[Freeipa-users] question about generating certificates

Dmitri Pal dpal at redhat.com
Wed Nov 6 12:55:45 UTC 2013


On 11/06/2013 07:01 AM, Arthur Faizullin wrote:
> Исаев Виталий Анатольевич <isaev at fintech.ru> has given me advice that the
> problem may be in SELinux.
> So I have stopped tracking the previous request with
> $ sudo ipa-getcert stop-tracking -i 20131106075356
>
> and have generated a new request
> # ipa-getcert request -f /var/lib/certmonger/requests/server.crt
> -k /var/lib/certmonger/requests/server.key -K
> postgresql/postgresql.example.com -N CN=postgresql.example.com -D
> postgresql.example.com
>
> That made the desired files appear at /var/lib/certmonger/requests/
> That is okay! :)
> But! I want them in /var/lib/pgsql/9.3/data/
> So what is the problem? Why not just copy them to that directory?
> The problem is that when I list cert requests, I see this:
> Request ID '20131106113520':
> 	status: MONITORING
> 	stuck: no
> 	key pair storage:
> type=FILE,location='/var/lib/certmonger/requests/server.key'
> 	certificate:
> type=FILE,location='/var/lib/certmonger/requests/server.crt'
> 	CA: IPA
> 	issuer: CN=Certificate Authority,O=EXAMPLE.COM
> 	subject: CN=postgresql.example.com,O=EXAMPLE.COM
> 	expires: 2015-11-07 11:35:20 UTC
> 	eku: id-kp-serverAuth,id-kp-clientAuth
> 	pre-save command: 
> 	post-save command: 
> 	track: yes
> 	auto-renew: yes
>
> We can see that the file location in that list is defined at request time.
>
> Shall I make SELinux let certmonger access /var/lib/pgsql? Or is
> there any other solution?

I think yes. And I recall this is not the first time this comes up.
My memory might be failing me but I vaguely remember that we discussed this.
However I could not find any bug or ticket on the matter so I created this
https://bugzilla.redhat.com/show_bug.cgi?id=1027265

>
> And I think that there must be a note in the documentation about such
> situations with SELinux.
>
> On Wed, 06/11/2013 at 14:16 +0600, Arthur Faizullin wrote:
>> Hi, everyone!
>> I feel very uncomfortable asking this question, since usually I
>> find the documentation easy to understand and read. (Thanks for that!)
>> But there is a point that I could not understand.
>> That point is generating certificates using the IPA CA.
>> I have read about this:
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/request-service-service.html
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/certmongerX.html
>> https://git.fedorahosted.org/cgit/certmonger.git/tree/doc/getting-started.txt
>> but I did not get the point! :(
>> So, I have built a test environment as shown in the attached document; if you
>> need details, you may look at it.
>> For short, I have 2 servers:
>> 1. IPA-server:        ipaserver.example.com
>> 2. PostgreSQL-server: postgresql.example.com
>> PostgreSQL was chosen as an example (neither bad nor good)
>> and I try to generate a key and certificate:
>>
>> $ sudo ipa-getcert request -f /home/tuser/server.crt
>> -k /home/tuser/server.key -K postgresql/postgresql.example.com -N
>> CN=postgresql.example.com -D postgresql.example.com
>>
>> I get this answer:
>>
>> New signing request "20131106075356" added.
>>
>> But what to do with this answer? I can get a list of requests, but that
>> does not make it any clearer:
>>
>> $ ipa-getcert list
>> Error connecting to DBus.
>> Please verify that the message bus (D-Bus) service is running.
>> [tuser at postgresql ~]$ sudo ipa-getcert list
>> Number of certificates and requests being tracked: 2.
>> Request ID '20131101115647':
>> 	status: MONITORING
>> 	stuck: no
>> 	key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA
>> Machine Certificate - postgresql.example.com',token='NSS Certificate DB'
>> 	certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine
>> Certificate - postgresql.example.com',token='NSS Certificate DB'
>> 	CA: IPA
>> 	issuer: CN=Certificate Authority,O=EXAMPLE.COM
>> 	subject: CN=postgresql.example.com,O=EXAMPLE.COM
>> 	expires: 2015-11-02 11:56:48 UTC
>> 	eku: id-kp-serverAuth,id-kp-clientAuth
>> 	pre-save command: 
>> 	post-save command: 
>> 	track: yes
>> 	auto-renew: yes
>> Request ID '20131106075356':
>> 	status: NEED_KEY_PAIR
>> 	stuck: no
>> 	key pair storage: type=FILE,location='/home/tuser/server.key'
>> 	certificate: type=FILE,location='/home/tuser/server.crt'
>> 	CA: IPA
>> 	issuer: 
>> 	subject: 
>> 	expires: unknown
>> 	pre-save command: 
>> 	post-save command: 
>> 	track: yes
>> 	auto-renew: yes
>>
>> ______________________________
>> Best regards, Arthur Fayzullin
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
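As an added example (not from this thread or from certmonger itself), a small checker that parses the `ipa-getcert list` output quoted above and flags requests that are not in MONITORING state or whose FILE-backed key or certificate lives outside the directories certmonger is normally allowed to write (the allowed-directory list is an assumption for this example; the sample listing is constructed from the thread).

```python
import re

# Constructed sample, built from the listings quoted in the thread.
SAMPLE_LIST = """Number of certificates and requests being tracked: 2.
Request ID '20131101115647':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - postgresql.example.com',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - postgresql.example.com',token='NSS Certificate DB'
Request ID '20131106075356':
\tstatus: NEED_KEY_PAIR
\tstuck: no
\tkey pair storage: type=FILE,location='/home/tuser/server.key'
\tcertificate: type=FILE,location='/home/tuser/server.crt'
"""

# Directories certmonger is assumed to write to without extra SELinux policy
# (assumption for this example; adjust to the policy actually on the host).
DEFAULT_ALLOWED = ("/etc/pki/", "/var/lib/certmonger/")

_REQ = re.compile(r"^Request ID '([^']+)':$")
_LOC = re.compile(r"type=(\w+),location='([^']*)'")

def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by the field names shown."""
    requests = []
    for line in text.splitlines():
        m = _REQ.match(line)
        if m:
            requests.append({"id": m.group(1)})
        elif line.startswith("\t") and requests and ":" in line:
            key, _, value = line[1:].partition(":")
            requests[-1][key.strip()] = value.strip()
    return requests

def find_problems(requests, allowed=DEFAULT_ALLOWED):
    """Flag requests that are not being monitored, are stuck, or point at
    files outside the directories certmonger is expected to be able to write."""
    problems = []
    for r in requests:
        if r.get("status") != "MONITORING":
            problems.append((r["id"], "status " + r.get("status", "?")))
        if r.get("stuck") == "yes":
            problems.append((r["id"], "stuck"))
        for field in ("key pair storage", "certificate"):
            m = _LOC.search(r.get(field, ""))
            if m and m.group(1) == "FILE" and not m.group(2).startswith(allowed):
                problems.append((r["id"], f"{field} outside allowed dirs: {m.group(2)}"))
    return problems
```

Feed it the real output with `parse_getcert_list(subprocess.check_output(["ipa-getcert", "list"], text=True))` run as root; a request reported with NEED_KEY_PAIR and a FILE location outside the allowed directories is the situation the thread describes.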

