On 11/06/2013 07:01 AM, Arthur Faizullin wrote:
> Исаев Виталий Анатольевич <is...@fintech.ru> has give me advise that the
> problem may be in Selinux.
> so I has stoped tracking previous request by
> $ sudo ipa-getcert stop-tracking -i 20131106075356
>
> and has generated new request
> # ipa-getcert request -f /var/lib/certmonger/requests/server.crt
> -k /var/lib/certmonger/requests/server.key -K
> postgresql/postgresql.example.com -N CN=postgresql.example.com -D
> postgresql.example.com
>
> that made desired files to appear at /var/lib/certmonger/requests/
> that is okay! :)
> but! I want them in /var/lib/pgsql/9.3/data/
> so what is the problem? why not just copy them at that directory?
> the problem is that when I list cert requests, I see this:
> Request ID '20131106113520':
>       status: MONITORING
>       stuck: no
>       key pair storage:
> type=FILE,location='/var/lib/certmonger/requests/server.key'
>       certificate:
> type=FILE,location='/var/lib/certmonger/requests/server.crt'
>       CA: IPA
>       issuer: CN=Certificate Authority,O=EXAMPLE.COM
>       subject: CN=postgresql.example.com,O=EXAMPLE.COM
>       expires: 2015-11-07 11:35:20 UTC
>       eku: id-kp-serverAuth,id-kp-clientAuth
>       pre-save command: 
>       post-save command: 
>       track: yes
>       auto-renew: yes
>
> we can see that file location in that list is defined at request time.
>
> Shall I make Selinux to let certmonger to access /var/lib/pgsql ? or is
> there any other solution?

I think yes. And I recall this is not the first time this comes up.
My memory might be failing me but I vaguely remember that we discussed this.
However I could not find any bug or ticket on the matter so I created this
https://bugzilla.redhat.com/show_bug.cgi?id=1027265

>
> And I think that there mast be note at documentation about such
> situations with Selinux.
>
> В Ср, 06/11/2013 в 14:16 +0600, Arthur Faizullin пишет:
>> Hi, everyone!
>> I feel myself very uncomfortable asking this question, since usually I
>> found documentation easy to understand&read. (Thanks for that!)
>> But there is the point, that I could not understand.
>> That point is generating certificates using IPA CA.
>> I have read about this:
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/request-service-service.html
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/certmongerX.html
>> https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/getting-started.txt
>> but I did not get the point! :(
>> So, I have build test environment as shown in attached document, if you
>> need details, you may look at it.
>> for short I have 2 servers:
>> 1. IPA-server:        ipaserver.example.com
>> 2. PostgreSQL-server: postgresql.example.com
>> PostgreSQL was chosen as an example (nor bad, nor good)
>> and I try to generate key&certificate:
>>
>> $ sudo ipa-getcert request -f /home/tuser/server.crt
>> -k /home/tuser/server.key -K postgresql/postgresql.example.com -N
>> CN=postgresql.example.com -D postgresql.example.com
>>
>> I get this answer:
>>
>> New signing request "20131106075356" added.
>>
>> But what to do with this answer? I can get list of requests, but that
>> does not make it more clear:
>>
>> $ ipa-getcert list
>> Error connecting to DBus.
>> Please verify that the message bus (D-Bus) service is running.
>> [tuser@postgresql ~]$ sudo ipa-getcert list
>> Number of certificates and requests being tracked: 2.
>> Request ID '20131101115647':
>>      status: MONITORING
>>      stuck: no
>>      key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA
>> Machine Certificate - postgresql.example.com',token='NSS Certificate DB'
>>      certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine
>> Certificate - postgresql.example.com',token='NSS Certificate DB'
>>      CA: IPA
>>      issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>      subject: CN=postgresql.example.com,O=EXAMPLE.COM
>>      expires: 2015-11-02 11:56:48 UTC
>>      eku: id-kp-serverAuth,id-kp-clientAuth
>>      pre-save command: 
>>      post-save command: 
>>      track: yes
>>      auto-renew: yes
>> Request ID '20131106075356':
>>      status: NEED_KEY_PAIR
>>      stuck: no
>>      key pair storage: type=FILE,location='/home/tuser/server.key'
>>      certificate: type=FILE,location='/home/tuser/server.crt'
>>      CA: IPA
>>      issuer: 
>>      subject: 
>>      expires: unknown
>>      pre-save command: 
>>      post-save command: 
>>      track: yes
>>      auto-renew: yes
>>
>> ______________________________
>> Best regards, Arthur Fayzullin
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users@redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.


-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/



_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to