On 09/15/2014 03:31 PM, Natxo Asenjo wrote:
> hi,
> 
> Centos 6.5.
> 
> I want to create a certificate request for our mysql servers. I came up
> with this command line:
> 
> $ sudo /usr/bin/ipa-getcert request -r -f /etc/pki/tls/certs/`hostname
> --fqdn`-mysql.crt -k /etc/pki/tls/private/`hostname --fqdn`-mysql.key -D
> `dnsdomainname` -U id-kp-serverAuth -K mysql/`hostname --fqdn`
> New signing request "20140915132335" added.
> 
> But it gets rejected:
> 
> Request ID '20140915132335':
>         status: CA_REJECTED
>         ca-error: Server denied our request, giving up: 2100 (RPC failed at
> server.  Insufficient access: You need to be a member of the serviceadmin
> role to add services).
>         stuck: yes
>         key pair storage:
> type=FILE,location='/etc/pki/tls/private/hostname-mysql.key'
>         certificate:
> type=FILE,location='/etc/pki/tls/certs/hostname-mysql.crt'
>         CA: IPA
>         issuer:
>         subject:
>         expires: unknown
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes
> 
> I think I have the serviceadmin role:
> 
> $ ipa role-show "it specialist"
>   Role name: IT Specialist
>   Description: IT Specialist
>   Member groups: admins
>   Privileges: Host Administrators, Host Group Administrators, Service
>               Administrators, Automount Administrators
> 
> The account is member of group admins.
> 
> What am I doing wrong?
> 
> Thanks!
> --
> Groeten,
> natxo
> 
> 
> 

It seems you hit the same issue as Michael. See my response:
https://www.redhat.com/archives/freeipa-users/2014-September/msg00256.html

You will need to

1) Create host `domainname`
2) Create services
* mysql/`hostname`
* mysql/`domainname`
3) Run ipa service-add-host mysql/`domainname` --host mysql/`hostname`
4) Resubmit certificate

It looks like we need to do better in documentation & error message... Oh and
BTW, this only works with FreeIPA 4.0+, details in ticket
https://fedorahosted.org/freeipa/ticket/3977.

Martin
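The four steps above, written out as a small POSIX shell script. This is an added example and not code from the thread or from the FreeIPA project; the host name, domain and service name are constructed placeholders (on the real server they come from `hostname --fqdn` and `dnsdomainname`), and it assumes FreeIPA 4.0+ with a kinit'd account that holds the host and service administration privileges. The step 3 link uses the `--hosts` option of `ipa service-add-host` with the managing host's FQDN as its value; `IPA` and `GETCERT` can be overridden (for instance with `echo`) to print the planned commands before anything is sent to the server.

```shell
#!/bin/sh
# Added example: script the recipe from the reply so that the two service
# principals and the host-manages-service relationship are explicit.
# IPA / GETCERT default to the real tools; set IPA=echo GETCERT=echo to dry-run.
: "${IPA:=ipa}"
: "${GETCERT:=ipa-getcert}"

# Constructed placeholder names; real values: `hostname --fqdn`, `dnsdomainname`.
HOST_FQDN="${HOST_FQDN:-db1.example.test}"
DOMAIN="${DOMAIN:-example.test}"
SERVICE="${SERVICE:-mysql}"

# The two principals: the service on the real host, and on the domain name.
host_principal() { printf '%s/%s\n' "$SERVICE" "$HOST_FQDN"; }
domain_principal() { printf '%s/%s\n' "$SERVICE" "$DOMAIN"; }

# Step 1: the domain name needs a host entry of its own before a service
# can hang off it. --force lets IPA accept a name it cannot resolve to an
# A record for that host.
add_domain_host() { "$IPA" host-add "$DOMAIN" --force; }

# Step 2: one service entry per principal.
add_services() {
    "$IPA" service-add "$(host_principal)"
    "$IPA" service-add "$(domain_principal)"
}

# Step 3: allow the real host to manage the domain-name service, so that
# certmonger running on that host may request a certificate naming the
# domain (this is the FreeIPA 4.0+ behaviour the reply refers to).
link_service_to_host() {
    "$IPA" service-add-host "$(domain_principal)" --hosts="$HOST_FQDN"
}

# Step 4: the same request as in the original post: key/cert on disk,
# the domain name as an extra DNS SAN, server-auth EKU, host principal.
request_cert() {
    "$GETCERT" request -r \
        -f "/etc/pki/tls/certs/${HOST_FQDN}-${SERVICE}.crt" \
        -k "/etc/pki/tls/private/${HOST_FQDN}-${SERVICE}.key" \
        -D "$DOMAIN" -U id-kp-serverAuth -K "$(host_principal)"
}

# Run the steps in order only when invoked as: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
    add_domain_host && add_services && link_service_to_host && request_cert
fi
```

Run it once with `IPA=echo GETCERT=echo sh script.sh run` to review the exact commands, then without the overrides; if step 1 or 2 still fails with the "serviceadmin" error from the original post, the Kerberos ticket in use does not carry the privileges listed by `ipa role-show`, which is the first thing to check.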

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project