I have a cluster of 3 IPA servers. The primary server renewed the krb5kdc 
certificate last night, but did not include the principal name when it renewed. 
Here is the tracking entry after the auto-renewal:

Number of certificates and requests being tracked: 9.
Request ID '20221028185012':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=IPA.REDACTED
        subject: CN=ipa-primary.ipa.redacted,O=IPA.REDACTED
        issued: 2024-09-30 14:51:55 EDT
        expires: 2026-10-01 14:51:55 EDT
        dns: ipa-primary.ipa.redacted
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-pkinit-KPKdc
        profile: KDCs_PKINIT_Certs
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
        track: yes
        auto-renew: yes

After I manually renewed with getcert resubmit, it included the principal line: 

[root@ipa-primary pki]# getcert list -i 20221028185012
Number of certificates and requests being tracked: 9.
Request ID '20221028185012':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=IPA.REDACTED
        subject: CN=ipa-primary.ipa.REDACTED,O=IPA.REDACTED
        issued: 2024-10-01 13:26:06 EDT
        expires: 2026-10-02 13:26:06 EDT
        dns: ipa-primary.ipa.REDACTED
        principal name: krbtgt/[email protected]
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-pkinit-KPKdc
        profile: KDCs_PKINIT_Certs
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
        track: yes
        auto-renew: yes

Any idea how I can track down how or why this was missed, and how to prevent 
this from happening in the future?
FreeIPA-users mailing list -- [email protected]
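An added check, not part of the original post or of FreeIPA/certmonger, that parses `getcert list` output and flags a tracked KDC PKINIT certificate whose entry has no `principal name`, so a renewal like the one above can be caught by a cron job or a post-save hook instead of by hand. The sample input is constructed from the two entries quoted in the post, with the realm written out as IPA.REDACTED (matching the issuer's O= value); the expected principal form `krbtgt/REALM@REALM` is taken from the post's own resubmitted entry.

```python
import re

# Constructed sample: the tracking entry before and after the manual resubmit.
BEFORE = """\
Number of certificates and requests being tracked: 9.
Request ID '20221028185012':
        status: MONITORING
        stuck: no
        subject: CN=ipa-primary.ipa.redacted,O=IPA.REDACTED
        issued: 2024-09-30 14:51:55 EDT
        dns: ipa-primary.ipa.redacted
        eku: id-kp-serverAuth,id-pkinit-KPKdc
        profile: KDCs_PKINIT_Certs
        track: yes
"""
AFTER = BEFORE.replace("2024-09-30 14:51:55", "2024-10-01 13:26:06").replace(
    "        eku:", "        principal name: krbtgt/IPA.REDACTED@IPA.REDACTED\n        eku:")


def parse_getcert(text):
    """Split `getcert list` output into one dict of field -> value per Request ID."""
    entries, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return entries


def check_kdc_pkinit(entry, realm):
    """Return a list of problems for a KDC PKINIT tracking entry; empty means OK."""
    ekus = entry.get("eku", "").split(",")
    is_kdc = entry.get("profile") == "KDCs_PKINIT_Certs" or "id-pkinit-KPKdc" in ekus
    if not is_kdc:
        return []  # not a KDC certificate; nothing to check here
    problems = []
    if "id-pkinit-KPKdc" not in ekus:
        problems.append("missing id-pkinit-KPKdc EKU")
    expected = f"krbtgt/{realm}@{realm}"
    if entry.get("principal name") != expected:
        problems.append(f"principal name is {entry.get('principal name')!r}, expected {expected!r}")
    return problems


def audit(text, realm):
    """Map every Request ID in the output to its list of problems."""
    return {e["request_id"]: check_kdc_pkinit(e, realm) for e in parse_getcert(text)}
```

Feeding it the live output (`getcert list`) after each renewal and alerting on any non-empty list is enough to notice a KDC certificate that came back without its PKINIT principal SAN.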