Mark Haney wrote:
On 10/13/2017 09:48 AM, Mark Haney wrote:
I tried changing HOST/ to host/ and got this:
Certificate at same location is already used by request with nickname

Seems it doesn't matter on this setup.  Oh, probably should mention
this is a CentOS 6.9 box. In case that matters.

Okay, we're getting somewhere now.  Turns out I'm a giant moron. The
krb5.conf file I was using was incorrect.  The domain_realm section
didn't include the '' bit. So, when I got that fixed and
issued a new getcert request, I have a new error:

Request ID '20171013140647':
    ca-error: Error setting up ccache for "host" service on client using
default keytab: Generic preauthentication failure.
    stuck: yes

I'd be more specific, but this was a really generic error message.

So yeah, you're moving right along. I was in the middle of asking you to check krb5.conf when this one came in :-)

So the reason the resubmit failed is certmonger tracks the location, etc. for certs to prevent duplicates (and racing at renewal time). You can either drop a request using ipa-getcert stop-tracking -i <id>

Or ipa-getcert resubmit -i <id>

The first is probably "cleaner", esp. since you don't yet have a valid cert.

I'd check for SELinux issues on /etc/krb5.keytab. Perms should be 0600 root:root.

Or maybe it's the keytab itself. You can tell via:

#  kinit -kt /etc/krb5.keytab

You need a key for the value of `hostname`.

But again, a cert isn't required for successful IPA integration. We thought it would be a nifty future-proofing idea to have a cert on all clients. We were wrong and no longer do it.
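The keytab checks suggested in the reply above (0600 root:root on /etc/krb5.keytab, a host/`hostname` key present, kinit -kt succeeding), collected into a small diagnostic script. This is an added example, not code from the thread or from FreeIPA; the function names, the KEYTAB variable and the sample klist listing are my own, and the permission wrapper assumes GNU stat on Linux.

```shell
#!/bin/sh
# Added example: pre-flight checks for a stuck certmonger host-cert request
# on an IPA client. Function names and sample data are assumptions, not
# anything from the thread or from FreeIPA itself.

KEYTAB="${KEYTAB:-/etc/krb5.keytab}"

# Pure check on a "mode owner group" triple such as "600 root root".
# Returns 0 when the keytab is 0600 root:root, as the reply recommends.
keytab_perms_ok() {
    mode="$1"; owner="$2"; group="$3"
    [ "$mode" = "600" ] && [ "$owner" = "root" ] && [ "$group" = "root" ]
}

# Wrapper that reads the real file's metadata (GNU stat, Linux) and feeds
# it to keytab_perms_ok. Needs a readable file; silent on SELinux labels.
check_keytab_file() {
    path="$1"
    [ -f "$path" ] || { echo "missing: $path"; return 1; }
    set -- $(stat -c '%a %U %G' "$path")
    keytab_perms_ok "$1" "$2" "$3"
}

# Given the text of `klist -kt <keytab>` and the client's FQDN, return 0
# when a host/<fqdn>@REALM entry is present (the key kinit -kt needs).
# Fixed-string match so dots in the FQDN are not treated as regex.
keytab_has_host_key() {
    listing="$1"; fqdn="$2"
    printf '%s\n' "$listing" | grep -qF "host/${fqdn}@"
}

# Constructed sample of klist -kt output (hostname and realm are invented).
SAMPLE_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------
   1 10/13/17 09:48:00 host/client.example.test@EXAMPLE.TEST'

# Combined diagnostic against the live system: perms, principal, then the
# same kinit -kt the reply suggests, with the host principal spelled out.
diagnose_keytab() {
    fqdn="$(hostname)"
    check_keytab_file "$KEYTAB" || echo "keytab is not 0600 root:root: $KEYTAB"
    listing="$(klist -kt "$KEYTAB" 2>/dev/null)" || { echo "klist failed on $KEYTAB"; return 1; }
    keytab_has_host_key "$listing" "$fqdn" || { echo "no host/$fqdn key in $KEYTAB"; return 1; }
    kinit -kt "$KEYTAB" "host/$fqdn" && echo "keytab is usable for host/$fqdn"
}
```

Run `diagnose_keytab` as root on the client; a failure at the klist or principal step points at the keytab contents (re-enrol or re-fetch the host key), while a failure only at kinit with a correct listing points at KDC reachability or clock skew rather than the file.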

FreeIPA-users mailing list --