I have done as you said!

# ipa-getcert request -f /etc/pki/tls/certs/postgresql.crt -k /etc/pki/tls/private/postgresql.key -K postgresql/postgresql.example.com -N CN=postgresql.example.com -D postgresql.example.com
# ipa-getcert list
Request ID '20131107050729':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/tls/private/postgresql.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/postgresql.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=postgresql.example.com,O=EXAMPLE.COM
	expires: 2015-11-08 05:07:29 UTC
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes

At startup I get such errors:

< 2013-11-07 12:06:58.997 YEKT >FATAL:  could not load server certificate file "/etc/pki/tls/certs/postgresql.crt": Permission denied
< 2013-11-07 12:10:23.550 YEKT >FATAL:  could not load server certificate file "/etc/pki/tls/certs/postgresql.crt": Permission denied

But after I've changed the owner:

# chown postgres /etc/pki/tls/certs/postgresql.crt
# chown postgres /etc/pki/tls/private/postgresql.key
# ll /etc/pki/tls/certs/postgresql.crt
-rw-------. 1 postgres root 1318 Ноя  7 11:07 /etc/pki/tls/certs/postgresql.crt
# ll /etc/pki/tls/private/postgresql.key
-rw-------. 1 postgres root 1704 Ноя  7 11:07 /etc/pki/tls/private/postgresql.key

it seems to be starting well!
But since I've changed the owner of the key file and the certificate file, will certmonger still be monitoring these files?

On Thu, 07/11/2013 at 10:53 +0600, Arthur Faizullin wrote:
> On Wed, 06/11/2013 at 08:44 -0500, Rob Crittenden wrote:
> > Dmitri Pal wrote:
> > > On 11/06/2013 07:01 AM, Arthur Faizullin wrote:
> > >> Исаев Виталий Анатольевич <is...@fintech.ru> has given me advice that the
> > >> problem may be in SELinux.
> > >> So I have stopped tracking the previous request by
> > >> $ sudo ipa-getcert stop-tracking -i 20131106075356
> > >>
> > >> and have generated a new request
> > >> # ipa-getcert request -f /var/lib/certmonger/requests/server.crt
> > >> -k /var/lib/certmonger/requests/server.key -K
> > >> postgresql/postgresql.example.com -N CN=postgresql.example.com -D
> > >> postgresql.example.com
> > >>
> > >> that made the desired files appear at /var/lib/certmonger/requests/
> > >> that is okay! :)
> > >> but! I want them in /var/lib/pgsql/9.3/data/
> > >> so what is the problem? why not just copy them to that directory?
> > >> the problem is that when I list cert requests, I see this:
> > >> Request ID '20131106113520':
> > >> 	status: MONITORING
> > >> 	stuck: no
> > >> 	key pair storage:
> > >> type=FILE,location='/var/lib/certmonger/requests/server.key'
> > >> 	certificate:
> > >> type=FILE,location='/var/lib/certmonger/requests/server.crt'
> > >> 	CA: IPA
> > >> 	issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > >> 	subject: CN=postgresql.example.com,O=EXAMPLE.COM
> > >> 	expires: 2015-11-07 11:35:20 UTC
> > >> 	eku: id-kp-serverAuth,id-kp-clientAuth
> > >> 	pre-save command:
> > >> 	post-save command:
> > >> 	track: yes
> > >> 	auto-renew: yes
> > >>
> > >> we can see that the file location in that list is defined at request time.
> > >>
> > >> Shall I make SELinux let certmonger access /var/lib/pgsql ? or is
> > >> there any other solution?
> > >
> > > I think yes. And I recall this is not the first time this comes up.
> > > My memory might be failing me but I vaguely remember that we discussed
> > > this.
> > > However I could not find any bug or ticket on the matter so I created this
> > > https://bugzilla.redhat.com/show_bug.cgi?id=1027265
> >
> > Typically in Fedora and RHEL certs are expected to go into
> > /etc/pki/tls/certs and keys into /etc/pki/tls/private. These directories
> > have the correct SELinux contexts.
> >
> > rob
>
> As with the krb5 keytab, which is recommended to be kept in a specified directory
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/services.html
> I thought that SSL keys should also be kept in a specified directory.

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
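An added check script for the two questions raised in this thread (it is not code from the thread or from certmonger): whether the cert/key pair under /etc/pki/tls has the owner and mode PostgreSQL needs, and whether the paths that were chowned still show up as tracked in `ipa-getcert list`, which records files by path. The paths and the `postgres` owner are the ones from the thread; the listing embedded below is a constructed copy used for the offline demo.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits a certmonger-issued
# PostgreSQL cert/key pair and reads the tracking status for a given path.

# Return 0 when FILE is owned by OWNER with octal mode MODE; otherwise print
# the mismatch and return 1 (postgres must read both files, nobody else the key).
check_file_perms() {
    file=$1 want_owner=$2 want_mode=$3
    [ -f "$file" ] || { echo "missing: $file"; return 1; }
    have=$(stat -c '%U %a' "$file") || return 1
    set -- $have
    if [ "$1" != "$want_owner" ] || [ "$2" != "$want_mode" ]; then
        echo "$file: owner=$1 mode=$2 (want $want_owner $want_mode)"
        return 1
    fi
    echo "$file: ok (owner=$1 mode=$2)"
}

# Read `ipa-getcert list` output on stdin and print the status of the request
# whose certificate location is exactly PATH. The listing identifies files by
# path, so this is the check to run after moving or chowning them; an empty
# result means no request covers that path.
tracking_status() {
    awk -v path="$1" -v q="'" '
        /^Request ID/    { status = "" }
        /^[ \t]*status:/ { status = $2 }
        index($0, "certificate:") && index($0, "location=" q path q) {
            print status; exit
        }'
}

# Constructed copy of the listing shown in the thread (fields trimmed).
SAMPLE_LIST="Request ID '20131107050729':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/tls/private/postgresql.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/postgresql.crt'
	CA: IPA
	track: yes
	auto-renew: yes"

# Status of PATH in the constructed listing (offline demo).
sample_status() { printf '%s\n' "$SAMPLE_LIST" | tracking_status "$1"; }

# On the real host: both files owned by postgres, mode 0600, and still tracked.
audit_postgres_pair() {
    check_file_perms /etc/pki/tls/certs/postgresql.crt postgres 600
    check_file_perms /etc/pki/tls/private/postgresql.key postgres 600
    ipa-getcert list | tracking_status /etc/pki/tls/certs/postgresql.crt
}
```

Run `audit_postgres_pair` as root on the PostgreSQL host; the last line should print MONITORING for the chowned certificate path.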