FixIPAcert
If certmonger won't renew the certificate and reports an error like:
certmonger: Error setting up ccache for local "host" service using default keytab: Keytab contains no suitable keys for host/phedex.wn.iihe.ac.be@.
Choose solution A or B:
Solution A
1. Set the hostname to the private one:
hostname host.wn.iihe.ac.be
2. Uninstall ipa client:
ipa-client-install --uninstall
3. Set a One-Time Password (OTP) in FreeIPA for the host (either use the common one, or one of your choosing).
4. Check that the script /root/ipa_enrollment.sh has the correct OTP in the first command, then execute it:
/root/ipa_enrollment.sh
5. If everything went well, the last output line should be:
MAC verified OK
6. Set the hostname back to the public one:
hostname host.iihe.ac.be
Solution B
1. Set the hostname to the private one:
hostname host.wn.iihe.ac.be
2. Make sure the file /etc/krb5.conf looks something like:
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = WN.IIHE.AC.BE
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  WN.IIHE.AC.BE = {
    kdc = freeipa.wn.iihe.ac.be:88
    master_kdc = freeipa.wn.iihe.ac.be:88
    admin_server = freeipa.wn.iihe.ac.be:749
    default_domain = wn.iihe.ac.be
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .wn.iihe.ac.be = WN.IIHE.AC.BE
  wn.iihe.ac.be = WN.IIHE.AC.BE
3. Get the list of the current certificates and note the Request ID:
getcert list
4. Issue the renewal command:
getcert resubmit -i REQUEST_ID
5. Extract the certificate:
/etc/cron.weekly/extract_machine_cert_from_nssdb.sh
If this worked, you should get an output like:
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa ecf952c9e775998f587132d0e0bd3304ac917d9a IPA Machine Certificate - phedex.wn.iihe.ac.be
pk12util: PKCS12 EXPORT SUCCESSFUL
MAC verified OK
6. Re-set the hostname to the correct one:
hostname host.(wn.)iihe.ac.be
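
A pre-check for steps 3 and 4 of Solution B, as an added example that is not part of the original page: it picks out the Request IDs that are not in the MONITORING state from `getcert list` output and checks `klist -k` output for the host/ principal named in the certmonger error. The function names and the embedded sample output are constructed for illustration; on a real host, pipe `getcert list` and `klist -k /etc/krb5.keytab` into the two functions instead.

```shell
# Added example (not from the original page). All sample data is constructed.

# Read `getcert list` output on stdin and print "REQUEST_ID STATUS" for each
# tracked request whose status is anything other than MONITORING.
requests_needing_attention() {
    awk -F"'" '
        /^Request ID /   { id = $2 }
        /^[ \t]*status:/ {
            sub(/^[ \t]*status:[ \t]*/, "")
            if ($0 != "MONITORING") print id, $0
        }'
}

# Read `klist -k` output on stdin; succeed only if the keytab holds a key
# for host/<name>@, the principal form named in the certmonger error.
# $1 is the host name to look for.
keytab_has_host_key() {
    awk -v want="host/$1@" 'index($2, want) == 1 { ok = 1 } END { exit !ok }'
}

# Constructed sample of `getcert list` output (request IDs are made up).
sample_getcert_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20200101000001':
    status: MONITORING
    subject: CN=host.wn.iihe.ac.be,O=WN.IIHE.AC.BE
Request ID '20200101000002':
    status: CA_UNREACHABLE
    subject: CN=host.wn.iihe.ac.be,O=WN.IIHE.AC.BE
EOF
}

# Constructed sample of `klist -k /etc/krb5.keytab` output.
sample_klist() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   1 host/host.wn.iihe.ac.be@WN.IIHE.AC.BE
EOF
}

sample_getcert_list | requests_needing_attention   # 20200101000002 CA_UNREACHABLE
for name in host.wn.iihe.ac.be host.iihe.ac.be; do
    if sample_klist | keytab_has_host_key "$name"; then echo "host/$name: key present"
    else echo "host/$name: no key in keytab"; fi
done
```

Each ID printed by requests_needing_attention is a value to pass to `getcert resubmit -i`.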