Issue #4918: Cannot Request Certificate for Service - freeipa

freeipa

#4918 Cannot Request Certificate for Service

Closed: Invalid None Opened 9 years ago by schlitzered.

I would like to use FreeIPA as a external CA for Puppet as described in http://www.freeipa.org/page/Using_IPA%27s_CA_for_Puppet.

But i am not able to request a Certificate for the puppetmaster.

My user has these privileges:

memberofindirect: cn=replication administrators,cn=privileges,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=add replication agreements,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=modify replication agreements,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=remove replication agreements,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=modify dna range,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=host enrollment,cn=privileges,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=manage host keytab,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=enroll a host,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=add krbprincipalname to a host,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=unlock user accounts,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=manage service keytab,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=host administrators,cn=privileges,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=add hosts,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=remove hosts,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=modify hosts,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=manage host ssh public keys,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=retrieve certificates from the ca,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=revoke certificate,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=host group administrators,cn=privileges,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=add hostgroups,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=remove hostgroups,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=modify hostgroups,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=modify hostgroup membership,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=service administrators,cn=privileges,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=add services,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=remove services,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=modify services,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=automount administrators,cn=privileges,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=add automount maps,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=remove automount maps,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=modify automount maps,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=add automount keys,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=modify automount keys,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services
memberofindirect: cn=remove automount keys,cn=permissions,cn=pbac,dc=playground1,dc=aws,dc=shopgate,dc=services

This is what i call to request the certificate:

ipa-getcert request -K puppetmaster/$(hostname --fqdn) -d /etc/httpd/alias -n puppetmaster/$(hostname --fqdn)

This is the error message as shown in "ipa-getcert list"

ca-error: Server denied our request, giving up: 2100 (RPC failed at server. Insufficient access: You need to be a member of the serviceadmin role to add services).

schlitzered commented 9 years ago

The system is runnig Centos 7

mkosek commented 9 years ago

Note that the ipa-getcert command contacts certmonger which runs with host/your.host.fqdn privileges only. The host is not allowed to add the service object itself.

Try adding the service in advance with your admin user first, before calling ipa-getcert:

$ ipa service-add puppetmaster/$(hostname --fqdn)

schlitzered commented 9 years ago

yes, I missed the very first step from the documentation in the link.

mkosek commented 9 years ago

So... Is it working now?

schlitzered commented 9 years ago

Yes, the Ticket can be closed

mkosek commented 9 years ago

Thanks. I referenced this ticket from #4567 which should hopefully resolve this eventually.

Metadata Update from @schlitzered:
- Issue assigned to someone
- Issue set to the milestone: 0.0 NEEDS_TRIAGE

7 years ago

Metadata

Assignee

someone

Tags

None

Blocking

None

Depending on

None

Priority

normal

Milestone

0.0 NEEDS_TRIAGE

None

affects_doc

None

source

None

knownissue

None

type

defect

blockedby

None

test_case

None

component

Access control

blocking

None

on_review

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

tester

None

changelog

None

design

None

freeipa

Source Code

#4918 Cannot Request Certificate for Service Closed: Invalid None Opened 9 years ago by schlitzered.

Metadata

#4918 Cannot Request Certificate for Service

Closed: Invalid None Opened 9 years ago by schlitzered.