On 07/22/2013 03:41 PM, Rivet, Matt wrote:
> On 07/19/2013 08:10 AM, Rivet, Matt wrote:
>>
>>> When I check the host certificate I see a ca-error saying it cannot find
>>> a suitable key.
>>>
>>> # ipa-getcert list
>>>
>>> Number of certificates and requests being tracked: 1.
>>> Request ID '20130719035440':
>>>         status: CA_UNCONFIGURED
>>>         ca-error: Error setting up ccache for local "host" service using default
>>> keytab: Keytab contains no suitable keys for host/det-webdl01@.
>>>         stuck: yes
>>>         key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer',token='NSS Certificate DB'
>>>         certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer'
>>>         CA: IPA
>>>         issuer:
>>>         subject:
>>>         expires: unknown
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>>
>>
>> What is the version of ipa-server? Is the above error on the ipa client,
>> and if so, what is the version of ipa-client?
>>
>> Both client and server are version 3.0; the error is on the client.
>>
>> There was a similar bug in earlier versions; I would suggest you update
>> the ipa server and clients to ipa-3.0.
>>
>> Yes, the bug in earlier versions is here:
>> https://bugzilla.redhat.com/show_bug.cgi?id=747443
>> I have double-checked to see if the workaround applies after the bug fix; it
>> does not.
>>
>>> When I check my keytab:
>>> # kinit -kt /etc/krb5.keytab host/det-webdl01.sub.example....@example.com
>>> No error.
>>> If I list my keytab:
>>>
>>> # klist -kt /etc/krb5.keytab
>>>
>>> Keytab name: FILE:/etc/krb5.keytab
>>> KVNO Timestamp         Principal
>>> ---- ----------------- --------------------------------------------------------
>>>    2 07/18/13 13:14:06 host/det-webdl01.sub.example....@example.com
>>>    2 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>>>    2 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>>>    2 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>>>
>>> My /etc/krb5.conf file looks like:
>>>
>>> [libdefaults]
>>>   default_keytab_name = FILE:/etc/krb5.keytab
>>>   default_realm = EXAMPLE.COM
>>>   dns_lookup_realm = false
>>>   dns_lookup_kdc = false
>>>   rdns = false
>>>   ticket_lifetime = 24h
>>>   forwardable = yes
>>>
>>> [realms]
>>>   EXAMPLE.COM = {
>>>     kdc = det-ldmpl01.sub.example.com:88
>>>     master_kdc = det-ldmpl01.sub.example.com:88
>>>     admin_server = det-ldmpl01.sub.example.com:749
>>>     default_domain = example.com
>>>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>   }
>>>
>>> [domain_realm]
>>>   .example.com = EXAMPLE.COM
>>>   example.com = EXAMPLE.COM
>>>   .sub.example.com = EXAMPLE.COM
>>>   sub.example.com = EXAMPLE.COM
>>>
>>> It seems the error from ipa-getcert list shows:
>>>
>>> ca-error: Error setting up ccache for local "host" service using default
>>> keytab: Keytab contains no suitable keys for host/det-webdl01@.
>>>
>>> where it is truncating the hostname and not including the realm name after
>>> @, which seems to be the problem, but I cannot figure out why. If I run
>>> `hostname` on this host it prints det-webdl01.sub.example.com.
>>>
>
> Can you please check the respective certmonger request in
> /var/lib/certmonger/requests/ and see if the principal is not misconfigured
> there from the time when the request was created?
>
> I also think you should be able to override the bad principal with the following
> command:
>
> # ipa-getcert start-tracking -i 20130719035440 -K
> "host/det-webdl01.sub.example....@example.com"
>
> HTH,
> Martin
>
>
> Certificate Request:
>     Data:
>         Version: 0 (0x0)
>         Subject: CN=det-webdl01.sub.example.com
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
>                     ..
>                     ..
>                     ..
>                     4a:57
>                 Exponent: 65537 (0x10001)
>         Attributes:
>             friendlyName             :Server-Cer
>         Requested Extensions:
>             X509v3 Subject Alternative Name:
>                 DNS:det-webdl01.sub.example.com, othername:<unsupported>, othername:<unsupported>
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication
>     ...
>     ...
>     ...
>
> The request also looks like this:
>
> state=HAVE_CSR
> autorenew=1
> monitor=1
> ca_name=IPA
> submitted=20130719035440
> ca_error=Error setting up ccache for local "host" service using default
> keytab: Keytab contains no suitable keys for host/det-webdl01@.
>
> Does IPA need to be in my hosts file or DNS?

I am now just thinking, could this be caused by reverse DNS resolution for this
host being broken? Does "host $IP_ADDRESS_OF_YOUR_HOST" return
"det-webdl01.sub.example.com." or just "det-webdl01."?

> Does anyone know why certmonger is looking for a keytab for
> host/det-webdl01@. instead of
> host/det-webdl01.sub.example....@example.com?

Also adding Nalin to the loop (he is the certmonger developer) to see if this
error sounds familiar to him.

Martin
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
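As an added example, not from the thread and not FreeIPA or certmonger code: a small POSIX shell script that cross-checks the principal named in certmonger's ca-error against the principals actually present in the keytab, and flags a principal that is not fully qualified (empty realm after "@", or a short hostname in the instance), which is exactly the mismatch the thread is chasing. It works on captured command output so it runs offline; on the affected host you would feed it the real `ipa-getcert list` and `klist -kt /etc/krb5.keytab` output instead. The sample output below is constructed; the keytab principal host/det-webdl01.sub.example.com@EXAMPLE.COM is an assumption, since the original post elides the FQDN and realm.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): compare the principal
# certmonger cannot find a key for with the principals in the keytab.

# Constructed sample of `ipa-getcert list` output, modelled on the thread.
GETCERT_OUTPUT="Request ID '20130719035440':
	status: CA_UNCONFIGURED
	ca-error: Error setting up ccache for local \"host\" service using default keytab: Keytab contains no suitable keys for host/det-webdl01@.
	stuck: yes"

# Constructed sample of `klist -kt /etc/krb5.keytab` output. FQDN and realm
# are assumed (the post elided them); one row per KVNO/enctype, as klist prints.
KLIST_OUTPUT="Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 07/18/13 13:14:06 host/det-webdl01.sub.example.com@EXAMPLE.COM
   2 07/18/13 13:14:07 host/det-webdl01.sub.example.com@EXAMPLE.COM
   1 07/18/13 13:14:07 host/det-webdl01.sub.example.com@EXAMPLE.COM
   1 07/18/13 13:14:07 host/det-webdl01.sub.example.com@EXAMPLE.COM"

# Principal certmonger reports as missing. The message ends with a full stop,
# which is stripped, so an empty realm shows up as a trailing "@".
wanted_principal() {
    p=$(printf '%s\n' "$1" | sed -n 's/.*no suitable keys for \([^ ]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${p%.}"
}

# Unique principals in klist -kt output: data rows start with a numeric KVNO.
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $NF }' | sort -u
}

# Return 0 if the principal has the shape service/fqdn@REALM; otherwise say why.
check_principal() {
    p=$1
    realm=${p##*@}
    inst=${p#*/}; inst=${inst%@*}
    case $p in
        */*@*) ;;
        *) echo "$p: not of the form service/instance@REALM"; return 1 ;;
    esac
    if [ -z "$realm" ]; then
        echo "$p: realm is empty"; return 1
    fi
    case $inst in
        *.*) ;;
        *) echo "$p: instance '$inst' is a short hostname, expected an FQDN"; return 1 ;;
    esac
    return 0
}

# Return 0 if the exact principal appears in the keytab listing.
principal_in_keytab() {
    keytab_principals "$2" | grep -Fxq -- "$1"
}

# Full report. Returns 0 only when certmonger's principal is well-formed and
# present in the keytab; otherwise prints the override the thread suggests.
diagnose() {
    want=$(wanted_principal "$1")
    echo "certmonger wants a key for: $want"
    echo "keytab contains:"
    keytab_principals "$2" | sed 's/^/  /'
    rc=0
    check_principal "$want" || rc=1
    if principal_in_keytab "$want" "$2"; then
        echo "match: keytab has a key for $want"
    else
        echo "no match: keytab has no key for $want"; rc=1
    fi
    [ $rc -eq 0 ] || echo "fix: ipa-getcert start-tracking -i <request-id> -K <service/fqdn@REALM>"
    return $rc
}

if diagnose "$GETCERT_OUTPUT" "$KLIST_OUTPUT"; then
    echo "RESULT: consistent"
else
    echo "RESULT: mismatch, see above"
fi
```

On a live host, `diagnose "$(ipa-getcert list)" "$(klist -kt /etc/krb5.keytab)"` gives the same report against real data; the request ID for the `-K` override is the one shown in the `ipa-getcert list` output.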