On Tue, 12 Mar 2024, Bo Lind via FreeIPA-users wrote:
> I'm having a weird one. This has worked well on a number of other, identical hosts, but one is repeatedly giving me trouble:
>
> root@naughtyhost:~# ipa-getcert request -f /etc/pki/tls/certs/xrdp.pem -k /etc/pki/tls/private/xrdp.key -r -w -v
> New signing request "20240312125107" added.
> State NEWLY_ADDED_READING_KEYINFO, stuck: no.
> State SUBMITTING, stuck: no.
> State CA_REJECTED, stuck: yes.
> root@naughtyhost:~# ipa-getcert list
> Number of certificates and requests being tracked: 1.
> Request ID '20240312125107':
>     status: CA_REJECTED
>     ca-error: Server at https://idm0.example.local/ipa/json denied our request, giving up: 2100 (Insufficient access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Credential cache is empty)).
>     stuck: yes
>     key pair storage: type=FILE,location='/etc/pki/tls/private/xrdp.key'
>     certificate: type=FILE,location='/etc/pki/tls/certs/xrdp.pem'
>     CA: IPA
>     issuer:
>     subject:
>     issued: unknown
>     expires: unknown
>     pre-save command:
>     post-save command:
>     track: yes
>     auto-renew: yes
>
> I've tried looking in the logfiles on idm0, but couldn't really find anything useful.

I think it might be a problem with old host/service objects. Can you check if 'ipa host-show --all --raw hostname' returns krbCanonicalName attribute?

If it is not there, you can set one with

  ipa host-mod hostname --addattr krbcanonicalname=host/hostname@REALM

See https://pagure.io/freeipa/issue/9465 for some details.

-- 
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
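
Added example, not part of the reply above and not FreeIPA project code: a shell function that applies the check described in the reply to `ipa host-show --all --raw` output and, when krbCanonicalName is absent, prints the `ipa host-mod` command in the form the reply gives. The function name is hypothetical, and the sample output, the fqdn naughtyhost.example.local and the realm EXAMPLE.LOCAL are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Reads `ipa host-show --all --raw HOST`
# output on stdin and checks for the krbCanonicalName attribute.
# Exit status: 0 = present, 1 = missing (host-mod command printed), 2 = unparsable.
check_krbcanonicalname() {   # hypothetical helper name
    awk '
        function val(s) { sub(/^[^:]*:[ \t]*/, "", s); return s }
        { line = $0; sub(/^[ \t]+/, "", line); key = tolower(line) }
        key ~ /^krbcanonicalname:/ { canon = val(line) }
        key ~ /^krbprincipalname:/ && princ == "" { princ = val(line) }
        key ~ /^fqdn:/ { fqdn = val(line) }
        END {
            if (canon != "") { print "ok " canon; exit 0 }
            at = index(princ, "@")
            if (fqdn == "" || at == 0) { print "error: fqdn or realm not found"; exit 2 }
            # Same form as in the reply: host/hostname@REALM
            print "ipa host-mod " fqdn " --addattr krbcanonicalname=host/" fqdn "@" substr(princ, at + 1)
            exit 1
        }'
}

# Constructed sample: an old host entry without krbcanonicalname.
SAMPLE_MISSING='  dn: fqdn=naughtyhost.example.local,cn=computers,cn=accounts,dc=example,dc=local
  fqdn: naughtyhost.example.local
  krbprincipalname: host/naughtyhost.example.local@EXAMPLE.LOCAL
  objectClass: ipahost'

# Constructed sample: an entry that already carries the attribute.
SAMPLE_PRESENT="$SAMPLE_MISSING
  krbcanonicalname: host/naughtyhost.example.local@EXAMPLE.LOCAL"

printf '%s\n' "$SAMPLE_MISSING" | check_krbcanonicalname || true
printf '%s\n' "$SAMPLE_PRESENT" | check_krbcanonicalname
```

On an enrolled host with a valid admin ticket, the input would come from `ipa host-show --all --raw hostname` piped into the function instead of the constructed samples.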
