[Freeipa-users] ipa-getcert request problem

Martin Kosek mkosek at redhat.com
Tue Sep 16 06:23:15 UTC 2014


On 09/15/2014 05:01 PM, Martin Kosek wrote:
> On 09/15/2014 03:31 PM, Natxo Asenjo wrote:
>> hi,
>>
>> Centos 6.5.
>>
>> I want to create a certificate request for our mysql servers. I came up
>> with this command line:
>>
>> $ sudo /usr/bin/ipa-getcert request -r -f /etc/pki/tls/certs/`hostname
>> --fqdn`-mysql.crt -k /etc/pki/tls/private/`hostname --fqdn`-mysql.key -D
>> `dnsdomainname` -U id-kp-serverAuth -K mysql/`hostname --fqdn`
>> New signing request "20140915132335" added.
>>
>> But it gets rejected:
>>
>> Request ID '20140915132335':
>>         status: CA_REJECTED
>>         ca-error: Server denied our request, giving up: 2100 (RPC failed at
>> server.  Insufficient access: You need to be a member of the serviceadmin
>> role to add services).
>>         stuck: yes
>>         key pair storage:
>> type=FILE,location='/etc/pki/tls/private/hostname-mysql.key'
>>         certificate:
>> type=FILE,location='/etc/pki/tls/certs/hostname-mysql.crt'
>>         CA: IPA
>>         issuer:
>>         subject:
>>         expires: unknown
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>>
>> I think I have the serviceadmin role:
>>
>> $ ipa role-show "it specialist"
>>   Role name: IT Specialist
>>   Description: IT Specialist
>>   Member groups: admins
>>   Privileges: Host Administrators, Host Group Administrators, Service
>>               Administrators, Automount Administrators
>>
>> The account is member of group admins.
>>
>> What am I doing wrong?
>>
>> Thanks!
>> --
>> Groeten,
>> natxo
>>
>>
>>
> 
> It seems you hit the same issue as Michael. See my response:
> https://www.redhat.com/archives/freeipa-users/2014-September/msg00256.html
> 
> You will need to
> 
> 1) Create host `domainname`
> 2) Create services
> * mysql/`hostname`
> * mysql/`domainname`
> 3) Run ipa service-add-host mysql/`domainname` --host mysql/`hostname`
> 4) Resubmit certificate
> 
> It looks like we need to do better in documentation & error message...

FYI - I filed https://fedorahosted.org/freeipa/ticket/4540 to improve the message.

> Oh and
> BTW, this only works with FreeIPA 4.0+, details in ticket
> https://fedorahosted.org/freeipa/ticket/3977.
> 
> Martin
> 
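The four steps in the reply above, written out as the FreeIPA CLI calls they correspond to. This is an added example and not part of the thread or of FreeIPA itself: it assumes the `ipa` and `ipa-getcert` commands of FreeIPA 4.0+ (the version the reply says is required), a Kerberos ticket for a user holding the Host Administrators and Service Administrators privileges, and that the requesting host already has its own host entry and keytab. The `--force` flags (skip the DNS check, since a bare domain name usually has no host record) and the `--hosts=` form of `service-add-host` are my reading of the CLI, and `db1.example.test` / `example.test` are constructed placeholder names.

```shell
#!/bin/sh
# Added example: turn the reply's four steps into ipa / ipa-getcert calls.
# Set DRY_RUN=1 to only print the commands instead of executing them.

# Print a command, then execute it unless DRY_RUN is set.
run() {
    printf '+ %s\n' "$*"
    [ -n "$DRY_RUN" ] || "$@"
}

# san_service_cert SERVICE FQDN DOMAIN REQUEST_ID
#   1) create a host entry for the bare domain name used in the SAN (-D)
#   2) create the services for the real host and for the domain name
#   3) let the real host manage the domain-name service
#   4) resubmit the certmonger request and show its status
# The chain stops at the first command that fails.
san_service_cert() {
    svc=$1 fqdn=$2 domain=$3 req_id=$4
    run ipa host-add "$domain" --force &&
    run ipa service-add "$svc/$fqdn" --force &&
    run ipa service-add "$svc/$domain" --force &&
    run ipa service-add-host "$svc/$domain" --hosts="$fqdn" &&
    run ipa-getcert resubmit -i "$req_id" &&
    run ipa-getcert list -i "$req_id"
}

# Usage: DRY_RUN=1 sh san-cert.sh mysql "$(hostname --fqdn)" "$(dnsdomainname)" 20140915132335
if [ $# -eq 4 ]; then
    san_service_cert "$@"
fi
```

Run it once with `DRY_RUN=1` to review the exact principals and hostnames it will create before letting it touch the directory; the request ID is the one `ipa-getcert list` shows for the stuck request.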