Arthur Faizullin wrote:
I have found what that means. It is again something with access rights.
Rob Crittenden <> says that it is better to generate
certificates at:
and if these files owner is postgres then postgresql is starting well,
but I do not know if certmonger will keep be tracking these file in case
of owner changed.

It will be fine. certmonger runs as root.


В Чт, 07/11/2013 в 10:49 +0600, Arthur Faizullin пишет:
В Ср, 06/11/2013 в 14:52 +0200, Alexander Bokovoy пишет:
On Wed, 06 Nov 2013, Arthur Faizullin wrote:
Исаев Виталий Анатольевич <> has give me advise that the
problem may be in Selinux.
so I has stoped tracking previous request by
$ sudo ipa-getcert stop-tracking -i 20131106075356

and has generated new request
# ipa-getcert request -f /var/lib/certmonger/requests/server.crt
-k /var/lib/certmonger/requests/server.key -K
postgresql/ -N -D

that made desired files to appear at /var/lib/certmonger/requests/
that is okay! :)
but! I want them in /var/lib/pgsql/9.3/data/
so what is the problem? why not just copy them at that directory?
the problem is that when I list cert requests, I see this:
Request ID '20131106113520':
        status: MONITORING
        stuck: no
        key pair storage:
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        expires: 2015-11-07 11:35:20 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

we can see that file location in that list is defined at request time.

Shall I make Selinux to let certmonger to access /var/lib/pgsql ? or is
there any other solution?
certmonger does run under certmonger_t SELinux type and system_r role.
It can already write to file contexts named certmonger_*_t and cert_t. For
storing certificates you would need to use cert_t file context.

mkdir -p /var/lib/pgsql/9.3/data/certs
semanage fcontext -a -t cert_t  '/var/lib/pgsql/9.3/data/certs(/.*)?'
restorecon -R -v /var/lib/pgsql/9.3/data/certs

I would advise you against placing the files directly in
/var/lib/pgsql/9.3/data as opposed to the subdirectory. It is safer to
specify path to the certificate in pgsql configuration.

I have tried it, but I still get this answer:
# ipa-getcert request -f /var/lib/pgsql/9.3/data/certs/server.crt
-k /var/lib/pgsql/9.3/data/certs/server.key -K
postgresql/ -N -D
The parent of location "/var/lib/pgsql/9.3/data/certs/server.crt" must
be a valid directory.

What does "valid directory" mean?

And I think that there mast be note at documentation about such
situations with Selinux.
Yes. You can also install selinux-policy-devel package and read
certmonger_selinux (8) manpage.

Can you open a ticket against FreeIPA documentation.

Is bug opened by Dmitri Pal enough?

Freeipa-users mailing list

Freeipa-users mailing list

Freeipa-users mailing list

Reply via email to