[Freeipa-users] question about generating certificates
Dmitri Pal
dpal at redhat.com
Wed Nov 6 12:55:45 UTC 2013
On 11/06/2013 07:01 AM, Arthur Faizullin wrote:
> Исаев Виталий Анатольевич <isaev at fintech.ru> has give me advise that the
> problem may be in Selinux.
> so I has stoped tracking previous request by
> $ sudo ipa-getcert stop-tracking -i 20131106075356
>
> and has generated new request
> # ipa-getcert request -f /var/lib/certmonger/requests/server.crt
> -k /var/lib/certmonger/requests/server.key -K
> postgresql/postgresql.example.com -N CN=postgresql.example.com -D
> postgresql.example.com
>
> that made desired files to appear at /var/lib/certmonger/requests/
> that is okay! :)
> but! I want them in /var/lib/pgsql/9.3/data/
> so what is the problem? why not just copy them at that directory?
> the problem is that when I list cert requests, I see this:
> Request ID '20131106113520':
> status: MONITORING
> stuck: no
> key pair storage:
> type=FILE,location='/var/lib/certmonger/requests/server.key'
> certificate:
> type=FILE,location='/var/lib/certmonger/requests/server.crt'
> CA: IPA
> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> subject: CN=postgresql.example.com,O=EXAMPLE.COM
> expires: 2015-11-07 11:35:20 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
>
> we can see that file location in that list is defined at request time.
>
> Shall I make Selinux to let certmonger to access /var/lib/pgsql ? or is
> there any other solution?
I think yes. And I recall this is not the first time this comes up.
My memory might be failing me but I vaguely remember that we discussed this.
However I could not find any bug or ticket on the matter so I created this
https://bugzilla.redhat.com/show_bug.cgi?id=1027265
>
> And I think that there mast be note at documentation about such
> situations with Selinux.
>
> В Ср, 06/11/2013 в 14:16 +0600, Arthur Faizullin пишет:
>> Hi, everyone!
>> I feel myself very uncomfortable asking this question, since usually I
>> found documentation easy to understand&read. (Thanks for that!)
>> But there is the point, that I could not understand.
>> That point is generating certificates using IPA CA.
>> I have read about this:
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/request-service-service.html
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/certmongerX.html
>> https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/getting-started.txt
>> but I did not get the point! :(
>> So, I have build test environment as shown in attached document, if you
>> need details, you may look at it.
>> for short I have 2 servers:
>> 1. IPA-server: ipaserver.example.com
>> 2. PostgreSQL-server: postgresql.example.com
>> PostgreSQL was chosen as an example (nor bad, nor good)
>> and I try to generate key&certificate:
>>
>> $ sudo ipa-getcert request -f /home/tuser/server.crt
>> -k /home/tuser/server.key -K postgresql/postgresql.example.com -N
>> CN=postgresql.example.com -D postgresql.example.com
>>
>> I get this answer:
>>
>> New signing request "20131106075356" added.
>>
>> But what to do with this answer? I can get list of requests, but that
>> does not make it more clear:
>>
>> $ ipa-getcert list
>> Error connecting to DBus.
>> Please verify that the message bus (D-Bus) service is running.
>> [tuser at postgresql ~]$ sudo ipa-getcert list
>> Number of certificates and requests being tracked: 2.
>> Request ID '20131101115647':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA
>> Machine Certificate - postgresql.example.com',token='NSS Certificate DB'
>> certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine
>> Certificate - postgresql.example.com',token='NSS Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
>> subject: CN=postgresql.example.com,O=EXAMPLE.COM
>> expires: 2015-11-02 11:56:48 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>> Request ID '20131106075356':
>> status: NEED_KEY_PAIR
>> stuck: no
>> key pair storage: type=FILE,location='/home/tuser/server.key'
>> certificate: type=FILE,location='/home/tuser/server.crt'
>> CA: IPA
>> issuer:
>> subject:
>> expires: unknown
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>>
>> ______________________________
>> Best regards, Arthur Fayzullin
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
More information about the Freeipa-users
mailing list