#4918 Cannot Request Certificate for Service
Closed: Invalid None Opened 6 years ago by schlitzered.

I would like to use FreeIPA as a external CA for Puppet as described in http://www.freeipa.org/page/Using_IPA%27s_CA_for_Puppet.

But I am not able to request a certificate for the puppetmaster.

My user has these privileges:

memberofindirect: cn=replication administrators,cn=privileges,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=add replication agreements,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=modify replication agreements,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=remove replication agreements,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=modify dna range,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=host enrollment,cn=privileges,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=manage host keytab,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=enroll a host,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=add krbprincipalname to a host,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=unlock user accounts,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=manage service keytab,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=host administrators,cn=privileges,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=add hosts,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=remove hosts,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=modify hosts,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=manage host ssh public keys,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=retrieve certificates from the ca,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=revoke certificate,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=host group administrators,cn=privileges,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=add hostgroups,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=remove hostgroups,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=modify hostgroups,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=modify hostgroup membership,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=service administrators,cn=privileges,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=add services,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=remove services,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=modify services,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=automount administrators,cn=privileges,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=add automount maps,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=remove automount maps,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=modify automount maps,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=add automount keys,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=modify automount keys,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=remove automount keys,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services

This is what I call to request the certificate:

ipa-getcert request -K puppetmaster/$(hostname --fqdn) -d /etc/httpd/alias -n puppetmaster/$(hostname --fqdn)

This is the error message as shown in "ipa-getcert list":

ca-error: Server denied our request, giving up: 2100 (RPC failed at server. Insufficient access: You need to be a member of the serviceadmin role to add services).


The system is running CentOS 7.

Note that the ipa-getcert command contacts certmonger which runs with host/your.host.fqdn privileges only. The host is not allowed to add the service object itself.

Try adding the service in advance with your admin user first, before calling ipa-getcert:

$ ipa service-add puppetmaster/$(hostname --fqdn)
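The point of the reply above is a privilege boundary: certmonger authenticates to the IPA server with the host keytab (host/your.host.fqdn), and a host principal is not a member of the Service Administrators role, so the server rejects the implicit service-add. The administrator creates the service entry up front, and the host then only needs the certificate request permission it already has. The following script, an added example that is neither the ticket author's nor FreeIPA's own code, wraps that ordering: it checks for the service entry, creates it with the caller's (admin) credentials if missing, and only then hands the request to certmonger. It assumes the `ipa` and `ipa-getcert` CLIs are installed and an admin Kerberos ticket is present; the IPA_CMD and GETCERT_CMD variables are hypothetical overrides so the control flow can be exercised without a live server.

```shell
#!/bin/sh
# Added example (not from the ticket or the FreeIPA project): pre-create the
# service entry with admin credentials before handing the certificate request
# to certmonger, which holds only the host keytab and cannot add services.
# Assumptions: `ipa` and `ipa-getcert` are installed and `kinit admin` (or an
# equivalent Service Administrators identity) has been run. IPA_CMD and
# GETCERT_CMD are hypothetical overrides for exercising the logic offline.
IPA_CMD="${IPA_CMD:-ipa}"
GETCERT_CMD="${GETCERT_CMD:-ipa-getcert}"

# Return 0 if the service principal ($1) already exists in IPA.
service_exists() {
    "$IPA_CMD" service-show "$1" >/dev/null 2>&1
}

# Create the service entry for $1 if it is missing. This is the step the host
# principal cannot perform, so it must run with administrator credentials.
# Return 0 when the entry exists afterwards, non-zero otherwise.
ensure_service() {
    if service_exists "$1"; then
        echo "service $1 already exists" >&2
        return 0
    fi
    echo "service $1 missing; adding it with the current credentials" >&2
    "$IPA_CMD" service-add "$1" >/dev/null
}

# Request the certificate only once the service entry is in place.
# $1 = service principal (e.g. puppetmaster/$(hostname --fqdn))
# $2 = NSS database directory (defaults to /etc/httpd/alias as in the ticket)
# Returns the exit status of ipa-getcert, or 1 if the service could not be ensured.
request_cert() {
    ensure_service "$1" || return 1
    "$GETCERT_CMD" request -K "$1" -d "${2:-/etc/httpd/alias}" -n "$1"
}
```

Typical use on the puppetmaster after `kinit admin` is `request_cert "puppetmaster/$(hostname --fqdn)"`; the admin ticket is only needed for the service-add step, and certmonger continues to track and renew the certificate with the host's own credentials afterwards, which is why this ordering keeps the host principal unprivileged.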

yes, I missed the very first step from the documentation in the link.

So... Is it working now?

Yes, the ticket can be closed.

Thanks. I referenced this ticket from #4567 which should hopefully resolve this eventually.

Metadata Update from @schlitzered:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

4 years ago

