Felix O via FreeIPA-users wrote: > Hi again, > Further troubleshooting has not proven successful. I think that this is > partly caused by me not understanding what the No valid negotiate header > error actually means. Most sources point in the direction of keytabs, so I > suspect it has to do with LDAP/KDC communications? > > Also, when running getcert list, the following shows up at the top. However, > I don't know if this is caused by the other errors, or causing them? > Request ID '20210520194638': > status: CA_UNREACHABLE > ca-error: Error setting up ccache for "host" service on client using > default keytab: Cannot contact any KDC for requested realm. > stuck: no > key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key' > certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt' > CA: IPA > issuer: CN=Certificate Authority,O=COMPANY.COM > subject: CN=ipa.company.com,O=COMPANY.COM > issued: 2025-06-09 11:07:31 UTC > expires: 2027-06-10 11:07:31 UTC > principal name: krbtgt/[email protected] > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-pkinit-KPKdc > profile: KDCs_PKINIT_Certs > pre-save command: > post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert > track: yes > auto-renew: yes > > The other certificates listed are all valid and shows as MONITORING. This > failing(?) certificate also shows up when running ipa-getcert list. > If it's helpful, the instance is running in a CentOS 9 container.
This message does not indicate a keytab issue. You need a valid pkinit certificate. Make sure the IPA services are running: ipactl status Then force a resubmission of the certificate: getcert resubmit -i 20210520194638 -vw It should complete with MONITORING. rob -- _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
