[Freeipa-users] Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute

Rob Crittenden rcritten at redhat.com
Mon Jan 9 14:52:02 UTC 2012


Ivan Ferreira wrote:
> Hi everybody. I’m testing ipa-server 2.1.3. I’m trying to create a
> Certificate for vsftpd.
>
> I can successfully create the certificate with the following command:
>
> # ipa cert-request --add --principal=FTP/ftp.linux.com.py ftp.csr
>
> But I want to create certificates with subjectAltName DNS extensions,
> and it seems that it is not possible through an OpenSSL CSR and dogtag.
>
> So I deleted the service entry, then I created again using:
>
> # ipa service-add FTP/ftp.linux.com.py
>
> Then, I try to create the certificate using the following command:
>
> # ipa-getcert request -k /etc/vsftpd/private/ftp.key -f
> /etc/vsftpd/certs/ftp.crt -N "cn=ftp.linux.com.py" -D
> "cn=le-303.linux.com.py" -D "cn=ftp" -D "cn=le-303" -K FTP/ftp.linux.com.py
>
> But I have the following error:
>
> Request ID '20120108062420':
>
> status: CA_REJECTED
>
> ca-error: Server denied our request, giving up: 2100 (RPC failed at
> server. Insufficient access: Insufficient 'write' privilege to the
> 'userCertificate' attribute of entry
> 'krbprincipalname=ftp/ftp.linux.com.py at linux.com.py,cn=services,cn=accounts,dc=linux,dc=com,dc=py'.).
>
> stuck: yes
>
> key pair storage: type=FILE,location='/etc/vsftpd/private/ftp.key'
>
> certificate: type=FILE,location='/etc/vsftpd/certs/ftp.crt'
>
> CA: IPA
>
> issuer:
>
> subject:
>
> expires: unknown
>
> track: yes
>
> auto-renew: yes
>
> It looks like there is a problem with an ACI, or admin principal is not
> having enough privileges.
>
> Could anyone give me some hints?

ipa-getcert executes using the host principal of the machine it is 
running on. If you really want this machine to do the request you can 
add it as a manager to the service:

# ipa service-add-host --hosts=<host_you_are_on> FTP/ftp.linux.com.py
# ipa-getcert resubmit -i 20120108062420

If you don't want certmonger tracking this forever you can tell it to 
stop once the cert is generated with:

# ipa-getcert stop-tracking -i 20120108062420

rob
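A small troubleshooting helper for the failure mode in this thread, added here as an example and not part of Rob's reply or of FreeIPA's own code: it scans `ipa-getcert list` output for requests that are stuck on exactly this userCertificate ACI rejection, extracts the service principal from the rejected entry DN, and prints the service-add-host / resubmit commands from the reply. The list output below is a constructed sample built from the error in the thread (with the archive's "at" restored to "@"), and the host name passed to `remediation_for` is an assumption.

```shell
#!/bin/sh
# Constructed sample of `ipa-getcert list` output: the stuck request from the
# thread plus a healthy MONITORING request as a control.
SAMPLE_LIST="Request ID '20120108062420':
    status: CA_REJECTED
    ca-error: Server denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'krbprincipalname=ftp/ftp.linux.com.py@linux.com.py,cn=services,cn=accounts,dc=linux,dc=com,dc=py'.).
    stuck: yes
    CA: IPA
Request ID '20120101000000':
    status: MONITORING
    stuck: no
    CA: IPA
"

# Read getcert list output on stdin; print "<request-id> <service principal>"
# for each request that is stuck because the requesting host principal is not
# allowed to write userCertificate on the service entry.
aci_stuck_requests() {
    awk '
        function flush() {
            if (id != "" && stuck && princ != "") print id, princ
            id = ""; princ = ""; stuck = 0
        }
        /^Request ID/ { flush(); id = $3; gsub(/[^0-9A-Za-z_-]/, "", id) }
        /ca-error:.*Insufficient .write. privilege to the .userCertificate./ {
            # DN component looks like krbprincipalname=<principal>@<realm>,cn=...
            if (match($0, /krbprincipalname=[^,]+/))
                princ = substr($0, RSTART + 17, RLENGTH - 17)
        }
        /stuck: yes/ { stuck = 1 }
        END { flush() }
    '
}

# Emit the fix from the reply: make this host a manager of the service, then
# ask certmonger to resubmit the tracked request.
# $1 = request id, $2 = principal (realm optional), $3 = this host's FQDN
remediation_for() {
    printf 'ipa service-add-host --hosts=%s %s\nipa-getcert resubmit -i %s\n' \
        "$3" "${2%@*}" "$1"
}

# Usage: pipe real output in with `ipa-getcert list | aci_stuck_requests`
printf '%s' "$SAMPLE_LIST" | aci_stuck_requests | while read -r id princ; do
    remediation_for "$id" "$princ" "$(hostname -f 2>/dev/null || hostname)"
done
```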
