Natxo Asenjo wrote:


Centos 6.5.

I want to create a certificate request for our mysql servers. I came up
with this command line:

$ sudo /usr/bin/ipa-getcert request -r -f /etc/pki/tls/certs/`hostname
--fqdn`-mysql.crt -k /etc/pki/tls/private/`hostname --fqdn`-mysql.key -D
`dnsdomainname` -U id-kp-serverAuth -K mysql/`hostname --fqdn`
New signing request "20140915132335" added.

But it gets rejected:

Request ID '20140915132335':
         status: CA_REJECTED
         ca-error: Server denied our request, giving up: 2100 (RPC
failed at server.  Insufficient access: You need to be a member of the
serviceadmin role to add services).
         stuck: yes
         key pair storage:
         CA: IPA
         expires: unknown
         pre-save command:
         post-save command:
         track: yes
         auto-renew: yes

I think I have the serviceadmin role:

$ ipa role-show "it specialist"
   Role name: IT Specialist
   Description: IT Specialist
   Member groups: admins
   Privileges: Host Administrators, Host Group Administrators, Service
               Administrators, Automount Administrators

The account is member of group admins.

What am I doing wrong?

ipa-getcert runs using the host credentials, not the current user's. A host cannot add services, even its own. So you need to pre-create the mysql service then run getcert resubmit -i 20140915132335 and IPA should issue the cert.


Manage your subscription for the Freeipa-users mailing list:
Go To for more info on the project

Reply via email to