I have found what that means. It is again something with access rights.
Rob Crittenden <[email protected]> says that it is better to generate certificates at:
/etc/pki/tls/private/postgresql.key
/etc/pki/tls/certs/postgresql.crt
and if the owner of these files is postgres, then postgresql starts fine, but I do not know whether certmonger will keep tracking these files if the owner is changed.

On Thu, 07/11/2013 at 10:49 +0600, Arthur Faizullin wrote:
> On Wed, 06/11/2013 at 14:52 +0200, Alexander Bokovoy wrote:
> > On Wed, 06 Nov 2013, Arthur Faizullin wrote:
> > >Исаев Виталий Анатольевич <[email protected]> has given me advice that the
> > >problem may be in SELinux.
> > >So I stopped tracking the previous request with
> > >$ sudo ipa-getcert stop-tracking -i 20131106075356
> > >
> > >and generated a new request
> > ># ipa-getcert request -f /var/lib/certmonger/requests/server.crt
> > >-k /var/lib/certmonger/requests/server.key -K
> > >postgresql/postgresql.example.com -N CN=postgresql.example.com -D
> > >postgresql.example.com
> > >
> > >that made the desired files appear at /var/lib/certmonger/requests/
> > >that is okay! :)
> > >but! I want them in /var/lib/pgsql/9.3/data/
> > >so what is the problem? why not just copy them to that directory?
> > >the problem is that when I list cert requests, I see this:
> > >Request ID '20131106113520':
> > >        status: MONITORING
> > >        stuck: no
> > >        key pair storage:
> > >type=FILE,location='/var/lib/certmonger/requests/server.key'
> > >        certificate:
> > >type=FILE,location='/var/lib/certmonger/requests/server.crt'
> > >        CA: IPA
> > >        issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > >        subject: CN=postgresql.example.com,O=EXAMPLE.COM
> > >        expires: 2015-11-07 11:35:20 UTC
> > >        eku: id-kp-serverAuth,id-kp-clientAuth
> > >        pre-save command:
> > >        post-save command:
> > >        track: yes
> > >        auto-renew: yes
> > >
> > >We can see that the file location in that list is defined at request time.
> > >
> > >Shall I make SELinux let certmonger access /var/lib/pgsql? Or is
> > >there any other solution?
> > certmonger does run under certmonger_t SELinux type and system_r role.
> > It can already write to file contexts named certmonger_*_t and cert_t. For
> > storing certificates you would need to use cert_t file context.
> >
> > mkdir -p /var/lib/pgsql/9.3/data/certs
> > semanage fcontext -a -t cert_t '/var/lib/pgsql/9.3/data/certs(/.*)?'
> > restorecon -R -v /var/lib/pgsql/9.3/data/certs
> >
> > I would advise you against placing the files directly in
> > /var/lib/pgsql/9.3/data as opposed to the subdirectory. It is safer to
> > specify path to the certificate in pgsql configuration.
>
> I have tried it, but I still get this answer:
> # ipa-getcert request -f /var/lib/pgsql/9.3/data/certs/server.crt
> -k /var/lib/pgsql/9.3/data/certs/server.key -K
> postgresql/postgresql.example.com -N CN=postgresql.example.com -D
> postgresql.example.com
> The parent of location "/var/lib/pgsql/9.3/data/certs/server.crt" must
> be a valid directory.
>
> What does "valid directory" mean?
>
> > >And I think that there must be a note in the documentation about such
> > >situations with SELinux.
> > Yes. You can also install selinux-policy-devel package and read
> > certmonger_selinux (8) manpage.
> >
> > Can you open a ticket against FreeIPA documentation?
>
> Is the bug opened by Dmitri Pal enough?
> https://bugzilla.redhat.com/show_bug.cgi?id=1027265
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users
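
A preflight check for the ownership point raised at the top of this thread, added here as an example; it is not part of any poster's message and not code from certmonger or PostgreSQL. The helper name `check_tls_key` and its return codes are hypothetical, and it assumes a `stat` that supports `-c`. It verifies that the key's parent is a directory, that the key belongs to the expected user, and that no group/other permission bits are set, which is what PostgreSQL requires of a key owned by its server user.

```shell
#!/bin/sh
# Added example (hypothetical helper, not from certmonger or PostgreSQL).
# Assumes a stat that supports -c (GNU coreutils or busybox).
# Usage: check_tls_key KEYFILE OWNER   (OWNER is a user name or numeric uid)
#   e.g. check_tls_key /etc/pki/tls/private/postgresql.key postgres
# Returns 0 if OK, 1 owner/mode problem, 2 parent not a directory,
# 3 key file missing, 4 unknown user.
check_tls_key() {
    key=$1 owner=$2 bad=0
    dir=$(dirname -- "$key")
    [ -d "$dir" ] || { echo "parent is not a directory: $dir"; return 2; }
    [ -f "$key" ] || { echo "key file missing: $key"; return 3; }

    # Resolve the expected owner to a uid so names and numbers both work.
    case $owner in
        ''|*[!0-9]*)
            want=$(id -u "$owner" 2>/dev/null) ||
                { echo "unknown user: $owner"; return 4; } ;;
        *)  want=$owner ;;
    esac

    have=$(stat -c %u -- "$key")
    mode=$(stat -c %a -- "$key")
    if [ "$have" != "$want" ]; then
        echo "$key: owner uid $have, expected $want"; bad=1
    fi
    # Any group/other bit (mask 077) exposes the key beyond its owner.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "$key: mode $mode grants group/other access"; bad=1
    fi
    return $bad
}

# Constructed demo on a throwaway file: too open first, then tightened.
demo=$(mktemp -d)
: > "$demo/server.key"
chmod 644 "$demo/server.key"
check_tls_key "$demo/server.key" "$(id -u)" || echo "-> rejected"
chmod 600 "$demo/server.key"
check_tls_key "$demo/server.key" "$(id -u)" && echo "-> accepted"
rm -rf "$demo"
```

Running it again after each certificate renewal shows whether the saved key still has the owner and mode the database expects.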
