Felix O via FreeIPA-users wrote:
> Hi again,
> Further troubleshooting has not proven successful. I think that this is 
> partly caused by me not understanding what the No valid negotiate header 
> error actually means. Most sources point in the direction of keytabs, so I 
> suspect it has to do with LDAP/KDC communications?
> 
> Also, when running getcert list, the following shows up at the top. However, 
> I don't know if this is caused by the other errors, or causing them?
> Request ID '20210520194638':
>       status: CA_UNREACHABLE
>       ca-error: Error setting up ccache for "host" service on client using 
> default keytab: Cannot contact any KDC for requested realm.
>       stuck: no
>       key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
>       certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
>       CA: IPA
>       issuer: CN=Certificate Authority,O=COMPANY.COM
>       subject: CN=ipa.company.com,O=COMPANY.COM
>       issued: 2025-06-09 11:07:31 UTC
>       expires: 2027-06-10 11:07:31 UTC
>       principal name: krbtgt/[email protected]
>       key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>       eku: id-kp-serverAuth,id-pkinit-KPKdc
>       profile: KDCs_PKINIT_Certs
>       pre-save command:
>       post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
>       track: yes
>       auto-renew: yes
> 
> The other certificates listed are all valid and shows as MONITORING. This 
> failing(?) certificate also shows up when running ipa-getcert list.
> If it's helpful, the instance is running in a CentOS 9 container.

This message does not indicate a keytab issue.

You need a valid pkinit certificate.

Make sure the IPA services are running: ipactl status

Then force a resubmission of the certificate: getcert resubmit -i
20210520194638 -vw

It should complete with MONITORING.

rob

-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Reply via email to