Hello,
Today I upgraded my ipaserver from CentOS 8.1 to CentOS 8.2.
And ipa-healthcheck --failures-only claims all my certs have expired in 1970, which is a bit weird since they all seem to work fine for me. Everything seems to work except for a lot of errors in my logs from certmonger. I get a lot of these:

    ... [8777] Error authenticating to token "NSS Certificate DB".
    ... [8777] Error shutting down NSS.
    ... [8778] Token is named "NSS Generic Crypto Services", not "NSS Certificate DB", skipping.
    ... [8778] certread-n: Error authenticating to cert db slot NSS Certificate DB.
    ... [8778] Error locating certificate.
    ... [8778] Error shutting down NSS.
    ... [8779] Error authenticating to token "NSS Certificate DB".
    ... [8779] Error shutting down NSS.
    ... [8780] Token is named "NSS Generic Crypto Services", not "NSS Certificate DB", skipping.
    ... [8780] certread-n: Error authenticating to cert db slot NSS Certificate DB.
Certmonger is up and running, but not functioning.
Does anybody know how to get certmonger to function properly again?
Rob
Rob Verduijn via FreeIPA-users wrote:
> Hello,
> Today I upgraded my ipaserver from CentOS 8.1 to CentOS 8.2.
> And ipa-healthcheck --failures-only claims all my certs have expired in 1970, which is a bit weird since they all seem to work fine for me. Everything seems to work except for a lot of errors in my logs from certmonger. I get a lot of these:
>
>     ... [8777] Error authenticating to token "NSS Certificate DB".
>     ... [8777] Error shutting down NSS.
>     ... [8778] Token is named "NSS Generic Crypto Services", not "NSS Certificate DB", skipping.
>     ... [8778] certread-n: Error authenticating to cert db slot NSS Certificate DB.
>     ... [8778] Error locating certificate.
>     ... [8778] Error shutting down NSS.
>     ... [8779] Error authenticating to token "NSS Certificate DB".
>     ... [8779] Error shutting down NSS.
>     ... [8780] Token is named "NSS Generic Crypto Services", not "NSS Certificate DB", skipping.
>     ... [8780] certread-n: Error authenticating to cert db slot NSS Certificate DB.
>
> Certmonger is up and running, but not functioning.
> Does anybody know how to get certmonger to function properly again?
certmonger doesn't have the pin/pinfile for the tracked certificate.
healthcheck is misinterpreting what's wrong. The issue is that certmonger can't read the cert (lack of auth), so it has no notAfter date and so looks expired. This reporting has been improved in the freeipa-healthcheck upstream.
Another user reported this on IRC yesterday and it was the dogtag certs that lacked a pin for some reason. You have the list of certmonger request IDs from the healthcheck output so I'd look at the certmonger tracking for them. The user yesterday reported that the certs were in NEWLY_ADDED_NEED_KEYINFO_READ_PIN.
For each ID run:

    # getcert start-tracking -i <id> -P `cat /etc/pki/pki-tomcat/alias/pwdfile.txt`

You could alternatively use -p /etc/pki/pki-tomcat/alias/pwdfile.txt but that isn't the default configuration.
rob
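The procedure in the reply above (find the requests stuck in NEWLY_ADDED_NEED_KEYINFO_READ_PIN and re-run getcert start-tracking with the NSS DB password), written out as a small POSIX shell script. This is an added example, not code from the thread, from FreeIPA or from certmonger; the function names are mine, and the `getcert list` output it parses in dry-run mode is a constructed sample that imitates the real layout rather than output from any real server. It goes slightly beyond the reply by filtering on the NSS DB location, since the password in pwdfile.txt only opens the pki-tomcat database.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/certmonger.
# It automates the fix Rob Crittenden describes: find certmonger requests
# whose status is NEWLY_ADDED_NEED_KEYINFO_READ_PIN, limited to the NSS DB
# whose password we actually hold, and re-run start-tracking with that PIN.
# Function and variable names are mine; the 'getcert list' sample below is
# constructed to mimic the real layout and is not taken from any system.

# Constructed sample of 'getcert list' output: two dogtag requests that lost
# their PIN and one directory-server request that is fine (it has a pinfile).
sample_getcert_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20200616100001':
        status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
Request ID '20200616100002':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-TEST/pwdfile.txt'
        CA: IPA
Request ID '20200616100003':
        status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
EOF
}

# Read 'getcert list' output on stdin and print the request IDs that are
# waiting for a PIN *and* live in the NSS database given as $1. Filtering on
# the location matters: the pwdfile.txt password only opens that one DB, so
# feeding it to requests for other databases would just fail again.
ids_needing_pin() {
    awk -v want="$1" '
        function flush() {
            if (id != "" && status == "NEWLY_ADDED_NEED_KEYINFO_READ_PIN" && loc == want)
                print id
        }
        /^Request ID/ {
            flush()
            gsub(/[^0-9A-Za-z_-]/, "", $3)   # strip quotes and trailing colon
            id = $3; status = ""; loc = ""
        }
        /^[ \t]*status:/ { status = $2 }
        /^[ \t]*key pair storage:/ {
            n = index($0, "location=")
            if (n) {
                rest = substr($0, n + 9)              # text after "location="
                sub(/,.*/, "", rest)                  # keep up to the next field
                gsub(/[^A-Za-z0-9._\/-]/, "", rest)   # drop the surrounding quotes
                loc = rest
            }
        }
        END { flush() }
    '
}

# Re-issue start-tracking, as in the reply, for every stuck request in the
# given NSS DB. The PIN is passed with -P because that matches the default
# IPA configuration; -p PINFILE would keep it out of the process list.
fix_tracking() {
    nssdb="$1"
    pwdfile="$2"
    pin=$(cat "$pwdfile") || return 1
    getcert list | ids_needing_pin "$nssdb" | while read -r req; do
        echo "re-tracking request $req with the PIN for $nssdb"
        getcert start-tracking -i "$req" -P "$pin"
    done
}

# Without --apply, only parse the constructed sample (dry run), so the script
# is safe to try on a machine without certmonger.
if [ "$1" = "--apply" ]; then
    # e.g. ./fix-certmonger-pins.sh --apply /etc/pki/pki-tomcat/alias /etc/pki/pki-tomcat/alias/pwdfile.txt
    fix_tracking "$2" "$3"
else
    sample_getcert_list | ids_needing_pin /etc/pki/pki-tomcat/alias
fi
```

Run without arguments it prints the two stuck request IDs from the sample; with `--apply <nssdb> <pwdfile>` it runs the real `getcert` commands as root. The status filter means requests that merely belong to the same DB but are already MONITORING are left alone, and the location filter keeps the pki-tomcat password from being handed to requests for other NSS databases.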
Thanks,
It was indeed the problem and your suggestion also solved it.
Rob
On Tue, 16 Jun 2020 at 16:08, Rob Crittenden rcritten@redhat.com wrote:
> Rob Verduijn via FreeIPA-users wrote:
> > Hello,
> > Today I upgraded my ipaserver from CentOS 8.1 to CentOS 8.2.
> > And ipa-healthcheck --failures-only claims all my certs have expired in 1970, which is a bit weird since they all seem to work fine for me. Everything seems to work except for a lot of errors in my logs from certmonger. I get a lot of these:
> >
> >     ... [8777] Error authenticating to token "NSS Certificate DB".
> >     ... [8777] Error shutting down NSS.
> >     ... [8778] Token is named "NSS Generic Crypto Services", not "NSS Certificate DB", skipping.
> >     ... [8778] certread-n: Error authenticating to cert db slot NSS Certificate DB.
> >     ... [8778] Error locating certificate.
> >     ... [8778] Error shutting down NSS.
> >     ... [8779] Error authenticating to token "NSS Certificate DB".
> >     ... [8779] Error shutting down NSS.
> >     ... [8780] Token is named "NSS Generic Crypto Services", not "NSS Certificate DB", skipping.
> >     ... [8780] certread-n: Error authenticating to cert db slot NSS Certificate DB.
> >
> > Certmonger is up and running, but not functioning.
> > Does anybody know how to get certmonger to function properly again?
>
> certmonger doesn't have the pin/pinfile for the tracked certificate.
> healthcheck is misinterpreting what's wrong. The issue is that certmonger can't read the cert (lack of auth), so it has no notAfter date and so looks expired. This reporting has been improved in the freeipa-healthcheck upstream.
> Another user reported this on IRC yesterday and it was the dogtag certs that lacked a pin for some reason. You have the list of certmonger request IDs from the healthcheck output so I'd look at the certmonger tracking for them. The user yesterday reported that the certs were in NEWLY_ADDED_NEED_KEYINFO_READ_PIN.
> For each ID run:
>
>     # getcert start-tracking -i <id> -P `cat /etc/pki/pki-tomcat/alias/pwdfile.txt`
>
> You could alternatively use -p /etc/pki/pki-tomcat/alias/pwdfile.txt but that isn't the default configuration.
> rob
freeipa-users@lists.fedorahosted.org