Hello,

On Tuesday, 14 April 2015, 14:29:58, Nalin Dahyabhai wrote:
> On Tue, Apr 14, 2015 at 08:18:38PM +0200, Günther J. Niederwimmer wrote:
> > Hello
> >
> > I mean I have a problem with the ipa-getcert script.
> >
> > System: CentOS 7 (1503) and IPA 4.1.x
> >
> > Can anyone help or explain my mistake, or is this an IPA problem?
> >
> > I do a
> >
> > kinit admin
> >
> > ipa-getcert request -d /etc/pki/nssdb -n Server-Cert -K HOST/xxx.4gjn.prv -N 'CN=xxx.4gjn.prv,O=$4GJN.PRV'
> >
> > and afterwards have, with
> > ipa-getcert list
> >
> > Number of certificates and requests being tracked: 1.
> >
> > Request ID '20150414172251':
> > status: CA_REJECTED
> > ca-error: Server at https://ipa.4gjn.prv/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'add' privilege to add the entry 'krbprincipalname=HOST/[email protected],cn=services,cn=accounts,dc=4gjn,dc=prv'.).
> > stuck: yes
> >
> > key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
> > certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
> > CA: IPA
> > issuer:
> > subject:
> > expires: unknown
> > pre-save command:
> > post-save command:
> > track: yes
> > auto-renew: yes
>
> The server rejected the request because no service with the Kerberos
> principal name in the request exists yet.
>
> The "host" service is the one that's automatically created, and because
> Kerberos principal names are case sensitive, "HOST" is seen as being
> different from "host". The certmonger service uses the local host's
> credentials in /etc/krb5.keytab to authenticate when it sends the
> request to the CA (so you could skip the kinit step above), and the host
> doesn't have the necessary privileges to create a new service, and
> that's why that particular error message is coming back from the server.
>
> > ipa-getcert status
> > process 4731: arguments to dbus_message_new_method_call() were incorrect, assertion "path != NULL" failed in file dbus-message.c line 1262.
> > This is normally a bug in some application using the D-Bus library.
> >
> > D-Bus not built with -rdynamic so unable to print a backtrace
> >
> > Aborted (core dumped)
>
> That's a bug in ipa-getcert. It should be producing an error message,
> suggesting that you'd need to specify additional options to indicate
> which request you wanted to check the status on, like so:
> getcert status -i 20150414172251
> getcert status -d /etc/pki/nssdb -n Server-Cert
>
> I suggest 'ipa-getcert resubmit -i 20150414172251 -K host/xxx.4gjn.prv'
> (note the lower case) to change the parameters in the certificate
> request, which should be enough to satisfy the server's requirements.
Thank you for the answer and help. I mean this is working now ;) after some --uninstall and deleting the certificate (?). The wrong command I found with Google :-(.

The status command is not working on my system!

--
Kind regards / best regards,
Günther J. Niederwimmer

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
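The failure above comes from a case mismatch: certmonger authenticates to the IPA server with the host keytab, and the only service principal the host is allowed to request a certificate for is the one it already owns (host/<fqdn>, lower case), so a request for HOST/<fqdn> turns into an attempt to add a new service that the host has no privilege to create. The pre-flight check below is an added example, not a script from the thread or from the FreeIPA/certmonger projects: it lower-cases the service type of the requested principal, confirms that principal is actually present in a keytab listing, and only then prints the ipa-getcert command to run. The keytab listing is a constructed sample in the format `klist -kt /etc/krb5.keytab` prints, and the realm 4GJN.PRV in it is an assumption; the function names are hypothetical.

```shell
#!/bin/sh
# Pre-flight check for an ipa-getcert request (added example, not from the thread).
# Assumptions: `klist -kt` output layout (KVNO, date, time, principal per entry line)
# and a realm of 4GJN.PRV in the constructed sample listing below.

# Constructed sample of `klist -kt /etc/krb5.keytab` output; not captured from a real host.
SAMPLE_KEYTAB='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 04/14/2015 19:22:51 host/xxx.4gjn.prv@4GJN.PRV
   1 04/14/2015 19:22:51 host/xxx.4gjn.prv@4GJN.PRV'

# Kerberos principal names are case-sensitive: IPA creates "host/<fqdn>", never
# "HOST/<fqdn>". Lower-case only the service type (the part before the first "/")
# and leave the host name exactly as given.
normalize_principal() {
    princ="$1"
    case "$princ" in
        */*) ;;
        *) printf '%s\n' "$princ"; return 0 ;;
    esac
    svc="${princ%%/*}"
    rest="${princ#*/}"
    printf '%s/%s\n' "$(printf '%s' "$svc" | tr '[:upper:]' '[:lower:]')" "$rest"
}

# Return 0 if the keytab listing ($1) contains an entry whose principal, with the
# @REALM suffix stripped, is exactly $2. Entry lines have four fields; the header
# lines of klist output have fewer and are skipped.
keytab_has_principal() {
    listing="$1"
    princ="$2"
    printf '%s\n' "$listing" | awk -v p="$princ" '
        NF >= 4 { split($NF, a, "@"); if (a[1] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Print the request command certmonger can satisfy with the host keytab, or fail
# with a diagnostic if the (normalized) principal is not in the keytab at all.
preflight_request() {
    listing="$1"; db="$2"; nick="$3"; requested="$4"; subject="$5"
    princ=$(normalize_principal "$requested")
    if [ "$princ" != "$requested" ]; then
        printf 'note: rewriting %s as %s (service type must be lower case)\n' \
            "$requested" "$princ" >&2
    fi
    if ! keytab_has_principal "$listing" "$princ"; then
        printf 'error: %s is not in the keytab; the host cannot request a cert for it\n' \
            "$princ" >&2
        return 1
    fi
    printf "ipa-getcert request -d %s -n %s -K %s -N '%s'\n" \
        "$db" "$nick" "$princ" "$subject"
}

# Demo using the principal from the thread: prints the corrected command.
preflight_request "$SAMPLE_KEYTAB" /etc/pki/nssdb Server-Cert \
    HOST/xxx.4gjn.prv 'CN=xxx.4gjn.prv,O=4GJN.PRV'
```

For a request that is already tracked, the same corrected principal goes into `ipa-getcert resubmit -i <request-id> -K host/<fqdn>` as suggested in the reply, rather than into a fresh request.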
