The command ipa-certupdate retrieves trusted CA certs from LDAP and updates several CA bundles on the system. Amongst others it updates the Kerberos CA bundle at /var/lib/ipa-client/pki/kdc-ca-bundle.pem. The file is used by both Kerberos clients and Kerberos KDC servers for PKINIT. The KDC loads and caches the bundle on startup. Since the ipa-certupdate command does not restart/reload the KDC, new CA certs do not come into effect.
ipa-certupdate
/var/lib/ipa-client/pki/kdc-ca-bundle.pem
kinit -X X509_user_identity=FILE:cert.pem,cert.key
kinit fails. The KDC logs:
preauth (pkinit) verify failure: Failed to verify received certificate (depth 1): unable to get local issuer certificate: content type not enveloped data
After systemctl restart krb5kdc.service the same kinit command succeeds.
systemctl restart krb5kdc.service
Expected: kinit works after ipa-certupdate without a manual restart/reload of the KDC.
freeipa-server-4.9.10-4.fc36.x86_64 krb5-server-1.19.2-11.fc36.x86_64
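An added check script, written for this page and not code from the FreeIPA project or the reporter, that turns the observation in the report into something you can run on a server: it counts the CA certificates in the PKINIT bundle and compares the bundle's mtime with the time krb5kdc.service last became active, flagging a KDC that is still serving its cached copy of the old bundle. The bundle path is the one named in the report; the systemctl, stat and date invocations, the --live flag and the report/demo helper names are assumptions of this example, and the bundle the demo writes is constructed placeholder text, not real certificates.

```shell
#!/bin/sh
# Added example, not FreeIPA project code: detect a krb5kdc that started before
# the last change to the PKINIT CA bundle (and therefore still serves the old,
# cached CA list). Assumptions: GNU stat/date, systemd, and the bundle path.

BUNDLE="${BUNDLE:-/var/lib/ipa-client/pki/kdc-ca-bundle.pem}"

# Number of PEM certificates in the bundle given as $1.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Epoch seconds at which krb5kdc.service last became active; 0 if not running.
kdc_start_epoch() {
    ts=$(systemctl show krb5kdc.service -p ActiveEnterTimestamp --value 2>/dev/null)
    case "$ts" in
        ""|n/a) echo 0 ;;
        *) date -d "$ts" +%s ;;
    esac
}

# Succeeds (exit 0) when a restart is needed: the bundle ($1, epoch mtime) was
# modified after the KDC started ($2, epoch). A stopped KDC ($2 = 0) needs none.
kdc_restart_needed() {
    [ "$2" -eq 0 ] && return 1
    [ "$1" -gt "$2" ]
}

# Report for one bundle path ($1) given the KDC start time ($2): prints the
# verdict and returns 0 when a restart is required, 1 otherwise.
report() {
    mtime=$(stat -c %Y "$1")
    echo "$1: $(count_certs "$1") certificate(s), last modified $mtime"
    if kdc_restart_needed "$mtime" "$2"; then
        echo "krb5kdc became active at $2, before the bundle changed: run"
        echo "  systemctl restart krb5kdc.service"
        return 0
    fi
    echo "krb5kdc start time $2 is not older than the bundle: nothing to do"
    return 1
}

# Offline demonstration with a constructed bundle (placeholder bodies, not
# real certificates) and made-up timestamps relative to the file's mtime.
demo() {
    tmp=$(mktemp)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER-NOT-A-REAL-CERTIFICATE' \
        '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' \
        'PLACEHOLDER-NOT-A-REAL-CERTIFICATE' '-----END CERTIFICATE-----' > "$tmp"
    now=$(stat -c %Y "$tmp")
    echo "# KDC started one hour before the bundle was rewritten:"
    report "$tmp" $((now - 3600)) || true
    echo "# KDC restarted after the bundle was rewritten:"
    report "$tmp" $((now + 1)) || true
    rm -f "$tmp"
}

# With --live, check the real bundle against the running KDC; otherwise
# run the offline demonstration.
if [ "${1:-}" = "--live" ]; then
    report "$BUNDLE" "$(kdc_start_epoch)"
else
    demo
fi
```

Run it with --live on an IPA server after ipa-certupdate; a "restart required" verdict is exactly the state in which the kinit above fails with "unable to get local issuer certificate". The mtime comparison is deliberately conservative: it also fires when the bundle was rewritten with unchanged content, which costs one harmless KDC restart rather than a missed CA.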
Metadata Update from @jrische: - Issue assigned to jrische
Metadata Update from @cheimes: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/6543
master:
ipa-4-10:
ipa-4-9:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2075452
Issue linked to bug 2075452
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2143224 (was: https://bugzilla.redhat.com/show_bug.cgi?id=2075452)
Issue linked to bug 2143224
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=2143224,https://bugzilla.redhat.com/show_bug.cgi?id=2075452 (was: https://bugzilla.redhat.com/show_bug.cgi?id=2143224)