On Mon, Sep 15, 2014 at 5:03 PM, Rob Crittenden <[email protected]> wrote:
> Natxo Asenjo wrote:
>>
>> hi,
>>
>> Centos 6.5.
>>
>> I want to create a certificate request for our mysql servers. I came up with this command line:
>>
>> $ sudo /usr/bin/ipa-getcert request -r -f /etc/pki/tls/certs/`hostname --fqdn`-mysql.crt -k /etc/pki/tls/private/`hostname --fqdn`-mysql.key -D `dnsdomainname` -U id-kp-serverAuth -K mysql/`hostname --fqdn`
>> New signing request "20140915132335" added.
>>
>> But it gets rejected:
>>
>> Request ID '20140915132335':
>>         status: CA_REJECTED
>>         ca-error: Server denied our request, giving up: 2100 (RPC failed at server. Insufficient access: You need to be a member of the serviceadmin role to add services).
>>         stuck: yes
>>         key pair storage: type=FILE,location='/etc/pki/tls/private/hostname-mysql.key'
>>         certificate: type=FILE,location='/etc/pki/tls/certs/hostname-mysql.crt'
>>         CA: IPA
>>         issuer:
>>         subject:
>>         expires: unknown
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>>
>> I think I have the serviceadmin role:
>>
>> $ ipa role-show "it specialist"
>>   Role name: IT Specialist
>>   Description: IT Specialist
>>   Member groups: admins
>>   Privileges: Host Administrators, Host Group Administrators, Service Administrators, Automount Administrators
>>
>> The account is a member of group admins.
>>
>> What am I doing wrong?
>>
>
> ipa-getcert runs using the host credentials, not the current user's. A host cannot add services, even its own. So you need to pre-create the mysql service, then run getcert resubmit -i 20140915132335 and IPA should issue the cert.

Yes! Thanks, I guess I had misunderstood how this should work. Now I have the cert and the key and they are in the right place.

--
regards,
natxo
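The fix Rob describes (certmonger submits with the host principal, which is not allowed to add service entries, so an admin pre-creates the service and the stuck request is resubmitted) can be wrapped in a small script. The following is an added example written for this thread, not code from the FreeIPA project or from either poster. It parses `getcert list` output to find requests rejected for exactly this reason, then issues `ipa service-add` and `getcert resubmit -i` for each one. The `getcert list` dump is a constructed sample modelled on the output quoted above; the hostname `db1.example.test` is a placeholder; commands are only echoed unless `RUN=1` is set, so it can be read and tested without an IPA server.

```shell
#!/bin/sh
# Added example (not from the thread): detect certmonger requests that IPA
# rejected because the host could not add its own service principal, and
# remediate as an admin by pre-creating the service and resubmitting.

# Constructed sample of `getcert list` output, modelled on the thread.
# One request is stuck with the serviceadmin error, one is healthy.
sample_getcert_list() {
cat <<'EOF'
Request ID '20140915132335':
        status: CA_REJECTED
        ca-error: Server denied our request, giving up: 2100 (RPC failed at server. Insufficient access: You need to be a member of the serviceadmin role to add services).
        stuck: yes
        key pair storage: type=FILE,location='/etc/pki/tls/private/db1.example.test-mysql.key'
        certificate: type=FILE,location='/etc/pki/tls/certs/db1.example.test-mysql.crt'
        CA: IPA
        track: yes
        auto-renew: yes
Request ID '20140901080000':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/etc/pki/tls/private/web.key'
        certificate: type=FILE,location='/etc/pki/tls/certs/web.crt'
        CA: IPA
        track: yes
        auto-renew: yes
EOF
}

# Read `getcert list` output on stdin; print the request IDs whose status is
# CA_REJECTED and whose ca-error is the "serviceadmin role" access denial.
# Other rejections (wrong CA, bad CSR, ...) are deliberately left alone,
# because adding a service would not fix them.
find_rejected_requests() {
  awk '
    function flush() { if (id != "" && status == "CA_REJECTED" && err) print id }
    /^Request ID/ { flush(); id = $3; gsub(/[^0-9]/, "", id); status = ""; err = 0 }
    /^[[:space:]]*status:/ { status = $2 }
    /serviceadmin role to add services/ { err = 1 }
    END { flush() }
  '
}

# Execute a command only when RUN=1; otherwise echo it prefixed with "+ ".
run() {
  if [ "${RUN:-0}" = "1" ]; then
    "$@"
  else
    echo "+ $*"
  fi
}

# $1 = certmonger request ID, $2 = service principal (e.g. mysql/db1.example.test)
# Must be run by a user who already holds a ticket (kinit) for an account with
# the Service Administrators privilege; the host keytab is not enough.
remediate() {
  # 1. Create the service entry the host is not permitted to create itself.
  run ipa service-add "$2"
  # 2. Ask certmonger to retry; the request keeps its key and file locations.
  run getcert resubmit -i "$1"
}

# Dry run over the constructed sample. On a real host, replace the sample
# with `getcert list`, pass the real principal, and set RUN=1.
for id in $(sample_getcert_list | find_rejected_requests); do
  remediate "$id" "mysql/db1.example.test"
done
```

Afterwards `getcert list -i <request id>` should show the status moving from CA_REJECTED to MONITORING; if it is still stuck, the ca-error line names the next problem.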
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
