FreeIPA new commercial certificate install problem

Hi,
I’m using Fedora 32 with FreeIPA (IPA server version 4.8.10, API version 2.239) and have installed a commercial certificate.
We are now one month before the certificate end date and want to install a new one. We first installed it on a replica to test things. All ran perfectly using “ipa-cacert-manage install” and “ipa-certupdate”. We now want to deploy it on the master server using the same process, but “ipa-certupdate” is failing with the following error, if somebody can help:

[root@freeipa0 ipa]# ipa-certupdate -v
ipapython.admintool: DEBUG: Not logging to a file
ipalib.sysrestore: DEBUG: Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
ipalib.sysrestore: DEBUG: Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
ipalib.sysrestore: DEBUG: Loading StateFile from '/var/lib/ipa-client/sysrestore/sysrestore.state'
ipalib.plugable: DEBUG: importing all plugin modules in ipaclient.remote_plugins.schema$d6982be6...
ipalib.plugable: DEBUG: importing plugin module ipaclient.remote_plugins.schema$d6982be6.plugins
ipalib.plugable: DEBUG: importing all plugin modules in ipaclient.plugins...
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.automember
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.automount
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.ca
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.cert
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.certmap
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.certprofile
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.csrgen
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.dns
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.hbacrule
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.hbactest
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.host
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.idrange
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.internal
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.location
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.migration
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.misc
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.otptoken
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.otptoken_yubikey
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.passwd
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.permission
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.rpcclient
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.server
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.service
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.sudorule
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.topology
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.trust
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.user
ipalib.plugable: DEBUG: importing plugin module ipaclient.plugins.vault
ipalib.rpc: DEBUG: found session_cookie in persistent storage for principal 'admin@company.COM', cookie: 'ipa_session=MagBearerToken=qGa3prLM%2fkrxJmnuQmv069cA6LKHBCQJ3Lv26Y26J0r8Cp4jwQl5dQeN4PUgLwQeN%2fqVxz2zXYuczF0s94jfp6gD6CE7uYwW8bkLLE31UjxdvQ2%2fI0AXBon8dDQP63BU85UJqz4DNsH%2bNCH6LZv33zftdxJ%2b71NvW08CVClrTUaWBqTUnFbNuW5tV9A4o2FjiC4fpwVpjflcfMoK5FI6mg%3d%3d'
ipalib.rpc: DEBUG: setting session_cookie into context 'ipa_session=MagBearerToken=qGa3prLM%2fkrxJmnuQmv069cA6LKHBCQJ3Lv26Y26J0r8Cp4jwQl5dQeN4PUgLwQeN%2fqVxz2zXYuczF0s94jfp6gD6CE7uYwW8bkLLE31UjxdvQ2%2fI0AXBon8dDQP63BU85UJqz4DNsH%2bNCH6LZv33zftdxJ%2b71NvW08CVClrTUaWBqTUnFbNuW5tV9A4o2FjiC4fpwVpjflcfMoK5FI6mg%3d%3d;'
ipalib.rpc: DEBUG: trying https://freeipa0.company.com/ipa/session/json
ipalib.rpc: DEBUG: New HTTP connection (freeipa0.company.com)
ipalib.backend: DEBUG: Created connection context.rpcclient_140631450315696
ipalib.install.kinit: DEBUG: Initializing principal host/freeipa0.company.com@company.COM using keytab /etc/krb5.keytab
ipalib.install.kinit: DEBUG: using ccache /tmp/tmp-tlqq3j1m/ccache
ipapython.admintool: DEBUG:   File "/usr/lib/python3.8/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.8/site-packages/ipaclient/install/ipa_certupdate.py", line 61, in run
    run_with_args(api)
  File "/usr/lib/python3.8/site-packages/ipaclient/install/ipa_certupdate.py", line 103, in run_with_args
    del os.environ['KRB5CCNAME']
  File "/usr/lib64/python3.8/os.py", line 691, in __delitem__
    raise KeyError(key) from None

ipapython.admintool: DEBUG: The ipa-certupdate command failed, exception: KeyError: 'KRB5CCNAME'
ipapython.admintool: ERROR: 'KRB5CCNAME'
ipapython.admintool: ERROR: The ipa-certupdate command failed.

Since you are using a commercial license for the FreeIPA server, it would make sense to contact the vendor you obtained the license (certificate) from for assistance. Anyone else would just be guessing unless they also used the same environment.

From what is posted, the only thing I can guess at is that possibly some Python package or module is missing that was present on the test server. Or the fact that the key used is surrounded by literal single quotes may be the error. Possibly the quotes should not be there.

2 Likes
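An added example, not part of the thread and not FreeIPA's code: the traceback in the question ends at `del os.environ['KRB5CCNAME']`, which raises `KeyError` whenever the variable is no longer set at that point. The sketch below reproduces that failure and shows a restore pattern that tolerates it; the ccache path and `nested_cleanup` (a stand-in for any callee that clears the variable) are constructed assumptions.

```python
import os
from contextlib import contextmanager

VAR = "KRB5CCNAME"  # variable named in the traceback


def fragile_restore(ccache_path, body):
    """Same shape as the failing line: unconditional `del` after the work."""
    os.environ[VAR] = ccache_path
    body()
    del os.environ[VAR]  # KeyError if body() already removed the variable


@contextmanager
def temporary_ccache(ccache_path):
    """Point VAR at a private ccache, then put the caller's value back."""
    previous = os.environ.get(VAR)
    os.environ[VAR] = ccache_path
    try:
        yield
    finally:
        if previous is None:
            os.environ.pop(VAR, None)  # no error when already absent
        else:
            os.environ[VAR] = previous


def nested_cleanup():
    """Hypothetical callee that clears the variable itself (assumption)."""
    os.environ.pop(VAR, None)


def demo():
    os.environ.pop(VAR, None)  # start with the variable unset
    try:
        fragile_restore("/tmp/constructed/ccache", nested_cleanup)
        fragile = "ok"
    except KeyError as exc:
        # str(KeyError) is the repr of the key, quotes included,
        # which is the form shown on the log's ERROR line.
        fragile = "KeyError: %s" % exc
    with temporary_ccache("/tmp/constructed/ccache"):
        nested_cleanup()
    return fragile, os.environ.get(VAR)


if __name__ == "__main__":
    print(demo())
```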