[Freeipa-users] Re: Freeipa Certificates issues

2017-08-31 Thread Julien Honore via FreeIPA-users
Hi, 

Do you think that if I upgrade the version of my IPA server, it will be better?

I am at version 3.0.

Thank you for your time.



Julien Honore

- Original Message -
From: "Julien Honore" <jhon...@bmad.tech>
To: "freeipa-users" <freeipa-users@lists.fedorahosted.org>
Cc: "Florence Blanc-Renaud" <f...@redhat.com>
Sent: Wednesday, 30 August, 2017 10:44:38
Subject: Re: [Freeipa-users] Freeipa Certificates issues

Hi Flo,

When I try to apply the command, the result is:

ipa-getkeytab --principal=host/$vltws01.vit@vit.lan
Usage: ipa-getkeytab [-qPr?] [-q|--quiet] [-s|--server=Server Name]
[-p|--principal=Kerberos Service Principal Name]
[-k|--keytab=Keytab File Name]
[-e|--enctypes=Comma separated encryption types list]
[--permitted-enctypes] [-P|--password]
[-D|--binddn=DN to bind as if not using kerberos]
[-w|--bindpw=password to use if not using kerberos] [-r|--retrieve]
[-?|--help] [--usage]

I tried a different way:

ipa-getkeytab -p host/vltws01.vit.lan
Usage: ipa-getkeytab [-qPr?] [-q|--quiet] [-s|--server=Server Name]
[-p|--principal=Kerberos Service Principal Name]
[-k|--keytab=Keytab File Name]
[-e|--enctypes=Comma separated encryption types list]
[--permitted-enctypes] [-P|--password]
[-D|--binddn=DN to bind as if not using kerberos]
[-w|--bindpw=password to use if not using kerberos] [-r|--retrieve]
[-?|--help] [--usage]

And when I tried with the IPA server, I got this result:

ipa-getkeytab -s auth0.vit.lan -p host/vltws01.vit.lan -k /etc/krb5.keytab
Kerberos User Principal not found. Do you have a valid Credential Cache?

Like I said at the beginning, I changed the date on the IPA-Server and the 
users can continue to work. 

I don't understand why the certificates did not auto-renew after they expired.

Thank you. 

Julien Honore

- Original Message -
From: "Florence Blanc-Renaud" <f...@redhat.com>
To: "Julien Honore" <jhon...@bmad.tech>, "freeipa-users" 
<freeipa-users@lists.fedorahosted.org>
Sent: Wednesday, 30 August, 2017 09:11:00
Subject: Re: [Freeipa-users] Freeipa Certificates issues

On 08/29/2017 06:43 PM, Julien Honore wrote:
> Hi Florence,
> 
> Thank you for the reply.
> 
> When I execute the command sudo kinit -kt /etc/krb5.keytab
> the result is :
> kinit: Clients credentials have been revoked while getting initial credentials
> 
> When I try the command ipa-getkeytab, I don't have the same option.
> 
Hi,

(putting mailing list back in the recipients list)
You are right, the --retrieve option was added only in IPA 4.x.

If you run ipa-getkeytab without the -r option, it will request a new 
host keytab (all other keytabs previously obtained will be invalidated). 
So this should unblock certmonger, but if you were using the host keytab 
in other places you will need to overwrite them with the new keytab.

Flo

> Thank you.
> 
> Julien Honore.
> 
> - Original Message -
> From: "Florence Blanc-Renaud" <f...@redhat.com>
> To: "freeipa-users" <freeipa-users@lists.fedorahosted.org>
> Cc: "Julien Honore" <jhon...@bmad.tech>
> Sent: Tuesday, 29 August, 2017 12:14:10
> Subject: Re: [Freeipa-users] Freeipa Certificates issues
> 
> On 08/29/2017 04:09 PM, Julien Honore via FreeIPA-users wrote:
>>
>> Hi,
>>
>> I have an issue with my freeipa server.
>>
>> The certificates expired and I can't resubmit.
>>
>> I put the date before the expiration of the certs.
>>
>> The result of ipa-getcert list :
>>
>>
>> Number of certificates and requests being tracked: 8.
>> Request ID '20150805183502':
>> status: MONITORING
>> ca-error: Error setting up ccache for "host" service on client using default keytab: Clients credentials have been revoked.
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-VIT-LAN',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-VIT-LAN/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-VIT-LAN',nickname='Server-Cert',token='NSS Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=VIT.LAN
>> subject: CN=auth0.vit.lan,O=VIT.LAN
>> expires: 2017-08-05 18:35:02 UTC
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>> Request ID '20150805183539':
>> status: MONITORING
>> ca-error: Error setting up ccache for "host" service on client using
>>

[Freeipa-users] Freeipa Certificates issues

2017-08-29 Thread Julien Honore via FreeIPA-users

Hi, 

I have an issue with my freeipa server. 

The certificates expired and I can't resubmit. 

I put the date before the expiration of the certs. 

The result of ipa-getcert list : 


Number of certificates and requests being tracked: 8.
Request ID '20150805183502':
status: MONITORING
ca-error: Error setting up ccache for "host" service on client using default keytab: Clients credentials have been revoked.
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-VIT-LAN',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-VIT-LAN/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-VIT-LAN',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=VIT.LAN
subject: CN=auth0.vit.lan,O=VIT.LAN
expires: 2017-08-05 18:35:02 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150805183539':
status: MONITORING
ca-error: Error setting up ccache for "host" service on client using default keytab: Clients credentials have been revoked.
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=VIT.LAN
subject: CN=auth0.vit.lan,O=VIT.LAN
expires: 2017-08-05 18:35:39 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20150805183647':
status: MONITORING
ca-error: Error setting up ccache for "host" service on client using default keytab: Clients credentials have been revoked.
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=VIT.LAN
subject: CN=auth0.vit.lan,O=VIT.LAN
expires: 2017-08-05 18:36:47 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes

If someone can help me with this issue, it would be very helpful.

Directory Service: RUNNING 
KDC Service: RUNNING 
KPASSWD Service: RUNNING 
MEMCACHE Service: RUNNING 
HTTP Service: RUNNING 
CA Service: RUNNING 
ADTRUST Service: RUNNING 
EXTID Service: RUNNING 

FreeIPA V3.

Thank you 

Julien Honore 
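The `ipa-getcert list` output in the post above is what a monitoring check would consume. As an added example (not part of this thread, and not FreeIPA or certmonger code), here is a small Python parser for that listing that flags tracked requests with a ca-error, an expiry date already in the past, a "stuck" flag, or tracking/auto-renew switched off. The sample listing is constructed from the post, with the second entry given a future expiry (2019) and no ca-error so that the healthy case is exercised too; the reference date is the date of the original post.

```python
"""Parse `ipa-getcert list` output and flag tracked certificates that need
attention. Added example for this thread; not FreeIPA or certmonger code.
"""
import re
from datetime import datetime, timezone

# Date of the original post, used as "now" for the expiry check.
POST_DATE = datetime(2017, 8, 29, tzinfo=timezone.utc)

# Constructed sample modelled on the listing in the post: the first entry
# reproduces the failing dirsrv cert, the second is a healthy entry with a
# future expiry and no ca-error (constructed, not from the post).
SAMPLE_LISTING = """\
Number of certificates and requests being tracked: 2.
Request ID '20150805183502':
\tstatus: MONITORING
\tca-error: Error setting up ccache for "host" service on client using default keytab: Clients credentials have been revoked.
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-VIT-LAN',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-VIT-LAN/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-VIT-LAN',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=VIT.LAN
\tsubject: CN=auth0.vit.lan,O=VIT.LAN
\texpires: 2017-08-05 18:35:02 UTC
\tkey usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
\teku: id-kp-serverAuth,id-kp-clientAuth
\tpre-save command:
\tpost-save command:
\ttrack: yes
\tauto-renew: yes
Request ID '20150805183647':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=VIT.LAN
\tsubject: CN=auth0.vit.lan,O=VIT.LAN
\texpires: 2019-08-05 18:36:47 UTC
\tkey usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
\teku: id-kp-serverAuth,id-kp-clientAuth
\tpre-save command:
\tpost-save command:
\ttrack: yes
\tauto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")


def parse_getcert_list(text):
    """Split the listing into one dict per request, keyed by field name."""
    requests = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        match = REQUEST_RE.match(line)
        if match:
            current = {"request_id": match.group(1)}
            requests.append(current)
            continue
        # Skip the header line (before any request) and blank lines.
        if current is None or ":" not in line:
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    """certmonger prints 'YYYY-MM-DD HH:MM:SS UTC'; return an aware datetime or None."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)


def find_problems(requests, now=POST_DATE):
    """Return (request_id, reason) pairs for entries that need attention."""
    problems = []
    for req in requests:
        rid = req["request_id"]
        error = req.get("ca-error", "")
        if error:
            # A revoked-credentials error means the host keytab is no longer
            # accepted by the KDC, so certmonger cannot authenticate to renew.
            if "credentials have been revoked" in error:
                problems.append((rid, "ca-error: host keytab rejected by KDC"))
            else:
                problems.append((rid, "ca-error: " + error))
        expiry = parse_expiry(req.get("expires", ""))
        if expiry is not None and expiry <= now:
            problems.append((rid, "expired on " + req["expires"]))
        if req.get("stuck") == "yes":
            problems.append((rid, "stuck"))
        if req.get("track") != "yes" or req.get("auto-renew") != "yes":
            problems.append((rid, "not tracked for auto-renewal"))
    return problems


def check_listing(text, now=POST_DATE):
    """Convenience wrapper: parse the listing and return its problems."""
    return find_problems(parse_getcert_list(text), now)


if __name__ == "__main__":
    for rid, reason in check_listing(SAMPLE_LISTING):
        print(rid, reason)
```

On a live server the listing would come from `ipa-getcert list` (run as root) instead of the constructed sample; the ca-error classification only looks for the "credentials have been revoked" text that appears in the post, which is the case Florence's reply addresses by re-fetching the host keytab.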



___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org