Russ Long via FreeIPA-users wrote:
> Just found it in messages log.
>
> Looks like the env var for the principal was set, but when I decode the CSR
> it shows no principals added.
>
> Sep 30 14:50:17 ipa-primary certmonger[756]: 2024-09-30 14:50:17 [756] Wrote to /var/lib/certmonger/requests/20221028185012
> Sep 30 14:50:17 ipa-primary certmonger[756]: 2024-09-30 14:50:17 [756] Wrote to /var/lib/certmonger/requests/20221028185012
> Sep 30 14:50:17 ipa-primary certmonger[642836]: Certificate in file "/var/kerberos/krb5kdc/kdc.crt" will not be valid after 2024-10-28 14:50:12 EDT.
> Sep 30 14:50:17 ipa-primary certmonger[756]: 2024-09-30 14:50:17 [756] Wrote to /var/lib/certmonger/requests/20221028185012
> Sep 30 14:50:17 ipa-primary certmonger[756]: 2024-09-30 14:50:17 [756] Wrote to /var/lib/certmonger/requests/20221028185012
> Sep 30 14:50:17 ipa-primary certmonger[642837]: 2024-09-30 14:50:17 [642837] Error initializing NSS.
> Sep 30 14:50:17 ipa-primary certmonger[642837]: 2024-09-30 14:50:17 [642837] error:04000067:object identifier routines::unknown object name
> Sep 30 14:50:17 ipa-primary certmonger[756]: 2024-09-30 14:50:17 [756] Wrote to /var/lib/certmonger/requests/20221028185012
> Sep 30 14:50:17 ipa-primary certmonger[756]: 2024-09-30 14:50:17 [756] Wrote to /var/lib/certmonger/requests/20221028185012
> Sep 30 14:50:17 ipa-primary certmonger[642838]: 2024-09-30 14:50:17 [642838] Setting "CERTMONGER_REQ_SUBJECT" to "O=IPA.REDACTED,cn=ipa-primary.ipa.REDACTED" for child.
> Sep 30 14:50:17 ipa-primary certmonger[642838]: 2024-09-30 14:50:17 [642838] Setting "CERTMONGER_REQ_HOSTNAME" to "ipa-primary.ipa.REDACTED" for child.
> Sep 30 14:50:17 ipa-primary certmonger[642838]: 2024-09-30 14:50:17 [642838] Setting "CERTMONGER_REQ_PRINCIPAL" to "krbtgt/IPA.REDACTED@IPA.REDACTED" for child.
> Sep 30 14:50:17 ipa-primary certmonger[642838]: 2024-09-30 14:50:17 [642838] Setting "CERTMONGER_OPERATION" to "SUBMIT" for child.
> Sep 30 14:50:17 ipa-primary certmonger[642838]: 2024-09-30 14:50:17 [642838] Setting "CERTMONGER_CSR" to "-----BEGIN CERTIFICATE REQUEST-----
>
> When I decode the CSR for the manual renewal I did, it includes the
> formerly-missing principal.
>
> The env vars being set appear to be identical both times, but for good
> measure, here are the ones from the working request:
>
> Oct 1 13:26:06 ipa-primary certmonger[6178]: 2024-10-01 13:26:06 [6178] Setting "CERTMONGER_REQ_SUBJECT" to "O=IPA.REDACTED,cn=ipa-primary.ipa.REDACTED" for child.
> Oct 1 13:26:06 ipa-primary certmonger[6178]: 2024-10-01 13:26:06 [6178] Setting "CERTMONGER_REQ_HOSTNAME" to "ipa-primary.ipa.REDACTED" for child.
> Oct 1 13:26:06 ipa-primary certmonger[6178]: 2024-10-01 13:26:06 [6178] Setting "CERTMONGER_REQ_PRINCIPAL" to "krbtgt/IPA.REDACTED@IPA.REDACTED" for child.
> Oct 1 13:26:06 ipa-primary certmonger[6178]: 2024-10-01 13:26:06 [6178] Setting "CERTMONGER_OPERATION" to "SUBMIT" for child.
> Oct 1 13:26:06 ipa-primary certmonger[6178]: 2024-10-01 13:26:06 [6178] Setting "CERTMONGER_CSR" to "-----BEGIN CERTIFICATE REQUEST-----
>
It looks like if there is an issue building a SAN extension it is simply dropped. My best guess about where this is failing, because there is no real context provided by certmonger, is after the OpenSSL extensions are generated a while loop is run "overerror = ERR_get_error()" and just prints out the errors found. This is something I've been working to improve in certmonger but I guess I haven't gotten to this one.

It really makes no sense that the same code run over the same request would work in one case and fail in another. The request file should have remained mostly intact between, updating the not before/after values, the CSR and the resulting certificate. The resubmit would have needed this so we know it was there because it succeeded the second time.

I'm also not sure how IPA issued a certificate that did not contain a principal SAN. It shouldn't do this.

rob
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue