[Freeipa-users] ipa-getcert request problem
Martin Kosek
mkosek at redhat.com
Tue Sep 16 06:23:15 UTC 2014
On 09/15/2014 05:01 PM, Martin Kosek wrote:
> On 09/15/2014 03:31 PM, Natxo Asenjo wrote:
>> hi,
>>
>> Centos 6.5.
>>
>> I want to create a certificate request for our mysql servers. I came up
>> with this command line:
>>
>> $ sudo /usr/bin/ipa-getcert request -r -f /etc/pki/tls/certs/`hostname
>> --fqdn`-mysql.crt -k /etc/pki/tls/private/`hostname --fqdn`-mysql.key -D
>> `dnsdomainname` -U id-kp-serverAuth -K mysql/`hostname --fqdn`
>> New signing request "20140915132335" added.
>>
>> But it gets rejected:
>>
>> Request ID '20140915132335':
>> status: CA_REJECTED
>> ca-error: Server denied our request, giving up: 2100 (RPC failed at
>> server. Insufficient access: You need to be a member of the serviceadmin
>> role to add services).
>> stuck: yes
>> key pair storage:
>> type=FILE,location='/etc/pki/tls/private/hostname-mysql.key'
>> certificate:
>> type=FILE,location='/etc/pki/tls/certs/hostname-mysql.crt'
>> CA: IPA
>> issuer:
>> subject:
>> expires: unknown
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>>
>> I think I have the serviceadmin role:
>>
>> $ ipa role-show "it specialist"
>> Role name: IT Specialist
>> Description: IT Specialist
>> Member groups: admins
>> Privileges: Host Administrators, Host Group Administrators, Service
>> Administrators, Automount Administrators
>>
>> The account is member of group admins.
>>
>> What am I doing wrong?
>>
>> Thanks!
>> --
>> Groeten,
>> natxo
>>
>>
>>
>
> It seems you hit the same issue as Michael. See my response:
> https://www.redhat.com/archives/freeipa-users/2014-September/msg00256.html
>
> You will need to
>
> 1) Create host `domainname`
> 2) Create services
> * mysql/`hostname`
> * mysql/`domainname`
> 3) Run ipa service-add-host mysql/`domainname` --host mysql/`hostname`
> 4) Resubmit certificate
>
> It looks like we need to do better in documentation&error message...
FYI - I filed https://fedorahosted.org/freeipa/ticket/4540 to improve the message.
> Oh and
> BTW, this only works with FreeIPA 4.0+, details in ticket
> https://fedorahosted.org/freeipa/ticket/3977.
>
> Martin
>
More information about the Freeipa-users
mailing list