Fraser Tweedale wrote:
On Wed, Oct 07, 2020 at 03:58:19AM -0000, Chuck Musser via
FreeIPA-users wrote:
> ok got it. I did the kinit to do the update and was able to import the cert and
> update the certs collection.
>
> It took several attempts and the above advice to get the right procedure, but to
> recap, the steps (near as I can tell) are:
>
> 1. Create a PKCS#12 certificate from the server certificate, private key and the
> chain containing the CA's cert. I used openssl's pkcs12 command for this.
> 2. Import the CA's cert with "ipa-cacert-manage"
> 3. Use ipa-server-certinstall to install the certificate bundle thing from step 1.
> This depends on step 2, because the CA must be trusted.
> 4. Use "kinit" to get a Kerberos ticket. The argument to this is
> "admin in our case", because that's our administrative
> 5. Use "ipa-certupdate" to update the list of certificates and restart the
> services that need restarting.
>
> Thanks for the help!
>
You are welcome, Chuck.
Hey Rob and Flo, a quick thought: ipa-certupdate needs root always,
so host keytab is available. Indeed, in
ipa_certupdate.run_with_args() it (re-)kinit's with host keytab.
Only API initialisation fails when running from CLI without latent,
non-expired credentials (in ipa_certupdate.CertUpdate.run()).
Can we bootstrap the API using the host keytab instead, and avoid
this error?
I filed an issue upstream,
https://pagure.io/freeipa/issue/8531
rob
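The five steps Chuck recapped, as an added example script that is not part of this thread or of FreeIPA itself. It adds the check step 3 implicitly relies on (the server cert must verify against the CA cert that step 2 installs) before any ipa-* command runs; the file paths, the "Server-Cert" nickname, the "admin" principal and the PKCS#12 passphrase are assumptions.

```shell
#!/bin/sh
# Added example, not code from the FreeIPA-users thread. Wraps the procedure
# from the thread: build a PKCS#12, trust the CA, install the bundle, kinit,
# run ipa-certupdate. All paths and names below are assumptions.
set -eu

# Pre-check for step 3: the server cert must chain to the CA cert that
# step 2 makes IPA trust; returns non-zero if the chain does not verify.
verify_chain() {
    ca_pem=$1; server_pem=$2
    openssl verify -CAfile "$ca_pem" "$server_pem" >/dev/null 2>&1
}

# Step 1: bundle server cert, private key and CA chain into one PKCS#12 file.
make_pkcs12() {
    server_pem=$1; key_pem=$2; ca_pem=$3; out_p12=$4; pass=$5
    openssl pkcs12 -export -in "$server_pem" -inkey "$key_pem" \
        -certfile "$ca_pem" -name "Server-Cert" \
        -out "$out_p12" -passout "pass:$pass"
}

# Steps 2-5 as listed in the thread; must run as root on the IPA server.
# ipa-cacert-manage may prompt for the Directory Manager password.
install_on_ipa() {
    p12=$1; pass=$2; ca_pem=$3
    ipa-cacert-manage install "$ca_pem"                 # step 2: trust the CA
    ipa-server-certinstall -w -d "$p12" --pin="$pass"   # step 3: HTTP and LDAP cert
    kinit admin                                         # step 4: API credentials
    ipa-certupdate                                      # step 5: refresh cert stores
}

# Usage: ./reinstall_ipa_cert.sh server.pem server.key ca-chain.pem
main() {
    server_pem=$1; key_pem=$2; ca_pem=$3
    p12=/root/server.p12; pass=${P12_PASS:-changeit}   # assumed output path/passphrase
    verify_chain "$ca_pem" "$server_pem" || {
        echo "server cert does not chain to $ca_pem; fix the chain first" >&2
        exit 1
    }
    make_pkcs12 "$server_pem" "$key_pem" "$ca_pem" "$p12" "$pass"
    install_on_ipa "$p12" "$pass" "$ca_pem"
}

if [ "$#" -eq 3 ]; then main "$@"; fi
```

The chain check is what turns a confusing ipa-server-certinstall failure into a clear error before anything on the server is touched.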