Natxo Asenjo wrote:
I want to create a certificate request for our mysql servers. I came up
with this command line:
$ sudo /usr/bin/ipa-getcert request -r \
    -f /etc/pki/tls/certs/`hostname --fqdn`-mysql.crt \
    -k /etc/pki/tls/private/`hostname --fqdn`-mysql.key \
    -D `dnsdomainname` -U id-kp-serverAuth -K mysql/`hostname --fqdn`
New signing request "20140915132335" added.
But it gets rejected:
Request ID '20140915132335':
ca-error: Server denied our request, giving up: 2100 (RPC
failed at server. Insufficient access: You need to be a member of the
serviceadmin role to add services).
key pair storage:
I think I have the serviceadmin role:
$ ipa role-show "it specialist"
Role name: IT Specialist
Description: IT Specialist
Member groups: admins
Privileges: Host Administrators, Host Group Administrators, Service
Administrators, Automount Administrators
The account is a member of the group admins.
What am I doing wrong?
ipa-getcert runs using the host credentials, not the current user's. A
host cannot add services, even its own. So you need to pre-create the
mysql service, then run getcert resubmit -i 20140915132335 and IPA should
issue the cert.
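The sequence described in the reply, written out as an added example script (not from the thread or the FreeIPA project): a kinit'd user with the Service Administrators privilege creates the service entry first, and only then is certmonger, which acts as the host, asked for the certificate. It assumes the first request has not been made yet (for an already rejected one, getcert resubmit with the request ID applies) and puts the host FQDN rather than the bare domain name in the DNS SAN (-D), an assumption about what was intended.

```shell
#!/bin/bash
# Added example: pre-create the IPA service principal, then request the cert.
set -eu

# Kerberos principal for a service on a host, e.g. mysql/db1.example.com
service_principal() {
    local service="$1" fqdn="$2"
    printf '%s/%s\n' "$service" "$fqdn"
}

# Certificate and key paths following the naming used in the original request.
cert_path() { printf '/etc/pki/tls/certs/%s-%s.crt\n' "$2" "$1"; }
key_path()  { printf '/etc/pki/tls/private/%s-%s.key\n' "$2" "$1"; }

# Make sure the service entry exists in IPA. This step needs a user ticket
# holding the Service Administrators privilege; the host credentials that
# certmonger uses cannot add a service, which is what caused the 2100 error.
ensure_service() {
    local principal="$1"
    if ipa service-show "$principal" >/dev/null 2>&1; then
        echo "service $principal already exists"
    else
        ipa service-add "$principal"
    fi
}

# Ask certmonger for the certificate (run as root so it can write the files).
# -K is the principal created above; -D puts the host FQDN into the DNS SAN.
request_cert() {
    local service="$1" fqdn="$2" principal
    principal="$(service_principal "$service" "$fqdn")"
    ensure_service "$principal"
    ipa-getcert request -r \
        -f "$(cert_path "$service" "$fqdn")" \
        -k "$(key_path "$service" "$fqdn")" \
        -D "$fqdn" -U id-kp-serverAuth -K "$principal"
}

# Only talk to IPA when explicitly asked: ./script.sh run
if [ "${1:-}" = "run" ]; then
    request_cert mysql "$(hostname --fqdn)"
fi
```

Afterwards, getcert list -i <request id> shows whether the request reached MONITORING or is still stuck in a ca-error state.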
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project