I have a cluster of 3 IPA servers. The primary server renewed the krb5kdc certificate last night but did not include the principal name when it renewed. Here is the tracking entry after the auto-renewal:

Number of certificates and requests being tracked: 9.
Request ID '20221028185012':
  status: MONITORING
  stuck: no
  key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
  certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
  CA: IPA
  issuer: CN=Certificate Authority,O=IPA.REDACTED
  subject: CN=ipa-primary.ipa.redacted,O=IPA.REDACTED
  issued: 2024-09-30 14:51:55 EDT
  expires: 2026-10-01 14:51:55 EDT
  dns: ipa-primary.ipa.redacted
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-pkinit-KPKdc
  profile: KDCs_PKINIT_Certs
  pre-save command:
  post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
  track: yes
  auto-renew: yes
After I manually renewed with getcert resubmit, it included the principal line:
[root@ipa-primary pki]# getcert list -i 20221028185012
Number of certificates and requests being tracked: 9.
Request ID '20221028185012':
  status: MONITORING
  stuck: no
  key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
  certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
  CA: IPA
  issuer: CN=Certificate Authority,O=IPA.REDACTED
  subject: CN=ipa-primary.ipa.REDACTED,O=IPA.REDACTED
  issued: 2024-10-01 13:26:06 EDT
  expires: 2026-10-02 13:26:06 EDT
  dns: ipa-primary.ipa.REDACTED
  principal name: krbtgt/IPA.REDACTED@IPA.REDACTED
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-pkinit-KPKdc
  profile: KDCs_PKINIT_Certs
  pre-save command:
  post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
  track: yes
  auto-renew: yes
Any idea how I can track down how or why this was missed, and how to prevent this from happening in the future?
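As an added example (not part of the original post, and not FreeIPA or certmonger code), here is a small audit script for the situation described above: it parses a `getcert list` listing for the KDCs_PKINIT_Certs request, reports whether the tracking request carries a `principal name:` line, checks that it is the expected `krbtgt/REALM@REALM`, and prints the `getcert resubmit -i ID -K PRINCIPAL` command that sets the principal name on the request (`-K` is getcert's principal-name option). The two embedded listings are constructed to mirror the before/after output in the post, with REDACTED kept as-is; the realm and request ID are taken from the post. Running the script with no arguments audits the embedded samples; `--live REQUEST_ID REALM` runs the same check against the real `getcert list -i` output on a server.

```shell
#!/bin/bash
# Added example: audit a certmonger tracking request for the KDC PKINIT cert.
# Sample listings below are constructed to mirror the post's output.
SAMPLE_BEFORE=$(cat <<'EOF'
Request ID '20221028185012':
  status: MONITORING
  subject: CN=ipa-primary.ipa.redacted,O=IPA.REDACTED
  expires: 2026-10-01 14:51:55 EDT
  dns: ipa-primary.ipa.redacted
  eku: id-kp-serverAuth,id-pkinit-KPKdc
  profile: KDCs_PKINIT_Certs
  post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
EOF
)
SAMPLE_AFTER=$(cat <<'EOF'
Request ID '20221028185012':
  status: MONITORING
  subject: CN=ipa-primary.ipa.REDACTED,O=IPA.REDACTED
  expires: 2026-10-02 13:26:06 EDT
  dns: ipa-primary.ipa.REDACTED
  principal name: krbtgt/IPA.REDACTED@IPA.REDACTED
  eku: id-kp-serverAuth,id-pkinit-KPKdc
  profile: KDCs_PKINIT_Certs
  post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
EOF
)

# Field extractors: each reads a getcert listing on stdin, prints the value
# (or nothing when the field is absent). Field names are certmonger's own.
listing_request_id() { sed -n "s/^Request ID '\(.*\)':\$/\1/p" | head -n 1; }
listing_profile()    { sed -n 's/^[[:space:]]*profile: //p' | head -n 1; }
listing_principal()  { sed -n 's/^[[:space:]]*principal name: //p' | head -n 1; }

# The KDC's PKINIT certificate carries the TGS principal of its realm.
expected_kdc_principal() { printf 'krbtgt/%s@%s\n' "$1" "$1"; }

# Audit one listing (stdin) for realm $1.
# Exit 0: principal present and correct; 1: principal missing;
# 2: principal present but not krbtgt/REALM@REALM; 3: not a KDCs_PKINIT_Certs request.
audit_kdc_listing() {
    listing=$(cat)
    profile=$(printf '%s\n' "$listing" | listing_profile)
    principal=$(printf '%s\n' "$listing" | listing_principal)
    want=$(expected_kdc_principal "$1")
    [ "$profile" = "KDCs_PKINIT_Certs" ] || return 3
    [ -n "$principal" ] || return 1
    [ "$principal" = "$want" ] || return 2
    return 0
}

# Command that re-requests the certificate with the principal name set on the
# tracking request: $1 = request ID, $2 = realm.
repair_command() {
    printf "getcert resubmit -i '%s' -K '%s'\n" "$1" "$(expected_kdc_principal "$2")"
}

# Human-readable verdict for a listing on stdin: $1 = label, $2 = realm.
report() {
    listing=$(cat)
    id=$(printf '%s\n' "$listing" | listing_request_id)
    rc=0
    printf '%s\n' "$listing" | audit_kdc_listing "$2" || rc=$?
    case $rc in
        0) printf '%s: OK, tracking request has principal %s\n' "$1" "$(expected_kdc_principal "$2")" ;;
        1) printf '%s: FAIL, no principal name on request %s; fix with: %s\n' "$1" "$id" "$(repair_command "$id" "$2")" ;;
        2) printf '%s: FAIL, principal on request %s is not %s\n' "$1" "$id" "$(expected_kdc_principal "$2")" ;;
        *) printf '%s: SKIP, request %s is not a KDCs_PKINIT_Certs request\n' "$1" "$id" ;;
    esac
}

if [ "${1:-}" = "--live" ]; then
    # Usage: script.sh --live REQUEST_ID REALM   (runs getcert on this host)
    getcert list -i "$2" | report "request $2" "$3"
else
    printf '%s\n' "$SAMPLE_BEFORE" | report "before auto-renew" IPA.REDACTED
    printf '%s\n' "$SAMPLE_AFTER"  | report "after resubmit"   IPA.REDACTED
fi
```

Run from cron or a monitoring check on every replica with `--live`, since each IPA server tracks its own KDC certificate; a non-zero exit from `audit_kdc_listing` is the signal that the next auto-renewal would again produce a certificate without the PKINIT principal.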