Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1251225
Description of problem: On an IPA Master running on RHEL7.1, I upgrade to 7.2 and now I cannot by default request certs for service principals: [root@rhel7-9 ~]# ipa cert-request --add --principal=EXAMPLE/$(hostname) /tmp/cert-req.csr ipa: ERROR: Insufficient access: Principal 'EXAMPLE/rhel7-9.example.com' is not permitted to use CA '.' with profile 'caIPAserviceCert' for certificate issuance. For the new default CAACL created during upgrade I see this: [root@rhel7-9 ~]# ipa caacl-find ---------------- 1 CA ACL matched ---------------- ACL name: hosts_services_caIPAserviceCert Enabled: TRUE User category: all Host category: all Profiles: caIPAserviceCert ---------------------------- Number of entries returned 1 ---------------------------- Version-Release number of selected component (if applicable): ipa-server-4.2.0-3.el7.x86_64 How reproducible: always Steps to Reproduce: 1. Install IPA Master on RHEL7.1 2. Upgrade to IPA version 4.2 (update to RHEL7.2) 3. Attempt to request a service cert: cat > /tmp/cert-req.conf <<EOF [ req ] default_bits = 2048 default_keyfile = /tmp/cert-req.key distinguished_name = test_key_file prompt = no output_password = .. [ test_key_file ] C = US ST = CA L = SFO O = RedHat Technology OU = RedHat IT CN = rhel7-9.example.com EOF openssl req -new -config /tmp/cert-req.conf -out /tmp/cert-req.csr ipa cert-request --add --principal=EXAMPLE/$(hostname) /tmp/cert-req.csr Actual results: ipa: ERROR: Insufficient access: Principal 'EXAMPLE/rhel7-9.example.com' is not permitted to use CA '.' with profile 'caIPAserviceCert' for certificate issuance. Expected results: I expected this to work as it did in RHEL7.1 but, now I'm not sure. I need confirmation here. Additional info:
attachment freeipa-ftweedal-0033-Fix-default-CA-ACL-added-during-upgrade.patch
master:
ipa-4-2:
Metadata Update from @jcholast: - Issue assigned to ftweedal - Issue set to the milestone: FreeIPA 4.2.1
Login to comment on this ticket.