Dmitri Pal wrote:
On 11/06/2013 07:01 AM, Arthur Faizullin wrote:
Исаев Виталий Анатольевич <[email protected]> has given me advice that the
problem may be in SELinux.
So I have stopped tracking the previous request by
$ sudo ipa-getcert stop-tracking -i 20131106075356
and have generated a new request
# ipa-getcert request -f /var/lib/certmonger/requests/server.crt \
    -k /var/lib/certmonger/requests/server.key \
    -K postgresql/postgresql.example.com -N CN=postgresql.example.com \
    -D postgresql.example.com
That made the desired files appear at /var/lib/certmonger/requests/
That is okay! :)
But! I want them in /var/lib/pgsql/9.3/data/
So what is the problem? Why not just copy them to that directory?
The problem is that when I list cert requests, I see this:
Request ID '20131106113520':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/certmonger/requests/server.key'
    certificate: type=FILE,location='/var/lib/certmonger/requests/server.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=postgresql.example.com,O=EXAMPLE.COM
    expires: 2015-11-07 11:35:20 UTC
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
We can see that the file location in that list is defined at request time.
Shall I make SELinux let certmonger access /var/lib/pgsql? Or is
there any other solution?

I think yes. And I recall this is not the first time this comes up.
My memory might be failing me but I vaguely remember that we discussed this.
However, I could not find any bug or ticket on the matter, so I created this:
https://bugzilla.redhat.com/show_bug.cgi?id=1027265

Typically in Fedora and RHEL certs are expected to go into
/etc/pki/tls/certs and keys into /etc/pki/tls/private. These directories
have the correct SELinux contexts.
rob
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
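
A check for the situation discussed in this thread, as an added example that is not part of any message above: it parses `ipa-getcert list` output and reports tracked key and certificate files that are not stored directly in /etc/pki/tls/private and /etc/pki/tls/certs. The sample listing is constructed (the second request is made up), and the function names are this example's own.

```python
import re
from pathlib import PurePosixPath

# Directories the thread names as carrying the correct SELinux contexts.
EXPECTED = {"certificate": PurePosixPath("/etc/pki/tls/certs"),
            "key pair storage": PurePosixPath("/etc/pki/tls/private")}

# Constructed sample: the first request uses the thread's paths, with storage
# lines wrapped as mail clients often do; the second request is made up.
SAMPLE = """\
Request ID '20131106113520':
key pair storage:
type=FILE,location='/var/lib/certmonger/requests/server.key'
certificate:
type=FILE,location='/var/lib/certmonger/requests/server.crt'
Request ID 'constructed-0002':
    key pair storage: type=FILE,location='/etc/pki/tls/private/pg.key'
    certificate: type=FILE,location='/etc/pki/tls/certs/pg.crt'
"""

REQ_RE = re.compile(r"^Request ID '([^']+)':")
FIELD_RE = re.compile(r"^\s*(key pair storage|certificate):")
LOC_RE = re.compile(r"type=FILE,location='([^']+)'")

def parse_requests(text):
    """Map request ID -> {field: path} for FILE-backed key/cert storage."""
    requests, current, field = {}, None, None
    for line in text.splitlines():
        if m := REQ_RE.match(line):
            current, field = requests.setdefault(m.group(1), {}), None
        elif current is not None:
            if m := FIELD_RE.match(line):
                field = m.group(1)  # location may follow on this or the next line
            if field and (m := LOC_RE.search(line)):
                current[field] = PurePosixPath(m.group(1))
                field = None
    return requests

def misplaced(text):
    """Return (request_id, field, path) for files not directly in EXPECTED."""
    return [(rid, field, str(path))
            for rid, fields in parse_requests(text).items()
            for field, path in fields.items()
            if path.parent != EXPECTED[field]]

if __name__ == "__main__":
    for rid, field, path in misplaced(SAMPLE):
        print(f"{rid}: {field} {path} not in {EXPECTED[field]}")
```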