[Freeipa-users] ipa-getcert request problem
Natxo Asenjo
natxo.asenjo at gmail.com
Mon Sep 15 13:31:58 UTC 2014
hi,
Centos 6.5.
I want to create a certificate request for our mysql servers. I came up
with this command line:
$ sudo /usr/bin/ipa-getcert request -r \
    -f /etc/pki/tls/certs/`hostname --fqdn`-mysql.crt \
    -k /etc/pki/tls/private/`hostname --fqdn`-mysql.key \
    -D `dnsdomainname` -U id-kp-serverAuth -K mysql/`hostname --fqdn`
New signing request "20140915132335" added.
But it gets rejected:
Request ID '20140915132335':
    status: CA_REJECTED
    ca-error: Server denied our request, giving up: 2100 (RPC failed at server. Insufficient access: You need to be a member of the serviceadmin role to add services).
    stuck: yes
    key pair storage: type=FILE,location='/etc/pki/tls/private/hostname-mysql.key'
    certificate: type=FILE,location='/etc/pki/tls/certs/hostname-mysql.crt'
    CA: IPA
    issuer:
    subject:
    expires: unknown
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
I think I have the serviceadmin role:
$ ipa role-show "it specialist"
Role name: IT Specialist
Description: IT Specialist
Member groups: admins
Privileges: Host Administrators, Host Group Administrators, Service
Administrators, Automount Administrators
The account is a member of group admins.
What am I doing wrong?
Thanks!
--
Groeten,
natxo