[Freeipa-users] ipa-getcert Problem?

Günther J. Niederwimmer gjn at gjn.priv.at
Wed Apr 15 06:47:12 UTC 2015


Hello,

On Tuesday, 14 April 2015, 14:29:58, Nalin Dahyabhai wrote:
> On Tue, Apr 14, 2015 at 08:18:38PM +0200, Günther J. Niederwimmer wrote:
> > Hello
> > 
> > I mean I have a problem with the ipa-getcert script.
> > 
> > System: CentOS 7 (1503) and IPA 4.1.x
> > 
> > Can anyone help or explain my mistake, or is this an IPA problem?
> > 
> > I do a
> > 
> > kinit admin
> > 
> > ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K HOST/xxx.4gjn.prv -N 'CN=xxx.4gjn.prv,O=$4GJN.PRV'
> > 
> > and have afterward with
> > ipa-getcert list
> > 
> > Number of certificates and requests being tracked: 1.
> > 
> > Request ID '20150414172251':
> >         status: CA_REJECTED
> >         ca-error: Server at https://ipa.4gjn.prv/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Insufficient 'add' privilege to add the entry 'krbprincipalname=HOST/xxx.4gjn.prv@4GJN.PRV,cn=services,cn=accounts,dc=4gjn,dc=prv'.).
> >         stuck: yes
> > 
> >         key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
> >         certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
> > 
> >         CA: IPA
> >         issuer:
> >         subject:
> >         expires: unknown
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
> 
> The server rejected the request because no service with the Kerberos
> principal name in the request exists yet.
> 
> The "host" service is the one that's automatically created, and because
> Kerberos principal names are case sensitive, "HOST" is seen as being
> different from "host".  The certmonger service uses the local host's
> credentials in /etc/krb5.keytab to authenticate when it sends the
> request to the CA (so you could skip the kinit step above), and the host
> doesn't have the necessary privileges to create a new service, and
> that's why that particular error message is coming back from the server.
> 
> > ipa-getcert status
> > process 4731: arguments to dbus_message_new_method_call() were incorrect,
> > assertion "path != NULL" failed in file dbus-message.c line 1262.
> > This is normally a bug in some application using the D-Bus library.
> > 
> >   D-Bus not built with -rdynamic so unable to print a backtrace
> > 
> > Abgebrochen (Speicherabzug geschrieben)
> 
> That's a bug in ipa-getcert.  It should be producing an error message,
> suggesting that you'd need to specify additional options to indicate
> which request you wanted to check the status on, like so:
>   getcert status -i 20150414172251
>   getcert status -d /etc/pki/nssdb -n Server-Cert
> 
> I suggest 'ipa-getcert resubmit -i 20150414172251 -K host/xxx.4gjn.prv'
> (note the lower case) to change the parameters in the certificate
> request, which should be enough to satisfy the server's requirements.

Thank you for the answer and help

I mean this is working now ;) after some --uninstall and deleting the certificate (?). The wrong command I found with Google :-(.

The status command is not working on my system!


-- 
with kind regards / best regards,

  Günther J. Niederwimmer
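As an added example that is not part of this thread, and not certmonger's or FreeIPA's own code: a small POSIX shell script covering the two points Nalin made above. `normalize_principal` lowercases the service component of a principal passed to `-K`, so a request names the existing `host/...` service instead of asking the CA to create a new `HOST/...` one (which the host credentials in /etc/krb5.keytab are not allowed to do); `stuck_requests` scans `getcert list` output for requests sitting in CA_REJECTED or marked `stuck: yes`, and `suggest_resubmit` prints the corrective `ipa-getcert resubmit` command for each. The function names are my own, and the listing in `sample_list` is a constructed sample modelled on the output quoted above, not a capture from a real system.

```shell
#!/bin/sh
# Added example, not code from the thread or from certmonger/FreeIPA.

# normalize_principal SERVICE/HOST[@REALM]
# Prints the principal with the service component lowercased. Kerberos
# principal names are case sensitive, and IPA auto-creates "host", not
# "HOST", so "HOST/fqdn" refers to a service that does not exist.
# Returns 1 when the argument does not look like SERVICE/HOST.
normalize_principal() {
    p=$1
    case "$p" in
        */*) ;;
        *) printf 'error: expected SERVICE/HOST[@REALM], got %s\n' "$p" >&2; return 1 ;;
    esac
    svc=${p%%/*}
    rest=${p#*/}
    svc_lc=$(printf '%s' "$svc" | tr 'A-Z' 'a-z')
    printf '%s/%s\n' "$svc_lc" "$rest"
}

# stuck_requests < getcert-list-output
# Prints "REQUEST_ID STATUS" for every tracked request that is CA_REJECTED
# or flagged "stuck: yes". Request IDs are read from the "Request ID '...':"
# header line; the status and stuck fields follow it in the listing.
stuck_requests() {
    awk '
        $1 == "Request" && $2 == "ID" { gsub(/[^0-9]/, "", $3); id = $3; status = "" }
        $1 == "status:"               { status = $2 }
        $1 == "stuck:"                { if ($2 == "yes" || status == "CA_REJECTED") print id, status }
    '
}

# suggest_resubmit REQUEST_ID PRINCIPAL
# Prints the resubmit command with the principal corrected to lower case.
suggest_resubmit() {
    fixed=$(normalize_principal "$2") || return 1
    printf 'ipa-getcert resubmit -i %s -K %s\n' "$1" "$fixed"
}

# Constructed sample of `getcert list` output (two requests, one rejected).
sample_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20150414172251':
        status: CA_REJECTED
        ca-error: Server at https://ipa.example.test/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: ...).
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        track: yes
        auto-renew: yes
Request ID '20150414180000':
        status: MONITORING
        stuck: no
        CA: IPA
        track: yes
        auto-renew: yes
EOF
}

# Demonstration: find stuck requests in the sample and print the fix for each.
sample_list | stuck_requests | while read -r id status; do
    echo "request $id is $status"
    suggest_resubmit "$id" "HOST/xxx.4gjn.prv"
done
```

On a real system replace `sample_list` with `getcert list` (or `ipa-getcert list`); the `resubmit` line printed for a stuck request is the same form Nalin recommends, with the service name in lower case so it matches the host service IPA already created.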

