Thanx, 

It was indeed the problem and your suggestion also solved it.

Rob

On Tue 16 Jun 2020 at 16:08, Rob Crittenden <rcritten@redhat.com> wrote:
Rob Verduijn via FreeIPA-users wrote:
> Hello,
>
> Today I upgraded my ipaserver from centos 8.1 to centos 8.2
>
> And ipa-healthcheck --failures-only claims all my certs have expired in
> 1970.
> Which is a bit weird since they all seem to work fine for me.
> Everything seems to work except for a lot of errors in my logs from
> certmonger.
> I get a lot of these :
> ... [8777] Error authenticating to token "NSS Certificate DB".
> ... [8777] Error shutting down NSS.
> ... [8778] Token is named "NSS Generic Crypto Services", not "NSS
> Certificate DB", skipping.
> ... [8778] certread-n: Error authenticating to cert db slot NSS
> Certificate DB.
> ... [8778] Error locating certificate.
> ... [8778] Error shutting down NSS.
> ... [8779] Error authenticating to token "NSS Certificate DB".
> ... [8779] Error shutting down NSS.
> ... [8780] Token is named "NSS Generic Crypto Services", not "NSS
> Certificate DB", skipping.
> ... [8780] certread-n: Error authenticating to cert db slot NSS
> Certificate DB.
>
> Certmonger is up and running, but not functioning.
>
> Anybody know how to get certmonger to function properly again ?

certmonger doesn't have the pin/pinfile for the tracked certificate.

healthcheck is misinterpreting what's wrong. The issue is that
certmonger can't read the cert (lack of auth) so has no notafter date so
looks expired. This reporting has been improved in the
freeipa-healthcheck upstream.

Another user reported this on irc yesterday and it was the dogtag certs
that lacked a pin for some reason. You have the list of certmonger
request ids from the healthcheck output so I'd look at the certmonger
tracking for them. The user yesterday reported that the certs were in
NEWLY_ADDED_NEED_KEYINFO_READ_PIN.

For each id run:

# getcert start-tracking -i <id> -P `cat /etc/pki/pki-tomcat/alias/pwdfile.txt`

You could alternatively use -p /etc/pki/pki-tomcat/alias/pwdfile.txt but
that isn't the default configuration.

rob
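As an added example that is not part of this thread and not FreeIPA's or certmonger's own tooling, the script below walks the remediation Rob describes: it parses `getcert list` output, picks out every request sitting in NEWLY_ADDED_NEED_KEYINFO_READ_PIN, and prints the matching `getcert start-tracking -i <id> -P` command so the admin can review the list before running it. The "Request ID '...':" / "status: ..." line layout of `getcert list` is an assumption, the sample listing is constructed, and the pwdfile path is the one quoted in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/certmonger:
# turn `getcert list` output into the per-request re-tracking commands
# the reply above describes. Assumptions: the "Request ID '...':" and
# "status: ..." line layout of `getcert list`, and the Dogtag pwdfile
# path quoted in the thread. Commands are printed, not executed, so they
# can be reviewed before being piped to sh.

PWDFILE="${PWDFILE:-/etc/pki/pki-tomcat/alias/pwdfile.txt}"
STUCK_STATE="NEWLY_ADDED_NEED_KEYINFO_READ_PIN"

# Constructed sample of `getcert list` output (not captured from a real
# host): two Dogtag requests that never got their PIN and one healthy one.
sample_getcert_list() {
  cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20200616100001':
  status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
Request ID '20200616100002':
  status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
Request ID '20200616100003':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
  certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
EOF
}

# Read `getcert list` output on stdin and print one request id per line
# for every request whose status is $STUCK_STATE. The id is the text
# between the single quotes on the "Request ID" line; the status line
# that follows belongs to that request.
stuck_request_ids() {
  awk -v want="$STUCK_STATE" -v q="'" '
    /^Request ID /          { id = ""; if (split($0, p, q) >= 3) id = p[2] }
    /^[[:space:]]*status: / { if (id != "" && $2 == want) print id }
  '
}

# Print the `getcert start-tracking` command from the reply for each stuck
# request. -P hands certmonger the PIN itself (the default FreeIPA setup);
# -p "$PWDFILE" would instead point certmonger at the file, which the
# reply notes is not the default configuration.
emit_fix_commands() {
  stuck_request_ids | while IFS= read -r id; do
    printf "getcert start-tracking -i '%s' -P \"\$(cat '%s')\"\n" "$id" "$PWDFILE"
  done
}

case "${1:-}" in
  --demo) sample_getcert_list | emit_fix_commands ;;  # run against the sample
  -)      emit_fix_commands ;;                        # getcert list | sh retrack.sh -
esac
```

Run it as `getcert list | sh retrack.sh -` on the IPA server to get the command list, check the ids against the ones healthcheck reported, then pipe the output to sh as root; `sh retrack.sh --demo` exercises the constructed sample.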