Rob Verduijn via FreeIPA-users wrote:
> Hello,
>
> Today I upgraded my ipaserver from CentOS 8.1 to CentOS 8.2.
>
> And ipa-healthcheck --failures-only claims all my certs have expired in 1970.
> Which is a bit weird since they all seem to work fine for me.
> Everything seems to work except for a lot of errors in my logs from certmonger.
> I get a lot of these:
> ... [8777] Error authenticating to token "NSS Certificate DB".
> ... [8777] Error shutting down NSS.
> ... [8778] Token is named "NSS Generic Crypto Services", not "NSS Certificate DB", skipping.
> ... [8778] certread-n: Error authenticating to cert db slot NSS Certificate DB.
> ... [8778] Error locating certificate.
> ... [8778] Error shutting down NSS.
> ... [8779] Error authenticating to token "NSS Certificate DB".
> ... [8779] Error shutting down NSS.
> ... [8780] Token is named "NSS Generic Crypto Services", not "NSS Certificate DB", skipping.
> ... [8780] certread-n: Error authenticating to cert db slot NSS Certificate DB.
>
> Certmonger is up and running, but not functioning.
>
> Anybody know how to get certmonger to function properly again?
certmonger doesn't have the pin/pinfile for the tracked certificate. healthcheck is misinterpreting what's wrong. The issue is that certmonger can't read the cert (lack of auth), so it has no notafter date, so it looks expired. This reporting has been improved in the freeipa-healthcheck upstream.

Another user reported this on IRC yesterday and it was the dogtag certs that lacked a pin for some reason.

You have the list of certmonger request ids from the healthcheck output, so I'd look at the certmonger tracking for them. The user yesterday reported that the certs were in NEWLY_ADDED_NEED_KEYINFO_READ_PIN.

For each id run:

  # getcert start-tracking -i <id> -P `cat /etc/pki/pki-tomcat/alias/pwdfile.txt`

You could alternatively use -p /etc/pki/pki-tomcat/alias/pwdfile.txt but that isn't the default configuration.

rob
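The re-tracking step above has to be repeated once per request id. The script below is an added example, not part of the thread and not certmonger's or FreeIPA's own tooling: it parses `getcert list`-style output, picks out every request whose status is NEWLY_ADDED_NEED_KEYINFO_READ_PIN, and prints the matching `getcert start-tracking -i <id> -P ...` command for review instead of running it. It assumes the "Request ID '<id>':" / indented "status: <STATE>" layout of `getcert list`; the sample output, request ids and nicknames embedded in it are constructed so that it runs offline, and the pinfile path defaults to the /etc/pki/pki-tomcat/alias/pwdfile.txt named in the reply.

```shell
#!/bin/sh
# Added example: list certmonger requests stuck waiting for a pin and print the
# getcert start-tracking command that supplies it. Assumption: `getcert list`
# prints "Request ID '<id>':" followed by indented "status: <STATE>" lines.

# Constructed sample of `getcert list` output (ids and nicknames are made up).
SAMPLE_GETCERT_LIST="Number of certificates and requests being tracked: 3.
Request ID '20200520103001':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-TEST/pwdfile.txt'
Request ID '20200520103002':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
Request ID '20200520103003':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
"

# pin_stuck_ids: read getcert-list-style text on stdin and print one request id
# per line for every request whose status is NEWLY_ADDED_NEED_KEYINFO_READ_PIN.
# The id is remembered from the last "Request ID" header seen.
pin_stuck_ids() {
    awk '
        /^Request ID / { id = $3; gsub(/[^0-9A-Za-z_.-]/, "", id) }
        /^[ \t]*status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN$/ { print id }
    '
}

# retrack_commands: for each id on stdin print the start-tracking command that
# passes the pin with -P. The pin is read from the pinfile at execution time via
# $(cat ...) rather than being expanded here, so it never lands in this output.
retrack_commands() {
    pinfile="${1:-/etc/pki/pki-tomcat/alias/pwdfile.txt}"
    while IFS= read -r id; do
        printf 'getcert start-tracking -i %s -P "$(cat %s)"\n' "$id" "$pinfile"
    done
}

# On a live server this would be:  getcert list | pin_stuck_ids | retrack_commands
# Here the constructed sample stands in for the getcert output.
printf '%s' "$SAMPLE_GETCERT_LIST" | pin_stuck_ids | retrack_commands
```

Review the printed commands, then run them as root; `-P` hands certmonger the pin value itself (the default FreeIPA configuration), while `-p <pinfile>` would instead record the file path in the tracking request, as the reply notes.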
