Yes, /tmp is writable for everyone.

drwxrwxrwt. root root 4.0K tmp


[root@ipa5 centos]# kinit admin

Password for admin@FIXEDANDMOBILE.COM: 


The output for /etc/krb5.keytab:


[root@ipa5 centos]# klist -kt /etc/krb5.keytab

Keytab name: FILE:/etc/krb5.keytab

KVNO Timestamp         Principal

---- ----------------- --------------------------------------------------------


On Tue, Mar 10, 2020 at 1:59 AM Robbie Harwood <rharwood@redhat.com> wrote:
Faraz Younus <farazby@gmail.com> writes:

> Robbie Harwood <rharwood@redhat.com> wrote:
>> Faraz Younus writes:
>>
>>> Hello,
>>>
>>> I'm getting failures when updating a new certificate, whether it is external or
>>> Letsencrypt. Previously, 15 days ago, I was successfully installing a Letsencrypt
>>> certificate.
>>>
>>> I'm following the GitHub repo below to set up FreeIPA.
>>>
>>> https://github.com/freeipa/ansible-freeipa/tree/master/roles
>>>
>>> root#  ipa-server-certinstall -w -d ipa5.fixedandmobile.com.p12
>>>
>>> Peer's certificate issuer is not trusted (certutil: certificate is
>> invalid:
>>> Peer's Certificate issuer is not recognized.
>>>
>>> ). Please run ipa-cacert-manage install and ipa-certupdate to install the
>>> CA certificate.
>>>
>>> The ipa-server-certinstall command failed.
>>>
>>> root# ipa-certupdate -v
>>>
>>> ipapython.admintool: DEBUG: Not logging to a file
>>>
>>> ipalib.rpc: DEBUG: failed to find session_cookie in persistent storage
>> for
>>> principal 'admin@FIXEDANDMOBILE.COM'
>>>
>>> ipalib.rpc: INFO: trying https://ipa5.fixedandmobile.com/ipa/json
>>>
>>> ipalib.rpc: DEBUG: New HTTP connection (ipa5.fixedandmobile.com)
>>>
>>> ipalib.rpc: DEBUG: received Set-Cookie (<type
>>>
>> 'list'>)'['ipa_session=MagBearerToken=7%2feoIywViL2KTkXiG1w0hP0DdWEaK4pE75LdZtDKSRPqBDLuzEqJdY%2fUnrwLqOBnhZBTqjj8gdAGD%2fSWn%2bwq1xLTiDo7%2f8CRETD%2bW5AvHT1VNFFRZibPfE1JS2BVE09q%2bdQrPAV60PA4cth2Qcdsvfp0U2oLj1xML6eRsoXG00REURhaFp8cCaB9AuQVKLbO8Byf3Pie3qafgN1SJ04jzA%3d%3d;path=/ipa;httponly;secure;']'
>>>
>>> ipalib.rpc: DEBUG: storing cookie
>>>
>> 'ipa_session=MagBearerToken=7%2feoIywViL2KTkXiG1w0hP0DdWEaK4pE75LdZtDKSRPqBDLuzEqJdY%2fUnrwLqOBnhZBTqjj8gdAGD%2fSWn%2bwq1xLTiDo7%2f8CRETD%2bW5AvHT1VNFFRZibPfE1JS2BVE09q%2bdQrPAV60PA4cth2Qcdsvfp0U2oLj1xML6eRsoXG00REURhaFp8cCaB9AuQVKLbO8Byf3Pie3qafgN1SJ04jzA%3d%3d;'
>>> for principal admin@FIXEDANDMOBILE.COM
>>>
>>> ipalib.backend: DEBUG: Created connection
>> context.rpcclient_139889220220816
>>>
>>> ipalib.rpc: INFO: [try 1]: Forwarding 'schema' to json server '
>>> https://ipa5.fixedandmobile.com/ipa/json'
>>>
>>> ipalib.rpc: DEBUG: HTTP connection keep-alive (ipa5.fixedandmobile.com)
>>>
>>> ipalib.rpc: DEBUG: received Set-Cookie (<type
>>>
>> 'list'>)'['ipa_session=MagBearerToken=7PkGtgj%2fPCAF7lH774apcgiEy8NWrTzE3mFkHYl0eLj3%2bujnT%2fQru5wDXVKPv5ky7TwRzS%2bVifAcvSv97FnucGLDC%2b17365XlJuuexo2K0IueTFg5oFAdOf6aCk%2bB%2bNC8Rjawej3u1gidQa8y285gLYBmD0rW44cdrHaulcW72pgD1ts1%2fC1uwRsolhCx30Iwfe0Qj9TGSjd0OvS0TfS0A%3d%3d;path=/ipa;httponly;secure;']'
>>>
>>> ipalib.rpc: DEBUG: storing cookie
>>>
>> 'ipa_session=MagBearerToken=7PkGtgj%2fPCAF7lH774apcgiEy8NWrTzE3mFkHYl0eLj3%2bujnT%2fQru5wDXVKPv5ky7TwRzS%2bVifAcvSv97FnucGLDC%2b17365XlJuuexo2K0IueTFg5oFAdOf6aCk%2bB%2bNC8Rjawej3u1gidQa8y285gLYBmD0rW44cdrHaulcW72pgD1ts1%2fC1uwRsolhCx30Iwfe0Qj9TGSjd0OvS0TfS0A%3d%3d;'
>>> for principal admin@FIXEDANDMOBILE.COM
>>>
>>> ipalib.backend: DEBUG: Destroyed connection
>>> context.rpcclient_139889220220816
>>>
>>> ipalib.plugable: DEBUG: importing all plugin modules in
>>> ipaclient.remote_plugins.schema$79e69edd...
>>>
>>> ipalib.plugable: DEBUG: importing plugin module
>>> ipaclient.remote_plugins.schema$79e69edd.plugins
>>>
>>> ipalib.plugable: DEBUG: importing all plugin modules in
>> ipaclient.plugins...
>>>
>>> ipalib.plugable: DEBUG: importing plugin module
>> ipaclient.plugins.automember
>>>
>>> ipalib.plugable: DEBUG: importing plugin module
>> ipaclient.plugins.automount
>>>
>>> ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.ca
>>>
>>> ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.cert
>>>
>>> ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.certmap
>>>
>>> ipalib.plugable: DEBUG: importing plugin module
>>> ipaclient.plugins.certprofile
>>>
>>> ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.csrgen
>>>
>>> ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.dns
>>>
>>> ipalib.plugable: DEBUG: importing plugin module
>> ipaclient.plugins.hbacrule
>>>
>>> ipalib.plugable: DEBUG: importing plugin module
>> ipaclient.plugins.hbactest
>>>
>>> ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.host
>>>
>>> ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.idrange
>>>
>>> ipalib.plugable: DEBUG: importing plugin module
>> ipaclient.plugins.internal
>>>
>>> ipalib.plugable: DEBUG: importing plugin module
>> ipaclient.plugins.location
>>>
>>> ipalib.plugable: DEBUG: importing plugin module
>> ipaclient.plugins.migration
>>>
>>> ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.misc
>>>
>>> ipalib.plugable: DEBUG: importing plugin module
>> ipaclient.plugins.otptoken
>>>
>>> ipalib.plugable: DEBUG: importing plugin module
>>> ipaclient.plugins.otptoken_yubikey
>>>
>>> ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.passwd
>>>
>>> ipalib.plugable: DEBUG: importing plugin module
>> ipaclient.plugins.permission
>>>
>>> ipalib.plugable: DEBUG: importing plugin module
>> ipaclient.plugins.rpcclient
>>>
>>> ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.server
>>>
>>> ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.service
>>>
>>> ipalib.plugable: DEBUG: importing plugin module
>> ipaclient.plugins.sudorule
>>>
>>> ipalib.plugable: DEBUG: importing plugin module
>> ipaclient.plugins.topology
>>>
>>> ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.trust
>>>
>>> ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.user
>>>
>>> ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.vault
>>>
>>> ipalib.rpc: DEBUG: found session_cookie in persistent storage for
>> principal
>>> 'admin@FIXEDANDMOBILE.COM', cookie:
>>>
>> 'ipa_session=MagBearerToken=7PkGtgj%2fPCAF7lH774apcgiEy8NWrTzE3mFkHYl0eLj3%2bujnT%2fQru5wDXVKPv5ky7TwRzS%2bVifAcvSv97FnucGLDC%2b17365XlJuuexo2K0IueTFg5oFAdOf6aCk%2bB%2bNC8Rjawej3u1gidQa8y285gLYBmD0rW44cdrHaulcW72pgD1ts1%2fC1uwRsolhCx30Iwfe0Qj9TGSjd0OvS0TfS0A%3d%3d'
>>>
>>> ipalib.rpc: DEBUG: setting session_cookie into context
>>>
>> 'ipa_session=MagBearerToken=7PkGtgj%2fPCAF7lH774apcgiEy8NWrTzE3mFkHYl0eLj3%2bujnT%2fQru5wDXVKPv5ky7TwRzS%2bVifAcvSv97FnucGLDC%2b17365XlJuuexo2K0IueTFg5oFAdOf6aCk%2bB%2bNC8Rjawej3u1gidQa8y285gLYBmD0rW44cdrHaulcW72pgD1ts1%2fC1uwRsolhCx30Iwfe0Qj9TGSjd0OvS0TfS0A%3d%3d;'
>>>
>>> ipalib.rpc: INFO: trying
>> https://ipa5.fixedandmobile.com/ipa/session/json
>>>
>>> ipalib.rpc: DEBUG: New HTTP connection (ipa5.fixedandmobile.com)
>>>
>>> ipalib.rpc: DEBUG: received Set-Cookie (<type
>>>
>> 'list'>)'['ipa_session=MagBearerToken=7PkGtgj%2fPCAF7lH774apcgiEy8NWrTzE3mFkHYl0eLj3%2bujnT%2fQru5wDXVKPv5ky7TwRzS%2bVifAcvSv97FnucGLDC%2b17365XlJuuexo2K0IueTFg5oFAdOf6aCk%2bB%2bNC8Rjawej3u1gidQa8y285gLYBmD0rW44cdrHaulcW72pgD1ts1%2fC1uwRsolhCx30Iwfe0Qj9TGSjd0OvS0TfS0A%3d%3d;path=/ipa;httponly;secure;']'
>>>
>>> ipalib.rpc: DEBUG: storing cookie
>>>
>> 'ipa_session=MagBearerToken=7PkGtgj%2fPCAF7lH774apcgiEy8NWrTzE3mFkHYl0eLj3%2bujnT%2fQru5wDXVKPv5ky7TwRzS%2bVifAcvSv97FnucGLDC%2b17365XlJuuexo2K0IueTFg5oFAdOf6aCk%2bB%2bNC8Rjawej3u1gidQa8y285gLYBmD0rW44cdrHaulcW72pgD1ts1%2fC1uwRsolhCx30Iwfe0Qj9TGSjd0OvS0TfS0A%3d%3d;'
>>> for principal admin@FIXEDANDMOBILE.COM
>>>
>>> ipalib.backend: DEBUG: Created connection
>> context.rpcclient_139889190138192
>>>
>>> ipalib.install.kinit: DEBUG: Initializing principal host/
>>> ipa5.fixedandmobile.com@FIXEDANDMOBILE.COM using keytab /etc/krb5.keytab
>>>
>>> ipalib.install.kinit: DEBUG: using ccache /tmp/tmp-Rln5Jh/ccache
>>>
>>> ipapython.admintool: DEBUG:   File
>>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in
>>> execute
>>>
>>>     return_value = self.run()
>>>
>>>   File
>>> "/usr/lib/python2.7/site-packages/ipaclient/install/ipa_certupdate.py",
>>> line 62, in run
>>>
>>>     run_with_args(api)
>>>
>>>   File
>>> "/usr/lib/python2.7/site-packages/ipaclient/install/ipa_certupdate.py",
>>> line 83, in run_with_args
>>>
>>>     kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_name)
>>>
>>>   File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line
>> 47,
>>> in kinit_keytab
>>>
>>>     cred = gssapi.Credentials(name=name, store=store, usage='initiate')
>>>
>>>   File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in
>>> __new__
>>>
>>>     store=store)
>>>
>>>   File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in
>>> acquire
>>>
>>>     usage)
>>>
>>>   File "ext_cred_store.pyx", line 182, in
>>> gssapi.raw.ext_cred_store.acquire_cred_from
>>> (gssapi/raw/ext_cred_store.c:1732)
>>>
>>>
>>> ipapython.admintool: DEBUG: The ipa-certupdate command failed, exception:
>>> GSSError: Major (851968): Unspecified GSS failure.  Minor code may
>> provide
>>> more information, Minor (2529639107): No credentials cache found
>>>
>>> ipapython.admintool: ERROR: Major (851968): Unspecified GSS failure.
>> Minor
>>> code may provide more information, Minor (2529639107): No credentials
>> cache
>>> found
>>>
>>> ipapython.admintool: ERROR: The ipa-certupdate command failed.
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>> To unsubscribe send an email to
>> freeipa-users-leave@lists.fedorahosted.org
>>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives:
>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>>
>> Did you kinit first?  This probably should have a better UI than dying
>> in an exception...
>
> Yes, I did the kinit admin before running the update.

(Please keep the list in CC.)

Is /tmp writeable?  What's the output of `klist -kt /etc/krb5.keytab`?

Thanks,
--Robbie
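The `klist -kt` listing at the top of this message shows the keytab header but no key entries, so the `kinit_keytab()` step in `ipa-certupdate` has no host key to initialise from. As an added example (not code from the thread or from the FreeIPA project), this POSIX sh check parses a `klist -kt` listing and reports an empty keytab or a missing host principal before `ipa-certupdate` is run; the host and realm names in the sample listings are constructed.

```shell
#!/bin/sh
# Added example: sanity-check a `klist -kt` listing for the host principal that
# ipa-certupdate's kinit_keytab() step needs. Names below are constructed.

# Print the number of key entries in a klist -kt listing read from stdin.
# Entry lines start with a numeric KVNO; the "Keytab name:" line, the column
# header and the dashed rule are skipped.
keytab_entry_count() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 3 { n++ } END { print n + 0 }'
}

# Exit 0 if the listing on stdin has at least one key for principal $1
# (the principal is the last whitespace-separated field of an entry line).
keytab_has_principal() {
    awk -v want="$1" '$1 ~ /^[0-9]+$/ && $NF == want { found = 1 } END { exit !found }'
}

# Diagnose listing $1 for expected host principal $2.
# Prints one line; returns 0 (ok), 1 (keytab empty) or 2 (principal missing).
check_host_keytab() {
    listing=$1
    principal=$2
    count=$(printf '%s\n' "$listing" | keytab_entry_count)
    if [ "$count" -eq 0 ]; then
        echo "EMPTY: keytab has no keys; kinit_keytab for $principal cannot succeed"
        return 1
    fi
    if printf '%s\n' "$listing" | keytab_has_principal "$principal"; then
        echo "OK: $count key(s), $principal present"
        return 0
    fi
    echo "MISSING: $count key(s) but none for $principal"
    return 2
}

# Constructed sample listings in klist -kt format: the first mirrors the
# header-only output seen in this thread, the second a healthy host keytab.
EMPTY_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------'

GOOD_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   2 03/10/2020 01:00:00 host/ipa.example.test@EXAMPLE.TEST
   2 03/10/2020 01:00:00 host/ipa.example.test@EXAMPLE.TEST'

check_host_keytab "$EMPTY_LISTING" host/ipa.example.test@EXAMPLE.TEST || true
check_host_keytab "$GOOD_LISTING"  host/ipa.example.test@EXAMPLE.TEST
```

On a live server, feed `klist -kt /etc/krb5.keytab` output into `check_host_keytab` with `host/$(hostname -f)@REALM`; a non-zero return means the keytab must be repaired before `ipa-certupdate` can authenticate as the host.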