Cloned from https://issues.redhat.com/browse/RHEL-39477
```
# ipa config-show
...
  Hidden IPA masters: ipaserver.example.test
```
When an IPA server is marked as a hidden replica, the "kdc.crt" certificate does not get renewed, due to an error that the server is not an active KDC.
```
# getcert list -f /var/kerberos/krb5kdc/kdc.crt
    status: MONITORING
    ca-error: Server at https://ipaserver.example.test/ipa/json denied our request, giving up: 2100 (Insufficient access: Host 'ipaserver.example.test' is not an active KDC).
    stuck: no
    key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.TEST
    subject: CN=ipaserver.example.test,O=EXAMPLE.TEST
    issued: 2022-05-24 01:36:17 UTC
    expires: 2024-05-24 01:36:17 UTC
    dns: ipaserver.example.test
    principal name: krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-pkinit-KPKdc
    profile: KDCs_PKINIT_Certs
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
    track: yes
    auto-renew: yes
```
As a workaround, if we manually disable and enable PKINIT with the commands below, "kdc.crt" gets renewed.
```
# ipa-pkinit-manage disable
The ipa-pkinit-manage command was successful
# ipa-pkinit-manage enable
Configuring Kerberos KDC (krb5kdc)
  [1/1]: installing X509 Certificate for PKINIT
Done configuring Kerberos KDC (krb5kdc).
The ipa-pkinit-manage command was successful
# getcert list -f /var/kerberos/krb5kdc/kdc.crt
Number of certificates and requests being tracked: 10.
Request ID '20240531070303':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.TEST
    subject: CN=ipaserver.example.test,O=EXAMPLE.TEST
    issued: 2024-05-31 12:33:06 IST
    expires: 2026-06-01 12:33:06 IST
    dns: ipaserver.example.test
    principal name: krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-pkinit-KPKdc
    profile: KDCs_PKINIT_Certs
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
    track: yes
    auto-renew: yes
```
As an IPA server can be promoted to or demoted from a hidden replica at any time, this may cause an issue if the replica server is later made active as part of the cluster.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/demoting-or-promoting-hidden-replicas_configuring-and-managing-idm
ipa-server-4.9.12-9.module+el8.9.0+20420+fef9eb45.x86_64
Always
Install the IPA server as a hidden replica, or promote it as per the link above. Wait for the kdc.crt to expire. Try renewing "kdc.crt" using the command below.
```
# getcert resubmit -f /var/kerberos/krb5kdc/kdc.crt
```
Even if the IPA server has been promoted to a hidden replica, the "kdc.crt" certificate should renew.
The "kdc.crt" certificate renewal fails with the error:
```
ca-error: Server at https://ipaserver.example.test/ipa/json denied our request, giving up: 2100 (Insufficient access: Host 'ipaserver.example.test' is not an active KDC).
```
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-39477, https://issues.redhat.com/browse/RHEL-4913
master:
ipa-4-12:
ipa-4-11:
ipa-4-9:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-39477, https://issues.redhat.com/browse/RHEL-4913, https://issues.redhat.com/browse/RHEL-45908 (was: https://issues.redhat.com/browse/RHEL-39477, https://issues.redhat.com/browse/RHEL-4913)
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-39477, https://issues.redhat.com/browse/RHEL-4913, https://issues.redhat.com/browse/RHEL-45908, https://issues.redhat.com/browse/RHEL-46607 (was: https://issues.redhat.com/browse/RHEL-39477, https://issues.redhat.com/browse/RHEL-4913, https://issues.redhat.com/browse/RHEL-45908)
Metadata Update from @rcritten: - Custom field changelog adjusted to The renewal of the PKINIT certificate on hidden replicas was failing because of a test ensuring that the KDC service is either enabled or configured. The test was extended to include hidden as well.
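The following is an added model of the authorization check described in the ticket body and in the changelog above; it is not FreeIPA's own code. It assumes that IPA records the state of each server role as `ipaConfigString` values (`enabledService`, `configuredService`, `hiddenService`) on the role's service entry under `cn=KDC,cn=<host>,cn=masters,cn=ipa,cn=etc,<basedn>`, that `ipa server-state --state=hidden` is what flips a master between `enabledService` and `hiddenService`, and that the cert request for `krbtgt/REALM` is gated on that entry. The directory contents, host names and the `request_kdc_cert` / `set_kdc_state` helpers are constructed for illustration. The example shows why a hidden replica got error 2100 before the fix and why widening the accepted states to include `hiddenService` resolves it without opening the request path to hosts that have no KDC role at all.

```python
from __future__ import annotations

# ipaConfigString values IPA uses for server role state (assumption, see lead-in).
ENABLED_SERVICE = "enabledService"
CONFIGURED_SERVICE = "configuredService"
HIDDEN_SERVICE = "hiddenService"

BASEDN = "dc=example,dc=test"


class ACIError(Exception):
    """Stand-in for the 'Insufficient access' (code 2100) error the IPA API returns."""


def kdc_service_dn(host: str) -> str:
    """DN of the host's KDC role entry in the cn=masters subtree (assumed layout)."""
    return f"cn=KDC,cn={host},cn=masters,cn=ipa,cn=etc,{BASEDN}"


# Constructed directory snapshot: one KDC role entry per master.
# A plain enrolled client has no entry here at all.
DIRECTORY: dict[str, dict[str, list[str]]] = {
    kdc_service_dn("active.example.test"): {"ipaConfigString": [ENABLED_SERVICE]},
    kdc_service_dn("ipaserver.example.test"): {"ipaConfigString": [HIDDEN_SERVICE]},
    kdc_service_dn("staging.example.test"): {"ipaConfigString": [CONFIGURED_SERVICE]},
}


def kdc_service_states(host: str) -> list[str]:
    """Return the ipaConfigString values of the host's KDC entry, or [] if none."""
    entry = DIRECTORY.get(kdc_service_dn(host))
    return list(entry["ipaConfigString"]) if entry else []


def set_kdc_state(host: str, state: str) -> None:
    """Model of `ipa server-state HOST --state=enabled|hidden` for the KDC role."""
    new_value = {"enabled": ENABLED_SERVICE, "hidden": HIDDEN_SERVICE}[state]
    entry = DIRECTORY[kdc_service_dn(host)]  # KeyError: host is not a master
    entry["ipaConfigString"] = [
        v for v in entry["ipaConfigString"] if v not in (ENABLED_SERVICE, HIDDEN_SERVICE)
    ] + [new_value]


# The check as the changelog describes it before the fix (enabled or configured only)
# and after it (hidden replicas are KDCs too).
STATES_BEFORE_FIX = frozenset({ENABLED_SERVICE, CONFIGURED_SERVICE})
STATES_AFTER_FIX = STATES_BEFORE_FIX | {HIDDEN_SERVICE}


def check_active_kdc(host: str, accepted_states: frozenset[str]) -> None:
    """Raise ACIError unless the requesting host's KDC entry is in an accepted state."""
    if not accepted_states.intersection(kdc_service_states(host)):
        raise ACIError(f"Insufficient access: Host '{host}' is not an active KDC")


def request_kdc_cert(host: str, accepted_states: frozenset[str]) -> str:
    """Simulate certmonger's krbtgt cert request; return 'issued' or the denial text."""
    try:
        check_active_kdc(host, accepted_states)
    except ACIError as e:
        return str(e)
    return "issued"


if __name__ == "__main__":
    hosts = ("active.example.test", "ipaserver.example.test",
             "staging.example.test", "client.example.test")
    for h in hosts:
        print(f"{h:24} before fix: {request_kdc_cert(h, STATES_BEFORE_FIX)}")
        print(f"{h:24} after fix:  {request_kdc_cert(h, STATES_AFTER_FIX)}")
    # Demote the active master to hidden: renewal now fails only with the old check.
    set_kdc_state("active.example.test", "hidden")
    print("demoted, before fix:", request_kdc_cert("active.example.test", STATES_BEFORE_FIX))
    print("demoted, after fix: ", request_kdc_cert("active.example.test", STATES_AFTER_FIX))
```

The workaround in the ticket (`ipa-pkinit-manage disable` then `enable`) sidesteps the check by reinstalling the certificate locally rather than going through the renewal request path, which is why it works but does not survive the next automatic renewal until the check itself accepts hidden replicas.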