[Freeipa-users] question about generating certificates

Arthur Faizullin arthur at deus.pro
Thu Nov 7 06:33:28 UTC 2013


I have found what that means. It is again something with access rights.
Rob Crittenden <rcritten at redhat.com> says that it is better to generate
the certificates at:
/etc/pki/tls/private/postgresql.key
/etc/pki/tls/certs/postgresql.crt
and if the owner of these files is postgres then postgresql starts well,
but I do not know if certmonger will keep tracking these files in case
the owner is changed.

On Thu, 07/11/2013 at 10:49 +0600, Arthur Faizullin wrote:
> On Wed, 06/11/2013 at 14:52 +0200, Alexander Bokovoy wrote:
> > On Wed, 06 Nov 2013, Arthur Faizullin wrote:
> > >Исаев Виталий Анатольевич <isaev at fintech.ru> has given me the advice that the
> > >problem may be in SELinux.
> > >So I have stopped tracking the previous request with
> > >$ sudo ipa-getcert stop-tracking -i 20131106075356
> > >
> > >and have generated a new request
> > ># ipa-getcert request -f /var/lib/certmonger/requests/server.crt
> > >-k /var/lib/certmonger/requests/server.key -K
> > >postgresql/postgresql.example.com -N CN=postgresql.example.com -D
> > >postgresql.example.com
> > >
> > >That made the desired files appear in /var/lib/certmonger/requests/,
> > >which is okay! :)
> > >But I want them in /var/lib/pgsql/9.3/data/.
> > >So what is the problem? Why not just copy them to that directory?
> > >The problem is that when I list the cert requests, I see this:
> > >Request ID '20131106113520':
> > >	status: MONITORING
> > >	stuck: no
> > >	key pair storage: type=FILE,location='/var/lib/certmonger/requests/server.key'
> > >	certificate: type=FILE,location='/var/lib/certmonger/requests/server.crt'
> > >	CA: IPA
> > >	issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > >	subject: CN=postgresql.example.com,O=EXAMPLE.COM
> > >	expires: 2015-11-07 11:35:20 UTC
> > >	eku: id-kp-serverAuth,id-kp-clientAuth
> > >	pre-save command:
> > >	post-save command:
> > >	track: yes
> > >	auto-renew: yes
> > >
> > >We can see that the file location in that list is defined at request time.
> > >
> > >Shall I make SELinux let certmonger access /var/lib/pgsql? Or is
> > >there any other solution?
> > certmonger does run under the certmonger_t SELinux type and the system_r role.
> > It can already write to file contexts named certmonger_*_t and cert_t. For
> > storing certificates you would need to use the cert_t file context.
> > 
> > mkdir -p /var/lib/pgsql/9.3/data/certs
> > semanage fcontext -a -t cert_t '/var/lib/pgsql/9.3/data/certs(/.*)?'
> > restorecon -R -v /var/lib/pgsql/9.3/data/certs
> > 
> > I would advise you against placing the files directly in
> > /var/lib/pgsql/9.3/data as opposed to the subdirectory. It is safer to
> > specify the path to the certificate in the pgsql configuration.
> 
> I have tried it, but I still get this answer:
> # ipa-getcert request -f /var/lib/pgsql/9.3/data/certs/server.crt
> -k /var/lib/pgsql/9.3/data/certs/server.key -K
> postgresql/postgresql.example.com -N CN=postgresql.example.com -D
> postgresql.example.com
> The parent of location "/var/lib/pgsql/9.3/data/certs/server.crt" must
> be a valid directory.
> 
> What does "valid directory" mean?
> 
> > 
> > >And I think that there must be a note in the documentation about such
> > >situations with SELinux.
> > Yes. You can also install the selinux-policy-devel package and read the
> > certmonger_selinux(8) manpage.
> > 
> > Can you open a ticket against the FreeIPA documentation?
> 
> Is the bug opened by Dmitri Pal enough?
> https://bugzilla.redhat.com/show_bug.cgi?id=1027265
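Added example, not code from anyone in this thread: a shell preflight that applies the checks discussed above before running ipa-getcert request. For the -f/-k path it reports whether the parent exists (certmonger's "must be a valid directory" rule), whether the parent carries the cert_t or certmonger_*_t label Alexander describes when SELinux is on, and whether the key file (or, before it exists, its directory) is owned by the expected service user such as postgres. The function name, exit codes and hint messages are my own.

```shell
#!/bin/sh
# Preflight for the paths given to "ipa-getcert request -f CERT -k KEY".
# Exit codes: 0 ok, 1 parent missing or not a directory,
#             3 owner mismatch, 2 parent not labelled for certmonger
#             (SELinux check only runs when SELinux is not disabled).
certmonger_preflight() {
    path=$1            # e.g. /var/lib/pgsql/9.3/data/certs/server.key
    want_owner=${2-}   # optional service user, e.g. postgres
    parent=$(dirname "$path")

    if [ ! -d "$parent" ]; then
        echo "parent '$parent' does not exist or is not a directory" >&2
        return 1
    fi

    # The service that reads the key must own it; check the file if it
    # already exists, otherwise the directory it will be written into.
    if [ -n "$want_owner" ]; then
        target=$parent
        [ -e "$path" ] && target=$path
        owner=$(ls -ld "$target" | awk '{print $3}')
        if [ "$owner" != "$want_owner" ]; then
            echo "'$target' is owned by '$owner', expected '$want_owner'" >&2
            return 3
        fi
    fi

    # certmonger runs as certmonger_t and can write cert_t and
    # certmonger_*_t files, so the directory label matters under SELinux.
    if [ -d /sys/fs/selinux ] && command -v getenforce >/dev/null 2>&1 \
        && [ "$(getenforce)" != "Disabled" ]; then
        ctx=$(stat -c %C "$parent" 2>/dev/null)
        case "$ctx" in
            *:cert_t:*|*:certmonger_*_t:*) ;;
            *)
                echo "parent '$parent' has context '$ctx', expected cert_t" >&2
                echo "hint: semanage fcontext -a -t cert_t '$parent(/.*)?'; restorecon -R -v '$parent'" >&2
                return 2 ;;
        esac
    fi
    return 0
}

# Usage: certmonger_preflight.sh /var/lib/pgsql/9.3/data/certs/server.key postgres
if [ $# -gt 0 ]; then
    certmonger_preflight "$@"
fi
```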




