On 07/19/2013 08:10 AM, Rivet, Matt wrote:
>
>> When I check the host certificate I see a ca-error saying it cannot find
>> a suitable key.
>>
>> # ipa-getcert list
>>
>> Number of certificates and requests being tracked: 1.
>> Request ID '20130719035440':
>>   status: CA_UNCONFIGURED
>>   ca-error: Error setting up ccache for local "host" service using default keytab: Keytab contains no suitable keys for host/det-webdl01@.
>>   stuck: yes
>>   key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer',token='NSS Certificate DB'
>>   certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer'
>>   CA: IPA
>>   issuer:
>>   subject:
>>   expires: unknown
>>   pre-save command:
>>   post-save command:
>>   track: yes
>>   auto-renew: yes
>>
>
> What is the version of ipa-server? Is the above error on the ipa client?
> If so, what is the version of ipa-client?
>
> Both client and server are version 3.0; the error is on the client.
>
> There was a similar bug in earlier versions. I would suggest you update
> the ipa server and clients to ipa-3.0.
>
> Yes, the bug in earlier versions is here:
> https://bugzilla.redhat.com/show_bug.cgi?id=747443
> I have double checked to see if the workaround applies after the bug fix; it
> does not.
>
>> When I check my keytab
>> # kinit -kt /etc/krb5.keytab host/det-webdl01.sub.example....@example.com
>> No error
>> If I list my keytab,
>>
>> # klist -kt /etc/krb5.keytab
>>
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Timestamp         Principal
>> ---- ----------------- --------------------------------------------------------
>>    2 07/18/13 13:14:06 host/det-webdl01.sub.example....@example.com
>>    2 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>>    2 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>>    2 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>>
>> My /etc/krb5.conf file looks like:
>>
>> [libdefaults]
>>   default_keytab_name = FILE:/etc/krb5.keytab
>>   default_realm = EXAMPLE.COM
>>   dns_lookup_realm = false
>>   dns_lookup_kdc = false
>>   rdns = false
>>   ticket_lifetime = 24h
>>   forwardable = yes
>>
>> [realms]
>>   EXAMPLE.COM = {
>>     kdc = det-ldmpl01.sub.example.com:88
>>     master_kdc = det-ldmpl01.sub.example.com:88
>>     admin_server = det-ldmpl01.sub.example.com:749
>>     default_domain = example.com
>>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>>   }
>>
>> [domain_realm]
>>   .example.com = EXAMPLE.COM
>>   example.com = EXAMPLE.COM
>>   .sub.example.com = EXAMPLE.COM
>>   sub.example.com = EXAMPLE.COM
>>
>> It seems the error from ipa-getcert list shows:
>>
>> ca-error: Error setting up ccache for local "host" service using default keytab: Keytab contains no suitable keys for host/det-webdl01@.
>>
>> where it is truncating the hostname and not including the realm name after
>> @. That seems to be the problem, but I cannot figure out why. If I run
>> `hostname` on this host it prints det-webdl01.sub.example.com.
>>

Can you please check the respective certmonger request in /var/lib/certmonger/requests/ and see if the principal is not misconfigured there from the time when the request was created? I also think you should be able to override the bad principal with the following command:

# ipa-getcert start-tracking -i 20130719035440 -K "host/det-webdl01.sub.example....@example.com"

HTH,
Martin

Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=det-webdl01.sub.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ..
                    ..
                    ..
                    4a:57
                Exponent: 65537 (0x10001)
        Attributes:
            friendlyName :Server-Cer
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:det-webdl01.sub.example.com, othername:<unsupported>, othername:<unsupported>
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
    ...
    ...
    ...

The request also looks like this:

state=HAVE_CSR
autorenew=1
monitor=1
ca_name=IPA
submitted=20130719035440
ca_error=Error setting up ccache for local "host" service using default keytab: Keytab contains no suitable keys for host/det-webdl01@.

Does IPA need to be in my host file or dns?

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
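To make the check discussed in this thread mechanical, here is an added example script (not from the thread or from certmonger/FreeIPA): it pulls the principal out of certmonger's ca_error text, flags an empty realm after "@" as in the request above, and otherwise verifies the principal against a klist -kt listing. The ca_error line is taken from the request quoted above; the keytab listing is constructed inline and assumes the full principal host/det-webdl01.sub.example.com@EXAMPLE.COM, built from the CN and realm shown in the thread.

```shell
#!/bin/sh
# Added example: does the principal certmonger complains about in ca_error
# carry a realm, and does the keytab listing actually hold a key for it?

# ca_error line as quoted from the certmonger request file in the thread.
CA_ERROR='ca_error=Error setting up ccache for local "host" service using default keytab: Keytab contains no suitable keys for host/det-webdl01@.'

# Constructed `klist -kt /etc/krb5.keytab` output; the principal assumes the
# CN det-webdl01.sub.example.com and realm EXAMPLE.COM from the thread.
KLIST_OUTPUT='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 07/18/13 13:14:06 host/det-webdl01.sub.example.com@EXAMPLE.COM
   1 07/18/13 13:14:07 host/det-webdl01.sub.example.com@EXAMPLE.COM'

# Extract <principal> from "... no suitable keys for <principal>."
principal_from_error() {
    printf '%s\n' "$1" | sed -n 's/.*no suitable keys for \([^ ]*\)\.$/\1/p'
}

# Realm is whatever follows the last '@'; empty when the name was truncated.
realm_of() {
    printf '%s\n' "$1" | sed 's/.*@//'
}

# Exact match of the principal against the last column of the klist listing.
keytab_has_principal() {
    printf '%s\n' "$2" | awk -v p="$1" '$NF == p { found = 1 } END { exit !found }'
}

# Verdict: empty-realm:<p>, missing-from-keytab:<p>, or ok:<p>.
diagnose() {
    p=$(principal_from_error "$1")
    if [ -z "$(realm_of "$p")" ]; then
        echo "empty-realm:$p"
    elif keytab_has_principal "$p" "$2"; then
        echo "ok:$p"
    else
        echo "missing-from-keytab:$p"
    fi
}

diagnose "$CA_ERROR" "$KLIST_OUTPUT"
```

An "empty-realm" verdict means the Kerberos library never had a realm to match against the keytab entries, which is the condition the start-tracking -K override above corrects; "missing-from-keytab" points at a keytab that was never populated for that host principal.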