Ivan Ferreira wrote:
Hi everybody. I'm testing ipa-server 2.1.3. I'm trying to create a
certificate for vsftpd.

I can successfully create the certificate with the following command:

# ipa cert-request --add --principal=FTP/ftp.linux.com.py ftp.csr

But I want to create certificates with subjectAltName DNS extensions,
and it seems that is not possible through an OpenSSL CSR and dogtag.

So I deleted the service entry, then I created again using:

# ipa service-add FTP/ftp.linux.com.py

Then, I try to create the certificate using the following command:

# ipa-getcert request -k /etc/vsftpd/private/ftp.key -f /etc/vsftpd/certs/ftp.crt -N "cn=ftp.linux.com.py" -D "cn=le-303.linux.com.py" -D "cn=ftp" -D "cn=le-303" -K FTP/ftp.linux.com.py

But I have the following error:

Request ID '20120108062420':
    ca-error: Server denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry
    stuck: yes
    key pair storage: type=FILE,location='/etc/vsftpd/private/ftp.key'
    certificate: type=FILE,location='/etc/vsftpd/certs/ftp.crt'
    expires: unknown
    track: yes
    auto-renew: yes

It looks like there is a problem with an ACI, or the admin principal does not
have enough privileges.

Can anyone give me some hints?

ipa-getcert executes using the host principal of the machine it is running on. If you really want this machine to do the request you can add it as a manager to the service:

# ipa service-add-host --hosts=<host_you_are_on> FTP/ftp.linux.com.py
# ipa-getcert resubmit -i 20120108062420

If you don't want certmonger tracking this forever you can tell it to stop once the cert is generated with:

# ipa-getcert stop-tracking -i 20120108062420
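As an added illustration of the diagnosis above (example code, not part of the thread and not part of FreeIPA or certmonger): a small parser for `ipa-getcert list` output that picks out stuck requests, recognises the "Insufficient access" denial, and prints the two commands the reply suggests (add the requesting host as a manager of the service, then resubmit). It assumes the `Request ID '...':` header followed by `field: value` lines, as shown in the post; the sample listing below is constructed from the post's output, and the second request, the `principal name` field and the realm LINUX.COM.PY are assumptions added for contrast.

```python
"""Triage stuck certmonger requests from `ipa-getcert list` output.

Added example, not code from the original thread. It assumes the layout
shown in the post (a "Request ID '...':" header, then "field: value"
lines) and derives the fix from the reply: add the requesting host as a
manager of the service, then resubmit the request.
"""
import re

# Constructed sample. The first entry is the stuck request from the post;
# the second entry, the "principal name" field and the realm are assumed.
SAMPLE_LIST_OUTPUT = """\
Request ID '20120108062420':
    ca-error: Server denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry
    stuck: yes
    key pair storage: type=FILE,location='/etc/vsftpd/private/ftp.key'
    certificate: type=FILE,location='/etc/vsftpd/certs/ftp.crt'
    principal name: FTP/ftp.linux.com.py@LINUX.COM.PY
    expires: unknown
    track: yes
    auto-renew: yes
Request ID '20120108070000':
    stuck: no
    principal name: host/ftp.linux.com.py@LINUX.COM.PY
    expires: 2014-01-08 07:00:00 UTC
    track: yes
    auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':\s*$")
# The key is everything up to the first colon; values (ca-error, expires)
# may themselves contain colons, so only the first one splits the line.
FIELD_RE = re.compile(r"^\s*([^:]+):\s*(.*)$")


def parse_getcert_list(text):
    """Return {request_id: {field: value}} for every request in the listing."""
    requests = {}
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {}
            requests[m.group(1)] = current
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return requests


def stuck_requests(requests):
    """Only the requests certmonger itself reports as stuck."""
    return {rid: f for rid, f in requests.items() if f.get("stuck") == "yes"}


def is_acl_denial(fields):
    """True when the CA error is the IPA 'Insufficient access' rejection."""
    err = fields.get("ca-error", "")
    return "Insufficient access" in err or "Insufficient 'write' privilege" in err


def suggested_fix(request_id, fields, requesting_host):
    """Commands from the reply, for an ACL denial only; [] otherwise.

    The service principal is read from the (assumed) 'principal name'
    field with the realm stripped, since service-add-host takes the
    principal without a realm.
    """
    if not is_acl_denial(fields):
        return []
    principal = fields.get("principal name", "<service principal>")
    principal = principal.split("@", 1)[0]
    return [
        f"ipa service-add-host --hosts={requesting_host} {principal}",
        f"ipa-getcert resubmit -i {request_id}",
    ]


if __name__ == "__main__":
    # Host name is an assumption: ipa-getcert authenticates as the host
    # principal of the machine it runs on, so that host must manage the service.
    reqs = parse_getcert_list(SAMPLE_LIST_OUTPUT)
    for rid, fields in stuck_requests(reqs).items():
        print(f"stuck request {rid}: {fields.get('ca-error', '<no ca-error>')}")
        for cmd in suggested_fix(rid, fields, "ftp.linux.com.py"):
            print("  #", cmd)
```

The check deliberately keys on certmonger's own `stuck: yes` rather than on the presence of a `ca-error` line, because a request that was retried successfully can still carry an old error text while no longer being stuck.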
