[Freeipa-users] ipa-getcert request problem

Natxo Asenjo natxo.asenjo at gmail.com
Mon Sep 15 17:03:17 UTC 2014


On Mon, Sep 15, 2014 at 5:03 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> Natxo Asenjo wrote:
>
>>
>> hi,
>>
>> Centos 6.5.
>>
>> I want to create a certificate request for our mysql servers. I came up
>> with this command line:
>>
>> $ sudo /usr/bin/ipa-getcert request -r -f /etc/pki/tls/certs/`hostname
>> --fqdn`-mysql.crt -k /etc/pki/tls/private/`hostname --fqdn`-mysql.key -D
>> `dnsdomainname` -U id-kp-serverAuth -K mysql/`hostname --fqdn`
>> New signing request "20140915132335" added.
>>
>> But it gets rejected:
>>
>> Request ID '20140915132335':
>>          status: CA_REJECTED
>>          ca-error: Server denied our request, giving up: 2100 (RPC
>> failed at server.  Insufficient access: You need to be a member of the
>> serviceadmin role to add services).
>>          stuck: yes
>>          key pair storage:
>> type=FILE,location='/etc/pki/tls/private/hostname-mysql.key'
>>          certificate:
>> type=FILE,location='/etc/pki/tls/certs/hostname-mysql.crt'
>>          CA: IPA
>>          issuer:
>>          subject:
>>          expires: unknown
>>          pre-save command:
>>          post-save command:
>>          track: yes
>>          auto-renew: yes
>>
>> I think I have the serviceadmin role:
>>
>> $ ipa role-show "it specialist"
>>    Role name: IT Specialist
>>    Description: IT Specialist
>>    Member groups: admins
>>    Privileges: Host Administrators, Host Group Administrators, Service
>>                Administrators, Automount Administrators
>>
>> The account is member of group admins.
>>
>> What am I doing wrong?
>>
>
> ipa-getcert runs using the host credentials, not the current user's. A
> host cannot add services, even its own. So you need to pre-create the mysql
> service then run getcert resubmit -i 20140915132335 and IPA should issue
> the cert.


Yes! Thanks, I guess I had misunderstood how this should work. Now I have
the cert and the key and they are in the right place.

-- 
regards,
natxo
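As an added example (not part of the thread above, and not FreeIPA project code), the two-step fix Rob describes can be scripted so the order is always right: certmonger submits the request with the host's keytab, and a host principal is not allowed to create service entries, so the service must exist before the stuck request is resubmitted. The script assumes the caller holds a Kerberos ticket for an account with the Service Administrators privilege (the role Natxo showed), uses the standard `ipa service-show` / `ipa service-add` commands alongside the `ipa-getcert resubmit -i` call from the reply, and takes the service name, the host FQDN and the request ID as arguments. The `IPA_DRY_RUN` switch is an assumption of this script: with it set, commands are printed rather than run, which lets you review exactly what would be sent to the IPA server.

```shell
#!/bin/sh
# Added example: repair a certmonger request that was CA_REJECTED because
# the service principal did not exist yet. Steps, in the order IPA requires:
#   1. create the service entry (needs a user with Service Administrators),
#   2. tell certmonger to resubmit the existing request (host credentials
#      are enough for that, since the service now exists).
# IPA_DRY_RUN=1 prints the commands instead of executing them (assumed
# switch, not an IPA feature).

run_cmd() {
    if [ "${IPA_DRY_RUN:-0}" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Kerberos principal for a service: SERVICE/fqdn (IPA appends the realm).
# This must match the value passed to ipa-getcert -K.
service_principal() {
    printf '%s/%s\n' "$1" "$2"
}

# Create the service entry unless it already exists. The existence check
# is skipped in dry-run mode so the script works without an IPA server.
ensure_service() {
    svc=$1
    fqdn=$2
    princ=$(service_principal "$svc" "$fqdn")
    if [ "${IPA_DRY_RUN:-0}" != "1" ] && ipa service-show "$princ" >/dev/null 2>&1; then
        return 0
    fi
    run_cmd ipa service-add "$princ"
}

# Ask certmonger to resubmit the request now that the service exists.
resubmit_request() {
    run_cmd ipa-getcert resubmit -i "$1"
}

# fix_stuck_request SERVICE FQDN REQUEST_ID
fix_stuck_request() {
    ensure_service "$1" "$2" && resubmit_request "$3"
}
```

Usage on the host from the thread would be `fix_stuck_request mysql "$(hostname --fqdn)" 20140915132335`, run as a user who can add services; afterwards `ipa-getcert list -i 20140915132335` should show the status moving from CA_REJECTED to MONITORING.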