Mark Haney wrote:
On 10/13/2017 09:48 AM, Mark Haney wrote:
I tried changing HOST/ to host/ and got this:
Certificate at same location is already used by request with nickname
"20171013123749"
Seems it doesn't matter on this setup. Oh, probably should mention
this is a CentOS 6.9 box. In case that matters.
Okay, we're getting somewhere now. Turns out I'm a giant moron. The
krb5.conf file I was using was incorrect. The domain_realm section
didn't include the 'astacalaska.net' bit. So, when I got that fixed and
issued a new getcert request, I have a new error:
Request ID '20171013140647':
status: CA_UNCONFIGURED
ca-error: Error setting up ccache for "host" service on client using
default keytab: Generic preauthentication failure.
stuck: yes
I'd be more specific, but this was a really generic error message.
So yeah, you're moving right along. I was in the middle of asking you to
check krb5.conf when this one came in :-)
So the reason the resubmit failed is certmonger tracks the location, etc.
for certs to prevent duplicates (and racing at renewal time). You can
either drop a request using ipa-getcert stop-tracking -i <id>
Or ipa-getcert resubmit -i <id> ...new-or-changed-options...
The first is probably "cleaner" esp. since you don't yet have a valid cert.
I'd check for SELinux issues on /etc/krb5.keytab. Perms should be 0600
root:root.
Or maybe it's the keytab itself. You can tell via:
# kinit -kt /etc/krb5.keytab
You need a key for the value of `hostname`.
But again, a cert isn't required for successful IPA integration. We
thought it would be a nifty future-proofing idea to have a cert on all
clients. We were wrong and no longer do it.
rob
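As an added example (not code from this thread, and not FreeIPA's or certmonger's own tooling), the script below turns the three things Rob suggests verifying into small shell functions that can be exercised offline: keytab mode/ownership (0600 root:root), whether the keytab actually holds a key for the client's host principal, and whether the [domain_realm] section of krb5.conf maps the client's DNS domain to the realm, which is what the poster had missing. It assumes Linux stat(1) with -c and a POSIX awk; the realm EXAMPLE.TEST, the host client.example.test, the klist output and both krb5.conf fragments are constructed placeholders, not values from the poster's machine.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/certmonger.
# Three offline-testable checks for the failure discussed above
# ("Generic preauthentication failure" while certmonger sets up a ccache
# from /etc/krb5.keytab). Assumptions: Linux stat(1) with -c, awk(1),
# and placeholder names (realm EXAMPLE.TEST, host client.example.test).

# Check 1: keytab mode and ownership. Rob's expectation is 0600 root:root.
# Usage: check_keytab_perms /etc/krb5.keytab [mode] [owner:group]
check_keytab_perms() {
    path=$1; want_mode=${2:-600}; want_owner=${3:-root:root}
    [ -f "$path" ] || { echo "missing keytab: $path" >&2; return 1; }
    got=$(stat -c '%a %U:%G' "$path") || return 1
    [ "$got" = "$want_mode $want_owner" ] && return 0
    echo "$path is $got, expected $want_mode $want_owner" >&2
    return 1
}

# Check 2: does the keytab hold a key for the principal certmonger will use,
# i.e. host/<output of hostname -f>@REALM?  Reads `klist -kt` output on stdin
# so it can be tested on captured text.  Live use:
#   klist -kt /etc/krb5.keytab | keytab_has_principal "host/$(hostname -f)@EXAMPLE.TEST"
keytab_has_principal() {
    awk -v p="$1" '$NF == p { found = 1 } END { exit !found }'
}

# Check 3: does [domain_realm] in krb5.conf map the client's DNS domain
# (with or without a leading dot) to the realm?  Reads krb5.conf on stdin.
# Live use: domain_mapped_to_realm example.test EXAMPLE.TEST < /etc/krb5.conf
domain_mapped_to_realm() {
    awk -v d="$1" -v r="$2" '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[domain_realm\][ \t]*$/); next }
        insec {
            sub(/#.*/, "")
            if (split($0, kv, "=") != 2) next
            gsub(/[ \t]/, "", kv[1]); gsub(/[ \t]/, "", kv[2])
            if ((kv[1] == d || kv[1] == "." d) && kv[2] == r) found = 1
        }
        END { exit !found }'
}

# Constructed sample inputs (not real output from the poster's machine).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 10/13/2017 09:48:00 host/client.example.test@EXAMPLE.TEST
   2 10/13/2017 09:48:00 host/client.example.test@EXAMPLE.TEST'

# krb5.conf as the poster first had it: [domain_realm] lacks the domain.
SAMPLE_KRB5CONF_BROKEN='[libdefaults]
  default_realm = EXAMPLE.TEST
[domain_realm]
[realms]
  EXAMPLE.TEST = {
    kdc = ipa.example.test
  }'

# The corrected mapping.
SAMPLE_KRB5CONF_FIXED='[libdefaults]
  default_realm = EXAMPLE.TEST
[domain_realm]
  .example.test = EXAMPLE.TEST
  example.test = EXAMPLE.TEST'

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_KLIST" | keytab_has_principal "host/client.example.test@EXAMPLE.TEST" \
    && echo "keytab: host principal present" || echo "keytab: host principal MISSING"
printf '%s\n' "$SAMPLE_KRB5CONF_BROKEN" | domain_mapped_to_realm example.test EXAMPLE.TEST \
    && echo "broken krb5.conf: mapped" || echo "broken krb5.conf: example.test NOT mapped to EXAMPLE.TEST"
printf '%s\n' "$SAMPLE_KRB5CONF_FIXED" | domain_mapped_to_realm example.test EXAMPLE.TEST \
    && echo "fixed krb5.conf: mapped" || echo "fixed krb5.conf: NOT mapped"
```

On a real client, run check 1 against /etc/krb5.keytab, pipe `klist -kt /etc/krb5.keytab` into check 2 with the principal built from `hostname -f` (note the lower-case host/ service name, which is the form IPA host principals use), and feed /etc/krb5.conf to check 3. If all three pass and `kinit -kt /etc/krb5.keytab` still fails, the remaining suspects are SELinux denials on the keytab (check the audit log) or a keytab whose keys no longer match the KDC, which is cured by re-enrolling rather than by editing certmonger requests.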
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org