Исаев Виталий Анатольевич <is...@fintech.ru> has given me advice that the
problem may be in SELinux.
So I have stopped tracking the previous request by
$ sudo ipa-getcert stop-tracking -i 20131106075356

and have generated a new request
# ipa-getcert request -f /var/lib/certmonger/requests/server.crt
-k /var/lib/certmonger/requests/server.key -K
postgresql/postgresql.example.com -N CN=postgresql.example.com -D
postgresql.example.com

that made the desired files appear at /var/lib/certmonger/requests/
that is okay! :)
but! I want them in /var/lib/pgsql/9.3/data/
so what is the problem? why not just copy them to that directory?
the problem is that when I list cert requests, I see this:
Request ID '20131106113520':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/lib/certmonger/requests/server.key'
        certificate: type=FILE,location='/var/lib/certmonger/requests/server.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=postgresql.example.com,O=EXAMPLE.COM
        expires: 2015-11-07 11:35:20 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: 
        post-save command: 
        track: yes
        auto-renew: yes

we can see that the file location in that list is defined at request time.

Shall I make SELinux let certmonger access /var/lib/pgsql? or is
there any other solution?

And I think that there must be a note in the documentation about such
situations with SELinux.

On Wed, 06/11/2013 at 14:16 +0600, Arthur Faizullin wrote:
> Hi, everyone!
> I feel very uncomfortable asking this question, since usually I
> find the documentation easy to understand & read. (Thanks for that!)
> But there is one point that I could not understand.
> That point is generating certificates using the IPA CA.
> I have read about this:
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/request-service-service.html
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/certmongerX.html
> https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/getting-started.txt
> but I did not get the point! :(
> So, I have built a test environment as shown in the attached document; if you
> need details, you may look at it.
> For short, I have 2 servers:
> 1. IPA-server:        ipaserver.example.com
> 2. PostgreSQL-server: postgresql.example.com
> PostgreSQL was chosen as an example (neither bad nor good)
> and I try to generate a key & certificate:
> 
> $ sudo ipa-getcert request -f /home/tuser/server.crt
> -k /home/tuser/server.key -K postgresql/postgresql.example.com -N
> CN=postgresql.example.com -D postgresql.example.com
> 
> I get this answer:
> 
> New signing request "20131106075356" added.
> 
> But what to do with this answer? I can get a list of requests, but that
> does not make it any clearer:
> 
> $ ipa-getcert list
> Error connecting to DBus.
> Please verify that the message bus (D-Bus) service is running.
> [tuser@postgresql ~]$ sudo ipa-getcert list
> Number of certificates and requests being tracked: 2.
> Request ID '20131101115647':
>       status: MONITORING
>       stuck: no
>       key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - postgresql.example.com',token='NSS Certificate DB'
>       certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - postgresql.example.com',token='NSS Certificate DB'
>       CA: IPA
>       issuer: CN=Certificate Authority,O=EXAMPLE.COM
>       subject: CN=postgresql.example.com,O=EXAMPLE.COM
>       expires: 2015-11-02 11:56:48 UTC
>       eku: id-kp-serverAuth,id-kp-clientAuth
>       pre-save command: 
>       post-save command: 
>       track: yes
>       auto-renew: yes
> Request ID '20131106075356':
>       status: NEED_KEY_PAIR
>       stuck: no
>       key pair storage: type=FILE,location='/home/tuser/server.key'
>       certificate: type=FILE,location='/home/tuser/server.crt'
>       CA: IPA
>       issuer: 
>       subject: 
>       expires: unknown
>       pre-save command: 
>       post-save command: 
>       track: yes
>       auto-renew: yes
> 
> ______________________________
> Best regards, Arthur Fayzullin
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
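An added example, not part of this thread or of certmonger: instead of widening SELinux so certmonger may write under /var/lib/pgsql, leave the request pointed at /var/lib/certmonger/requests (where the listing above shows it already works) and let the request's post-save command (the empty `post-save command:` field in the listing, set with `-C` at request time) copy the pair into the data directory with the ownership and mode PostgreSQL requires. The data path, the `postgres` owner, the hook name /usr/local/sbin/pg-cert-postsave and the `service postgresql-9.3 reload` command are assumptions, as is that the hook runs with enough privilege (and SELinux permission) to write that directory.

```bash
#!/bin/bash
# Added example (hypothetical hook, not the thread's or certmonger's code).
# Paths, owner and reload command below are assumptions for the thread's setup.
set -u

# Copy key + certificate into the destination directory.
#   $1 key source  $2 cert source  $3 destination dir
#   $4 owner (default postgres)  $5 group (default: same as owner)
# PostgreSQL refuses a server key that is group/world readable or owned by
# another user, so the key is installed 0600 and owned by the server user.
pg_install_cert() {
  local key_src="$1" crt_src="$2" dest="$3"
  local owner="${4:-postgres}" group="${5:-${4:-postgres}}"
  [ -r "$key_src" ] && [ -r "$crt_src" ] || return 2   # sources unreadable
  [ -d "$dest" ] || return 3                            # no data directory
  install -o "$owner" -g "$group" -m 0600 "$key_src" "$dest/server.key" || return 4
  install -o "$owner" -g "$group" -m 0644 "$crt_src" "$dest/server.crt" || return 4
  # Give the new files the data directory's SELinux label (no-op without SELinux).
  if command -v restorecon >/dev/null 2>&1; then
    restorecon "$dest/server.key" "$dest/server.crt" 2>/dev/null || true
  fi
  return 0
}

# Octal mode of a file, used to verify the install.
file_mode() { stat -c '%a' "$1"; }

# True when a private key is readable by its owner only.
key_mode_ok() { [ "$(file_mode "$1")" = "600" ]; }

# Recent SELinux denials attributed to certmonger: confirm an AVC denial
# before touching policy at all. Needs auditd running.
certmonger_denials() { ausearch -m AVC -c certmonger -ts recent; }

# Entry point used as the post-save hook. Register it when requesting:
#   ipa-getcert request -f /var/lib/certmonger/requests/server.crt \
#     -k /var/lib/certmonger/requests/server.key \
#     -K postgresql/postgresql.example.com -N CN=postgresql.example.com \
#     -D postgresql.example.com -C /usr/local/sbin/pg-cert-postsave
# certmonger re-runs it after every renewal, so the copy never goes stale.
post_save() {
  pg_install_cert /var/lib/certmonger/requests/server.key \
                  /var/lib/certmonger/requests/server.crt \
                  /var/lib/pgsql/9.3/data postgres \
  && service postgresql-9.3 reload
}
```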