Brian Topping wrote:
I've been trying to work through the instructions at
https://www.freeipa.org/page/Apache_SNI_With_Kerberos and have not been having
much luck. I've followed the instructions there exactly, ending with the
ipa-getcert request -r -f /etc/httpd/certs/example.crt -k
/etc/httpd/certs/example.key -N CN=www.example.com -D www.example.com -K
but I keep getting the following:
ca-error: Server at https://ipa.example.com/ipa/xml denied our request, giving
up: 2100 (RPC failed at server. Insufficient access: not allowed to perform
What's interesting is it creates the private key file but the certificate
fails. I cannot find anything in the logs on either the ipa or the client
machine that would indicate what that failure is.
Does anyone recognize this situation where the key file is created but the
certificate is not created?
Key generation is done locally.
The failure is pretty clear, your host isn't allowed to do this:
Insufficient access: not allowed to perform this command
The Apache error log should contain this error as well.
What version of IPA is this?
And more information on what you're doing is needed, obfuscate as
needed, but what host are you running this on? I assume you want to
create an SNI for www.example.com on <somerandomname>.example.com?
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project