Hello all,
I'm trying to issue some certificates via certmonger and I'm missing a permission somewhere.
The situation is thus:
I have a small docker swarm of containers which access storage volumes on an IPA-joined storage server (xstorage1 - Ubuntu 18.04) via NFS, stored on a ZFS array.
Some of these containers, in this case a WiFi controller, can ingest certificates dropped into their volumes.
I want to use the storage server to request and drop the certificate files for the controller (in this case called omada) directly into the docker volume for the container, so the storage server will manage renewals and the container just sees the cert files as normal.
On xstorage1 I used the following process to create the host, service and request the certificate:
kinit admin
ipa host-add omada.i.xrs444.net
ipa service-add HTTP://omada.i.xrs444.net
ipa service-add-host --hosts xstorage1.i.xrs444.net HTTP://omada.i.xrs444.net
ipa-getcert request -f /nasstore/containers/omada-data/cert.crt -k /nasstore/containers/omada-data/tls.key -r -K HTTP/omada.i.xrs444.net@I.XRS444.NET -N 'CN=omada.i.xrs444.net,O=I.XRS444.NET' -D omada.i.xrs444.net -C "/usr/local/bin/catcerts.sh /nasstore/containers/omada-data/cert.crt /etc/ipa/ca.crt //nasstore/containers/omada-data/tls.crt"
(The -C is calling a script to concatenate the cert chain into one file)
This appears to process without error, but when I run ipa-getcert list I see the following error:
Request ID '20201019194610': status: CA_REJECTED ca-error: Server at https://xipa1.i.xrs444.net/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'add' privilege to add the entry 'krbprincipalname=HTTP/omada.i.xrs444.net@I.XRS444.NET,cn=services,cn=accounts,dc=i,dc=xrs444,dc=net'.).
In the GUI of xipa1 (IPA Server) I can see the host and service, with xstorage1 listed in the 'managed by' tab for both.
I tried from another host with the same results.
What have I missed? I'm sure I've done this before a while back, but I can't recall how I did it. Looking through guides online I can't see a step I've skipped.
Thomas
Thomas Letherby via FreeIPA-users wrote:
You added service HTTP: (with a colon) and you're requesting HTTP with no colon.
rob
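The mismatch Rob points out (service added as HTTP://omada..., certificate requested for HTTP/omada...@REALM) produces an unhelpful "Insufficient 'add' privilege" error because the CA, finding no service entry under the principal named in -K, tries to add one on the requesting host's behalf, and a host principal is not allowed to do that. The following POSIX sh functions are an added example, not code from the thread or from FreeIPA: they sanity-check a principal's shape (SERVICE/fqdn@REALM, no URL scheme) and confirm that the name given to ipa service-add and the -K value given to ipa-getcert are identical, before either command is run. The host and realm names are the ones from the thread; the function names are my own.

```shell
#!/bin/sh
# Added example: local pre-flight checks for an IPA service principal,
# so a URL-style typo (HTTP://host) is rejected here rather than by the CA.

# check_principal PRINCIPAL
# Returns 0 if PRINCIPAL looks like SERVICE/fqdn@REALM where
#   SERVICE contains only letters, digits or '-' (so no ':' or '/'),
#   fqdn is a lower-case name with at least one dot, and
#   REALM is upper-case. Prints a reason on stderr and returns 1 otherwise.
check_principal() {
    p=$1
    case $p in
        *://*) echo "'$p': looks like a URL (scheme://), want SERVICE/host@REALM" >&2; return 1 ;;
    esac
    svc=${p%%/*}            # text before the first '/'
    rest=${p#*/}            # text after the first '/'
    if [ "$svc" = "$p" ] || [ -z "$svc" ]; then
        echo "'$p': missing SERVICE/ prefix" >&2; return 1
    fi
    case $svc in
        *[!A-Za-z0-9-]*) echo "'$p': service '$svc' has invalid characters" >&2; return 1 ;;
    esac
    host=${rest%@*}         # text before the last '@'
    realm=${rest##*@}       # text after the last '@'
    if [ "$host" = "$rest" ] || [ -z "$realm" ]; then
        echo "'$p': missing @REALM" >&2; return 1
    fi
    case $host in
        *.*) ;;
        *) echo "'$p': host '$host' is not fully qualified" >&2; return 1 ;;
    esac
    case $host in
        *[A-Z]*) echo "'$p': host '$host' should be lower-case" >&2; return 1 ;;
    esac
    case $realm in
        *[a-z]*) echo "'$p': realm '$realm' should be upper-case" >&2; return 1 ;;
    esac
    return 0
}

# same_principal ADDED REQUESTED
# The principal passed to `ipa service-add` and the -K value passed to
# `ipa-getcert request` must match byte for byte; any difference means the
# CA will look for (and try to create) an entry that does not exist.
same_principal() {
    [ "$1" = "$2" ]
}

# Usage with the thread's values (constructed calls; nothing is sent to IPA):
good='HTTP/omada.i.xrs444.net@I.XRS444.NET'
typo='HTTP://omada.i.xrs444.net'
check_principal "$good" && echo "ok: $good"
check_principal "$typo" || echo "rejected: $typo"
same_principal "$good" "$good" && echo "service-add and -K agree"
same_principal "$typo" "$good" || echo "service-add and -K differ, fix before requesting"
```

Run the two checks on the exact strings you are about to pass to ipa service-add and to ipa-getcert -K; if either check fails, correct the name before creating the service, because a service created under a misspelt principal has to be removed again (ipa service-del) once the typo is noticed.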
And now I feel a bit silly...
Thanks for spotting that, it appears I type :// automatically after the letters http!
Making it HTTP/ all the way through seems to have done the trick, thanks again!
Thomas
On Mon, Oct 19, 2020 at 5:56 PM Rob Crittenden rcritten@redhat.com wrote:
You added service HTTP: (with a colon) and you're requesting HTTP with no colon.
rob
freeipa-users@lists.fedorahosted.org