Gateway Node Certificate Expiring or Expired

# Issue Overview

The communication between various components of the OpenResty Edge system uses TLS encryption to ensure security. When you see an alert in the Edge Admin interface, or encounter errors like check_cert_expiration(): API error: invalid timestamp in the Edge Node’s error logs, it indicates that the Edge Node’s certificate is about to expire or has expired, and there were issues during the automatic renewal process.

# Impact

1. Certificate about to expire: Usually doesn’t directly affect the system, but needs to be addressed promptly to prevent certificate expiration.
2. Certificate expired: Will result in communication failure between components, including but not limited to:
   • Unable to synchronize configurations
   • Unable to upload logs
   • Other functions dependent on secure communication may be affected

# Resolution

# 1. Check and Fix Edge Admin System Time

# 1.1 Check System Time

Verify if the Edge Admin’s system time matches the current actual time.

date

# 1.2 Correct System Time

Choose one of the following methods to correct the time:

# Method One: Using Chrony or NTP Service (Recommended)

# 1. Install Chrony
# For apt systems (e.g., Ubuntu, Debian)
sudo apt-get update && sudo apt-get install -y chrony

# For yum systems (e.g., CentOS, RHEL)
sudo yum update && sudo yum install -y chrony

# 2. Restart Chrony service
sudo systemctl restart chronyd

# 3. Verify Chrony synchronization status
chronyc sources
chronyc tracking

# 4. Enable Chrony service to start on boot
sudo systemctl enable chronyd

# Method Two: Manually Set Time

1. Set system date and time:

   sudo date -s "YYYY-MM-DD HH:MM:SS"
   

   Replace “YYYY-MM-DD HH:MM:SS” with the current correct date and time.

2. Synchronize system time to hardware clock:

   sudo hwclock --systohc
   

# 1.3 Restart Edge Admin Service

After time correction, restart the Edge Admin service:

sudo systemctl restart upgrade-oredge-admin

# 2. Check and Fix Edge Node System Time

# 2.1 Certificate About to Expire

1. Check Edge Node’s system time:

   date
   

2. If the time is incorrect, adjust the Edge Node’s system time using the above Edge Admin time correction methods (NTP service or manual setting).

3. Restart Edge Node service:

   sudo systemctl restart upgrade-oredge-node
   

# 2.2 Certificate Expired

1. Check Edge Node’s system time:

   date
   

2. If the time is incorrect, adjust it using the above time correction methods.

3. Migrate traffic: Move traffic to other normally functioning Edge Nodes.

4. Restart Edge Node service:

   sudo systemctl restart upgrade-oredge-node
   

5. Remove and re-add the node to the cluster:

   • In the Edge Admin’s gateway cluster management interface, delete this Edge Node.
   • Continuously refresh the gateway cluster interface, wait for the Edge Node to reappear in the candidate list.
   • Re-approve the Edge Node to join the cluster.