On 07/22/2013 03:41 PM, Rivet, Matt wrote:
> On 07/19/2013 08:10 AM, Rivet, Matt wrote:
>>
>>> When I check the host certificate I see a ca-error saying it cannot find
>>> a suitable key.
>>>
>>> # ipa-getcert list
>>>
>>> Number of certificates and requests being tracked: 1.
>>> Request ID '20130719035440':
>>> status: CA_UNCONFIGURED
>>> ca-error: Error setting up ccache for local "host" service using default
>>> keytab: Keytab contains no suitable keys for host/det-webdl01@.
>>> stuck: yes
>>> key pair storage:
>>> type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer',token='NSS
>>> Certificate DB'
>>> certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer'
>>> CA: IPA
>>> issuer:
>>> subject:
>>> expires: unknown
>>> pre-save command:
>>> post-save command:
>>> track: yes
>>> auto-renew: yes
>>>
>>
>> What is the version of ipa-server? Is the above error on the ipa client?
>> If so, what is the version of ipa-client?
>>
>> Both client and server are version 3.0; the error is on the client
>>
>> There was a similar bug in earlier versions; I would suggest you update
>> the ipa server and clients to ipa-3.0.
>>
>> Yes, the bug in earlier versions is here:
>> https://bugzilla.redhat.com/show_bug.cgi?id=747443
>> I have double checked to see if the workaround applies after the bug fix; it
>> does not.
>>
>>> When I check my keytab
>>> # kinit -kt /etc/krb5.keytab host/det-webdl01.sub.example....@example.com
>>> No error
>>> If I list my keytab,
>>>
>>> # klist -kt /etc/krb5.keytab
>>>
>>> Keytab name: FILE:/etc/krb5.keytab
>>> KVNO Timestamp         Principal
>>> ---- ----------------- --------------------------------------------------------
>>>    2 07/18/13 13:14:06 host/det-webdl01.sub.example....@example.com
>>>    2 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>>>    2 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>>>    2 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example....@example.com
>>>
>>> My /etc/krb5.conf file looks like:
>>>
>>> [libdefaults]
>>>  default_keytab_name = FILE:/etc/krb5.keytab
>>>  default_realm = EXAMPLE.COM
>>>  dns_lookup_realm = false
>>>  dns_lookup_kdc = false
>>>   rdns = false
>>>   ticket_lifetime = 24h
>>>   forwardable = yes
>>>
>>> [realms]
>>>   EXAMPLE.COM = {
>>>     kdc = det-ldmpl01.sub.example.com:88
>>>     master_kdc = det-ldmpl01.sub.example.com:88
>>>     admin_server = det-ldmpl01.sub.example.com:749
>>>     default_domain = example.com
>>>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>>>   }
>>>
>>> [domain_realm]
>>>   .example.com = EXAMPLE.COM
>>>   example.com = EXAMPLE.COM
>>>   .sub.example.com = EXAMPLE.COM
>>>   sub.example.com = EXAMPLE.COM
>>>
>>> It seems the error from ipa-getcert list shows:
>>>
>>> ca-error: Error setting up ccache for local "host" service using default
>>> keytab: Keytab contains no suitable keys for host/det-webdl01@.
>>>
>>> where it is truncating the hostname and not including the realm name after
>>> @ seems to be the problem, but I cannot figure out why.  If I run
>>> `hostname` on this host it prints det-webdl01.sub.example.com.
>>>
>
> Can you please check respective certmonger request in
> /var/lib/certmonger/requests/ and see if the principal is not misconfigured
> there from the time when request was created?
>
> I also think you should be able to override the bad principal with following
> command:
>
> # ipa-getcert start-tracking -i 20130719035440 -K "host/det-webdl01.sub.example....@example.com"
>
> HTH,
> Martin
>
>
>
> Certificate Request:
>     Data:
>         Version: 0 (0x0)
>         Subject: CN=det-webdl01.sub.example.com
>         Subject Public Key Info:
>             Public Key Algorithm: rsaEncryption
>                 Public-Key: (2048 bit)
>                 Modulus:
> ..
> ..
> ..
>                     4a:57
>                 Exponent: 65537 (0x10001)
>         Attributes:
>             friendlyName             :Server-Cer
>         Requested Extensions:
>             X509v3 Subject Alternative Name:
>                 DNS:det-webdl01.sub.example.com, othername:<unsupported>, 
> othername:<unsupported>
>             X509v3 Extended Key Usage:
>                 TLS Web Server Authentication
> ...
> ...
> ...
>
> The request also looks like this
>
> state=HAVE_CSR
> autorenew=1
> monitor=1
> ca_name=IPA
> submitted=20130719035440
> ca_error=Error setting up ccache for local "host" service using default 
> keytab: Keytab contains no suitable keys for host/det-webdl01@.
>
> Does IPA need to be in my host file or dns?

I am not just thinking, could this be caused by reverse DNS resolution for this
host being broken?

Does "host $IP_ADDRESS_OF_YOUR_HOST" return "det-webdl01.sub.example.com." or
just "det-webdl01."?

> Does anyone know why certmonger is looking for a keytab for 
> host/det-webdl01@. instead of 
> host/host/det-webdl01.sub.example....@example.com?

Also adding Nalin in the loop (he is the certmonger developer) to see if this
error sounds familiar for him.

Martin


[mattr@det-webdl01 ~]$ host det-webdl01
det-webdl01.sub.example.com has address 10.1.1.2
[mattr@det-webdl01 ~]$ host 10.1.1.2
Host 2.1.1.10.in-addr.arpa. not found: 3(NXDOMAIN)

Looks like I don't have a PTR record set up.  I will set one up for this host and
resubmit/regenerate the CSR.

Matt
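A pre-enrollment sanity check for the situation in this thread, added here as an example (it is not from the thread and not FreeIPA or certmonger code): the parsing helpers take the output of `host` and `klist -kt` as arguments so they can be exercised offline on saved output, and `--live` runs the same checks against the local host. It assumes `hostname -f` prints the FQDN, `default_realm` is set in /etc/krb5.conf, and /etc/krb5.keytab is readable (i.e. run as root).

```shell
#!/bin/sh
# Added example (not from the thread, not FreeIPA/certmonger code): verify that
# the FQDN, its A record, its PTR record and the keytab agree before a host
# certificate request is (re)submitted to certmonger.

# ptr_matches FQDN HOST_OUTPUT   (HOST_OUTPUT is what `host IP` printed)
# Succeeds only when a PTR record exists and names exactly FQDN; a missing PTR
# (NXDOMAIN) or a bare "det-webdl01." style name fails.
ptr_matches() {
    ptr=$(printf '%s\n' "$2" |
          awk '/domain name pointer/ { sub(/\.$/, "", $NF); print $NF; exit }')
    [ -n "$ptr" ] && [ "$ptr" = "$1" ]
}

# keytab_has_principal PRINCIPAL KLIST_OUTPUT   (KLIST_OUTPUT is `klist -kt` text)
keytab_has_principal() {
    printf '%s\n' "$2" |
        awk -v p="$1" '$NF == p { found = 1 } END { exit found ? 0 : 1 }'
}

# principal_well_formed PRINCIPAL
# Rejects an empty realm (the "host/det-webdl01@." form in the ca-error above)
# and a host part that is not a dotted FQDN.
principal_well_formed() {
    case "$1" in
        *@|*@.)     return 1 ;;
        host/*.*@*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Live check against this host; assumptions are listed in the lead-in.
check_enrollment() {
    fqdn=$(hostname -f)
    realm=$(awk -F= '/^[[:space:]]*default_realm[[:space:]]*=/ {
                gsub(/[[:space:]]/, "", $2); print $2; exit }' /etc/krb5.conf)
    princ="host/$fqdn@$realm"
    principal_well_formed "$princ" || { echo "bad principal: $princ" >&2; return 1; }
    ip=$(host "$fqdn" | awk '/has address/ { print $NF; exit }')
    [ -n "$ip" ] || { echo "no A record for $fqdn" >&2; return 1; }
    ptr_matches "$fqdn" "$(host "$ip")" ||
        { echo "PTR for $ip missing or does not name $fqdn" >&2; return 1; }
    keytab_has_principal "$princ" "$(klist -kt /etc/krb5.keytab)" ||
        { echo "$princ not found in /etc/krb5.keytab" >&2; return 1; }
    echo "ok: $princ, A=$ip, PTR consistent"
}

if [ "${1:-}" = "--live" ]; then check_enrollment; fi
```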



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
