From e40ec36d1e54a6a88476f3e06192ec8170c89e99 Mon Sep 17 00:00:00 2001 From: Alex Aizman Date: Tue, 17 Sep 2024 09:46:13 -0400 Subject: [PATCH] docs: cli/advanced.md, environment-vars.md, https.md, authn.md, cli.md * new content mostly around https * v3.24 updates * cross-references, etc. text works Signed-off-by: Alex Aizman --- api/env/ais.go | 12 +++- cmn/client.go | 3 +- docs/authn.md | 14 ++--- docs/cli.md | 12 +++- docs/cli/advanced.md | 122 +++++++++++++++++++++++++++++---------- docs/configuration.md | 2 +- docs/environment-vars.md | 56 +++++++++++++----- docs/https.md | 52 ++++++++++++++++- 8 files changed, 212 insertions(+), 61 deletions(-) diff --git a/api/env/ais.go b/api/env/ais.go index cf7a303bd4..2d1b3cddbb 100644 --- a/api/env/ais.go +++ b/api/env/ais.go @@ -23,13 +23,17 @@ var ( LocalRedirectCIDR string PubIPv4CIDR string - // https + // + // HTTPS + // for details and background, see: https://github.com/NVIDIA/aistore/blob/main/docs/environment-vars.md#https + // UseHTTPS string // TLS: client side Certificate string CertKey string ClientCA string SkipVerifyCrt string + // TLS: server (aistore, AuthN) side (NOTE comment below) // tests, CI NumTarget string @@ -53,12 +57,18 @@ var ( // false: HTTP transport, with all the TLS config (below) ignored // true: HTTPS/TLS + // for details and background, see: https://github.com/NVIDIA/aistore/blob/main/docs/environment-vars.md#https UseHTTPS: "AIS_USE_HTTPS", // cluster config: "net.http.use_https" // TLS: client side Certificate: "AIS_CRT", CertKey: "AIS_CRT_KEY", ClientCA: "AIS_CLIENT_CA", + + // TLS: server (aistore, AuthN) side + // "AIS_SERVER_CRT" - TLS certificate (pathname) + // "AIS_SERVER_KEY" - private key (ditto) + // TLS: common SkipVerifyCrt: "AIS_SKIP_VERIFY_CRT", // cluster config: "net.http.skip_verify" diff --git a/cmn/client.go b/cmn/client.go index 919a6a4c8a..b2482ee079 100644 --- a/cmn/client.go +++ b/cmn/client.go 
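Review bot: The server-side TLS variables are introduced only as comment text in the second ais.go hunk (`// "AIS_SERVER_CRT" - TLS certificate (pathname)` and the `AIS_SERVER_KEY` line after it), while every other HTTPS variable in this block is a real field with an initializer, so `env.AIS` still has no name for the certificate and key pathnames that authn.md and environment-vars.md in this same commit describe as required when `AIS_USE_HTTPS`/`AIS_AUTHN_USE_HTTPS` is true, and whatever reads them presumably does so via string literals that can drift from these comments. The first hunk's `// TLS: server (aistore, AuthN) side (NOTE comment below)` is likewise a dangling pointer for a reader of the type declaration alone. Consider declaring `ServerCrt string` and `ServerKey string` next to `SkipVerifyCrt` and initializing them in the second hunk with `ServerCrt: "AIS_SERVER_CRT", // cluster config: "net.http.server_crt"` and `ServerKey: "AIS_SERVER_KEY", // cluster config: "net.http.server_key"` (the cluster-config keys are the ones configuration.md in this commit names), so both comments can point at fields instead of quoting strings. Both hunks sit inside a `var (` block whose opening and closing lines are outside the hunks.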
@@ -163,7 +163,8 @@ func NewClientTLS(cargs TransportArgs, sargs TLSArgs, intra bool) *http.Client { return &http.Client{Transport: transport, Timeout: cargs.Timeout} } -// see related: HTTPConf.ToTLS() +// EnvToTLS usage is limited to aisloader and tools +// NOTE that embedded intra-cluster clients utilize a similar method: `HTTPConf.ToTLS` func EnvToTLS(sargs *TLSArgs) { if s := os.Getenv(env.AIS.Certificate); s != "" { sargs.Certificate = s diff --git a/docs/authn.md b/docs/authn.md index 60a688a78a..5ad7dba6ae 100644 --- a/docs/authn.md +++ b/docs/authn.md 
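Review bot: The rewritten doc comment on `EnvToTLS` says who calls it but not what it does; Go doc convention is a first sentence starting with the name that states the contract, e.g. `// EnvToTLS overrides each field of sargs whose client-side TLS variable (see env.AIS: AIS_CRT, AIS_CRT_KEY, AIS_CLIENT_CA, AIS_SKIP_VERIFY_CRT) is set and non-empty; unset variables leave sargs untouched.` The hunk shows only the `env.AIS.Certificate` branch and the function body continues past the hunk, so the full variable list is an assumption to confirm against the rest of the body. If `AIS_SKIP_VERIFY_CRT` is among them, the comment is also the right place to state that a true value turns off X.509 verification of the server certificate — the docs in this commit present it as a self-signed-cert workaround, and callers in aisloader and tools should see that consequence in the API doc rather than only in the markdown. The existing `NOTE` about `HTTPConf.ToTLS` reads fine as the second sentence.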
@@ -176,17 +176,17 @@ Further references: Environment variables used by the deployment script to set up the AuthN server: -| Variable | Default Value | Description | -|----------------------|---------------------|-------------------------------------------------------------------------------------------------| +| Variable | Default Value | Description | +|------------------------|---------------------|-------------------------------------------------------------------------------------------------| | `AIS_AUTHN_SECRET_KEY` | `aBitLongSecretKey` | Secret key used to sign tokens | | `AIS_AUTHN_ENABLED` | `false` | Enable AuthN server and token-based access in AIStore proxy (`true` to enable) | | `AIS_AUTHN_PORT` | `52001` | Port on which AuthN listens to requests | | `AIS_AUTHN_TTL` | `24h` | Token expiration time. Can be set to `0` for no expiration | | `AIS_AUTHN_USE_HTTPS` | `false` | Enable HTTPS for AuthN server. If `true`, requires `AIS_SERVER_CRT` and `AIS_SERVER_KEY` to be set | -| `AIS_SERVER_CRT` | `""` | OpenSSL certificate. Required when `AIS_AUTHN_USE_HTTPS` is `true` | -| `AIS_SERVER_KEY` | `""` | OpenSSL key. Required when `AIS_AUTHN_USE_HTTPS` is `true` | -| `AIS_AUTHN_SU_NAME` | `admin` | Superuser (admin) name for AuthN | -| `AIS_AUTHN_SU_PASS` | `admin` | Superuser (admin) password for AuthN | +| `AIS_SERVER_CRT` | `""` | TLS certificate. Required when `AIS_AUTHN_USE_HTTPS` is `true` | +| `AIS_SERVER_KEY` | `""` | private key for the TLS certificate (above). | +| `AIS_AUTHN_SU_NAME` | `admin` | Superuser (admin) name for AuthN | +| `AIS_AUTHN_SU_PASS` | `admin` | Superuser (admin) password for AuthN | All variables can be set at AIStore cluster deployment and will override values in the config. Example of starting a cluster with AuthN enabled: 
@@ -420,4 +420,4 @@ When a cluster is registered, an arbitrary alias can be assigned to the cluster. | Operation | HTTP Action | Example | |------------------------------|-------------|-----------------------------------------------------------------------------------------------| | Get AuthN configuration | GET /v1/daemon | `curl -X GET $AUTHSRV/v1/daemon -H 'Authorization: Bearer '` | -| Update AuthN configuration | PUT /v1/daemon | `curl -X PUT $AUTHSRV/v1/daemon -d '{"log":{"dir":"","level":""},"net":{"http":{"port":,"use_https":false,"server_crt":"","server_key":""}},"auth":{"secret":"aBitLongSecretKey","expiration_time":"24h0m"},"timeout":{"default_timeout":"30s"}}' -H 'Authorization: Bearer '` | \ No newline at end of file +| Update AuthN configuration | PUT /v1/daemon | `curl -X PUT $AUTHSRV/v1/daemon -d '{"log":{"dir":"","level":""},"net":{"http":{"port":,"use_https":false,"server_crt":"","server_key":""}},"auth":{"secret":"aBitLongSecretKey","expiration_time":"24h0m"},"timeout":{"default_timeout":"30s"}}' -H 'Authorization: Bearer '` | diff --git a/docs/cli.md b/docs/cli.md index 3e6cafb407..6fd33d3a8f 100644 --- a/docs/cli.md +++ b/docs/cli.md 
@@ -245,9 +245,15 @@ In addition, environment can be used to **override** client-side TLS (aka, HTTPS | `AIS_CLIENT_CA` | Certificate authority that authorized (signed) the certificate | "cluster.client_ca_tls" | | `AIS_SKIP_VERIFY_CRT` | true: skip X.509 cert verification (usually enabled to circumvent limitations of self-signed certs) | "cluster.skip_verify_crt" | -See also: - -* [HTTPS: loading, reloading, and generating certificates; switching cluster between HTTP and HTTPS](/docs/https.md) +### Further references + +- [Generating self-signed certificates](/docs/https.md#generating-self-signed-certificates) +- [Deploying: 4 targets, 1 gateway, 6 mountpaths, AWS backend](/docs/https.md#deploying-4-targets-1-gateway-6-mountpaths-aws-backend) +- [Accessing HTTPS-based cluster](/docs/https.md#accessing-https-based-cluster) +- [Testing with self-signed certificates](/docs/https.md#testing-with-self-signed-certificates) +- [Observability: TLS related alerts]((/docs/https.md#observability-tls-related-alerts) +- [Updating and reloading X.509 certificates](/docs/https.md#updating-and-reloading-x509-certificates) +- [Switching cluster between HTTP and HTTPS](/docs/https.md#switching-cluster-between-http-and-https) ## First steps diff --git a/docs/cli/advanced.md b/docs/cli/advanced.md index 2f2f70eef8..745a3377fc 100644 --- a/docs/cli/advanced.md +++ b/docs/cli/advanced.md 
@@ -7,42 +7,38 @@ redirect_from: - /docs/cli/advanced.md/ --- -# `ais advanced` commands +Commands for special use cases (e.g. scripting) and *advanced* usage scenarios, whereby a certain level of understanding of possible consequences is assumed (and required). -Commands for special use cases (e.g. scripting) and *advanced* usage scenarios, whereby a certain level of understanding of possible consequences is implied and required: +## Table of Contents +- [`ais advanced`](#ais-advanced) +- [Manual Resilvering](#manual-resilvering) +- [Preload bucket](#preload-bucket) +- [Remove node from Smap](#remove-node-from-smap) +- [Rotate logs: individual nodes or entire cluster](#rotate-logs-individual-nodes-or-entire-cluster) +- [Disable/Enable cloud backend at runtime](#disableenable-cloud-backend-at-runtime) +- [Load TLS certificate](#load-tls-certificate) + +## `ais advanced` ```console $ ais advanced --help -NAME: - ais advanced - special commands intended for development and advanced usage USAGE: ais advanced command [command options] [arguments...] COMMANDS: - gen-shards generate and write random TAR shards, e.g.: - - gen-shards 'ais://bucket1/shard-{001..999}.tar' - write 999 random shards (default sizes) to ais://bucket1 - - gen-shards 'gs://bucket2/shard-{01..20..2}.tgz' - 10 random gzipped tarfiles to Cloud bucket - (notice quotation marks in both cases) - resilver resilver user data on a given target (or all targets in the cluster): fix data redundancy - with respect to bucket configuration, remove migrated objects and old/obsolete workfiles + resilver resilver user data on a given target (or all targets in the cluster); entails: + - fix data redundancy with respect to bucket configuration; + - remove migrated objects and old/obsolete workfiles. preload preload object metadata into in-memory cache remove-from-smap immediately remove node from cluster map (beware: potential data loss!) 
random-node print random node ID (by default, ID of a randomly selected target) random-mountpath print a random mountpath from a given target rotate-logs rotate aistore logs - enable-backend (re)enable cloud backend - disable-backend disable cloud backend - ``` - -AIS CLI features a number of miscellaneous and advanced-usage commands. - -## Table of Contents -- [Manual Resilvering](#manual-resilvering) -- [Preload bucket](#preload-bucket) -- [Remove node from Smap](#remove-node-from-smap) -- [Rotate logs: individual nodes or entire cluster](#rotate-logs-individual-nodes-or-entire-cluster) -- [Disable/Enable cloud backend at runtime](#disableenable-cloud-backend-at-runtime) + enable-backend (re)enable cloud backend (see also: 'ais config cluster backend') + disable-backend disable cloud backend (see also: 'ais config cluster backend') + load-X.509 (re)load TLS certificate +``` ## Manual Resilvering @@ -65,9 +61,7 @@ Started resilver "NGxmOthtE", use 'ais show job xaction NGxmOthtE' to monitor th `ais advanced preload BUCKET` -Preload bucket's objects metadata into in-memory caches. - -### Examples +Preload objects metadata into in-memory cache. ```console $ ais advanced preload ais://bucket @@ -77,7 +71,7 @@ $ ais advanced preload ais://bucket `ais advanced remove-from-smap NODE_ID` -Immediately remove node from the cluster map. +Immediately remove node from the cluster map (a.k.a. Smap). Beware! When the node in question is ais target, the operation may (and likely will) result in a data loss that cannot be undone. Use decommission and start/stop maintenance operations to perform graceful removal. @@ -93,11 +87,15 @@ xVMNp8081 0.16% 31.12GiB 6m50s MvwQp8080[P] 0.18% 31.12GiB 6m40s NnPLp8082 0.16% 31.12GiB 6m50s - $ ais advanced remove-from-smap MvwQp8080 Node MvwQp 8080 is primary: cannot remove $ ais advanced remove-from-smap p[xVMNp8081] +``` + +And the result: + +```console $ ais show cluster proxy PROXY MEM USED % MEM AVAIL UPTIME BcnQp8083 0.16% 31.12GiB 8m 
@@ -151,6 +149,7 @@ This capability is now supported, and will be included in v3.24 release. And the ### Examples **1)** say, there's a cloud bucket with 4 objects: + ```console $ ais ls s3://test-bucket NAME SIZE CACHED @@ -163,6 +162,7 @@ NAME SIZE CACHED Note that only 2 objects out of 4 are in-cluster. **2)** disable s3 backend: + ```console $ ais advanced disable-backend gcp aws azure @@ -172,12 +172,14 @@ cluster: disabled aws backend ``` **3)** observe "offline" error when trying to list the bucket: + ```console $ ais ls s3://test-bucket Error: ErrRemoteBucketOffline: bucket "s3://test-bucket" is currently unreachable ``` **4)** but (!) all in-cluster objects can still be listed: + ```console $ ais ls s3://test-bucket --cached NAME SIZE @@ -186,24 +188,28 @@ NAME SIZE ``` **5)** and read: + ```console $ ais get s3://test-bucket/111 /dev/null -GET and discard 111 from s3://test-bucket (15.97KiB) +GET (and discard) 111 from s3://test-bucket (15.97KiB) ``` **6)** expectedly, remote objects are not accessible: + ```console $ ais get s3://test-bucket/333 /dev/null Error: object "s3://test-bucket/333" does not exist ``` **7)** let's now reconnect s3: + ```console $ ais advanced enable-backend aws cluster: enabled aws backend ``` -**8)** and observer that both in-cluster and remote content is now again available: +**8)** finally, observe that both in-cluster and remote content is now again available: + ```console $ ais ls s3://test-bucket NAME SIZE CACHED 
@@ -213,5 +219,61 @@ NAME SIZE CACHED 444 15.97KiB no $ ais get s3://test-bucket/333 /dev/null -GET and discard 333 from s3://test-bucket (15.97KiB) +GET (and discard) 333 from s3://test-bucket (15.97KiB) ``` + +## Load TLS certificate + +HTTPS deployment implies (and requires) that each AIS node has a valid TLS (a.k.a. [X.509](https://www.ssl.com/faqs/what-is-an-x-509-certificate/)) certificate. + +The latter has a number of interesting properties ultimately intended to authenticate clients (users) to servers (AIS nodes). And vice versa. + +In addition, TLS certfificates tend to expire from time to time. In fact, each TLS certificate has expiration date with the standard-defined maximum being 13 months (397 days). + +> Some sources claim 398 days but the (much) larger point remains: TLS certificates do expire. Which means, they must be periodically updated and timely reloaded. + +Starting v3.24, AIStore: + +* tracks certificate expiration times; +* automatically - upon update - reloads updated certificates; +* raises associated alerts. + +### Associated alerts + +```console +$ ais show cluster + +PROXY MEM AVAIL LOAD AVERAGE UPTIME STATUS ALERT +p[KKFpNjqo][P] 127.77GiB [5.2 7.2 3.1] 108h30m40s online tls-cert-will-soon-expire +... + +TARGET MEM AVAIL CAP USED(%) CAP AVAIL LOAD AVERAGE UPTIME STATUS ALERT +t[pDztYhhb] 98.02GiB 16% 960.824GiB [9.1 13.4 8.3] 108h30m1s online tls-cert-will-soon-expire +... +... +``` + +Overall, there are currentky 3 (three) related alerts: + +| alert | comment | +| -- | -- | +| `tls-cert-will-soon-expire` | a warning that X.509 cert will expire in less than 3 days | +| `tls-cert-expired` | red alert (as the name implies) | +| `tls-cert-invalid` | ditto | + +### Loading and reloading certificate on demand + +```console +$ ais advanced load-X.509 +Done: all nodes. 
+``` + +### Further references + +- [Generating self-signed certificates](/docs/https.md#generating-self-signed-certificates) +- [Deploying: 4 targets, 1 gateway, 6 mountpaths, AWS backend](/docs/https.md#deploying-4-targets-1-gateway-6-mountpaths-aws-backend) +- [Accessing HTTPS-based cluster](/docs/https.md#accessing-https-based-cluster) +- [Testing with self-signed certificates](/docs/https.md#testing-with-self-signed-certificates) +- [Observability: TLS related alerts](/docs/https.md#observability-tls-related-alerts) +- [Updating and reloading X.509 certificates](/docs/https.md#updating-and-reloading-x509-certificates) +- [Switching cluster between HTTP and HTTPS](/docs/https.md#switching-cluster-between-http-and-https) diff --git a/docs/configuration.md b/docs/configuration.md index 13ca09ba2d..aa53089f08 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -534,7 +534,7 @@ If extended attributes are disabled globally when deploying a cluster, node IDs ## Enabling HTTPS -To switch from HTTP protocol to an encrypted HTTPS, configure `net.http.use_https`=`true` and modify `net.http.server_crt` and `net.http.server_key` values so they point to your OpenSSL certificate and key files respectively (see [AIStore configuration](/deploy/dev/local/aisnode_config.sh)). +To switch from HTTP protocol to an encrypted HTTPS, configure `net.http.use_https`=`true` and modify `net.http.server_crt` and `net.http.server_key` values so they point to your TLS certificate and key files respectively (see [AIStore configuration](/deploy/dev/local/aisnode_config.sh)). The following HTTPS topics are also covered elsewhere: diff --git a/docs/environment-vars.md b/docs/environment-vars.md index de84b60c8c..6bea61e83b 100644 --- a/docs/environment-vars.md +++ b/docs/environment-vars.md 
@@ -96,14 +96,40 @@ See also: ## HTTPS +At first it may sound slightly confusing, but HTTP-wise aistore is both a client and a server. + +All nodes in a cluster talk to each other using HTTP (or HTTPS) - the fact that inevitably implies a certain client-side configuration (and configurability). + +In particular, aistore server-side HTTPS environment includes: + | name | comment | | ---- | ------- | -| `AIS_USE_HTTPS` | tells aistore to run HTTPS transport (both public and intra-cluster networks); overrides the corresponding config; e.g. usage: 'export AIS_USE_HTTPS=true' | -| `AIS_CRT` | X.509 certificate pathname (this and the rest variables in the table are ignored when aistore is AIS_USE_HTTPS==false | -| `AIS_CRT_KEY` | pathname that contains X.509 certificate private key | -| `AIS_CLIENT_CA` | certificate authority that authorized (signed) the certificate | +| `AIS_USE_HTTPS` | tells aistore to run HTTPS transport (both public and intra-cluster networks) | +| `AIS_SERVER_CRT` | TLS certificate (pathname). Required when `AIS_USE_HTTPS` is `true` | +| `AIS_SERVER_KEY` | private key (pathname) for the certificate above. | | `AIS_SKIP_VERIFY_CRT` | when true will skip X.509 cert verification (usually enabled to circumvent limitations of self-signed certs) | +> E.g., for local playground, typical usage starts from running `export AIS_USE_HTTPS=true` followed by one of the usual `make deploy` combinations. 
+ +In addition, all embedded (intra-cluster) clients in a cluster utilize the following environment: + +| name | comment | +| ---- | ------- | +| `AIS_CRT` | TLS certificate pathname (this and the rest variables in the table are ignored when aistore is AIS_USE_HTTPS==false | +| `AIS_CRT_KEY` | pathname that contains X.509 certificate private key | +| `AIS_CLIENT_CA` | certificate authority that authorized (signed) the certificate | +| `AIS_SKIP_VERIFY_CRT` | when true will skip X.509 cert verification (usually enabled to circumvent limitations of self-signed certs) | + +### Further references + +- [Generating self-signed certificates](/docs/https.md#generating-self-signed-certificates) +- [Deploying: 4 targets, 1 gateway, 6 mountpaths, AWS backend](/docs/https.md#deploying-4-targets-1-gateway-6-mountpaths-aws-backend) +- [Accessing HTTPS-based cluster](/docs/https.md#accessing-https-based-cluster) +- [Testing with self-signed certificates](/docs/https.md#testing-with-self-signed-certificates) +- [Observability: TLS related alerts]((/docs/https.md#observability-tls-related-alerts) +- [Updating and reloading X.509 certificates](/docs/https.md#updating-and-reloading-x509-certificates) +- [Switching cluster between HTTP and HTTPS](/docs/https.md#switching-cluster-between-http-and-https) + ## Local Playground | name | comment | 
@@ -262,17 +288,17 @@ AIStore Authentication Server (**AuthN**) provides OAuth 2.0 compliant [JSON Web AuthN supports multiple AIS clusters; in fact, there's no limit on the number of clusters a given AuthN instance can provide authentication and access control service for. -| Variable | Default Value | Description | -|----------------------|---------------------|-------------------------------------------------------------------------------------------------| -| `AIS_AUTHN_SECRET_KEY` | `aBitLongSecretKey` | Secret key used to sign tokens | -| `AIS_AUTHN_ENABLED` | `false` | Enable AuthN server and token-based access in AIStore proxy (`true` to enable) | -| `AIS_AUTHN_PORT` | `52001` | Port on which AuthN listens to requests | -| `AIS_AUTHN_TTL` | `24h` | Token expiration time. Can be set to `0` for no expiration | -| `AIS_AUTHN_USE_HTTPS` | `false` | Enable HTTPS for AuthN server. If `true`, requires `AIS_SERVER_CRT` and `AIS_SERVER_KEY` to be set | -| `AIS_SERVER_CRT` | `""` | OpenSSL certificate. Required when `AIS_AUTHN_USE_HTTPS` is `true` | -| `AIS_SERVER_KEY` | `""` | OpenSSL key. Required when `AIS_AUTHN_USE_HTTPS` is `true` | -| `AIS_AUTHN_SU_NAME` | `admin` | Superuser (admin) name for AuthN | -| `AIS_AUTHN_SU_PASS` | `admin` | Superuser (admin) password for AuthN | +| Variable | Default Value | Description | +|------------------------|---------------------|-------------------------------------------------------------------------------------------| +| `AIS_AUTHN_SECRET_KEY` | `aBitLongSecretKey` | Secret key used to sign tokens | +| `AIS_AUTHN_ENABLED` | `false` | Enable AuthN server and token-based access in AIStore proxy (`true` to enable) | +| `AIS_AUTHN_PORT` | `52001` | Port on which AuthN listens to requests | +| `AIS_AUTHN_TTL` | `24h` | Token expiration time. Can be set to `0` for no expiration | +| `AIS_AUTHN_USE_HTTPS` | `false` | Enable HTTPS for AuthN server. 
If `true`, requires `AIS_SERVER_CRT` and `AIS_SERVER_KEY` | +| `AIS_SERVER_CRT` | `""` | TLS certificate (pathname). Required when `AIS_AUTHN_USE_HTTPS` is `true` | +| `AIS_SERVER_KEY` | `""` | pathname that contains X.509 certificate private key | +| `AIS_AUTHN_SU_NAME` | `admin` | Superuser (admin) name for AuthN | +| `AIS_AUTHN_SU_PASS` | `admin` | Superuser (admin) password for AuthN | Separately, there's also client-side AuthN environment that includes: diff --git a/docs/https.md b/docs/https.md index be6a99d05c..c134fa363a 100644 --- a/docs/https.md +++ b/docs/https.md @@ -11,8 +11,9 @@ In this document: - [Generating self-signed certificates](#generating-self-signed-certificates) - [Deploying: 4 targets, 1 gateway, 6 mountpaths, AWS backend](#deploying-4-targets-1-gateway-6-mountpaths-aws-backend) -- [Accessing the cluster](#accessing-the-cluster) +- [Accessing HTTPS-based cluster](#accessing-https-based-cluster) - [Testing with self-signed certificates](#testing-with-self-signed-certificates) +- [Observability: TLS related alerts](#observability-tls-related-alerts) - [Updating and reloading X.509 certificates](#updating-and-reloading-x509-certificates) - [Switching cluster between HTTP and HTTPS](#switching-cluster-between-http-and-https) 
@@ -58,7 +59,7 @@ $ TAGS=aws AIS_USE_HTTPS=true AIS_SKIP_VERIFY_CRT=true AIS_SERVER_CRT= See also: [Client-side TLS environment](/docs/cli.md#environment-variables) +## Observability: TLS related alerts + +HTTPS deployment implies (and requires) that each AIS node has a valid TLS (a.k.a. [X.509](https://www.ssl.com/faqs/what-is-an-x-509-certificate/)) certificate. + +The latter has a number of interesting properties ultimately intended to authenticate clients to the server (AIS node, in this case), and vice versa. + +In addition, TLS certfificates tend to expire from time to time. In fact, each TLS certificate has expiration date with the standard-defined maximum being 13 months (397 days). + +> Some sources claim 398 days but the (much) larger point remains: TLS certificates do expire. Which means, they must be periodically updated and timely reloaded. + +Starting v3.24, AIStore: + +* tracks certificate expiration times; +* automatically - upon update - reloads updated certificates; +* raises associated alerts. + +### Associated alerts + +```console +$ ais show cluster + +PROXY MEM AVAIL LOAD AVERAGE UPTIME STATUS ALERT +p[KKFpNjqo][P] 127.77GiB [5.2 7.2 3.1] 108h30m40s online **tls-cert-will-soon-expire** +... + +TARGET MEM AVAIL CAP USED(%) CAP AVAIL LOAD AVERAGE UPTIME STATUS ALERT +t[pDztYhhb] 98.02GiB 16% 960.824GiB [9.1 13.4 8.3] 108h30m1s online **tls-cert-will-soon-expire** +... +... +``` + +Overall, there are currentky 3 (three) alerts: + +| alert | comment | +| -- | -- | +| `tls-cert-will-soon-expire` | a warning that X.509 cert will expire in less than 3 days | +| `tls-cert-expired` | red alert (as the name implies) | +| `tls-cert-invalid` | ditto | + ## Updating and reloading X.509 certificates Quoting WWW: 
@@ -148,6 +188,7 @@ In addition, if certificate fails to load or expires, AIS node raises the namesa ```console $ ais show cluster + PROXY MEM USED(%) MEM AVAIL LOAD AVERAGE UPTIME STATUS ALERT p[atipJhgn][P] 0.17% 27.51GiB [0.3 0.1 0.0] - online **tls-cert-expired** @@ -183,6 +224,11 @@ Done. Note: if [AuthN](/docs/authn.md) is deployed, the API (and CLI above) will require administrative permissions. +### Further references + +* [HTTPS-related environment variables](environment-vars.md#https) +- [Reloading TLS certificate](/docs/cli/advanced.md#load-tls-certificate) + ## Switching cluster between HTTP and HTTPS ### From HTTP to HTTPS @@ -249,4 +295,4 @@ $ make kill cli deploy <<< $'6\n6\n4\ny\ny\nn\n' # step 5: and use $ ais show cluster -``` +