I would like to use FreeIPA as an external CA for Puppet as described in http://www.freeipa.org/page/Using_IPA%27s_CA_for_Puppet.
But I am not able to request a certificate for the puppetmaster.
My user has these privileges:
memberofindirect: cn=replication administrators,cn=privileges,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=add replication agreements,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=modify replication agreements,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=remove replication agreements,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=modify dna range,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=host enrollment,cn=privileges,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=manage host keytab,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=enroll a host,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=add krbprincipalname to a host,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=unlock user accounts,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=manage service keytab,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=host administrators,cn=privileges,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=add hosts,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=remove hosts,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=modify hosts,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=manage host ssh public keys,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=retrieve certificates from the ca,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=revoke certificate,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=host group administrators,cn=privileges,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=add hostgroups,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=remove hostgroups,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=modify hostgroups,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=modify hostgroup membership,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=service administrators,cn=privileges,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=add services,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=remove services,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=modify services,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=automount administrators,cn=privileges,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=add automount maps,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=remove automount maps,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=modify automount maps,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=add automount keys,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=modify automount keys,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=remove automount keys,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
This is what I call to request the certificate:
ipa-getcert request -K puppetmaster/$(hostname --fqdn) -d /etc/httpd/alias -n puppetmaster/$(hostname --fqdn)
This is the error message as shown in "ipa-getcert list"
ca-error: Server denied our request, giving up: 2100 (RPC failed at server. Insufficient access: You need to be a member of the serviceadmin role to add services).
The system is running CentOS 7.
Note that the ipa-getcert command contacts certmonger which runs with host/your.host.fqdn privileges only. The host is not allowed to add the service object itself.
Try adding the service in advance with your admin user first, before calling ipa-getcert:
$ ipa service-add puppetmaster/$(hostname --fqdn)
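The sequence from this answer as an added shell example (not from the ticket or the FreeIPA project): the admin creates the service entry first, since certmonger only holds the host credential, and a small parser reads the ca-error back out of `ipa-getcert list` so a failed request is noticed. It assumes an admin Kerberos ticket, the NSS database path from the ticket, and constructed sample listing output.

```shell
#!/bin/bash
# Added example, not from the ticket: add the service principal before
# certmonger requests the puppetmaster certificate, then read back any
# ca-error from 'ipa-getcert list'. Assumes 'kinit admin' was done and
# the NSS database path used in the ticket (/etc/httpd/alias).
set -e

# certmonger runs as host/<fqdn>, which may not add service objects
# (hence the "serviceadmin" error), so the admin creates it up front.
ensure_service() {
  local principal="$1"
  if ipa service-show "$principal" >/dev/null 2>&1; then
    echo "service $principal already exists"
  else
    ipa service-add "$principal"
  fi
}

# The ticket's request, issued only after the service entry exists.
request_puppet_cert() {
  local principal="puppetmaster/$(hostname --fqdn)"
  ensure_service "$principal"
  ipa-getcert request -K "$principal" -d /etc/httpd/alias -n "$principal"
}

# Print the ca-error of the tracked request whose NSS nickname matches;
# return 1 when that request has no ca-error. Works on saved output too.
ca_error_for() {
  local listing="$2" pat="nickname='$1'"
  printf '%s\n' "$listing" | awk -v pat="$pat" '
    function flush() { if (hit && err != "") { print err; found = 1 }; hit = 0; err = "" }
    /^Request ID/ { flush() }
    /^[[:space:]]*ca-error:/ { sub(/^[[:space:]]*ca-error:[[:space:]]*/, ""); err = $0 }
    index($0, pat) { hit = 1 }
    END { flush(); exit(found ? 0 : 1) }'
}

# Constructed sample of 'ipa-getcert list' output with two tracked requests.
SAMPLE_LIST="Number of certificates and requests being tracked: 2.
Request ID '20150101000000':
    status: MONITORING
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='HTTP/puppet.example.test',token='NSS Certificate DB'
    CA: IPA
Request ID '20150101000001':
    status: CA_UNREACHABLE
    ca-error: Server denied our request, giving up: 2100 (RPC failed at server. Insufficient access: You need to be a member of the serviceadmin role to add services).
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='puppetmaster/puppet.example.test',token='NSS Certificate DB'
    CA: IPA"

ca_error_for 'puppetmaster/puppet.example.test' "$SAMPLE_LIST"
```

Run `request_puppet_cert` on the puppetmaster with an admin ticket; `ca_error_for` can be pointed at live `ipa-getcert list` output afterwards.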
Yes, I missed the very first step from the documentation in the link.
So... Is it working now?
Yes, the ticket can be closed.
Thanks. I referenced this ticket from #4567 which should hopefully resolve this eventually.
Metadata Update from @schlitzered: - Issue assigned to someone - Issue set to the milestone: 0.0 NEEDS_TRIAGE