Hi, this is what my tracking req for kdc.crt looks like:

Request ID '20220427071737':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=IPA.TEST
    subject: CN=server.ipa.test,O=IPA.TEST
    issued: 2024-06-17 06:23:42 UTC
    expires: 2026-06-18 06:23:42 UTC
    dns: server.ipa.test
    principal name: krbtgt/ipa.t...@ipa.test
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-pkinit-KPKdc
    profile: KDCs_PKINIT_Certs
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
    track: yes
    auto-renew: yes
Your request is using NSSDB instead of a PEM file; did you manually change the tracking req? In order to repair it, you can do:

    getcert start-tracking -i 20250114082209 -r -f /var/kerberos/krb5kdc/kdc.crt -k /var/kerberos/krb5kdc/kdc.key -c IPA -C /usr/libexec/ipa/certmonger/renew_kdc_cert -T KDCs_PKINIT_Certs

But since your cert seems to be valid, I don't think it can explain why the webui doesn't work. Do you have a valid cert in /var/kerberos/krb5kdc/kdc.crt? What is the output of

    openssl x509 -noout -text -in /var/kerberos/krb5kdc/kdc.crt

?

flo

On Wed, Jan 29, 2025 at 1:08 PM Nacho Marti via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> Hi!
>
> I have finally found the issue: the CA is not set properly:
>
> Request ID '20250114082209':
>     status: CA_UNCONFIGURED
>     ca-error: Error setting up ccache for "host" service on client using default keytab: Keytab contains no suitable keys for host/ipa-replica01.test.private@TEST.PRIVATE.
>     stuck: yes
>     key pair storage: type=NSSDB,location='/var/kerberos/krb5kdc',nickname='kdc.crt',token='NSS Certificate DB'
>     certificate: type=NSSDB,location='/var/kerberos/krb5kdc',nickname='kdc.crt'
>     CA: IPA
>     issuer:
>     subject:
>     expires: unknown
>     pre-save command:
>     post-save command:
>     track: yes
>     auto-renew: yes
>
> I have executed the klist krb5.keytab command, but I think it is correct:
>
> Keytab name: FILE:/etc/krb5.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 host/ipa-replica01.test.private@TEST.PRIVATE
>    1 host/ipa-replica01.test.private@TEST.PRIVATE
>
> I tried everything to make that work, even trying to set another CA, but it doesn't work. Any idea why?
> The CA issuer should appear as on the rest of the masters, but these options appear blank:
>
>     issuer:
>     subject:
>
> --
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
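The check flo walks through above (is the KDC tracking request on FILE storage, is it stuck, and which getcert start-tracking command would put it back) can be scripted against the output of getcert list -i. The helper below is an added example and is not code from flo, Nacho, certmonger or FreeIPA; the function names are invented, and the two request dumps are constructed from the two dumps in this thread (real getcert output indents fields with a tab, the parser accepts either tabs or spaces). It only prints the repair command so an operator can review it before running it.

```shell
#!/bin/sh
# Added example (hypothetical helper, not part of certmonger or FreeIPA):
# parse a `getcert list -i <ID>` dump, flag NSSDB storage or a stuck request
# for the KDC PKINIT cert, and print the start-tracking command flo suggested.

# Extract one "name: value" field from a getcert dump.
# $1 = dump text, $2 = field name (e.g. status, stuck, certificate)
req_field() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2: *//p" | head -n 1
}

# Storage backend of the key pair: FILE (PEM on disk) or NSSDB.
storage_type() {
    req_field "$1" "key pair storage" | sed -n 's/^type=\([A-Z]*\),.*/\1/p'
}

# Path of the certificate when it is stored as type=FILE (empty otherwise).
cert_path() {
    req_field "$1" certificate | sed -n "s/^type=FILE,location='\([^']*\)'.*/\1/p"
}

# Build the repair command from the request ID and the expected PEM paths.
# $1 = request ID, $2 = cert path, $3 = key path
repair_command() {
    printf 'getcert start-tracking -i %s -r -f %s -k %s -c IPA -C /usr/libexec/ipa/certmonger/renew_kdc_cert -T KDCs_PKINIT_Certs\n' \
        "$1" "$2" "$3"
}

# Verdict for one dump: returns 0 when storage is FILE and the request is in
# its steady MONITORING state, 1 otherwise (with the reason and repair printed).
check_kdc_tracking() {
    dump=$1
    id=$(printf '%s\n' "$dump" | sed -n "s/^Request ID '\([0-9]*\)':.*/\1/p" | head -n 1)
    type=$(storage_type "$dump")
    status=$(req_field "$dump" status)
    stuck=$(req_field "$dump" stuck)
    bad=0
    if [ "$type" != FILE ]; then
        echo "request $id: key pair storage is ${type:-unknown}, expected FILE"
        bad=1
    fi
    if [ "$stuck" = yes ] || [ "$status" != MONITORING ]; then
        echo "request $id: status $status (stuck: $stuck)"
        bad=1
    fi
    if [ "$bad" -eq 0 ]; then
        echo "request $id: OK, next check: openssl x509 -noout -text -in $(cert_path "$dump")"
        return 0
    fi
    echo "suggested repair (review before running):"
    repair_command "$id" /var/kerberos/krb5kdc/kdc.crt /var/kerberos/krb5kdc/kdc.key
    return 1
}

# Constructed sample dumps, modelled on the two requests in the thread.
GOOD_REQ="Request ID '20220427071737':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=IPA.TEST
    subject: CN=server.ipa.test,O=IPA.TEST
    expires: 2026-06-18 06:23:42 UTC"

BAD_REQ="Request ID '20250114082209':
    status: CA_UNCONFIGURED
    ca-error: Error setting up ccache for \"host\" service on client using default keytab: Keytab contains no suitable keys for host/ipa-replica01.test.private@TEST.PRIVATE.
    stuck: yes
    key pair storage: type=NSSDB,location='/var/kerberos/krb5kdc',nickname='kdc.crt',token='NSS Certificate DB'
    certificate: type=NSSDB,location='/var/kerberos/krb5kdc',nickname='kdc.crt'
    CA: IPA
    issuer:
    subject:
    expires: unknown"

# Demo over both samples; the exit status mirrors the verdict.
check_kdc_tracking "$GOOD_REQ"
check_kdc_tracking "$BAD_REQ" || echo "(exit status $?)"
```

On a real replica, feed it the live dump with check_kdc_tracking "$(getcert list -i 20250114082209)"; note that a CA_UNCONFIGURED request with the keytab error shown in the thread still needs the host keytab fixed first, since the repair command only re-points the tracking at PEM files and does not touch Kerberos.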