On 09/15/2014 05:01 PM, Martin Kosek wrote:
> On 09/15/2014 03:31 PM, Natxo Asenjo wrote:
>> hi,
>>
>> Centos 6.5.
>>
>> I want to create a certificate request for our mysql servers. I came up
>> with this command line:
>>
>> $ sudo /usr/bin/ipa-getcert request -r -f /etc/pki/tls/certs/`hostname --fqdn`-mysql.crt -k /etc/pki/tls/private/`hostname --fqdn`-mysql.key -D `dnsdomainname` -U id-kp-serverAuth -K mysql/`hostname --fqdn`
>> New signing request "20140915132335" added.
>>
>> But it gets rejected:
>>
>> Request ID '20140915132335':
>>         status: CA_REJECTED
>>         ca-error: Server denied our request, giving up: 2100 (RPC failed at server. Insufficient access: You need to be a member of the serviceadmin role to add services).
>>         stuck: yes
>>         key pair storage: type=FILE,location='/etc/pki/tls/private/hostname-mysql.key'
>>         certificate: type=FILE,location='/etc/pki/tls/certs/hostname-mysql.crt'
>>         CA: IPA
>>         issuer:
>>         subject:
>>         expires: unknown
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>>
>> I think I have the serviceadmin role:
>>
>> $ ipa role-show "it specialist"
>>   Role name: IT Specialist
>>   Description: IT Specialist
>>   Member groups: admins
>>   Privileges: Host Administrators, Host Group Administrators, Service Administrators, Automount Administrators
>>
>> The account is a member of group admins.
>>
>> What am I doing wrong?
>>
>> Thanks!
>> --
>> Groeten,
>> natxo
>>
>
> It seems you hit the same issue as Michael. See my response:
> https://www.redhat.com/archives/freeipa-users/2014-September/msg00256.html
>
> You will need to
>
> 1) Create host `domainname`
> 2) Create services
>    * mysql/`hostname`
>    * mysql/`domainname`
> 3) Run ipa service-add-host mysql/`domainname` --host mysql/`hostname`
> 4) Resubmit certificate
>
> It looks like we need to do better in documentation & error message...
FYI - I filed https://fedorahosted.org/freeipa/ticket/4540 to improve the message.

> Oh and BTW, this only works with FreeIPA 4.0+, details in ticket
> https://fedorahosted.org/freeipa/ticket/3977.
>
> Martin
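The four steps Martin lists, written out as one POSIX shell script. This is an added example, not code from the thread or from the FreeIPA project. The MySQL host name db1.example.test, the extra DNS name example.test, the DRY_RUN switch and the helper names (build_plan, run_plan, plan_length) are assumptions made for the illustration; the ipa verbs and flags are the standard ones (ipa host-add/service-add with --force to skip the DNS check, ipa service-add-host with --hosts= naming the managing host's FQDN, and ipa-getcert resubmit -i for an existing stuck request). The script prints the plan by default and only executes it when DRY_RUN=0, so the sequence can be reviewed before it touches the IPA server.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): pre-create the host and
# service entries certmonger needs, then request or resubmit the certificate.
# Assumed values; override them in the environment for a real deployment.
FQDN="${FQDN:-db1.example.test}"    # assumption: the MySQL host's FQDN
SAN="${SAN:-example.test}"          # assumption: extra DNS name (the -D SAN)
SERVICE="${SERVICE:-mysql}"         # service type used in the principal
REQUEST_ID="${REQUEST_ID:-}"        # set to an existing stuck request ID to resubmit
DRY_RUN="${DRY_RUN:-1}"             # 1 = print only, 0 = execute

# Print the commands, one per line, in the order they must run.
# Args: fqdn san service [request_id]
build_plan() {
  fqdn="$1"; san="$2"; svc="$3"; reqid="$4"
  # Step 1: a host entry for the SAN name so a service can hang off it.
  printf 'ipa host-add %s --force\n' "$san"
  # Step 2: service principals for both names.
  printf 'ipa service-add %s/%s --force\n' "$svc" "$fqdn"
  printf 'ipa service-add %s/%s --force\n' "$svc" "$san"
  # Step 3: let the real host manage the SAN service (certmonger runs as the
  # host principal, so this is what lets it obtain the certificate).
  printf 'ipa service-add-host %s/%s --hosts=%s\n' "$svc" "$san" "$fqdn"
  # Step 4: resubmit the stuck request, or start a fresh one.
  if [ -n "$reqid" ]; then
    printf 'ipa-getcert resubmit -i %s\n' "$reqid"
  else
    printf 'ipa-getcert request -r -f /etc/pki/tls/certs/%s-%s.crt -k /etc/pki/tls/private/%s-%s.key -D %s -U id-kp-serverAuth -K %s/%s\n' \
      "$fqdn" "$svc" "$fqdn" "$svc" "$san" "$svc" "$fqdn"
  fi
}

# Number of commands in the plan; a quick sanity check before execution.
plan_length() { build_plan "$@" | wc -l | tr -d ' '; }

# Run each command unless DRY_RUN=1, stopping at the first failure so a
# half-applied sequence is visible rather than silently skipped.
run_plan() {
  build_plan "$@" | while IFS= read -r cmd; do
    printf '+ %s\n' "$cmd"
    if [ "$DRY_RUN" != "1" ]; then
      sh -c "$cmd" || { printf 'failed: %s\n' "$cmd" >&2; exit 1; }
    fi
  done
}

run_plan "$FQDN" "$SAN" "$SERVICE" "$REQUEST_ID"
```

Run it first with the default DRY_RUN=1 and read the printed plan, then with DRY_RUN=0 from a shell holding an admin Kerberos ticket (ipa-getcert itself needs root). As Martin notes, the service-add-host approach only works on FreeIPA 4.0 or later; on an older server the request will keep being rejected.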
