#9269 ipa-certupdate does not restart/reload KDC on servers
Closed: fixed 2 years ago by frenaud. Opened 2 years ago by cheimes.

Issue

The command ipa-certupdate retrieves trusted CA certs from LDAP and updates several CA bundles on the system. Amongst others it updates the Kerberos CA bundle at /var/lib/ipa-client/pki/kdc-ca-bundle.pem. The file is used by both Kerberos clients and Kerberos KDC servers for PKINIT. The KDC loads and caches the bundle on startup. Since the ipa-certupdate command does not restart/reload the KDC, new CA certs do not come into effect.

Steps to Reproduce

  1. Install new CA certs with ipa-certupdate
  2. Attempt PKINIT with a client cert that is signed by the new CA (kinit -X X509_user_identity=FILE:cert.pem,cert.key)

Actual behavior

kinit fails. KDC logs

preauth (pkinit) verify failure: Failed to verify received certificate (depth 1): unable to get local issuer certificate: content type not enveloped data

After systemctl restart krb5kdc.service the same kinit command succeeds.

Expected behavior

kinit works after ipa-certupdate without manual restart/reload of KDC.

Version/Release/Distribution

freeipa-server-4.9.10-4.fc36.x86_64
krb5-server-1.19.2-11.fc36.x86_64
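A check for the condition this ticket describes, added here as an example and not part of the ticket or of FreeIPA's own code: it compares the modification time of /var/lib/ipa-client/pki/kdc-ca-bundle.pem with the time krb5kdc.service last entered the active state, and reports a stale cached bundle when the file is newer than the running KDC. The path and service name come from the ticket; the use of `systemctl show -p ActiveEnterTimestamp --value` and GNU `date -d`, and all function and variable names, are my own assumptions.

```shell
#!/bin/sh
# Added example (not FreeIPA project code): detect a KDC that is still serving
# a cached copy of the PKINIT CA bundle because it was started before the
# bundle was last updated (e.g. by ipa-certupdate without a KDC restart).
# Path and unit name are from the ticket; the rest is assumed.

KDC_CA_BUNDLE=/var/lib/ipa-client/pki/kdc-ca-bundle.pem
KDC_SERVICE=krb5kdc.service

# bundle_is_stale BUNDLE_MTIME KDC_START   (both Unix epoch seconds)
# Returns 0 (true) when the bundle was modified after the KDC started,
# i.e. the running KDC has never read the current file. A KDC that is
# not running (start time 0) is not stale: there is no cache to refresh.
bundle_is_stale() {
    bundle_mtime=$1
    kdc_start=$2
    [ "$kdc_start" -gt 0 ] && [ "$bundle_mtime" -gt "$kdc_start" ]
}

# kdc_start_epoch: epoch seconds at which krb5kdc.service last became active.
# Prints 0 when the unit is not active. Assumes systemd and GNU date.
kdc_start_epoch() {
    ts=$(systemctl show "$KDC_SERVICE" -p ActiveEnterTimestamp --value 2>/dev/null)
    case "$ts" in
        ""|n/a) echo 0 ;;
        *)      date -d "$ts" +%s ;;
    esac
}

# check_kdc_bundle [--restart]
# Reports whether the KDC predates the current CA bundle (exit 1 if so,
# 0 if up to date, 2 if the bundle is missing). With --restart it applies
# the workaround from the ticket: systemctl restart krb5kdc.service.
check_kdc_bundle() {
    mtime=$(stat -c %Y "$KDC_CA_BUNDLE") || return 2
    start=$(kdc_start_epoch)
    if bundle_is_stale "$mtime" "$start"; then
        echo "$KDC_CA_BUNDLE modified at $mtime, $KDC_SERVICE active since $start: stale CA bundle in KDC"
        [ "$1" = "--restart" ] && systemctl restart "$KDC_SERVICE"
        return 1
    fi
    echo "$KDC_SERVICE started after the last change to $KDC_CA_BUNDLE: nothing to do"
    return 0
}

# Usage: sh kdc-bundle-check.sh --check      (report only)
#        sh kdc-bundle-check.sh --restart    (report and restart the KDC)
case "${1:-}" in
    --check|--restart) check_kdc_bundle "$1" ;;
esac
```

Run it on a server right after ipa-certupdate: a non-zero exit from the report-only mode means PKINIT against certificates from the newly added CA will fail until the KDC is restarted, which is exactly the symptom in the ticket. Comparing timestamps rather than file contents is deliberate: the KDC caches the bundle at startup, so any change after that point is invisible to it regardless of what the change was.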

Metadata Update from @jrische:
- Issue assigned to jrische

2 years ago

Metadata Update from @cheimes:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/6543

2 years ago

master:

  • dbebed2 Add PKINIT support to ipa-client-install

ipa-4-10:

  • 9d902d3 Add PKINIT support to ipa-client-install

ipa-4-9:

  • 80da53e Add PKINIT support to ipa-client-install

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2075452

2 years ago