#4540 Report better error when certmonger tries to add SAN service
Closed: Fixed None Opened 7 years ago by mkosek.

When certmonger tries to request a certificate for a service principal, it always does it with the add=True option. This instructs the cert-req command to create a new service, for which the hosts usually do not have privileges, and it usually ends with error messages like:

# ipa-getcert request -d /etc/httpd/nssdb -n Server-Cert -K test/`hostname` -N
CN=`hostname`,O=EXAMPLE.COM -D san.host.example.test -g 2048
New signing request "20140915143901" added.

# ipa-getcert list -i 20140915143901
Number of certificates and requests being tracked: 8.
Request ID '20140915143901':
    status: CA_REJECTED
    ca-error: Server at https://ipa.mkosek-fedora20.test/ipa/xml denied our
request, giving up: 2100 (RPC failed at server.  Insufficient access: You need
to be a member of the serviceadmin role to add services).
    stuck: yes
...

Users can easily be confused by the error, as they are not aware of these internal mechanics. This has already resulted in 2 user confusions ([thread 1], http://www.redhat.com/archives/freeipa-users/2014-September/msg00252.html thread 2).

We should either improve the error message or change the mechanics.
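A small parser for the `ipa-getcert list` output quoted above, added here as an illustration and not part of the ticket, certmonger or FreeIPA: it handles the wrapped ca-error lines and flags requests stuck in CA_REJECTED with the "serviceadmin role" denial, which is how an admin can recognize the add=True cause described in this report. The sample output, the second request id and the hostname are constructed.

```python
import re

# Constructed sample modelled on the `ipa-getcert list` output in the ticket;
# the second request id and the hostname are placeholders, not real tracking data.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20140915143901':
    status: CA_REJECTED
    ca-error: Server at https://ipa.example.test/ipa/xml denied our
request, giving up: 2100 (RPC failed at server.  Insufficient access: You need
to be a member of the serviceadmin role to add services).
    stuck: yes
Request ID '20140915150000':
    status: MONITORING
    stuck: no
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
FIELD_RE = re.compile(r"^ {4}([a-z-]+): (.*)$")
SERVICEADMIN_RE = re.compile(r"Insufficient access:.*serviceadmin role to add services")


def parse_getcert_list(text):
    """Parse `ipa-getcert list` output into {request_id: {field: value}}.

    certmonger wraps long ca-error messages onto unindented lines, so any line
    that is neither a request header nor an indented field is appended to the
    field that came before it.
    """
    requests, current, last_field = {}, None, None
    for line in text.splitlines():
        header = REQUEST_RE.match(line)
        if header:
            current = requests.setdefault(header.group(1), {})
            last_field = None
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:
            last_field = field.group(1)
            current[last_field] = field.group(2)
        elif current is not None and last_field is not None:
            current[last_field] += " " + line.strip()
    return requests


def find_service_add_rejections(text):
    """Ids of requests the CA rejected because the host may not add services.
    This is the ticket's failure mode: cert-request sent with add=True by a host
    that is not in the serviceadmin role."""
    return sorted(rid for rid, f in parse_getcert_list(text).items()
                  if f.get("status") == "CA_REJECTED"
                  and SERVICEADMIN_RE.search(f.get("ca-error", "")))
```

Running it on the sample returns `['20140915143901']`; the MONITORING request is left alone.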


I've been looking into changing the mechanics. It is probably ok for a host to be able to create its own services.

The ACI for this is rather tricky and depends on a fix in 389-ds 1.3.2, https://fedorahosted.org/389/ticket/47894.

This is the ACI I'm experimenting with. So far so good but I haven't fully tested it:

dn: cn=services,cn=accounts,dc=example,dc=com
changetype: modify
add: aci
aci: (targetattr = "*") (version 3.0;acl "Allow host to add its own services"; allow (add) userattr = "managedby#SELFDN" ; )

I should add that the fix for SAN is a bit different, as in that case the error is the same but for different reasons (adding a service to a host that doesn't exist, isn't you or isn't managed by you).

Related ticket: https://fedorahosted.org/freeipa/ticket/4567

Note that the fix to allow a host to add its own certificate may require an ACI extension - https://fedorahosted.org/389/ticket/47904.

Given this is just an error message fix in the end, we can fix it in 4.0.x, as the SAN feature was introduced in this release.

master:

  • 8e602ea Remove misleading authorization error message in cert-request with --add

ipa-4-1:

  • ed5ffbf Remove misleading authorization error message in cert-request with --add

ipa-4-0:

  • 80da03a Remove misleading authorization error message in cert-request with --add

Metadata Update from @mkosek:
- Issue assigned to jcholast
- Issue set to the milestone: FreeIPA 4.0.4

4 years ago
