Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1269089
Description of problem:
When trying to resubmit (or letting certmonger resubmit before expiration) the certificate of a host/service which is managed by the local host, it fails with an ACI error.

Version-Release number of selected component (if applicable):
ipa-server-4.1.0

How reproducible:
Always

Steps to Reproduce:
1. ipa-server-install -r test.com -n novalocal -p passwd123 -a passwd123 --ip-address=172.30.41.25 --ssh-trust-dns --hostname testsrv.novalocal --setup-dns --no-host-dns --no-forwarders
2. kinit admin
3. ipa host-add testhost --force
4. ipa host-add-managedby testhost.novalocal --host=testsrv.novalocal
5. ipa-getcert request -k /etc/ssl/certs/testhost.novalocal.key -f /etc/ssl/certs/testhost.novalocal.cert -N testhost.novalocal -K host/testhost.novalocal
6. ipa-getcert list
   ...
   Request ID '20151005150737':
   ...
   status MONITORING
   ...
7. ipa-getcert resubmit -i 20151005150737
8. ipa-getcert list -i 20151005150737

Actual results:
Request ID '20151005150737':
	status: MONITORING
	ca-error: Server at https://testsrv.novalocal/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: not allowed to perform this command)

Expected results:
no ca-error

Additional info:
When the userCertificate attribute is removed from the mentioned host (works also when kinited to the identity of host/testsrv.novalocal), the next ipa-getcert resubmit works well.
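An added check, not part of the ticket or of FreeIPA itself, that finds requests stuck in the state reported above by scanning `ipa-getcert list` output for a ca-error carrying the "Insufficient access" denial; the sample output is constructed from the report, and the function names are this example's own.

```shell
# Print the Request IDs whose last CA response was an access-denied error.
# Reads `ipa-getcert list` output on stdin; the ID is the single-quoted
# field on the "Request ID '...':" line, so split fields on the quote.
find_denied_requests() {
    awk -F"'" '
        /^Request ID/ { id = $2 }
        /^[[:space:]]*ca-error:/ && /Insufficient access/ { print id }
    '
}

# Constructed sample in the layout shown in the ticket: one request hit
# by the ACI denial, one healthy request.
sample_output() {
    printf '%s\n' \
        "Number of certificates and requests being tracked: 2." \
        "Request ID '20151005150737':" \
        "	status: MONITORING" \
        "	ca-error: Server at https://testsrv.novalocal/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: not allowed to perform this command)" \
        "	key pair storage: type=FILE,location='/etc/ssl/certs/testhost.novalocal.key'" \
        "Request ID '20151005150800':" \
        "	status: MONITORING" \
        "	stuck: no"
}

# Against the sample this prints only 20151005150737.
sample_output | find_denied_requests
```

On a real host run `ipa-getcert list | find_denied_requests`; an empty result means no tracked request is currently failing with this denial.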
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1269947 (Red Hat Enterprise Linux 7)
I'm able to reproduce with 4.1.5 but not with 4.2.4 and later. Returning to triage to decide whether to move the ticket into 4.1.6 or close as FIXED in 4.2.
Closing according to the comment above.
Metadata Update from @pvoborni:
- Issue assigned to dkupka
- Issue set to the milestone: FreeIPA 4.2.4