Thomas Letherby via FreeIPA-users wrote:
> Hello all,
>
> I'm trying to issue some certificates via certmonger and I'm missing a
> permission somewhere.
>
> The situation is thus:
>
> I have a small docker swarm of containers which access storage volumes
> on an IPA-joined storage server (xstorage1 - Ubuntu 18.04) via NFS,
> stored on a ZFS array.
>
> Some of these containers, in this case a WiFi controller, can ingest
> certificates dropped into their volumes.
>
> I want to use the storage server to request and drop the certificate
> files for the controller (in this case called omada) directly into the
> docker volume for the container, so the storage server will manage
> renewals and the container just sees the cert files as normal.
>
> On xstorage1 I used the following process to create the host, service
> and request the certificate:
>
> kinit admin
> ipa host-add omada.i.xrs444.net
> ipa service-add HTTP://omada.i.xrs444.net
> ipa service-add-host --hosts xstorage1.i.xrs444.net HTTP://omada.i.xrs444.net
> ipa-getcert request -f /nasstore/containers/omada-data/cert.crt -k /nasstore/containers/omada-data/tls.key -r -K HTTP/[email protected] -N 'CN=omada.i.xrs444.net,O=I.XRS444.NET' -D omada.i.xrs444.net -C "/usr/local/bin/catcerts.sh /nasstore/containers/omada-data/cert.crt /etc/ipa/ca.crt //nasstore/containers/omada-data/tls.crt"
>
> (The -C is calling a script to concatenate the cert chain into one file)
>
> This appears to process without error, but when I run ipa-getcert list I
> see the following error:
>
> Request ID '20201019194610':
> status: CA_REJECTED
> ca-error: Server at https://xipa1.i.xrs444.net/ipa/xml denied our
> request, giving up: 2100 (RPC failed at server. Insufficient access:
> Insufficient 'add' privilege to add the entry
> 'krbprincipalname=HTTP/[email protected],cn=services,cn=accounts,dc=i,dc=xrs444,dc=net'.).
>
> In the GUI of xipa1 (IPA Server) I can see the host and service, with
> xstorage1 listed in the 'managed by' tab for both.
>
> I tried from another host with the same results.
>
> What have I missed? I'm sure I've done this before a while back, but I
> can't recall how I did it. Looking through guides online I can't see a
> step I've skipped.
You added service HTTP: (with a colon) and you're requesting HTTP with no colon.

rob
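The mismatch Rob points out (a service created as `HTTP:` because the name was typed URL-style, then requested as `HTTP/...`) can be caught on the client before anything is sent to the CA. The script below is an added example, not code from the thread or from FreeIPA: it validates a Kerberos service principal of the form `SERVICE/host.fqdn[@REALM]` and compares the name given to `ipa service-add` with the `-K` value given to `ipa-getcert`. `EXAMPLE.REALM` is a constructed placeholder realm.

```sh
#!/bin/sh
# Added example (not from the thread): sanity-check a Kerberos service principal
# before passing it to 'ipa service-add' or 'ipa-getcert -K', so a URL-style typo
# such as HTTP://host is caught locally instead of surfacing later as CA_REJECTED /
# "Insufficient 'add' privilege" when certmonger tries to create a missing service.

# principal_ok PRINCIPAL: returns 0 if well-formed, 1 with a reason on stderr.
principal_ok() {
    p=$1
    case $p in
        *@*) realm=${p##*@}; sp=${p%@*} ;;
        *)   realm=;         sp=$p ;;
    esac
    case $sp in
        */*) ;;
        *) echo "no '/' between service and host: $p" >&2; return 1 ;;
    esac
    svc=${sp%%/*}
    host=${sp#*/}
    case $svc in
        *:*) echo "service '$svc' contains ':' (URL-style typo for '/'?): $p" >&2; return 1 ;;
        ''|*[!A-Za-z0-9_-]*) echo "bad service name '$svc': $p" >&2; return 1 ;;
    esac
    case $host in
        ''|*/*|*[!A-Za-z0-9.-]*) echo "bad host part '$host': $p" >&2; return 1 ;;
    esac
    case $realm in
        *[!A-Z0-9.-]*) echo "realm '$realm' is not upper-case: $p" >&2; return 1 ;;
    esac
    return 0
}

# canonical PRINCIPAL: prints SERVICE/host with any @REALM dropped and the host
# lower-cased, so the 'ipa service-add' name and the -K value compare directly
# (IPA stores host names in lower case; the realm is implied when omitted).
canonical() {
    sp=${1%@*}
    printf '%s/%s\n' "${sp%%/*}" "$(printf '%s' "${sp#*/}" | tr '[:upper:]' '[:lower:]')"
}

# same_service ADDED REQUESTED: returns 0 if both name the same service principal.
same_service() {
    [ "$(canonical "$1")" = "$(canonical "$2")" ]
}
# Walk the names from the thread (EXAMPLE.REALM is a constructed placeholder).
for name in 'HTTP://omada.i.xrs444.net' 'HTTP/omada.i.xrs444.net' \
            'HTTP/omada.i.xrs444.net@EXAMPLE.REALM'; do
    if principal_ok "$name"; then echo "ok:  $name"; else echo "bad: $name"; fi
done
```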
