On Mon, Sep 15, 2014 at 5:03 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Natxo Asenjo wrote:
>> Centos 6.5.
>> I want to create a certificate request for our mysql servers. I came up
>> with this command line:
>> $ sudo /usr/bin/ipa-getcert request -r -f /etc/pki/tls/certs/`hostname
>> --fqdn`-mysql.crt -k /etc/pki/tls/private/`hostname --fqdn`-mysql.key -D
>> `dnsdomainname` -U id-kp-serverAuth -K mysql/`hostname --fqdn`
>> New signing request "20140915132335" added.
>> But it gets rejected:
>> Request ID '20140915132335':
>> status: CA_REJECTED
>> ca-error: Server denied our request, giving up: 2100 (RPC
>> failed at server. Insufficient access: You need to be a member of the
>> serviceadmin role to add services).
>> stuck: yes
>> key pair storage:
>> CA: IPA
>> expires: unknown
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>> I think I have the serviceadmin role:
>> $ ipa role-show "it specialist"
>> Role name: IT Specialist
>> Description: IT Specialist
>> Member groups: admins
>> Privileges: Host Administrators, Host Group Administrators, Service
>> Administrators, Automount Administrators
>> The account is member of group admins.
>> What am I doing wrong?
> ipa-getcert runs using the host credentials, not the current user's. A
> host cannot add services, even its own. So you need to pre-create the mysql
> service then run getcert resubmit -i 20140915132335 and IPA should issue
> the cert.
Yes! Thanks, I guess I had misunderstood how this should work. Now I have
the cert and the key and they are in the right place.
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project
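The fix Rob describes, pre-create the service principal and then resubmit the stuck certmonger request, written up as an added shell example (not code from the thread or the FreeIPA project). It assumes an admin Kerberos ticket is already held, the `ipa` and `getcert` CLIs from the thread, and a Linux `hostname --fqdn`; the sample `getcert list` output is constructed for the offline helper.

```shell
#!/bin/sh
# Added example: make ipa-getcert's rejected request succeed by creating
# the service the host credentials are not allowed to add, then resubmit.

# Pure helper: read `getcert list` output on stdin and print the IDs of
# requests the CA rejected (the ones that show "status: CA_REJECTED").
stuck_request_ids() {
    awk '
        /^[[:space:]]*Request ID/ { id = $0; gsub(/[^0-9]/, "", id) }
        /status: CA_REJECTED/    { print id }
    '
}

# Idempotent: only add the service principal when it is not there yet.
# Assumes the real `ipa service-show` / `ipa service-add` subcommands.
ensure_service() {
    if ! ipa service-show "$1" >/dev/null 2>&1; then
        ipa service-add "$1"
    fi
}

# Constructed sample of `getcert list` output, used only to show the helper.
SAMPLE_LIST="Request ID '20140915132335':
	status: CA_REJECTED
	stuck: yes
Request ID '20140915140000':
	status: MONITORING
	stuck: no"

demo_stuck_ids() {
    printf '%s\n' "$SAMPLE_LIST" | stuck_request_ids
}

# Real run: `sh fix-mysql-cert.sh --run` on the MySQL host, as an IPA admin.
if [ "${1:-}" = "--run" ]; then
    FQDN=$(hostname --fqdn)
    ensure_service "mysql/$FQDN"
    for id in $(getcert list | stuck_request_ids); do
        getcert resubmit -i "$id"
    done
fi
```

Only the rejected requests are resubmitted, so requests already in MONITORING are left untouched.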