[Freeipa-users] ipa-getcert request problem

Rob Crittenden rcritten at redhat.com
Mon Sep 15 15:03:33 UTC 2014


Natxo Asenjo wrote:
>
> hi,
>
> Centos 6.5.
>
> I want to create a certificate request for our mysql servers. I came up
> with this command line:
>
> $ sudo /usr/bin/ipa-getcert request -r \
>     -f /etc/pki/tls/certs/`hostname --fqdn`-mysql.crt \
>     -k /etc/pki/tls/private/`hostname --fqdn`-mysql.key \
>     -D `dnsdomainname` -U id-kp-serverAuth -K mysql/`hostname --fqdn`
> New signing request "20140915132335" added.
>
> But it gets rejected:
>
> Request ID '20140915132335':
>          status: CA_REJECTED
>          ca-error: Server denied our request, giving up: 2100 (RPC
> failed at server.  Insufficient access: You need to be a member of the
> serviceadmin role to add services).
>          stuck: yes
>          key pair storage:
> type=FILE,location='/etc/pki/tls/private/hostname-mysql.key'
>          certificate:
> type=FILE,location='/etc/pki/tls/certs/hostname-mysql.crt'
>          CA: IPA
>          issuer:
>          subject:
>          expires: unknown
>          pre-save command:
>          post-save command:
>          track: yes
>          auto-renew: yes
>
> I think I have the serviceadmin role:
>
> $ ipa role-show "it specialist"
>    Role name: IT Specialist
>    Description: IT Specialist
>    Member groups: admins
>    Privileges: Host Administrators, Host Group Administrators, Service
>                Administrators, Automount Administrators
>
> The account is member of group admins.
>
> What am I doing wrong?

ipa-getcert runs using the host credentials, not the current user's. A 
host cannot add services, even its own. So you need to pre-create the 
mysql service, then run getcert resubmit -i 20140915132335, and IPA should 
issue the cert.

rob
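The fix described above as a small script, added here as an example rather than code from the thread or from FreeIPA: it reads the certmonger request status, recognises the "serviceadmin role" rejection, pre-creates the service principal with ipa service-add (which needs an admin Kerberos ticket, e.g. from kinit admin, since the host keytab cannot do it), and resubmits the same request ID. The host name db1.example.com, the script name, and the sample getcert output embedded for offline checking are assumptions; the sample is constructed from the output quoted in the question.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: after a request from
# ipa-getcert comes back CA_REJECTED because the host may not add services,
# pre-create the service principal as an admin, then resubmit the request.
# Host name db1.example.com and the "admin" user are assumptions.
set -eu

# Print one field (e.g. "status" or "ca-error") from `getcert list -i ID` output read on stdin.
getcert_field() {
    sed -n "s/^[[:space:]]*$1: *//p" | head -n 1
}

# Build the Kerberos service principal the request was made with (-K service/fqdn).
# IPA appends the realm itself, so "mysql/db1.example.com" is enough for ipa service-add.
service_principal() {
    printf '%s/%s\n' "$1" "$2"
}

# Return 0 when the getcert output on stdin shows the rejection from the thread:
# status CA_REJECTED with the "serviceadmin role" access error from the IPA server.
needs_service_precreate() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | getcert_field status)
    err=$(printf '%s\n' "$out" | getcert_field ca-error)
    if [ "$status" = CA_REJECTED ]; then
        case $err in *"serviceadmin role"*) return 0 ;; esac
    fi
    return 1
}

# Remedy: the host keytab that certmonger uses cannot add services, so an admin
# creates the service first, then certmonger resubmits the same request ID.
# usage: fix_request REQUEST_ID SERVICE FQDN   (needs an admin ticket: kinit admin)
fix_request() {
    id=$1 svc=$2 fqdn=$3
    if getcert list -i "$id" | needs_service_precreate; then
        ipa service-add "$(service_principal "$svc" "$fqdn")"
        getcert resubmit -i "$id"
        sleep 5
        getcert list -i "$id" | getcert_field status   # expect MONITORING once issued
    fi
}

# Constructed sample of the rejected request as printed in the thread, for offline checking.
SAMPLE_REJECTED=$(cat <<'EOF'
Request ID '20140915132335':
        status: CA_REJECTED
        ca-error: Server denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: You need to be a member of the serviceadmin role to add services).
        stuck: yes
        CA: IPA
EOF
)

# Constructed sample of a request that was issued and is now being tracked.
SAMPLE_MONITORING=$(cat <<'EOF'
Request ID '20140915132335':
        status: MONITORING
        stuck: no
        CA: IPA
EOF
)

# Run the real fix only when invoked with arguments, e.g.:
#   ./fix-getcert.sh 20140915132335 mysql "$(hostname --fqdn)"
if [ $# -eq 3 ]; then
    fix_request "$1" "$2" "$3"
fi
```

The script only touches IPA when given a request ID, service name and FQDN; without arguments it just defines the helpers, so the parsing can be exercised against the embedded sample output. Once the service exists, the resubmitted request should leave CA_REJECTED and settle in MONITORING, at which point the key and certificate land in the FILE locations named in the original request.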
