Red Hat Bugzilla – Bug 1207649
host certificate not issued to client during ipa-client-install
Last modified: 2015-07-22 03:39:54 EDT
Created attachment 1008994 [details]
console output with snip from error_log from IPA Server

Description of problem:
During ipa-client-install the host certificate is not issued to the client, and certmonger complains that no host record was found on the IPA server for the SAN in the certificate request:

ca-error: Server at https://dhcp207-188.testrelm.test/ipa/xml failed request, will retry: 4001 (RPC failed at server. no host record for subject alt name host/dhcp207-3.testrelm.test@TESTRELM.TEST in certificate request).

Version-Release number of selected component (if applicable):
[root@dhcp207-3 ~]# rpm -q ipa-client certmonger
ipa-client-3.0.0-45.el6.x86_64
certmonger-0.77.1-1.el6.x86_64
[root@dhcp207-3 ~]#

How reproducible:
Always

Steps to Reproduce:
1. Run ipa-client-install
2. Run "getcert list" to check whether the host certificate was issued to the host

Actual results:
Host certificate not issued

Expected results:
Host certificate should have been issued

Additional info:
(1) Please find the attached console output on the client and a snip from /var/log/httpd/error_log on the IPA Server.
Created attachment 1012224 [details]
Fix

Attached a patch with a fix. Note that this is caused by the fix for bug 1154776.
Verified.

IPA Version:
============
On Server:
[root@dhcp207-230 ~]# rpm -q ipa-server pki-ca
ipa-server-3.0.0-46.el6.x86_64
pki-ca-9.0.3-41.el6.noarch
[root@dhcp207-230 ~]#

On Client:
[root@dhcp207-223 ~]# rpm -q ipa-client certmonger
ipa-client-3.0.0-46.el6.x86_64
certmonger-0.77.2-1.el6.x86_64
[root@dhcp207-223 ~]#

Console output snip:
====================
[root@dhcp207-223 ~]# ipa-client-install -U --domain=testrelm.test --realm=TESTRELM.TEST -p admin -w xxxxxxxx --server=dhcp207-230.testrelm.test
Hostname: dhcp207-223.testrelm.test
Realm: TESTRELM.TEST
DNS Domain: testrelm.test
IPA Server: dhcp207-230.testrelm.test
BaseDN: dc=testrelm,dc=test

Synchronizing time with KDC...
Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=TESTRELM.TEST
    Issuer:      CN=Certificate Authority,O=TESTRELM.TEST
    Valid From:  Tue Apr 21 15:20:44 2015 UTC
    Valid Until: Sat Apr 21 15:20:44 2035 UTC

Enrolled in IPA realm TESTRELM.TEST
Attempting to get host TGT...
.....
SSSD enabled
Configuring testrelm.test as NIS domain
Configured /etc/openldap/ldap.conf
NTP enabled
Configured /etc/ssh/ssh_config
Configured /etc/ssh/sshd_config
Client configuration complete.

[root@dhcp207-223 ~]# ipa-getcert list
Number of certificates and requests being tracked: 1.
Request ID '20150422070325':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - dhcp207-223.testrelm.test',token='NSS Certificate DB'
	certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - dhcp207-223.testrelm.test',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=TESTRELM.TEST
	subject: CN=dhcp207-223.testrelm.test,O=TESTRELM.TEST
	expires: 2017-04-22 07:03:26 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
[root@dhcp207-223 ~]#
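As an added example that is not part of the bug report, the attached patch, or the ipa/certmonger code: a small Python checker for the "run getcert list and see whether the host certificate was issued" step from the reproduce steps and the verification above. It parses `getcert list` output, tells whether the IPA machine certificate for a given hostname reached MONITORING, and, when the CA returned the 4001 "no host record for subject alt name" error quoted in the report, pulls out the principal the server could not find so it can be compared against the client's own hostname and against `ipa host-show` on the server. The sample output and all function names are constructed for this example; the `CA_UNREACHABLE` status on the failing request is an assumption about what certmonger prints while it retries, not something shown on this page.

```python
import re

# Constructed sample of `getcert list` output (not copied from the bug page):
# request 1 reproduces the failing case with the ca-error from the report,
# request 2 mirrors the healthy MONITORING entry from the verification.
# The CA_UNREACHABLE status is an assumption, not taken from the page.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20150326101501':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://dhcp207-188.testrelm.test/ipa/xml failed request, will retry: 4001 (RPC failed at server. no host record for subject alt name host/dhcp207-3.testrelm.test@TESTRELM.TEST in certificate request).
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - dhcp207-3.testrelm.test',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=dhcp207-3.testrelm.test,O=TESTRELM.TEST
Request ID '20150422070325':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - dhcp207-223.testrelm.test',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=TESTRELM.TEST
\tsubject: CN=dhcp207-223.testrelm.test,O=TESTRELM.TEST
\texpires: 2017-04-22 07:03:26 UTC
"""

REQ_RE = re.compile(r"^Request ID '([^']+)':\s*$")
# Matches the server-side message quoted in the report and captures the
# Kerberos principal (host/<fqdn>@<REALM>) the IPA server could not look up.
SAN_ERR_RE = re.compile(
    r"no host record for subject alt name (\S+) in certificate request")


def parse_getcert_list(text):
    """Split `getcert list` output into one dict of fields per tracked request."""
    requests = []
    current = None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue  # header line before the first request, or junk
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return requests


def principal_host(principal):
    """'host/fqdn@REALM' -> 'fqdn'; None for a non-host principal."""
    service, _, rest = principal.partition("/")
    if service != "host":
        return None
    return rest.split("@", 1)[0]


def host_cert_status(text, fqdn):
    """Judge the IPA machine-certificate request for `fqdn`.

    'ok' is True only when certmonger reports MONITORING, not stuck and no
    ca-error. When the CA rejected the CSR over the SAN, 'san_principal'
    holds the principal it could not find and 'san_matches_host' says
    whether that principal names this very host (as in the bug, where the
    lookup itself was broken) or a different name (a hostname mismatch).
    """
    expected_subject = "CN=%s," % fqdn
    for req in parse_getcert_list(text):
        if req.get("CA") != "IPA":
            continue
        if not req.get("subject", "").startswith(expected_subject):
            continue
        result = {"request_id": req["request_id"], "status": req.get("status"),
                  "san_principal": None, "san_matches_host": None,
                  "ok": False, "reason": ""}
        err = req.get("ca-error", "")
        m = SAN_ERR_RE.search(err)
        if m:
            result["san_principal"] = m.group(1)
            result["san_matches_host"] = principal_host(m.group(1)) == fqdn
            result["reason"] = "CA has no host entry for SAN principal " + m.group(1)
        elif err:
            result["reason"] = "ca-error: " + err
        elif req.get("status") != "MONITORING":
            result["reason"] = "status is %s" % req.get("status")
        elif req.get("stuck") == "yes":
            result["reason"] = "request is stuck"
        else:
            result["ok"] = True
            result["reason"] = "issued, expires " + req.get("expires", "?")
        return result
    return {"request_id": None, "status": None, "san_principal": None,
            "san_matches_host": None, "ok": False,
            "reason": "no IPA host certificate request tracked for " + fqdn}


if __name__ == "__main__":
    for host in ("dhcp207-3.testrelm.test", "dhcp207-223.testrelm.test"):
        r = host_cert_status(SAMPLE_GETCERT_LIST, host)
        print(host, "OK" if r["ok"] else "FAIL", r["reason"])
```

On a real client, feed it `subprocess.check_output(["getcert", "list"])` and the output of `hostname -f`. A `san_matches_host` of True together with the 4001 error points at the server side (the situation in this bug), while False means the CSR carries a name the client did not enroll under, which is fixed on the client, not by a server patch.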
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHSA-2015-1462.html