Ian Pilcher via FreeIPA-users wrote:
> I am setting up FreeRADIUS on my "network server" at home, which also
> runs FreeIPA.  Naturally, I would like to use certmonger to issue,
> track, and renew the certificate(s) used by FreeRADIUS.
> 
> Unfortunately, ipa-getcert only works when run as root, and it writes
> the certificate and key files as root/0600, leaving them unreadable by
> radiusd.  I can obviously change the permissions of the files, but
> certmonger will presumably reset them when it renews the certificate.
> 
> I feel like I must be missing something obvious.  certmonger must be
> usable with services that run as a non-root user, right?
> 

You want a post-save command script (-C). It gets executed when a
certificate is written to disk. In the script you can change
permissions/ownership as appropriate and probably want to kick the
service to pick up the new cert.

You can add it via: ipa-getcert resubmit -C /path/to/command

rob
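
A post-save script of the kind described in the reply above, as an added example (not part of the original thread, and not certmonger or FreeIPA code). The file paths, the `radiusd` group and unit names, and the `apply` argument are assumptions to adapt locally; the key stays owned by root and is only group-readable, so the service can read it but not replace it.

```shell
#!/bin/bash
# Added example: certmonger post-save hook for a service that runs non-root.
# Assumptions (not from the thread): the paths, group name, unit name and
# the "apply" argument are placeholders; adjust them to the local install.
set -u

CERT_FILE="${CERT_FILE:-/etc/raddb/certs/server.crt}"   # assumed path
KEY_FILE="${KEY_FILE:-/etc/raddb/certs/server.key}"     # assumed path
CERT_OWNER="${CERT_OWNER:-root}"       # root keeps sole write access
CERT_GROUP="${CERT_GROUP:-radiusd}"    # assumed service group
RELOAD_CMD="${RELOAD_CMD:-systemctl try-restart radiusd.service}"

# Set owner, group and mode on one file. Refuses symlinks and non-regular
# files so a hook running as root cannot be redirected to another target.
secure_file() {
    path=$1
    mode=$2
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "postsave: $path is not a regular file, skipping" >&2
        return 1
    fi
    chown "$CERT_OWNER:$CERT_GROUP" "$path" && chmod "$mode" "$path"
}

# Fix both files, then restart the service only if both steps succeeded.
postsave() {
    secure_file "$CERT_FILE" 0644 || return 1
    secure_file "$KEY_FILE" 0640 || return 1   # group may read, not write
    $RELOAD_CMD
}

# The -C value given to ipa-getcert would be "/path/to/command apply".
if [ "${1:-}" = "apply" ]; then
    postsave
fi
```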