[Freeipa-devel] [freeipa PR#758][comment] install: fix CA-less PKINIT

2017-05-15 Thread HonzaCholasta
URL: https://github.com/freeipa/freeipa/pull/758
Title: #758: install: fix CA-less PKINIT
HonzaCholasta commented: """ @stlaz, this seems to be a bug in kinit. When you have a certificate chain root CA -> intermediate CA -> KDC and want to trust the intermediate CA, but not the root CA, the

[Freeipa-devel] [freeipa PR#758][comment] install: fix CA-less PKINIT

2017-05-15 Thread stlaz
URL: https://github.com/freeipa/freeipa/pull/758
Title: #758: install: fix CA-less PKINIT
stlaz commented: """ `kinit -n` still fails with my external CA setup. I found out the reason is that I have a self-signed certificate in the trust chain: ``` [36993] 1494834859.113259: PKINIT client could

[Freeipa-devel] [freeipa PR#758][comment] install: fix CA-less PKINIT

2017-05-15 Thread stlaz
URL: https://github.com/freeipa/freeipa/pull/758
Title: #758: install: fix CA-less PKINIT
stlaz commented: """ `kinit -n` still fails with my setup. I found out the reason is that I have a self-signed certificate in the trust chain: ``` [36993] 1494834859.113259: PKINIT client could not verify

[Freeipa-devel] [freeipa PR#758][comment] install: fix CA-less PKINIT

2017-05-11 Thread HonzaCholasta
URL: https://github.com/freeipa/freeipa/pull/758
Title: #758: install: fix CA-less PKINIT
HonzaCholasta commented: """ @stlaz, FTFY. Also fixed wrong permissions on the CA-less KDC key file (props to @dkupka). The "preauthentication failed" with `--no-pkinit` is expected indeed. """ See the

[Freeipa-devel] [freeipa PR#758][comment] install: fix CA-less PKINIT

2017-05-09 Thread stlaz
URL: https://github.com/freeipa/freeipa/pull/758
Title: #758: install: fix CA-less PKINIT
stlaz commented: """ External CA (rebased on current master to be able to install): ``` $ kinit -n kinit: Invalid certificate while getting initial credentials $ /usr/bin/kinit -n -c