I have done a few upgrades/installs of 2.0(3b) over the last 7-10 days, and each and every time the installation of this version expires the default keyring and it needs to be regenerated via the CLI.
I noticed this wasn't in the known open caveats so wanted to highlight this here.
Can you please get me the output of:
show keyring default detail
There is an open bug on that version that shows the SSL cert validity to be one month (not 7-10 days). Once we confirm if this is the issue you're seeing I'll request you to open a TAC SR so we can attach the bug and track for you.
Sorry for the delay in replying. Do you need the output from a system exhibiting the issue or can it be from one that has had the keyring regenerated?
I've fixed most of the installations/upgrades I've done as I don't like to leave with any errors showing. If it needs to be exhibiting the error I can recreate this in our lab tomorrow.
I'd need the output from a "problem system" to identify the bug. You're applying the correct work around it sounds like so unless its a task to get the output you can just fix it.
The issue has to do with the default expiration date on the system cert. Regenerating is is the correct fix. This will be permanently fixed in future releases also.
To add further, you want to check the validity of the certificate before starting the upgrade.
In earlier releases, system does not raise an alert when the certificate has expired.
It is fixed in 2.0.3a and above. So it might look like upgrade is generating an alert but really the fixed code is generating alert for an expired certificate that existed before the upgrade.