Description of problem:
The getcert (ipa-getcert) seems to ignore the -X option. It always requests from the main CA (ipa) instead of the specified sub-CA (vpn).

Version-Release number of selected component (if applicable):
Client: Fedora 26
ipa --version
VERSION: 4.4.4, API_VERSION: 2.215
certmonger.x86_64 0.79.3-1.fc26
freeipa-client.x86_64 4.4.4-4.fc26

Server: CentOS Linux release 7.3.1611 (Core)
ipa --version
VERSION: 4.4.0, API_VERSION: 2.213
certmonger.x86_64 0.78.4-3.el7
ipa-server.x86_64 4.4.0-14.el7.centos.7

How reproducible:
Request a certificate for the host.

ipa-getcert request -r -f /etc/pki/tls/certs/`hostname`.crt -k /etc/pki/tls/private/`hostname`.key -N CN=`hostname` -D `hostname` -K host/`hostname` -T caVPNhostCert -X vpn

Actual results:
status: CA_REJECTED
ca-error: Server at https://<ipa server fqdn>/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Principal 'host/<hostname>@<REALM>' is not permitted to use CA 'ipa' with profile 'caVPNhostCert' for certificate issuance.).
...
CA: IPA
issuer:

Expected results:
status: MONITORING
...
CA: IPA
issuer: CN=VPN CA,O=<REALM>

Additional info:
The same command works on CentOS Linux release 7.3.1611 (Core) clients. It is also possible to issue a certificate for the "rejected principal" in the web UI of the IPA server, where I can select the correct sub-CA.
I've duplicated this in a Fedora 26 system running against an IdM install on RHEL 7.4 (ipa-server-4.5.0-21.el7.x86_64).

On the 7.4 server itself I created a new sub-CA named vpn with the subject CN=VPN. I requested a cert similar to the reporter, just using the standard profile:

ipa-getcert request -r -f /etc/pki/tls/certs/`hostname`.crt -k /etc/pki/tls/private/`hostname`.key -N CN=`hostname` -D `hostname` -K host/`hostname` -T caIPAserviceCert -X vpn

And the subject is correct. I did the same in an enrolled Fedora 26 client and the subject is from the primary CA.

The problem is:

[Fri Aug 04 16:13:28.812095 2017] [:error] [pid 14347] ipa: INFO: exception OptionError caught when converting options: Unknown option: ca

The correct option is cacn.

AFAICT the problem has been in certmonger since the introduction of the feature with commit 20a6536febf0815d0b3d301133820a46fdd6ef21. A patch that fixes this is in RHEL but apparently was never merged upstream.
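A check for the symptom described in the report and the comment above, added here as an example and not code from certmonger or FreeIPA: it parses `getcert list` output and flags tracked requests that did not end up with a certificate from the expected sub-CA, pulling the CA name the server actually applied out of the ca-error text. The embedded sample output is constructed; its host names, realm and request IDs are made up, and the field layout follows what `getcert list` prints.

```python
"""Verify that certmonger-tracked requests were issued by the intended sub-CA.

Added example (not certmonger/FreeIPA code). Parses the text `getcert list`
prints and reports requests whose issuer is not the expected sub-CA, or that
were rejected because the server applied a different CA (the -X bug above).
"""
import re

# Constructed sample of `getcert list` output (not captured from a real host):
# the first request came back from the sub-CA, the second shows the failure
# mode from the report, where the server applied CA 'ipa' and rejected it.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20170804161328':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=FILE,location='/etc/pki/tls/private/host1.example.com.key'
\tcertificate: type=FILE,location='/etc/pki/tls/certs/host1.example.com.crt'
\tCA: IPA
\tissuer: CN=VPN CA,O=EXAMPLE.COM
\tsubject: CN=host1.example.com,O=EXAMPLE.COM
\texpires: 2019-08-04 16:13:30 UTC
\tprincipal name: host/host1.example.com@EXAMPLE.COM
\tprofile: caVPNhostCert
Request ID '20170804161400':
\tstatus: CA_REJECTED
\tca-error: Server at https://ipa.example.com/ipa/xml denied our request, giving up: 2100 (RPC failed at server.  Insufficient access: Principal 'host/host2.example.com@EXAMPLE.COM' is not permitted to use CA 'ipa' with profile 'caVPNhostCert' for certificate issuance.).
\tstuck: yes
\tkey pair storage: type=FILE,location='/etc/pki/tls/private/host2.example.com.key'
\tcertificate: type=FILE,location='/etc/pki/tls/certs/host2.example.com.crt'
\tCA: IPA
\tissuer:
\tsubject:
\tprincipal name: host/host2.example.com@EXAMPLE.COM
\tprofile: caVPNhostCert
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
# The server names the CA it applied inside the IPA "Insufficient access" error.
CA_IN_ERROR_RE = re.compile(r"not permitted to use CA '([^']+)'")


def parse_getcert_list(text):
    """Return {request_id: {field: value}} from `getcert list` output.

    Indented 'key: value' lines belong to the most recent 'Request ID' header;
    only the first colon separates key from value, so URLs in ca-error survive.
    """
    requests = {}
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = requests.setdefault(m.group(1), {})
            continue
        if current is None or not line.startswith(("\t", " ")):
            continue
        key, sep, value = line.strip().partition(":")
        if sep:
            current[key.strip()] = value.strip()
    return requests


def normalize_dn(dn):
    """Loose DN comparison: ignore case and whitespace around RDN separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def check_sub_ca(requests, expected_issuer, profile=None):
    """Return [(request_id, problem)] for requests not issued by expected_issuer.

    If profile is given, only requests using that profile are examined. A
    request that is not in MONITORING state is reported with the CA name the
    server says it applied, which is the fingerprint of -X being ignored.
    """
    problems = []
    for rid, fields in requests.items():
        if profile and fields.get("profile") != profile:
            continue
        status = fields.get("status", "")
        if status != "MONITORING":
            err = fields.get("ca-error", "no ca-error recorded")
            seen = CA_IN_ERROR_RE.search(err)
            detail = f"server applied CA '{seen.group(1)}'" if seen else err
            problems.append((rid, f"status {status or 'unknown'}: {detail}"))
            continue
        issuer = fields.get("issuer", "")
        if normalize_dn(issuer) != normalize_dn(expected_issuer):
            problems.append((rid, f"issued by {issuer!r}, expected {expected_issuer!r}"))
    return problems


if __name__ == "__main__":
    # On a real client: parse subprocess.run(["getcert", "list"], ...).stdout instead.
    tracked = parse_getcert_list(SAMPLE_GETCERT_LIST)
    for rid, problem in check_sub_ca(tracked, "CN=VPN CA,O=EXAMPLE.COM", profile="caVPNhostCert"):
        print(f"Request ID {rid}: {problem}")
```

On an affected client every request made with -X shows up in the second form (rejected, server applied CA 'ipa'); after the fix, only a genuine issuer mismatch is reported.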
Fixed upstream: https://pagure.io/certmonger/c/e3fb587c5911efbef1d1bb8738f109886a8a11a4?branch=master
Submitted to updates-testing, https://bodhi.fedoraproject.org/updates/certmonger-0.79.4-1.fc26