Hi,
I’m using Fedora32, Freeipa IPA server version 4.8.10. API version 2.239, installed a commercial certificate.
We are now one month before certificate end date. We want to install a new one. We first to installed it on a replica to test things. All ran perfectly by using “ipa-cacert-manage install” and “ipa-certupdate”. We now want to deploy it on the Master server, same process but “ipa-certupdate” is failing with the following error, if somebody can help:
[root@freeipa0 ipa]# ipa-certupdate -v
ipapython.admintool: DEBUG: Not logging to a file
ipalib.sysrestore: DEBUG: Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
ipalib.sysrestore: DEBUG: Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
ipalib.sysrestore: DEBUG: Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
ipalib.plugable: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$d6982be6...
ipalib.plugable: DEBUG: importing plugin module ipaclient.remote_plugins.schema$d6982be6.plugins
ipalib.plugable: DEBUG: importing all plugin modules in ipaclient.plugins...
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.automember
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.automount
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.ca
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.cert
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.certmap
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.certprofile
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.csrgen
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.dns
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.hbacrule
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.hbactest
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.host
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.idrange
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.internal
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.location
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.migration
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.misc
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.otptoken
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.passwd
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.permission
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.rpcclient
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.server
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.service
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.sudorule
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.topology
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.trust
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.user
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.vault
ipalib.rpc: DEBUG: found session_cookie in persistent storage for principal 'admin@company.COM', cookie: 'ipa_session=MagBearerToken=qGa3prLM%2fkrxJmnuQmv069cA6LKHBCQJ3Lv26Y26J0r8Cp4jwQl5dQeN4PUgLwQeN%2fqVxz2zXYuczF0s94jfp6gD6CE7uYwW8bkLLE31UjxdvQ2%2fI0AXBon8dDQP63BU85UJqz4DNsH%2bNCH6LZv33zftdxJ%2b71NvW08CVClrTUaWBqTUnFbNuW5tV9A4o2FjiC4fpwVpjflcfMoK5FI6mg%3d%3d'
ipalib.rpc: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=qGa3prLM%2fkrxJmnuQmv069cA6LKHBCQJ3Lv26Y26J0r8Cp4jwQl5dQeN4PUgLwQeN%2fqVxz2zXYuczF0s94jfp6gD6CE7uYwW8bkLLE31UjxdvQ2%2fI0AXBon8dDQP63BU85UJqz4DNsH%2bNCH6LZv33zftdxJ%2b71NvW08CVClrTUaWBqTUnFbNuW5tV9A4o2FjiC4fpwVpjflcfMoK5FI6mg%3d%3d;'
ipalib.rpc: DEBUG: trying https://freeipa0.company.com/ipa/session/json
ipalib.rpc: DEBUG: New HTTP connection (freeipa0.company.com)
ipalib.backend: DEBUG: Created connection context.rpcclient_140631450315696
ipalib.install.kinit: DEBUG: Initializing principal host/freeipa0.company.com@company.COM using keytab /etc/krb5.keytab
ipalib.install.kinit: DEBUG: using ccache /tmp/tmp-tlqq3j1m/ccache
ipapython.admintool: DEBUG: File "/usr/lib/python3.8/site-packages/ipapython/admintool.py", line 180, in execute
return_value = self.run()
File "/usr/lib/python3.8/site-packages/ipaclient/install/ipa_certupdate.py", line 61, in run
run_with_args(api)
File "/usr/lib/python3.8/site-packages/ipaclient/install/ipa_certupdate.py", line 103, in run_with_args
del os.environ['KRB5CCNAME']
File "/usr/lib64/python3.8/os.py", line 691, in __delitem__
raise KeyError(key) from None
ipapython.admintool: DEBUG: The ipa-certupdate command failed, exception: KeyError: 'KRB5CCNAME'
ipapython.admintool: ERROR: 'KRB5CCNAME'
ipapython.admintool: ERROR: The ipa-certupdate command failed.