Description of problem: On an IPA Master running on RHEL7.1, I upgrade to 7.2 and now I cannot by default request certs for service principals: [root@rhel7-9 ~]# ipa cert-request --add --principal=EXAMPLE/$(hostname) /tmp/cert-req.csr ipa: ERROR: Insufficient access: Principal 'EXAMPLE/rhel7-9.example.com' is not permitted to use CA '.' with profile 'caIPAserviceCert' for certificate issuance. For the new default CAACL created during upgrade I see this: [root@rhel7-9 ~]# ipa caacl-find ---------------- 1 CA ACL matched ---------------- ACL name: hosts_services_caIPAserviceCert Enabled: TRUE User category: all Host category: all Profiles: caIPAserviceCert ---------------------------- Number of entries returned 1 ---------------------------- Version-Release number of selected component (if applicable): ipa-server-4.2.0-3.el7.x86_64 How reproducible: always Steps to Reproduce: 1. Install IPA Master on RHEL7.1 2. Upgrade to IPA version 4.2 (update to RHEL7.2) 3. Attempt to request a service cert: cat > /tmp/cert-req.conf <<EOF [ req ] default_bits = 2048 default_keyfile = /tmp/cert-req.key distinguished_name = test_key_file prompt = no output_password = .. [ test_key_file ] C = US ST = CA L = SFO O = RedHat Technology OU = RedHat IT CN = rhel7-9.example.com EOF openssl req -new -config /tmp/cert-req.conf -out /tmp/cert-req.csr ipa cert-request --add --principal=EXAMPLE/$(hostname) /tmp/cert-req.csr Actual results: ipa: ERROR: Insufficient access: Principal 'EXAMPLE/rhel7-9.example.com' is not permitted to use CA '.' with profile 'caIPAserviceCert' for certificate issuance. Expected results: I expected this to work as it did in RHEL7.1 but, now I'm not sure. I need confirmation here. Additional info:
It's a bug; quite likely due to enforcing the caacl before the new service is added.
Upstream ticket: https://fedorahosted.org/freeipa/ticket/5185
Fixed upstream master: https://fedorahosted.org/freeipa/changeset/9bbc798741c2872eaa6cc29d92c8b90104d65ee8 ipa-4-2: https://fedorahosted.org/freeipa/changeset/8685c0d7b2463d0eef05ff351137afcc291621ec
Verified. Version :: ipa-server-4.2.0-5.el7.x86_64 Results :: After yum update: [root@rhel7-8 yum.repos.d]# ipa caacl-find ---------------- 1 CA ACL matched ---------------- ACL name: hosts_services_caIPAserviceCert Enabled: TRUE Host category: all Service category: all Profiles: caIPAserviceCert ---------------------------- Number of entries returned 1 ----------------------------
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2015-2362.html