[Freeipa-devel] [PATCHES 0001-0013 v5.1] Profiles and CA ACLs

Martin Kosek mkosek at redhat.com
Tue Jun 2 16:54:57 UTC 2015


On 06/02/2015 06:37 PM, Martin Basti wrote:
> On 02/06/15 14:11, Fraser Tweedale wrote:
>> On Mon, Jun 01, 2015 at 05:22:28PM +1000, Fraser Tweedale wrote:
...
> 4)
> * Maybe I do everything wrong :)
>
> I'm not able to create a certificate stored in FILE via an ipa-getcert request.
> I'm getting error:
> status: CA_UNREACHABLE
>      ca-error: Server at https://vm-137.example.com/ipa/xml failed request,
> will retry: 4001 (RPC failed at server. vm-137.example.com at example.com: host
> not found).
>
> or error:
> Request ID '20150602154115':
>      status: CA_REJECTED
>      ca-error: Server at https://vm-137.example.com/ipa/xml denied our request,
> giving up: 2100 (RPC failed at server.  Insufficient access: not allowed to
> perform this command).
> (I'm root and kinited as admin)
>
> Maybe an additional ACI is required for cert_request, as it is a VirtualCommand

Note that even if you run ipa-getcert kinited as root/admin, it asks certmonger
to do that job, and certmonger works as the host/... principal.



