The following was reported on the centos-infra tracker but the issue appears to be with fasjson so I have moved it here.
I have been notified of the following behavior:
$ centos-cert -u clrkwllms
[+] 20211118-14:46 centos-cert -> Validating user [clrkwllms] with realm [FEDORAPROJECT.ORG] against https://fasjson.fedoraproject.org
[+] 20211118-14:46 centos-cert -> We can reach [https://fasjson.fedoraproject.org] with realm [clrkwllms@FEDORAPROJECT.ORG], so now asking for TLS cert ...
Generating CSR...
Uploading CSR for signature...
Error: could not sign the CSR (400: Insufficient access: not allowed to perform operation: request certificate, {'message': 'Insufficient access: not allowed to perform operation: request certificate', 'code': 2100, 'source': 'RPC'}).
[+] 20211118-14:46 centos-cert -> [ISSUE] : Unable to retrieve TLS cert
Could you look into it?
/cc @clrwllms @jcwillia
Just a wild guess: there was a recent upgrade on the IPA server to 8.5 (so probably newer ipa-server pkgs). Wondering if there is a change in the rights needed so that fasjson can request certs on behalf of users (using the transmitted Kerberos ticket). Worth investigating in the fasjson/ipa logs?
I see in logs:
[Thu Nov 18 20:34:20.273596 2021] [wsgi:error] [pid 395872:tid 139685717235456] [remote 10.3.163.69:39580] ipa: INFO: [jsonserver_session] jcwillia@FEDORAPROJECT.ORG: cert_request('-----BEGIN CERTIFICATE REQUEST-----\\nredactedbykevin----END CERTIFICATE REQUEST-----\\n', request_type='pkcs10', profile_id='userCerts', cacn='ipa', principal='clrkwllms@FEDORAPROJECT.ORG', add=False, chain=False, all=True, raw=False, version='2.235'): ACIError
Note the request coming from jcwillia asking for a cert for clrkwllms? It seems they have two accounts, but they need to make sure to have a Kerberos ticket for the one they are trying to get a cert for.
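The mismatch Kevin spotted (authenticated principal jcwillia@FEDORAPROJECT.ORG requesting a cert for principal clrkwllms@FEDORAPROJECT.ORG) can be picked out of the IPA wsgi log automatically. The following is an added example, not code from fasjson or the Fedora infrastructure; it assumes log lines shaped like the one quoted above and uses constructed sample lines with the CSR body redacted.

```python
import re

# Constructed sample log in the shape of the ipa wsgi log quoted in the ticket
# (CSR bodies replaced by a placeholder). The first line is the failing request
# from the ticket; the second is a constructed request where ticket and target match.
SAMPLE_LOG = """\
[Thu Nov 18 20:34:20.273596 2021] [wsgi:error] [pid 395872:tid 139685717235456] [remote 10.3.163.69:39580] ipa: INFO: [jsonserver_session] jcwillia@FEDORAPROJECT.ORG: cert_request('REDACTED-CSR', request_type='pkcs10', profile_id='userCerts', cacn='ipa', principal='clrkwllms@FEDORAPROJECT.ORG', add=False, chain=False, all=True, raw=False, version='2.235'): ACIError
[Thu Nov 18 20:40:01.000000 2021] [wsgi:error] [pid 395872:tid 139685717235456] [remote 10.3.163.69:39582] ipa: INFO: [jsonserver_session] clrkwllms@FEDORAPROJECT.ORG: cert_request('REDACTED-CSR', request_type='pkcs10', profile_id='userCerts', cacn='ipa', principal='clrkwllms@FEDORAPROJECT.ORG', add=False, chain=False, all=True, raw=False, version='2.235'): SUCCESS
"""

# Assumed line layout: "[remote ip:port] ipa: INFO: [jsonserver_session] <caller>: cert_request(
# ... principal='<target>' ...): <result>". <caller> is the authenticated Kerberos
# principal; <target> is the principal the certificate is being requested for.
CERT_REQUEST_RE = re.compile(
    r"\[remote (?P<remote>[^\]]+)\] ipa: INFO: \[jsonserver_session\] "
    r"(?P<caller>\S+): cert_request\(.*?principal='(?P<principal>[^']+)'"
    r".*?\): (?P<result>\S+)\s*$"
)


def parse_cert_requests(log_text):
    """Return one dict per cert_request line: remote, caller, principal, result."""
    entries = []
    for line in log_text.splitlines():
        m = CERT_REQUEST_RE.search(line)
        if m:
            entries.append(m.groupdict())
    return entries


def principal_mismatches(log_text):
    """cert_request entries where the Kerberos principal that authenticated differs
    from the principal the cert is requested for. This is exactly the situation in
    the ticket, and it is what IPA rejects with ACIError unless a rule allows it."""
    return [e for e in parse_cert_requests(log_text) if e["caller"] != e["principal"]]


if __name__ == "__main__":
    for e in principal_mismatches(SAMPLE_LOG):
        print(f"{e['remote']}: {e['caller']} requested a cert for {e['principal']} -> {e['result']}")
```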
Metadata Update from @humaton:
- Issue priority set to: Waiting on Reporter (was: Needs Review)
- Issue tagged with: low-gain, low-trouble, ops
They definitely have two accounts and that would make sense. I'll let them know, thanks!
Great. Let us know if there's anything further to do here.
Metadata Update from @kevin:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)
Oh sorry, I completely forgot to come back to this ticket. The mismatch in names between the Kerberos ticket and the centos-cert command was indeed the issue.
Thanks for spotting it!