Re: [Freeipa-users] Host certificate issue problem

Fri, 19 Jul 2013 08:33:29 -0700 


On 07/19/2013 08:10 AM, Rivet, Matt wrote:
>
>> When I check the host certificate I see a ca-error saying it cannot find
>> a suitable key.
>>
>> # ipa-getcert list
>>
>> Number of certificates and requests being tracked: 1.
>> Request ID '20130719035440':
>> status: CA_UNCONFIGURED
>> ca-error: Error setting up ccache for local "host" service using default
>> keytab: Keytab contains no suitable keys for host/det-webdl01@.
>> stuck: yes
>> key pair storage:
>> type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer',token='NSS
>> Certificate DB'
>> certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer'
>> CA: IPA
>> issuer:
>> subject:
>> expires: unknown
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>>
>
> What is the version of ipa-server , is the above error on ipa client ,
> if so what is the version of ipa-client
>
> Both client and server are version 3.0; the error is on the client
>
> There was similar bug in earlier versions, I would suggest you to update
> the ipa server and clients to ipa-3.0
>
> Yes the bug in earlier versions is here, 
> https://bugzilla.redhat.com/show_bug.cgi?id=747443
> I have double checked to see if the workaround applies after the bug fix, it 
> does not
>
>> When I check my keytab
>> # kinit -kt /etc/krb5.keytab host/det-webdl01.sub.example....@example.com
>> No error
>> If I list my keytab,
>>
>> # klist -kt /etc/krb5.keytab
>>
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Timestamp         Principal
>> ---- -----------------
>> --------------------------------------------------------
>>    2 07/18/13 13:14:06 host/det-webdl01.sub.example....@example.com
>>    2 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>>    2 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>>    2 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>>
>> My /etc/krb5.conf file looks like:
>>
>> [libdefaults]
>>  default_keytab_name = FILE:/etc/krb5.keytab
>>  default_realm = EXAMPLE.COM
>>  dns_lookup_realm = false
>>  dns_lookup_kdc = false
>>   rdns = false
>>   ticket_lifetime = 24h
>>   forwardable = yes
>>
>> [realms]
>>   EXAMPLE.COM = {
>>     kdc = det-ldmpl01.sub.example.com:88
>>     master_kdc = det-ldmpl01.sub.example.com:88
>>     admin_server = det-ldmpl01.sub.example.com:749
>>     default_domain = example.com
>>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>>   }
>>
>> [domain_realm]
>>   .example.com = EXAMPLE.COM
>>   example.com = EXAMPLE.COM
>>   .sub.example.com = EXAMPLE.COM
>>   sub.example.com = EXAMPLE.COM
>>
>> It seems the error from ipa-getcert list shows:
>>
>> ca-error: Error setting up ccache for local "host" service using default
>> keytab: Keytab contains no suitable keys for host/det-webdl01@.
>>
>> where it is trunking the hostname and not including the realm name after
>> @ seems to be the problem, but I cannot figure out why.  If I run
>> `hostname` on this host it prints det-webdl01.sub.example.com.
>>

Can you please check respective certmonger request in
/var/lib/certmonger/requests/ and see if the principal is not misconfigured
there from the time when request was created?

I also think you should be able to override the bad principal with following
command:

# ipa-getcert start-tracking -i 20130719035440 -K
"host/det-webdl01.sub.example....@example.com"

HTH,
Martin



Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=det-webdl01.sub.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
..
..
..
                    4a:57
                Exponent: 65537 (0x10001)
        Attributes:
            friendlyName             :Server-Cer
        Requested Extensions:
            X509v3 Subject Alternative Name:
                DNS:det-webdl01.sub.example.com, othername:<unsupported>, 
othername:<unsupported>
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
...
...
...

The request also looks like this 

state=HAVE_CSR
autorenew=1
monitor=1
ca_name=IPA
submitted=20130719035440
ca_error=Error setting up ccache for local "host" service using default keytab: 
Keytab contains no suitable keys for host/det-webdl01@.

Does IPA need to be in my host file or dns?

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to