[Freeipa-users] Host certificate issue problem

Martin Kosek mkosek at redhat.com
Fri Jul 19 08:41:03 UTC 2013


On 07/19/2013 08:10 AM, Rivet, Matt wrote:
> 
>> When I check the host certificate I see a ca-error saying it cannot find
>> a suitable key.
>>
>> # ipa-getcert list
>>
>> Number of certificates and requests being tracked: 1.
>> Request ID '20130719035440':
>> status: CA_UNCONFIGURED
>> ca-error: Error setting up ccache for local "host" service using default keytab: Keytab contains no suitable keys for host/det-webdl01@.
>> stuck: yes
>> key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer',token='NSS Certificate DB'
>> certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cer'
>> CA: IPA
>> issuer:
>> subject:
>> expires: unknown
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>>
> 
> What is the version of ipa-server , is the above error on ipa client ,
> if so what is the version of ipa-client
> 
> Both client and server are version 3.0; the error is on the client
> 
> There was similar bug in earlier versions, I would suggest you to update
> the ipa server and clients to ipa-3.0
> 
> Yes the bug in earlier versions is here, https://bugzilla.redhat.com/show_bug.cgi?id=747443
> I have double checked to see if the workaround applies after the bug fix, it does not
> 
>> When I check my keytab
>> # kinit -kt /etc/krb5.keytab host/det-webdl01.sub.example.com@EXAMPLE.COM
>> No error
>> If I list my keytab,
>>
>> # klist -kt /etc/krb5.keytab
>>
>> Keytab name: FILE:/etc/krb5.keytab
>> KVNO Timestamp         Principal
>> ---- ----------------- --------------------------------------------------------
>>    2 07/18/13 13:14:06 host/det-webdl01.sub.example.com@EXAMPLE.COM
>>    2 07/18/13 13:14:07 host/det-webdl01.sub.example.com@EXAMPLE.COM
>>    2 07/18/13 13:14:07 host/det-webdl01.sub.example.com@EXAMPLE.COM
>>    2 07/18/13 13:14:07 host/det-webdl01.sub.example.com@EXAMPLE.COM
>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example.com@EXAMPLE.COM
>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example.com@EXAMPLE.COM
>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example.com@EXAMPLE.COM
>>    1 07/18/13 13:14:07 host/det-webdl01.sub.example.com@EXAMPLE.COM
>>
>> My /etc/krb5.conf file looks like:
>>
>> [libdefaults]
>>  default_keytab_name = FILE:/etc/krb5.keytab
>>  default_realm = EXAMPLE.COM
>>  dns_lookup_realm = false
>>  dns_lookup_kdc = false
>>   rdns = false
>>   ticket_lifetime = 24h
>>   forwardable = yes
>>
>> [realms]
>>   EXAMPLE.COM = {
>>     kdc = det-ldmpl01.sub.example.com:88
>>     master_kdc = det-ldmpl01.sub.example.com:88
>>     admin_server = det-ldmpl01.sub.example.com:749
>>     default_domain = example.com
>>     pkinit_anchors = FILE:/etc/ipa/ca.crt
>>   }
>>
>> [domain_realm]
>>   .example.com = EXAMPLE.COM
>>   example.com = EXAMPLE.COM
>>   .sub.example.com = EXAMPLE.COM
>>   sub.example.com = EXAMPLE.COM
>>
>> It seems the error from ipa-getcert list shows:
>>
>> ca-error: Error setting up ccache for local "host" service using default keytab: Keytab contains no suitable keys for host/det-webdl01@.
>>
>> where it is truncating the hostname and not including the realm name after
>> the @, which seems to be the problem, but I cannot figure out why. If I run
>> `hostname` on this host it prints det-webdl01.sub.example.com.
>>

Can you please check the respective certmonger request in
/var/lib/certmonger/requests/ and see whether the principal was misconfigured
there at the time the request was created?

I also think you should be able to override the bad principal with the following
command:

# ipa-getcert start-tracking -i 20130719035440 -K "host/det-webdl01.sub.example.com@EXAMPLE.COM"

HTH,
Martin
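An added diagnostic, not from the thread or from the FreeIPA/certmonger code: it parses the principal certmonger is using and a constructed `klist -kt` listing, reports why that principal matches no keytab key (the empty realm and short hostname seen above), and builds the `ipa-getcert start-tracking -K` command from the keytab principal that does match. The request id and principals come from the thread; the klist text and all function names are constructed for this example.

```python
import re
from collections import namedtuple

Principal = namedtuple("Principal", "service host realm")

# Constructed klist -kt output, modelled on the listing in the thread.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 07/18/13 13:14:06 host/det-webdl01.sub.example.com@EXAMPLE.COM
   1 07/18/13 13:14:07 host/det-webdl01.sub.example.com@EXAMPLE.COM
"""


def parse_principal(text):
    """Split 'service/host@REALM'; realm is '' when the '@' part is empty or absent."""
    m = re.match(r"^([^/@]+)/([^@]*)(?:@(.*))?$", text.strip())
    if not m:
        raise ValueError("not a service principal: %r" % text)
    return Principal(m.group(1), m.group(2), m.group(3) or "")


def keytab_principals(klist_text):
    """Collect the distinct principals from `klist -kt` output, ignoring KVNO."""
    found = set()
    for line in klist_text.splitlines():
        m = re.match(r"^\s*\d+\s+\S+\s+\S+\s+(\S+)$", line)  # KVNO date time principal
        if m:
            found.add(parse_principal(m.group(1)))
    return found


def diagnose(request_principal, klist_text):
    """Return (problems, candidates): why the certmonger principal finds no key
    (empty list when it matches) and the keytab principals for the same host."""
    want = parse_principal(request_principal)
    have = keytab_principals(klist_text)
    if want in have:
        return [], [want]
    problems = []
    if not want.realm:
        problems.append("principal has no realm after '@'")
    if "." not in want.host:
        problems.append("hostname %r is not fully qualified" % want.host)
    candidates = [p for p in have if p.service == want.service and p.host.startswith(want.host)]
    if not candidates:
        problems.append("keytab holds no %r key for this host" % want.service)
    return problems, sorted(candidates)


def fix_command(request_id, principal):
    """The override command from the reply above, with the correct principal filled in."""
    return 'ipa-getcert start-tracking -i %s -K "%s/%s@%s"' % (
        request_id, principal.service, principal.host, principal.realm)
```

Run `diagnose("host/det-webdl01@", KLIST_OUTPUT)` to see the two reasons the key lookup fails; `fix_command("20130719035440", candidates[0])` then yields the start-tracking line to run.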