FixIPAcert

From T2B Wiki

Latest revision as of 13:44, 16 November 2018

If certmonger won't renew the certificate and reports an error like:

certmonger: Error setting up ccache for local "host" service using default keytab: Keytab contains no suitable keys for host/phedex.wn.iihe.ac.be@.

Choose solution A or B:

Solution A

1. Set the hostname to the private one:

hostname host.wn.iihe.ac.be

2. Uninstall ipa client:

ipa-client-install --uninstall

3. Set a One Time Password (OTP) in FreeIPA for the host (either use the common one, or one of your choosing)
4. Check that the script /root/ipa_enrollment.sh has the correct OTP on the first command, then execute it:

/root/ipa_enrollment.sh

5. If everything went well, the last output line should be:

MAC verified OK

6. Set the hostname back to the public one:

hostname host.iihe.ac.be

Solution B

1. Set the hostname to the private one:

hostname host.wn.iihe.ac.be

2. Make sure the file /etc/krb5.conf looks something like:

#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = WN.IIHE.AC.BE
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  WN.IIHE.AC.BE = {
    kdc = freeipa.wn.iihe.ac.be:88
    master_kdc = freeipa.wn.iihe.ac.be:88
    admin_server = freeipa.wn.iihe.ac.be:749
    default_domain = wn.iihe.ac.be
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .wn.iihe.ac.be = WN.IIHE.AC.BE
  wn.iihe.ac.be = WN.IIHE.AC.BE

3. Get the list of the currently tracked certificates and note the Request ID of the machine certificate:

getcert list

4. Issue the renewal command:

getcert resubmit -i REQUEST_ID

5. Extract the certificate:

/etc/cron.weekly/extract_machine_cert_from_nssdb.sh

If this worked, you should get output like:

certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      ecf952c9e775998f587132d0e0bd3304ac917d9a   IPA Machine Certificate - phedex.wn.iihe.ac.be
pk12util: PKCS12 EXPORT SUCCESSFUL
MAC verified OK

6. Re-set the hostname to the correct one:

hostname host.(wn.)iihe.ac.be
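The following is an added example, not part of the T2B wiki page or of its enrollment/extraction scripts: POSIX shell helpers that check the three things both solutions depend on before you touch certmonger. They parse command output or a config file read from stdin, so they are exercised here against constructed samples (the hostnames and realm follow the page; the key version number, Request IDs and the "Server-Cert" nickname are made up). Function names are this example's own. The first check is the condition behind the "Keytab contains no suitable keys for host/..." error at the top of the page: certmonger looks for a host/<current hostname> key, and the public name has none, which is why both solutions start by switching to the private hostname.

```shell
#!/bin/sh
# Added example (not from the T2B wiki). On a live host the helpers would be fed
# real output, e.g.:
#   klist -k /etc/krb5.keytab | hostname_in_keytab "$(hostname -f)"
#   krb5_realm_for_host "$(hostname -f)" < /etc/krb5.conf
#   getcert list | getcert_request_id "IPA Machine Certificate - $(hostname -f)"

# Print the FQDN of every host/ principal in `klist -k` output (stdin), de-duplicated.
keytab_host_principals() {
    awk '$2 ~ /^host\// { sub(/^host\//, "", $2); sub(/@.*$/, "", $2); print $2 }' | sort -u
}

# Succeed only if hostname $1 has a host/ key in the keytab listing on stdin.
hostname_in_keytab() {
    keytab_host_principals | grep -qxF -- "$1"
}

# Print the realm that the [domain_realm] section of krb5.conf (stdin) maps
# hostname $1 to. An exact key wins over a leading-dot suffix key. Prints
# nothing when there is no mapping, which is what happens with the public name.
krb5_realm_for_host() {
    awk -v host="$1" '
        /^\[/ { in_dr = ($0 == "[domain_realm]"); next }
        in_dr && NF >= 3 && $2 == "=" {
            key = $1; realm = $3
            if (key == host) exact = realm
            else if (substr(key, 1, 1) == "." &&
                     substr(host, length(host) - length(key) + 1) == key) suffix = realm
        }
        END { if (exact != "") print exact; else if (suffix != "") print suffix }
    '
}

# Print the certmonger Request ID (from `getcert list` on stdin) of the request
# whose storage nickname is exactly $1, ready for `getcert resubmit -i`.
getcert_request_id() {
    awk -v want="$1" -v q="'" '
        /^Request ID / { split($0, p, q); id = p[2] }
        index($0, "nickname=" q want q) { print id; exit }
    '
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/phedex.wn.iihe.ac.be@WN.IIHE.AC.BE
   2 nfs/phedex.wn.iihe.ac.be@WN.IIHE.AC.BE'

SAMPLE_KRB5CONF='[libdefaults]
  default_realm = WN.IIHE.AC.BE

[domain_realm]
  .wn.iihe.ac.be = WN.IIHE.AC.BE
  wn.iihe.ac.be = WN.IIHE.AC.BE'

SAMPLE_GETCERT="Number of certificates and requests being tracked: 2.
Request ID '20180116120000':
        status: MONITORING
        key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
Request ID '20180116120001':
        status: CA_UNREACHABLE
        key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - phedex.wn.iihe.ac.be',token='NSS Certificate DB'"

# Demonstration on the samples: the private name passes, the public name does not.
printf '%s\n' "$SAMPLE_KLIST" | hostname_in_keytab phedex.wn.iihe.ac.be \
    && echo "phedex.wn.iihe.ac.be: host key present, realm $(printf '%s\n' "$SAMPLE_KRB5CONF" | krb5_realm_for_host phedex.wn.iihe.ac.be)"
printf '%s\n' "$SAMPLE_KLIST" | hostname_in_keytab phedex.iihe.ac.be \
    || echo "phedex.iihe.ac.be: no host key in keytab, set the private hostname before renewing"
echo "Request ID to resubmit: $(printf '%s\n' "$SAMPLE_GETCERT" | getcert_request_id 'IPA Machine Certificate - phedex.wn.iihe.ac.be')"
```

Run the checks with the private hostname set: if hostname_in_keytab fails for `hostname -f` or krb5_realm_for_host prints nothing, certmonger will fail the same way again, regardless of which solution you follow. Indentation in the getcert sample is spaces; real `getcert list` output uses tabs, which the awk pattern handles the same way.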