Russ Long via FreeIPA-users wrote:
> I have a cluster of 3 IPA servers, the primary server renewed the krb5kdc 
> certificate last night, but did not include the principal name when it 
> renewed, here is after the auto-renewal:
> 
> Number of certificates and requests being tracked: 9.
> Request ID '20221028185012':
>       status: MONITORING
>       stuck: no
>       key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
>       certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
>       CA: IPA
>       issuer: CN=Certificate Authority,O=IPA.REDACTED
>       subject: CN=ipa-primary.ipa.redacted,O=IPA.REDACTED
>       issued: 2024-09-30 14:51:55 EDT
>       expires: 2026-10-01 14:51:55 EDT
>       dns: ipa-primary.ipa.redacted
>       key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>       eku: id-kp-serverAuth,id-pkinit-KPKdc
>       profile: KDCs_PKINIT_Certs
>       pre-save command:
>       post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
>       track: yes
>       auto-renew: yes
> 
> After I manually renewed with getcert resubmit, it included the principal 
> line: 
> 
> [root@ipa-primary pki]# getcert list -i 20221028185012
> Number of certificates and requests being tracked: 9.
> Request ID '20221028185012':
>       status: MONITORING
>       stuck: no
>       key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
>       certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
>       CA: IPA
>       issuer: CN=Certificate Authority,O=IPA.REDACTED
>       subject: CN=ipa-primary.ipa.REDACTED,O=IPA.REDACTED
>       issued: 2024-10-01 13:26:06 EDT
>       expires: 2026-10-02 13:26:06 EDT
>       dns: ipa-primary.ipa.REDACTED
>       principal name: krbtgt/[email protected]
>       key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>       eku: id-kp-serverAuth,id-pkinit-KPKdc
>       profile: KDCs_PKINIT_Certs
>       pre-save command:
>       post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
>       track: yes
>       auto-renew: yes
> 
> Any idea how I can track down how or why this was missed, and how to prevent 
> this from happening in the future?
> 

What exactly did you do to resubmit the request?

The journal may have some information depending on what
/etc/sysconfig/certmonger contains (-d2 is the newish default).

This request goes through IPA so some details may be in
/var/log/httpd/error_log.

Either through the journal or the Apache log you should be able to find
the CSRs that were submitted for the bad and good certs. Maybe they will
be different.

Similarly the returned certificates.

rob

-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]