On Wed, Oct 07, 2020 at 03:58:19AM -0000, Chuck Musser via FreeIPA-users wrote:
OK, got it. I did the kinit to do the update and was able to import
the cert and update the certs collection.

It took several attempts and the above advice to get the right procedure, but to recap,
the steps (near as I can tell) are:

1. Create a PKCS#12 certificate from the server certificate, private key and the chain
   containing the CA's cert. I used openssl's pkcs12 command for this.
2. Import the CA's cert with "ipa-cacert-manage".
3. Use ipa-server-certinstall to install the certificate bundle thing from step 1. This
   depends on step 2, because the CA must be trusted.
4. Use "kinit" to get a Kerberos ticket. The argument to this is "admin" in
   our case, because that's our administrative
5. Use "ipa-certupdate" to update the list of certificates and restart the
   services that need restarting.

Thanks for the help!
You are welcome, Chuck.
Hey Rob and Flo, a quick thought: ipa-certupdate needs root always,
so host keytab is available. Indeed, in
ipa_certupdate.run_with_args() it (re-)kinit's with host keytab.
Only API initialisation fails when running from CLI without latent,
non-expired credentials (in ipa_certupdate.CertUpdate.run()).
Can we bootstrap the API using the host keytab instead, and avoid
this error?
Cheers,
Fraser
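The five steps Chuck recaps above, collected into one script (an added example, not code from the thread or from the FreeIPA project; the file paths, the "ExternalCA" nickname, the PKCS#12 password handling and the DRY_RUN switch are assumptions):

```shell
#!/bin/sh
# Added example, not code from the thread: Chuck's five steps as one script.
# Placeholders (assumed): file paths, the "ExternalCA" nickname, the PKCS#12 password.
set -eu

# DRY_RUN=1 prints each command instead of running it, so the sequence can be
# reviewed (or tested) on a machine without the IPA tools.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: bundle server cert, private key and CA chain into one PKCS#12 file.
make_pkcs12() { # $1=server.crt $2=server.key $3=chain.pem $4=out.p12 $5=password
    run openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
        -out "$4" -passout "pass:$5"
}

# Step 2: make the external CA trusted by IPA before installing the server cert.
install_ca() { # $1=ca.pem $2=NSS nickname
    run ipa-cacert-manage install "$1" -n "$2" -t C,,
}

# Step 3: install the bundle for the HTTP (-w) and Directory Server (-d) instances.
install_server_cert() { # $1=bundle.p12 $2=password
    run ipa-server-certinstall -w -d "$1" --pin="$2"
}

# Steps 4 and 5: ipa-certupdate initialises the IPA API, which needs a valid
# ticket (Fraser's point above), so kinit as admin first; it also needs root.
refresh_certs() {
    run kinit admin
    run ipa-certupdate
}

install_external_cert() { # $1=server.crt $2=server.key $3=chain.pem $4=ca.pem $5=password
    [ "$(id -u)" -eq 0 ] || [ "${DRY_RUN:-0}" = "1" ] || {
        echo "ipa-certupdate and ipa-server-certinstall must run as root" >&2; return 1; }
    bundle=/root/server-bundle.p12
    make_pkcs12 "$1" "$2" "$3" "$bundle" "$5"
    install_ca "$4" ExternalCA
    install_server_cert "$bundle" "$5"
    refresh_certs
}

# Usage: DRY_RUN=1 sh install-ext-cert.sh --run server.crt server.key chain.pem ca.pem p12pass
if [ "${1:-}" = "--run" ]; then shift; install_external_cert "$@"; fi
```

Drop DRY_RUN=1 to actually run it, as root on the IPA server, once the dry-run output looks right.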