[Freeipa-users] question about generating certificates

Rob Crittenden rcritten at redhat.com
Thu Nov 7 14:03:22 UTC 2013


Arthur Faizullin wrote:
> I have found what that means. It is again something with access rights.
> Rob Crittenden <rcritten at redhat.com> says that it is better to generate
> certificates at:
> /etc/pki/tls/private/postgresql.key
> /etc/pki/tls/certs/postgresql.crt
> and if the owner of these files is postgres then postgresql starts fine,
> but I do not know if certmonger will keep tracking these files if the
> owner is changed.

It will be fine. certmonger runs as root.

rob

>
> On Thu, 07/11/2013 at 10:49 +0600, Arthur Faizullin wrote:
>> On Wed, 06/11/2013 at 14:52 +0200, Alexander Bokovoy wrote:
>>> On Wed, 06 Nov 2013, Arthur Faizullin wrote:
>>>> Исаев Виталий Анатольевич <isaev at fintech.ru> has given me advice that the
>>>> problem may be in SELinux,
>>>> so I have stopped tracking the previous request by
>>>> $ sudo ipa-getcert stop-tracking -i 20131106075356
>>>>
>>>> and have generated a new request
>>>> # ipa-getcert request -f /var/lib/certmonger/requests/server.crt
>>>> -k /var/lib/certmonger/requests/server.key -K
>>>> postgresql/postgresql.example.com -N CN=postgresql.example.com -D
>>>> postgresql.example.com
>>>>
>>>> that made the desired files appear in /var/lib/certmonger/requests/
>>>> that is okay! :)
>>>> but! I want them in /var/lib/pgsql/9.3/data/
>>>> so what is the problem? why not just copy them to that directory?
>>>> the problem is that when I list cert requests, I see this:
>>>> Request ID '20131106113520':
>>>> 	status: MONITORING
>>>> 	stuck: no
>>>> 	key pair storage: type=FILE,location='/var/lib/certmonger/requests/server.key'
>>>> 	certificate: type=FILE,location='/var/lib/certmonger/requests/server.crt'
>>>> 	CA: IPA
>>>> 	issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>> 	subject: CN=postgresql.example.com,O=EXAMPLE.COM
>>>> 	expires: 2015-11-07 11:35:20 UTC
>>>> 	eku: id-kp-serverAuth,id-kp-clientAuth
>>>> 	pre-save command:
>>>> 	post-save command:
>>>> 	track: yes
>>>> 	auto-renew: yes
>>>>
>>>> we can see that the file location in that list is defined at request time.
>>>>
>>>> Shall I make SELinux let certmonger access /var/lib/pgsql? Or is
>>>> there any other solution?
>>> certmonger does run under the certmonger_t SELinux type and system_r role.
>>> It can already write to file contexts named certmonger_*_t and cert_t. For
>>> storing certificates you would need to use the cert_t file context.
>>>
>>> mkdir -p /var/lib/pgsql/9.3/data/certs
>>> semanage fcontext -a -t cert_t  '/var/lib/pgsql/9.3/data/certs(/.*)?'
>>> restorecon -R -v /var/lib/pgsql/9.3/data/certs
>>>
>>> I would advise you against placing the files directly in
>>> /var/lib/pgsql/9.3/data as opposed to the subdirectory. It is safer to
>>> specify the path to the certificate in the pgsql configuration.
>>
>> I have tried it, but I still get this answer:
>> # ipa-getcert request -f /var/lib/pgsql/9.3/data/certs/server.crt
>> -k /var/lib/pgsql/9.3/data/certs/server.key -K
>> postgresql/postgresql.example.com -N CN=postgresql.example.com -D
>> postgresql.example.com
>> The parent of location "/var/lib/pgsql/9.3/data/certs/server.crt" must
>> be a valid directory.
>>
>> What does "valid directory" mean?
>>
>>>
>>>> And I think that there must be a note in the documentation about such
>>>> situations with SELinux.
>>> Yes. You can also install selinux-policy-devel package and read
>>> certmonger_selinux (8) manpage.
>>>
>>> Can you open a ticket against the FreeIPA documentation?
>>
>> Is the bug opened by Dmitri Pal enough?
>> https://bugzilla.redhat.com/show_bug.cgi?id=1027265
>>>
>>
>>
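A preflight-and-setup script, added here as an example and not part of the thread, that follows Alexander's cert_t labelling steps, checks the parent-directory condition behind the "must be a valid directory" error before requesting, and hands ownership to postgres. The directory, host and service principal are assumptions taken from the thread's own examples, and the -C post-save chown is an added precaution rather than something the thread prescribes.

```shell
#!/bin/sh
# Added example, not code from the thread. Prepares a cert_t-labelled directory
# for certmonger and requests the PostgreSQL certificate into it, after checking
# the parent-directory condition behind the "must be a valid directory" error.
# CERT_DIR, PG_HOST and the service principal are assumptions from the thread.
set -eu

CERT_DIR="${CERT_DIR:-/var/lib/pgsql/9.3/data/certs}"
PG_HOST="${PG_HOST:-postgresql.example.com}"
DRY_RUN="${DRY_RUN:-0}"   # DRY_RUN=1 prints privileged commands instead of running them

# Run a command, or only print it when DRY_RUN=1.
run() { if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# certmonger rejects a -f/-k location whose parent is not an existing directory.
# Returns 0 when the parent of the given path exists and is a directory.
parent_is_dir() { [ -d "$(dirname "$1")" ]; }

# Create the directory, label it cert_t (which certmonger_t may write), and give
# it to postgres so the server can read the files certmonger drops there.
prepare_cert_dir() {
    mkdir -p "$1"
    run semanage fcontext -a -t cert_t "$1(/.*)?"
    run restorecon -R -v "$1"
    run chown postgres:postgres "$1"
    run chmod 0750 "$1"
}

# Issue the same request as in the thread. -C is a post-save command (an added
# precaution): certmonger runs as root, so it can restore postgres ownership of
# the key and cert after every renewal.
request_cert() {
    crt="$1/server.crt"; key="$1/server.key"
    parent_is_dir "$crt" || { echo "parent of $crt is not a directory" >&2; return 1; }
    run ipa-getcert request -f "$crt" -k "$key" \
        -K "postgresql/$PG_HOST" -N "CN=$PG_HOST" -D "$PG_HOST" \
        -C "chown postgres:postgres $key $crt"
}

# Usage: DRY_RUN=1 sh prepare-pg-cert.sh run   (drop DRY_RUN to apply as root)
if [ "${1:-}" = "run" ]; then
    prepare_cert_dir "$CERT_DIR"
    request_cert "$CERT_DIR"
fi
```

Run it with DRY_RUN=1 first to review the exact semanage, restorecon and ipa-getcert invocations before applying them as root.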