitor type

Service monitoring

Host IP address

IP address of the host


Data in recent periods


Threshold for generating an alarm

Impact on the System

Currently, this alarm has no impact on services. However, after the certificate expires, the system displays a message indicating that the access is not secure when you log in to the website. You can still access the website, but you need to handle the exception as soon as possible.

Possible Cause

  • If the threshold is 1, the certificate is about to expire.
  • If the threshold is 2, the certificate has expired.
  • If the threshold is 3, the certificate is invalid or does not exist.


  • You have obtained the certificate file, private key file, and private key password. For example, the certificate file is server.crt, and the private key file is server.key. For details about how to create a certificate, see "Certificate Management" > "Replacing Type A Certificates" > "Preparing for Replacement" > "Generating Certificates for Components" in HUAWEI CLOUD Stack 6.5.0 Security Management Guide.
  • If the obtained private key file name is not server.key, manually change the name (for example, serverkey.pem or serverkey.key) to server.key.
  • You have obtained a tool, such as PuTTY, for cross-platform remote access.
  • You have obtained a file transfer tool, such as WinSCP.


  1. Log in to ManageOne Maintenance Portal using a browser.

    • URL: https://Address for accessing the homepage of ManageOne Maintenance Portal:31943, for example,
    • Default username: admin; default password: Huawei12#$

  2. On the menu bar in the upper part of the page, choose Alarms > Current Alarms.
  3. In the alarm list, locate the alarm to be handled, and click on the left of the alarm. The Details page is displayed.
  4. Choose Location Info, obtain the host IP address, that is, the IP address of the node where the alarm is generated.
  1. Use PuTTY to log in to the Nginx node whose certificates are to be replaced.

    The default user name is onframework. The default password is cnp200@HW.

  2. Run the following command to switch to the root user:

    sudo su - root

    Default password: Cloud12#$

  3. Run the following command to disable user logout upon system timeout:


  4. Run the following commands to back up the certificate:

    cd /opt/onframework/nginx

    tar zcvf /tmp/nginx_config.tar.gz conf/

  5. Use a network transmission tool (such as WinSCP) to upload certificate files server.key and server.crt to the Nginx nodes.
  6. Run the following command to import environment variables:

    source /etc/profile

  7. Switch to the directory where server.key and server.crt files are stored and run the following command to encrypt the private key:

    openssl rsa -aes256 -in server.key -out server.key

    • If a password is set for the private key, the following information is displayed:
      Enter pass phrase for server.key:

      Enter the password of the private key (that is, the password used for generating the .key file when the customer applies for the certificate), and then enter a password for encrypting the private key file twice. (Enter any password that contains more than four characters and keep it secure. This password needs to be used in 13.)

      Figure 16-2 Command execution
    • If a password is not set for the private key, enter the password for encrypting the private key file twice. (Enter any password that contains more than four characters and keep it secure. This password needs to be used in 13.)
      Figure 16-3 Command execution

  8. Run the following commands to update the private key and certificate:

    cp server.key /opt/onframework/nginx/conf/SSL/server.key

    cp server.crt /opt/onframework/nginx/conf/SSL/server.crt


    When the system prompts you whether to overwrite the existing private key and certificate, enter yes.

  9. Run the following command to encrypt the password of the encrypted private key using safetool:

    /opt/onframework/nginx/tools/safetool/bin/safetool -b

    Enter the private key described in 11.

    Copy the generated ciphertext to the /opt/onframework/nginx/conf/SSL/server.pass directory.

  10. Run the following command to restart the Nginx service:

    /opt/onframework/nginx/bin/ restart

  11. Switch to the directory where the original server.key and server.crt files are stored, and run the following command to delete the original certificate file:

    rm server.key

    rm server.crt

    rm xxx.pfx

    rm /tmp/nginx_config.tar.gz

  1. Check whether the alarm is cleared.

    • If yes, no further action is required.
    • If no, contact technical support for assistance.



Updated: 2019-08-30

Document ID: EDOC1100062365

Views: 45247

Downloads: 33

Average rating:
This Document Applies to these Products
Related Version
Related Documents
Previous Next