Just found it in messages log. Looks like the env var for the principal was set, but when I decode the CSR it shows no principals added.

Sep 30 14:50:17 ipa-primary certmonger[756]: 2024-09-30 14:50:17 [756] Wrote to /var/lib/certmonger/requests/20221028185012
Sep 30 14:50:17 ipa-primary certmonger[756]: 2024-09-30 14:50:17 [756] Wrote to /var/lib/certmonger/requests/20221028185012
Sep 30 14:50:17 ipa-primary certmonger[642836]: Certificate in file "/var/kerberos/krb5kdc/kdc.crt" will not be valid after 2024-10-28 14:50:12 EDT.
Sep 30 14:50:17 ipa-primary certmonger[756]: 2024-09-30 14:50:17 [756] Wrote to /var/lib/certmonger/requests/20221028185012
Sep 30 14:50:17 ipa-primary certmonger[756]: 2024-09-30 14:50:17 [756] Wrote to /var/lib/certmonger/requests/20221028185012
Sep 30 14:50:17 ipa-primary certmonger[642837]: 2024-09-30 14:50:17 [642837] Error initializing NSS.
Sep 30 14:50:17 ipa-primary certmonger[642837]: 2024-09-30 14:50:17 [642837] error:04000067:object identifier routines::unknown object name
Sep 30 14:50:17 ipa-primary certmonger[756]: 2024-09-30 14:50:17 [756] Wrote to /var/lib/certmonger/requests/20221028185012
Sep 30 14:50:17 ipa-primary certmonger[756]: 2024-09-30 14:50:17 [756] Wrote to /var/lib/certmonger/requests/20221028185012
Sep 30 14:50:17 ipa-primary certmonger[642838]: 2024-09-30 14:50:17 [642838] Setting "CERTMONGER_REQ_SUBJECT" to "O=IPA.REDACTED,cn=ipa-primary.ipa.REDACTED" for child.
Sep 30 14:50:17 ipa-primary certmonger[642838]: 2024-09-30 14:50:17 [642838] Setting "CERTMONGER_REQ_HOSTNAME" to "ipa-primary.ipa.REDACTED" for child.
Sep 30 14:50:17 ipa-primary certmonger[642838]: 2024-09-30 14:50:17 [642838] Setting "CERTMONGER_REQ_PRINCIPAL" to "krbtgt/[email protected]" for child.
Sep 30 14:50:17 ipa-primary certmonger[642838]: 2024-09-30 14:50:17 [642838] Setting "CERTMONGER_OPERATION" to "SUBMIT" for child.
Sep 30 14:50:17 ipa-primary certmonger[642838]: 2024-09-30 14:50:17 [642838] Setting "CERTMONGER_CSR" to "-----BEGIN CERTIFICATE REQUEST-----

When I decode the CSR for the manual renewal I did, it includes the formerly-missing principal.

The env vars being set appear to be identical both times, but for good measure, here are the ones from the working request:

Oct 1 13:26:06 ipa-primary certmonger[6178]: 2024-10-01 13:26:06 [6178] Setting "CERTMONGER_REQ_SUBJECT" to "O=IPA.REDACTED,cn=ipa-primary.ipa.REDACTED" for child.
Oct 1 13:26:06 ipa-primary certmonger[6178]: 2024-10-01 13:26:06 [6178] Setting "CERTMONGER_REQ_HOSTNAME" to "ipa-primary.ipa.REDACTED" for child.
Oct 1 13:26:06 ipa-primary certmonger[6178]: 2024-10-01 13:26:06 [6178] Setting "CERTMONGER_REQ_PRINCIPAL" to "krbtgt/[email protected]" for child.
Oct 1 13:26:06 ipa-primary certmonger[6178]: 2024-10-01 13:26:06 [6178] Setting "CERTMONGER_OPERATION" to "SUBMIT" for child.
Oct 1 13:26:06 ipa-primary certmonger[6178]: 2024-10-01 13:26:06 [6178] Setting "CERTMONGER_CSR" to "-----BEGIN CERTIFICATE REQUEST-----
