FixIPAcert
If certmonger won't renew the certificate and fails with an error like:
certmonger: Error setting up ccache for local "host" service using default keytab: Keytab contains no suitable keys for host/phedex.wn.iihe.ac.be@.
Steps:
1. Set the hostname to the private one:
hostname host.wn.iihe.ac.be
2. Make sure the file /etc/krb5.conf looks something like:
#File modified by ipa-client-install

includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
  default_realm = WN.IIHE.AC.BE
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  ticket_lifetime = 24h
  forwardable = yes

[realms]
  WN.IIHE.AC.BE = {
    kdc = freeipa.wn.iihe.ac.be:88
    master_kdc = freeipa.wn.iihe.ac.be:88
    admin_server = freeipa.wn.iihe.ac.be:749
    default_domain = wn.iihe.ac.be
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }

[domain_realm]
  .wn.iihe.ac.be = WN.IIHE.AC.BE
  wn.iihe.ac.be = WN.IIHE.AC.BE
3. Get the list of the current certificates and note the Request ID:
getcert list
4. Issue the renewal command:
getcert resubmit -i REQUEST_ID
5. Extract the certificate:
/etc/cron.weekly/extract_machine_cert_from_nssdb.sh
If this worked, you should get an output like:
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa ecf952c9e775998f587132d0e0bd3304ac917d9a IPA Machine Certificate - phedex.wn.iihe.ac.be
pk12util: PKCS12 EXPORT SUCCESSFUL
MAC verified OK
6. Re-set the hostname to the correct one:
hostname host.(wn.)iihe.ac.be
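
Added example (not part of the original page): a pre-flight check for steps 1, 3 and 4 that confirms the keytab holds a host/ key for the current hostname and lists the tracked Request IDs with their status. The function names, the node01.wn.example.org host and the sample outputs are constructed; on a real machine feed the functions from "klist -k /etc/krb5.keytab" (assumed default keytab path) and "getcert list".

```shell
#!/bin/sh
# Added example: both functions read tool output on stdin, so they can be
# tried offline. Real use (assumes the default keytab path):
#   klist -k /etc/krb5.keytab | keytab_has_host_key "$(hostname)"
#   getcert list | tracked_requests

# Succeeds if plain `klist -k` output has a host/<fqdn>@REALM entry.
# The certmonger error above names host/<hostname>, so the two must match.
keytab_has_host_key() {
    awk -v want="host/$1@" '
        $1 ~ /^[0-9]+$/ && index($2, want) == 1 { found = 1 }
        END { exit !found }'
}

# Prints "REQUEST_ID STATUS" for every request in `getcert list` output.
tracked_requests() {
    awk -F"'" '
        /^Request ID / { id = $2 }
        /^[ \t]*status:/ { sub(/^[ \t]*status:[ \t]*/, ""); print id, $0 }'
}

# Constructed sample outputs (not taken from a real host).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------
   1 host/node01.wn.example.org@WN.EXAMPLE.ORG
   1 host/node01.wn.example.org@WN.EXAMPLE.ORG'

SAMPLE_GETCERT="Number of certificates and requests being tracked: 1.
Request ID '20190101000000':
    status: CA_UNREACHABLE
    stuck: no
    expires: 2019-12-31 23:59:59 UTC"

# Demo on the samples: resubmit only when the keytab matches the hostname.
if printf '%s\n' "$SAMPLE_KLIST" | keytab_has_host_key node01.wn.example.org; then
    echo "keytab has a key for this hostname; requests to resubmit:"
    printf '%s\n' "$SAMPLE_GETCERT" | tracked_requests
else
    echo "no host key for this hostname; set the hostname (step 1) first"
fi
```

If keytab_has_host_key fails for the current hostname, getcert resubmit will hit the same "no suitable keys" error, so fix the hostname before step 4.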