On 11/06/2013 07:01 AM, Arthur Faizullin wrote:
> Исаев Виталий Анатольевич <is...@fintech.ru> gave me the advice that the
> problem may be in SELinux.
> So I stopped tracking the previous request with
> $ sudo ipa-getcert stop-tracking -i 20131106075356
>
> and generated a new request
> # ipa-getcert request -f /var/lib/certmonger/requests/server.crt
> -k /var/lib/certmonger/requests/server.key -K
> postgresql/postgresql.example.com -N CN=postgresql.example.com -D
> postgresql.example.com
>
> which made the desired files appear in /var/lib/certmonger/requests/
> That is okay! :)
> But! I want them in /var/lib/pgsql/9.3/data/
> So what is the problem? Why not just copy them to that directory?
> The problem is that when I list cert requests, I see this:
> Request ID '20131106113520':
> status: MONITORING
> stuck: no
> key pair storage:
> type=FILE,location='/var/lib/certmonger/requests/server.key'
> certificate:
> type=FILE,location='/var/lib/certmonger/requests/server.crt'
> CA: IPA
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> subject: CN=postgresql.example.com,O=EXAMPLE.COM
> expires: 2015-11-07 11:35:20 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
>
> We can see that the file location in that list is defined at request time.
>
> Shall I make SELinux let certmonger access /var/lib/pgsql? Or is
> there any other solution?

I think yes. And I recall this is not the first time this comes up. My memory might be failing me but I vaguely remember that we discussed this. However I could not find any bug or ticket on the matter so I created this https://bugzilla.redhat.com/show_bug.cgi?id=1027265

>
> And I think that there must be a note in the documentation about such
> situations with SELinux.
>
> On Wed, 06/11/2013 at 14:16 +0600, Arthur Faizullin wrote:
>> Hi, everyone!
>> I feel very uncomfortable asking this question, since usually I
>> find the documentation easy to understand and read. (Thanks for that!)
>> But there is a point that I could not understand.
>> That point is generating certificates using the IPA CA.
>> I have read about this:
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/request-service-service.html
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/certmongerX.html
>> https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/getting-started.txt
>> but I did not get the point! :(
>> So I have built a test environment as shown in the attached document; if you
>> need details, you may look at it.
>> In short, I have 2 servers:
>> 1. IPA-server: ipaserver.example.com
>> 2. PostgreSQL-server: postgresql.example.com
>> PostgreSQL was chosen as an example (neither bad nor good)
>> and I try to generate a key and certificate:
>>
>> $ sudo ipa-getcert request -f /home/tuser/server.crt
>> -k /home/tuser/server.key -K postgresql/postgresql.example.com -N
>> CN=postgresql.example.com -D postgresql.example.com
>>
>> I get this answer:
>>
>> New signing request "20131106075356" added.
>>
>> But what do I do with this answer? I can get a list of requests, but that
>> does not make it any clearer:
>>
>> $ ipa-getcert list
>> Error connecting to DBus.
>> Please verify that the message bus (D-Bus) service is running.
>> [tuser@postgresql ~]$ sudo ipa-getcert list
>> Number of certificates and requests being tracked: 2.
>> Request ID '20131101115647':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA
>> Machine Certificate - postgresql.example.com',token='NSS Certificate DB'
>> certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine
>> Certificate - postgresql.example.com',token='NSS Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>> subject: CN=postgresql.example.com,O=EXAMPLE.COM
>> expires: 2015-11-02 11:56:48 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>> Request ID '20131106075356':
>> status: NEED_KEY_PAIR
>> stuck: no
>> key pair storage: type=FILE,location='/home/tuser/server.key'
>> certificate: type=FILE,location='/home/tuser/server.crt'
>> CA: IPA
>> issuer:
>> subject:
>> expires: unknown
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>>
>> ______________________________
>> Best regards, Arthur Fayzullin
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipaemail@example.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users

--
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.

-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
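The two `ipa-getcert list` outputs above show the symptom a practitioner wants to catch automatically: a tracked request that never leaves NEED_KEY_PAIR because certmonger cannot write its FILE-backed key and certificate to the requested location. The following POSIX shell script is an added example, not code from the thread, from certmonger or from FreeIPA. It parses `ipa-getcert list` output into one line per request and flags any request that is not in MONITORING state, or whose FILE-backed key or certificate lies outside the directories certmonger is assumed to be allowed to write under the stock SELinux policy. The set of allowed directories (`/var/lib/certmonger`, `/etc/pki`) is an assumption for illustration, and the embedded listing is constructed to mirror the one in the thread.

```shell
#!/bin/sh
# Added example (not from the thread, certmonger or FreeIPA): summarise and
# flag certmonger requests from `ipa-getcert list` output.
#
# Live use:  sudo ipa-getcert list | getcert_summary | flag_requests
# Limitation: paths containing spaces are not handled by the summary format.

# Constructed sample, mirroring the listing in the thread (not real output).
SAMPLE_LIST="Number of certificates and requests being tracked: 2.
Request ID '20131101115647':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - postgresql.example.com',token='NSS Certificate DB'
	certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - postgresql.example.com',token='NSS Certificate DB'
	CA: IPA
	track: yes
Request ID '20131106075356':
	status: NEED_KEY_PAIR
	stuck: no
	key pair storage: type=FILE,location='/home/tuser/server.key'
	certificate: type=FILE,location='/home/tuser/server.crt'
	CA: IPA
	track: yes"

# Assumed directories certmonger's SELinux domain may write FILE-backed keys
# and certificates into under the stock policy (assumption, not from the thread).
ALLOWED_DIRS="/var/lib/certmonger /etc/pki"

# Read `ipa-getcert list` output on stdin; print one line per request:
#   ID STATUS KEYTYPE KEYLOCATION CERTTYPE CERTLOCATION
getcert_summary() {
    awk -v q="'" '
        function emit() {
            if (id != "")
                printf "%s %s %s %s %s %s\n", id, status, ktype, kloc, ctype, cloc
        }
        # Pull type=XXX and location=... out of a storage line.
        function storage(line, which,    t, l) {
            t = "-"; l = "-"
            if (match(line, /type=[A-Z]+/))
                t = substr(line, RSTART + 5, RLENGTH - 5)
            if (match(line, "location=" q "[^" q "]*" q))
                l = substr(line, RSTART + 10, RLENGTH - 11)
            if (which == "key") { ktype = t; kloc = l } else { ctype = t; cloc = l }
        }
        /^Request ID/ {
            emit()
            id = $3; gsub("[" q ":]", "", id)
            status = "-"; ktype = "-"; kloc = "-"; ctype = "-"; cloc = "-"
        }
        /^[ \t]*status:/           { status = $2 }
        /^[ \t]*key pair storage:/ { storage($0, "key") }
        /^[ \t]*certificate:/      { storage($0, "cert") }
        END { emit() }
    '
}

# Read summary lines on stdin; print a reason line for every problem found.
# Always exits 0 so it can sit in a pipeline under `set -e`.
flag_requests() {
    awk -v allowed="$ALLOWED_DIRS" '
        BEGIN { n = split(allowed, dirs, " ") }
        # 1 if path is FILE-backed storage outside every allowed directory.
        function outside(path,    i) {
            if (path == "-") return 0
            for (i = 1; i <= n; i++)
                if (index(path, dirs[i] "/") == 1) return 0
            return 1
        }
        {
            if ($2 != "MONITORING")
                printf "%s: status %s (expected MONITORING)\n", $1, $2
            if ($3 == "FILE" && outside($4))
                printf "%s: key %s is outside %s; certmonger may be denied by SELinux\n", $1, $4, allowed
            if ($5 == "FILE" && outside($6))
                printf "%s: certificate %s is outside %s; certmonger may be denied by SELinux\n", $1, $6, allowed
        }
    '
}

# Stand-alone demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LIST" | getcert_summary | flag_requests
```

On the thread's second listing this reports the request for `/home/tuser/server.key` and `/home/tuser/server.crt` twice: once for the NEED_KEY_PAIR status and once per file location outside the assumed allowed directories, while the NSSDB-backed machine certificate passes silently. A request that is moved to `/var/lib/certmonger/requests/`, as Arthur did, stops being flagged on location; whether a different target such as `/var/lib/pgsql/9.3/data/` is really denied must still be confirmed against the host's own SELinux policy and audit log.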