Hi guys.
I am thinking perhaps these things IPA does not allow, certs for hosts in "outside" domain which IPA serves? I do simple
-> $ ipa-getcert request -f /etc/pki/tls/certs/datastor.outside.crt -k /etc/pki/tls/private/datastor.outside.key --dns=DNSNAME=datastor.outside -K host/datastor.outside@PRIVATE.LOT
... Request ID '20211115180241': status: CA_REJECTED ca-error: Server at https://c8kubermaster1.private.lot/ipa/json denied our request, giving up: 2100 (Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'fqdn=datastor.outside,cn=computers,cn=accounts,dc=private,dc=lot'.).
stuck: yes
Or am I doing something silly there? This is for a host/service.
many thanks, L.
lejeczek via FreeIPA-users wrote:
> Hi guys.
> I am thinking perhaps these things IPA does not allow, certs for hosts in "outside" domain which IPA serves? I do simple
> -> $ ipa-getcert request -f /etc/pki/tls/certs/datastor.outside.crt -k /etc/pki/tls/private/datastor.outside.key --dns=DNSNAME=datastor.outside -K host/datastor.outside@PRIVATE.LOT
> ... Request ID '20211115180241': status: CA_REJECTED ca-error: Server at https://c8kubermaster1.private.lot/ipa/json denied our request, giving up: 2100 (Insufficient access: Insufficient 'write' privilege to the 'userCertificate' attribute of entry 'fqdn=datastor.outside,cn=computers,cn=accounts,dc=private,dc=lot'.). stuck: yes
> Or am I doing something silly there? This is for a host/service.
It's a security thing. IPA is a CA so needs to control who can request certificates for what. In this case some random host can't request a certificate for some other random host. Otherwise folks might get certs for www.google.com or worse.
So a host (or service) has to be known to IPA (have a host entry) and the requesting host (when using certmonger) needs to be allowed to manage it.
So in this case: ipa host-add-managedby --hosts c8kubermaster1.private.lot datastor.outside
rob
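As an added example that is not part of this thread: a small POSIX shell helper that applies Rob's fix carefully, first confirming the target host entry exists and checking whether the requesting host is already listed in its managedBy before granting it. It assumes `ipa host-show --raw` prints `managedby:` lines carrying the managing hosts' DNs (fqdn=...,cn=computers,...); the function and variable names are mine.

```shell
#!/bin/sh
# Added example, not from the FreeIPA-users thread.
# Assumption: "ipa host-show --raw TARGET" prints one line per managing host,
# e.g. "  managedby: fqdn=c8kubermaster1.private.lot,cn=computers,cn=accounts,dc=private,dc=lot"

# managed_by OUTPUT REQUESTER
# Returns 0 if REQUESTER's DN appears on a managedby: line of OUTPUT, else 1.
managed_by() {
    printf '%s\n' "$1" | grep -i '^ *managedby:' | grep -qiF "fqdn=$2,"
}

# ensure_managed TARGET REQUESTER
# Fails if TARGET has no host entry (the CA only issues for known hosts);
# otherwise grants REQUESTER management rights only when it is missing, so
# re-running the helper is safe and the change is visible in the IPA audit trail.
ensure_managed() {
    target=$1
    requester=$2
    out=$(ipa host-show --raw "$target") || {
        echo "no IPA host entry for $target; add it with 'ipa host-add' first" >&2
        return 1
    }
    if managed_by "$out" "$requester"; then
        echo "$requester already manages $target; nothing to do"
    else
        ipa host-add-managedby --hosts="$requester" "$target"
    fi
}

# Typical use after obtaining a Kerberos ticket with host-management rights:
#   ensure_managed datastor.outside c8kubermaster1.private.lot
#   ipa-getcert resubmit -i 20211115180241
```

After the managedBy change, the pending certmonger request can be resubmitted by its Request ID rather than created again.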
freeipa-users@lists.fedorahosted.org