[Freeipa-users] ipa-getcert Problem ?
Günther J. Niederwimmer
gjn at gjn.priv.at
Wed Apr 15 06:47:12 UTC 2015
Hello,
On Tuesday, 14 April 2015, 14:29:58, Nalin Dahyabhai wrote:
> On Tue, Apr 14, 2015 at 08:18:38PM +0200, Günther J. Niederwimmer wrote:
> > Hello
> >
> > I mean I have a problem with the ipa-getcert script.
> >
> > system CentOS 7 (1503) and IPA 4.1.x
> >
> > Can anyone help or explain my mistake, or is this an IPA problem?
> >
> > I do a
> >
> > kinit admin
> >
> > ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K HOST/xxx.4gjn.prv
> > -N 'CN=xxx.4gjn.prv,O=$4GJN.PRV'
> >
> > and have afterward with
> > ipa-getcert list
> >
> > Number of certificates and requests being tracked: 1.
> >
> > Request ID '20150414172251':
> > status: CA_REJECTED
> > ca-error: Server at https://ipa.4gjn.prv/ipa/xml denied our request,
> > giving up: 2100 (RPC failed at server. Insufficient access: Insufficient
> > 'add' privilege to add the entry
> > 'krbprincipalname=HOST/xxx.4gjn.prv@4GJN.PRV,cn=services,cn=accounts,dc=4gjn,dc=prv'.).
> > stuck: yes
> >
> > key pair storage:
> > type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS
> > Certificate DB'
> >
> > certificate:
> > type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
> >
> > CA: IPA
> > issuer:
> > subject:
> > expires: unknown
> > pre-save command:
> > post-save command:
> > track: yes
> > auto-renew: yes
>
> The server rejected the request because no service with the Kerberos
> principal name in the request exists yet.
>
> The "host" service is the one that's automatically created, and because
> Kerberos principal names are case sensitive, "HOST" is seen as being
> different from "host". The certmonger service uses the local host's
> credentials in /etc/krb5.keytab to authenticate when it sends the
> request to the CA (so you could skip the kinit step above), and the host
> doesn't have the necessary privileges to create a new service, and
> that's why that particular error message is coming back from the server.
>
> > ipa-getcert status
> > process 4731: arguments to dbus_message_new_method_call() were incorrect,
> > assertion "path != NULL" failed in file dbus-message.c line 1262.
> > This is normally a bug in some application using the D-Bus library.
> >
> > D-Bus not built with -rdynamic so unable to print a backtrace
> >
> > Abgebrochen (Speicherabzug geschrieben)
>
> That's a bug in ipa-getcert. It should be producing an error message,
> suggesting that you'd need to specify additional options to indicate
> which request you wanted to check the status on, like so:
> getcert status -i 20150414172251
> getcert status -d /etc/pki/nssdb -n Server-Cert
>
> I suggest 'ipa-getcert resubmit -i 20150414172251 -K host/xxx.4gjn.prv'
> (note the lower case) to change the parameters in the certificate
> request, which should be enough to satisfy the server's requirements.
Thank you for the answer and help.
I mean this is working now ;) after some --uninstall and deleting the certificate
(?). I found the wrong command with Google :-(.
The status command is not working on my system!
--
with kind regards / best regards,
Günther J. Niederwimmer
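As an added illustration (not code from this thread or from FreeIPA), the script below parses `ipa-getcert list` output for requests that are stuck with CA_REJECTED, pulls the principal out of the krbprincipalname DN in the ca-error line, and prints the resubmit command Nalin suggests with the service type lower-cased. The list output is a constructed sample modelled on the one quoted above, and the function names (`stuck_requests`, `fix_principal`, `suggest_resubmit`) are the example's own.

```shell
#!/bin/sh
# Constructed sample of `ipa-getcert list` output, modelled on the thread
# (one stuck request with the upper-case HOST principal, one healthy one).
sample_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20150414172251':
  status: CA_REJECTED
  ca-error: Server at https://ipa.4gjn.prv/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'add' privilege to add the entry 'krbprincipalname=HOST/xxx.4gjn.prv@4GJN.PRV,cn=services,cn=accounts,dc=4gjn,dc=prv'.).
  stuck: yes
  key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
  CA: IPA
Request ID '20150414180000':
  status: MONITORING
  stuck: no
  CA: IPA
EOF
}
# Read list output on stdin; print "<request-id> <principal>" for each request
# that is both CA_REJECTED and stuck. The principal comes from the
# krbprincipalname=... DN quoted in the ca-error line ("-" if none is shown).
stuck_requests() {
  awk -F "'" '
    /^Request ID/ { if (stuck && rejected) print id, princ
                    id = $2; stuck = 0; rejected = 0; princ = "-" }
    /status: CA_REJECTED/ { rejected = 1 }
    /stuck: yes/          { stuck = 1 }
    /krbprincipalname=/   { if (match($0, /krbprincipalname=[^,]*/))
                              princ = substr($0, RSTART + 17, RLENGTH - 17) }
    END { if (stuck && rejected) print id, princ }'
}

# Turn HOST/xxx.4gjn.prv@4GJN.PRV into host/xxx.4gjn.prv: the service type is
# case sensitive and the auto-created service is "host"; -K takes no realm.
fix_principal() {
  svc=$(printf '%s' "${1%%/*}" | tr 'A-Z' 'a-z')
  rest=${1#*/}
  printf '%s/%s\n' "$svc" "${rest%%@*}"
}

# Print (do not run) the corrective command for every stuck request on stdin.
suggest_resubmit() {
  stuck_requests | while read -r id princ; do
    [ "$princ" = - ] && continue
    printf 'ipa-getcert resubmit -i %s -K %s\n' "$id" "$(fix_principal "$princ")"
  done
}

sample_list | suggest_resubmit
```

Run against real output with `ipa-getcert list | suggest_resubmit` and review the printed command before executing it; the script only reports, it never changes certmonger state.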