Thanks, it was indeed the problem and your suggestion also solved it.
Rob

On Tue 16 Jun 2020 at 16:08, Rob Crittenden <[email protected]> wrote:
> Rob Verduijn via FreeIPA-users wrote:
> > Hello,
> >
> > Today I upgraded my ipaserver from centos 8.1 to centos 8.2
> >
> > And ipa-healthcheck --failures-only claims all my certs have expired in 1970.
> > Which is a bit weird since they all seem to work fine for me.
> > Everything seems to work except for a lot of errors in my logs from certmonger.
> > I get a lot of these :
> > ... [8777] Error authenticating to token "NSS Certificate DB".
> > ... [8777] Error shutting down NSS.
> > ... [8778] Token is named "NSS Generic Crypto Services", not "NSS Certificate DB", skipping.
> > ... [8778] certread-n: Error authenticating to cert db slot NSS Certificate DB.
> > ... [8778] Error locating certificate.
> > ... [8778] Error shutting down NSS.
> > ... [8779] Error authenticating to token "NSS Certificate DB".
> > ... [8779] Error shutting down NSS.
> > ... [8780] Token is named "NSS Generic Crypto Services", not "NSS Certificate DB", skipping.
> > ... [8780] certread-n: Error authenticating to cert db slot NSS Certificate DB.
> >
> > Certmonger is up and running, but not functioning.
> >
> > Anybody know how to get certmonger to function properly again ?
>
> certmonger doesn't have the pin/pinfile for the tracked certificate.
>
> healthcheck is misinterpreting what's wrong. The issue is that certmonger can't read the cert (lack of auth) so has no notafter date so looks expired. This reporting has been improved in the freeipa-healthcheck upstream.
>
> Another user reported this on irc yesterday and it was the dogtag certs that lacked a pin for some reason. You have the list of certmonger request ids from the healthcheck output so I'd look at the certmonger tracking for them. The user yesterday reported that the certs were in NEWLY_ADDED_NEED_KEYINFO_READ_PIN.
>
> For each id run:
>
> # getcert start-tracking -i <id> -P `cat /etc/pki/pki-tomcat/alias/pwdfile.txt`
>
> You could alternatively use -p /etc/pki/pki-tomcat/alias/pwdfile.txt but that isn't the default configuration.
>
> rob
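The remediation Rob Crittenden describes above, as an added example that is not part of the thread: a small POSIX shell script that parses `getcert list`, picks out the requests stuck in NEWLY_ADDED_NEED_KEYINFO_READ_PIN, and re-tracks each one with the pin from /etc/pki/pki-tomcat/alias/pwdfile.txt. The sample `getcert list` output, the --fix/--demo flags and the DRY_RUN variable are assumptions of this example, not from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread: find certmonger tracking requests
# that are stuck waiting for the NSS DB pin and re-track them with the pin,
# which is the remediation suggested in the reply above. Assumes getcert(8)
# is installed and the Dogtag pin file lives where the reply says it does.
PWDFILE=${PWDFILE:-/etc/pki/pki-tomcat/alias/pwdfile.txt}

# Read `getcert list` output on stdin and print, one per line, the Request IDs
# whose status is NEWLY_ADDED_NEED_KEYINFO_READ_PIN (certmonger cannot open
# the NSS DB slot, so it has no notAfter and healthcheck reports 1970).
stuck_request_ids() {
    awk '
        /^Request ID/ { id = $3; gsub(/[^0-9A-Za-z_.-]/, "", id) }
        /^[[:space:]]*status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN/ { print id }
    '
}

# Re-register every stuck request with the pin (-P) read from the pin file.
# Set DRY_RUN=1 to only show the commands that would be run.
retrack_with_pin() {
    pin=$(cat "$PWDFILE") || return 1
    getcert list | stuck_request_ids | while read -r id; do
        if [ -n "${DRY_RUN-}" ]; then
            echo "getcert start-tracking -i $id -P <pin from $PWDFILE>"
        else
            # -p "$PWDFILE" would keep the pin out of argv, but the reply notes
            # that a pin file is not the default configuration here.
            getcert start-tracking -i "$id" -P "$pin"
        fi
    done
}

# Constructed sample of `getcert list` output (two of three requests stuck).
sample_getcert_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20200616120001':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
Request ID '20200616120002':
    status: MONITORING
    stuck: no
Request ID '20200616120003':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: no
EOF
}

# --fix runs the remediation against the live certmonger; --demo only parses
# the constructed sample so the parser can be checked without root.
case "${1-}" in
    --fix) retrack_with_pin ;;
    --demo) sample_getcert_list | stuck_request_ids ;;
esac
```

Run with `DRY_RUN=1 ./script.sh --fix` first to see which request ids would be re-tracked before touching certmonger.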
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
