[Freeipa-users] ipa-getcert Problem ?

Nalin Dahyabhai nalin at redhat.com
Tue Apr 14 18:29:58 UTC 2015


On Tue, Apr 14, 2015 at 08:18:38PM +0200, Günther J. Niederwimmer wrote:
> Hello
> 
> I mean I have a problem with the ipa-getcert script.
> 
> system CentOS 7 (1503) and IPA 4.1.x
> 
> can anyone help or explain my mistake, or is this an IPA problem?
> 
> I do a
> 
> kinit admin
> 
> ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K HOST/xxx.4gjn.prv -N 
> 'CN=xxx.4gjn.prv,O=$4GJN.PRV'
> 
> and afterwards have, with
> ipa-getcert list
> 
> Number of certificates and requests being tracked: 1.
> Request ID '20150414172251':
>         status: CA_REJECTED
>         ca-error: Server at https://ipa.4gjn.prv/ipa/xml denied our request, 
> giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'add' 
> privilege to add the entry 
> 'krbprincipalname=HOST/xxx.4gjn.prv at 4GJN.PRV,cn=services,cn=accounts,dc=4gjn,dc=prv'.).
>         stuck: yes
>         key pair storage: 
> type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS 
> Certificate DB'
>         certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-
> Cert'
>         CA: IPA
>         issuer: 
>         subject: 
>         expires: unknown
>         pre-save command: 
>         post-save command: 
>         track: yes
>         auto-renew: yes

The server rejected the request because no service with the Kerberos
principal name in the request exists yet.

The "host" service is the one that's automatically created, and because
Kerberos principal names are case sensitive, "HOST" is seen as being
different from "host".  The certmonger service uses the local host's
credentials in /etc/krb5.keytab to authenticate when it sends the
request to the CA (so you could skip the kinit step above), and the host
doesn't have the necessary privileges to create a new service, and
that's why that particular error message is coming back from the server.

> ipa-getcert status
> process 4731: arguments to dbus_message_new_method_call() were incorrect, 
> assertion "path != NULL" failed in file dbus-message.c line 1262.
> This is normally a bug in some application using the D-Bus library.
>   D-Bus not built with -rdynamic so unable to print a backtrace
> Abgebrochen (Speicherabzug geschrieben)

That's a bug in ipa-getcert.  It should be producing an error message,
suggesting that you'd need to specify additional options to indicate
which request you wanted to check the status on, like so:
  getcert status -i 20150414172251
  getcert status -d /etc/pki/nssdb -n Server-Cert

I suggest 'ipa-getcert resubmit -i 20150414172251 -K host/xxx.4gjn.prv'
(note the lower case) to change the parameters in the certificate
request, which should be enough to satisfy the server's requirements.

HTH,

Nalin
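A pre-flight check for the case-sensitivity issue above, added here as an example and not part of the thread: it compares the principal you would pass to `ipa-getcert -K` against the principals in the host keytab (a constructed sample of `klist -k` output, not real data) using an exact match first and a case-insensitive match second, so "HOST/..." is flagged as a case mismatch rather than failing at the CA.

```shell
#!/bin/sh
# Constructed sample of `klist -k /etc/krb5.keytab` output (not real data).
# The host keytab holds only host/<fqdn>@REALM, with "host" in lower case.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 host/xxx.4gjn.prv@4GJN.PRV
   1 host/xxx.4gjn.prv@4GJN.PRV'

# check_principal REQUESTED_PRINCIPAL KEYTAB_LISTING
# Returns 0 on an exact (case-sensitive) match, 1 when only the case differs,
# 2 when the principal is absent from the keytab altogether.
check_principal() {
    req="$1"; listing="$2"
    # ipa-getcert -K accepts a principal without a realm; fill it in from the
    # keytab so the comparison is done on the full principal name.
    case "$req" in
        *@*) full="$req" ;;
        *)   full="$req@$(printf '%s\n' "$listing" | sed -n 's/.*@//p' | head -n 1)" ;;
    esac
    # Skip the three header lines and keep the principal column only.
    names=$(printf '%s\n' "$listing" | awk 'NR>3 {print $2}' | sort -u)
    if printf '%s\n' "$names" | grep -qxF "$full"; then
        echo "ok: $full is present in the keytab"
        return 0
    fi
    if printf '%s\n' "$names" | grep -qixF "$full"; then
        echo "case mismatch: $full is not in the keytab, but $(printf '%s\n' "$names" | grep -ixF "$full") is"
        return 1
    fi
    echo "not found: $full; the service must already exist in IPA before the host can request its certificate"
    return 2
}

# Demonstration with the request from the thread (upper-case HOST) and its fix.
check_principal 'HOST/xxx.4gjn.prv' "$SAMPLE_KEYTAB_LISTING" || :
check_principal 'host/xxx.4gjn.prv' "$SAMPLE_KEYTAB_LISTING" || :
```

On a real host, feed it `"$(klist -k /etc/krb5.keytab)"` instead of the sample listing.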
