I'm trying to issue some certificates via certmonger and I'm missing a
The situation is thus:
I have a small docker swarm of containers which access storage volumes on a
IPA-joined storage server (xstorage1 - Ubuntu 18.04) via NFS, stored on a
Some of these containers, in this case a WiFi controller can ingest
certificates dropped into their volumes.
I want to use the storage server to request and drop the certificate files
for the controller (in this case called omada) directly into the docker
volume for the container, so the storage server will manage renewals and
the container just sees the cert files as normal.
On xstorage1 I used the following process to create the host, service and
request the certificate:
ipa host-add omada.i.xrs444.net
ipa service-add HTTP://omada.i.xrs444.net
ipa service-add-host --hosts xstorage1.i.xrs444.net
ipa-getcert request -f /nasstore/containers/omada-data/cert.crt -k
/nasstore/containers/omada-data/tls.key -r -K HTTP/
omada.i.xrs444.net(a)I.XRS444.NET -N 'CN=omada.i.xrs444.net,O=I.XRS444.NET'
(The -C is calling a script to concatenate the cert change into one file)
This appears to process without error, but when I run ipa-getcert list I
see the following error:
Request ID '20201019194610':
ca-error: Server at https://xipa1.i.xrs444.net/ipa/xml
denied our request,
giving up: 2100 (RPC failed at server. Insufficient access: Insufficient
'add' privilege to add the entry 'krbprincipalname=HTTP/
In the GUI of xipa1 (IPA Server) I can see the host and service, with
xstorage1 listed in the 'managed by' tab for both.
I tried from another host with the same results.
What have I missed? I'm sure I've done this before a while back, but I
can't recall how I did it. Looking through guides online I can't see a step