And now I feel a bit silly... Thanks for spotting that, it appears I type :// automatically after the letters http!
Making it HTTP/ all the way through seems to have done the trick, thanks again!

Thomas

On Mon, Oct 19, 2020 at 5:56 PM Rob Crittenden <[email protected]> wrote:
> Thomas Letherby via FreeIPA-users wrote:
> > Hello all,
> >
> > I'm trying to issue some certificates via certmonger and I'm missing a
> > permission somewhere.
> >
> > The situation is thus:
> >
> > I have a small docker swarm of containers which access storage volumes
> > on an IPA-joined storage server (xstorage1 - Ubuntu 18.04) via NFS,
> > stored on a ZFS array.
> >
> > Some of these containers, in this case a WiFi controller, can ingest
> > certificates dropped into their volumes.
> >
> > I want to use the storage server to request and drop the certificate
> > files for the controller (in this case called omada) directly into the
> > docker volume for the container, so the storage server will manage
> > renewals and the container just sees the cert files as normal.
> >
> > On xstorage1 I used the following process to create the host, service
> > and request the certificate:
> >
> > kinit admin
> > ipa host-add omada.i.xrs444.net
> > ipa service-add HTTP://omada.i.xrs444.net
> > ipa service-add-host --hosts xstorage1.i.xrs444.net HTTP://omada.i.xrs444.net
> > ipa-getcert request -f /nasstore/containers/omada-data/cert.crt -k
> > /nasstore/containers/omada-data/tls.key -r -K
> > HTTP/omada.i.xrs444.net@I.XRS444.NET -N 'CN=omada.i.xrs444.net,O=I.XRS444.NET' -D
> > omada.i.xrs444.net -C
> > "/usr/local/bin/catcerts.sh /nasstore/containers/omada-data/cert.crt
> > /etc/ipa/ca.crt //nasstore/containers/omada-data/tls.crt"
> >
> > (The -C is calling a script to concatenate the cert chain into one file)
> >
> > This appears to process without error, but when I run ipa-getcert list I
> > see the following error:
> >
> > Request ID '20201019194610':
> >         status: CA_REJECTED
> >         ca-error: Server at https://xipa1.i.xrs444.net/ipa/xml denied our
> > request, giving up: 2100 (RPC failed at server. Insufficient access:
> > Insufficient 'add' privilege to add the entry
> > 'krbprincipalname=HTTP/omada.i.xrs444.net@I.XRS444.NET,cn=services,cn=accounts,dc=i,dc=xrs444,dc=net'.).
> >
> > In the GUI of xipa1 (IPA Server) I can see the host and service, with
> > xstorage1 listed in the 'managed by' tab for both.
> >
> > I tried from another host with the same results.
> >
> > What have I missed? I'm sure I've done this before a while back, but I
> > can't recall how I did it. Looking through guides online I can't see a
> > step I've skipped.
>
> You added service HTTP: (with a colon) and you're requesting HTTP with
> no colon.
>
> rob
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
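An added pre-flight check in Python, not from this thread and not part of FreeIPA or certmonger: it rejects the 'HTTP:' / 'HTTP://' typo family before ipa-getcert is run, and explains the "Insufficient 'add' privilege" rejection by comparing the requested principal against the services IPA already has. The service list is constructed from the host and realm in the thread; how IPA actually stored the mistyped service is an assumption, and the managed-by data stands in for `ipa service-show` output.

```python
import re
from difflib import get_close_matches

# Strict shape of a Kerberos service principal: service/fqdn@REALM
PRINCIPAL_RE = re.compile(
    r"^(?P<service>[A-Za-z][A-Za-z0-9_-]*)/"
    r"(?P<host>[a-z0-9]([a-z0-9.-]*[a-z0-9])?)@(?P<realm>[A-Z0-9.-]+)$"
)

def principal_error(principal):
    """Describe why a principal is malformed, or return None if it is well formed."""
    # The thread's bug: 'HTTP:' / 'http://' typed by habit instead of 'HTTP/'
    if "://" in principal or re.match(r"^[A-Za-z0-9_-]+:", principal):
        return "service and host must be separated by '/', not ':' (URL-scheme typo)"
    if not PRINCIPAL_RE.match(principal):
        return "expected service/fqdn@REALM (lowercase FQDN, uppercase realm)"
    return None

def check_request(principal, requester, services):
    """Return findings that would make IPA reject a certmonger request; `services`
    maps each existing principal to its managed-by hosts (ipa service-show output)."""
    err = principal_error(principal)
    if err:
        return [f"{principal}: {err}"]
    findings = []
    if principal not in services:
        # IPA has no such service, so the request turns into an 'add' on cn=services
        msg = (f"{principal} does not exist: certmonger will try to add it, and "
               "the request then needs 'add' privilege on cn=services")
        near = get_close_matches(principal, list(services), n=1, cutoff=0.8)
        if near:
            msg += f" (did you mean the existing service {near[0]}?)"
        findings.append(msg)
    elif requester not in services[principal]:
        findings.append(f"{requester} is not in managed-by for {principal}")
    host, realm = PRINCIPAL_RE.match(principal).group("host", "realm")
    if host.partition(".")[2].upper() != realm:
        findings.append(f"realm {realm} differs from the host's domain (unusual, check it)")
    return findings

# Constructed stand-in for the thread's state: the service was created with the
# 'HTTP://' typo as typed (how IPA stored it is an assumption), managed by xstorage1.
SERVICES = {"HTTP://omada.i.xrs444.net@I.XRS444.NET": ["xstorage1.i.xrs444.net"]}
REQUESTED = "HTTP/omada.i.xrs444.net@I.XRS444.NET"  # the -K value from the thread

if __name__ == "__main__":
    for finding in check_request(REQUESTED, "xstorage1.i.xrs444.net", SERVICES):
        print(finding)
```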
