[Freeipa-users] Issues with SNI+Kerberos
Rob Crittenden
rcritten at redhat.com
Tue Jun 2 18:54:21 UTC 2015
Brian Topping wrote:
> Hi all,
>
> I've been trying to work through the instructions at https://www.freeipa.org/page/Apache_SNI_With_Kerberos and have not been having much luck. I've followed the instructions there exactly, ending with the following command:
>
>> ipa-getcert request -r -f /etc/httpd/certs/example.crt -k /etc/httpd/certs/example.key -N CN=www.example.com -D www.example.com -K HTTP/www.example.com
>
> but I keep getting the following:
>
>> ca-error: Server at https://ipa.example.com/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: not allowed to perform this command).
>
> What's interesting is it creates the private key file but the certificate fails. I cannot find anything in the logs on either the ipa or the client machine that would indicate what that failure is.
>
> Does anyone recognize this situation where the key file is created but the certificate is not created?
Key generation is done locally.
The failure is pretty clear, your host isn't allowed to do this:
Insufficient access: not allowed to perform this command
The Apache error log should contain this error as well.
What version of IPA is this?
And more information on what you're doing is needed, obfuscate as
needed, but what host are you running this on? I assume you want to
create an SNI for www.example.com on <somerandomname>.example.com?
rob
More information about the Freeipa-users
mailing list