Hi again,
Further troubleshooting has not proven successful. I think that this is partly
caused by me not understanding what the No valid negotiate header error
actually means. Most sources point in the direction of keytabs, so I suspect it
has to do with LDAP/KDC communications?
Also, when running getcert list, the following shows up at the top. However, I
don't know if this is caused by the other errors, or causing them?
Request ID '20210520194638':
status: CA_UNREACHABLE
ca-error: Error setting up ccache for "host" service on client using
default keytab: Cannot contact any KDC for requested realm.
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: IPA
issuer: CN=Certificate Authority,O=COMPANY.COM
subject: CN=ipa.company.com,O=COMPANY.COM
issued: 2025-06-09 11:07:31 UTC
expires: 2027-06-10 11:07:31 UTC
principal name: krbtgt/company....@company.com
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-pkinit-KPKdc
profile: KDCs_PKINIT_Certs
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
The other certificates listed are all valid and shows as MONITORING. This
failing(?) certificate also shows up when running ipa-getcert list.
If it's helpful, the instance is running in a CentOS 9 container.
Felix
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
