[Freeipa-users] ipa-getcert request problem
Natxo Asenjo
natxo.asenjo at gmail.com
Mon Sep 15 17:03:17 UTC 2014
On Mon, Sep 15, 2014 at 5:03 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Natxo Asenjo wrote:
>
>>
>> hi,
>>
>> Centos 6.5.
>>
>> I want to create a certificate request for our mysql servers. I came up
>> with this command line:
>>
>> $ sudo /usr/bin/ipa-getcert request -r -f /etc/pki/tls/certs/`hostname
>> --fqdn`-mysql.crt -k /etc/pki/tls/private/`hostname --fqdn`-mysql.key -D
>> `dnsdomainname` -U id-kp-serverAuth -K mysql/`hostname --fqdn`
>> New signing request "20140915132335" added.
>>
>> But it gets rejected:
>>
>> Request ID '20140915132335':
>> status: CA_REJECTED
>> ca-error: Server denied our request, giving up: 2100 (RPC
>> failed at server. Insufficient access: You need to be a member of the
>> serviceadmin role to add services).
>> stuck: yes
>> key pair storage:
>> type=FILE,location='/etc/pki/tls/private/hostname-mysql.key'
>> certificate:
>> type=FILE,location='/etc/pki/tls/certs/hostname-mysql.crt'
>> CA: IPA
>> issuer:
>> subject:
>> expires: unknown
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>>
>> I think I have the serviceadmin role:
>>
>> $ ipa role-show "it specialist"
>> Role name: IT Specialist
>> Description: IT Specialist
>> Member groups: admins
>> Privileges: Host Administrators, Host Group Administrators, Service
>> Administrators, Automount Administrators
>>
>> The account is member of group admins.
>>
>> What am I doing wrong?
>>
>
> ipa-getcert runs using the host credentials, not the current user's. A
> host cannot add services, even its own. So you need to pre-create the mysql
> service then run getcert resubmit -i 20140915132335 and IPA should issue
> the cert.
Yes! Thanks, I guess I had misunderstood how this should work. Now I have
the cert and the key and they are in the right place.
--
regards,
natxo
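As an added example (not part of the thread, and not FreeIPA or certmonger code): a small POSIX shell helper that parses `ipa-getcert list` output, picks out requests the IPA CA rejected with the serviceadmin access error Natxo hit, and prints the two-step fix Rob describes (create the service principal, then resubmit the request). The `ipa-getcert list` text is a constructed sample modelled on Natxo's output; the host `db1.example.test`, the realm `EXAMPLE.TEST` and the second, healthy request are assumptions. The `ipa service-add` step has to be run by a user who holds the Service Administrators privilege (after `kinit`), which is exactly what the host credentials certmonger uses cannot do.

```sh
#!/bin/sh
# Added example, not from the freeipa-users thread. Finds certmonger
# requests stuck on "Insufficient access ... serviceadmin role to add
# services" and prints the remediation (pre-create the service, resubmit).

# Constructed sample of `ipa-getcert list` output, modelled on the thread.
# Host, realm and the second request are assumptions.
sample_getcert_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20140915132335':
    status: CA_REJECTED
    ca-error: Server denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: You need to be a member of the serviceadmin role to add services).
    stuck: yes
    key pair storage: type=FILE,location='/etc/pki/tls/private/db1.example.test-mysql.key'
    certificate: type=FILE,location='/etc/pki/tls/certs/db1.example.test-mysql.crt'
    CA: IPA
    issuer:
    subject:
    expires: unknown
    principal name: mysql/db1.example.test@EXAMPLE.TEST
    track: yes
    auto-renew: yes
Request ID '20140901090000':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/etc/pki/tls/private/db1.example.test-http.key'
    certificate: type=FILE,location='/etc/pki/tls/certs/db1.example.test-http.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.TEST
    subject: CN=db1.example.test,O=EXAMPLE.TEST
    expires: 2016-09-01 09:00:00 UTC
    principal name: HTTP/db1.example.test@EXAMPLE.TEST
    track: yes
    auto-renew: yes
EOF
}

# Read `ipa-getcert list` text on stdin and print "<request id> <principal>"
# for every request the CA rejected because the host (whose credentials
# certmonger uses) is not allowed to add the service it asked for.
stuck_service_requests() {
    awk -v q="'" '
        function flush() {
            if (id != "" && status == "CA_REJECTED" && denied)
                print id, principal
            id = ""; status = ""; denied = 0; principal = ""
        }
        /^Request ID/ { flush(); id = $3; gsub(q, "", id); sub(/:$/, "", id); next }
        /^[ \t]*status:/ { status = $2 }
        /^[ \t]*ca-error:/ && /serviceadmin role to add services/ { denied = 1 }
        /^[ \t]*principal name:/ { principal = $3 }
        END { flush() }
    '
}

# Emit the fix from Rob's reply: add the service as an IPA user holding the
# Service Administrators privilege, then have certmonger resubmit the stuck
# request. The commands are printed, not executed, so they can be reviewed
# (and so this runs offline).
remediation_commands() {
    id=$1
    principal=$2
    printf 'ipa service-add %s\n' "$principal"
    printf 'ipa-getcert resubmit -i %s\n' "$id"
}

# Stand-alone run: show the remediation for every stuck request in the sample.
sample_getcert_list | stuck_service_requests | while read -r id principal; do
    remediation_commands "$id" "$principal"
done
```

On a real host, replace `sample_getcert_list` with `ipa-getcert list` and run the printed `ipa service-add` line from an admin session; the `resubmit` line then lets certmonger retry with the existing key pair, which matches the outcome Natxo reports.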