[Freeipa-users] question about generating certificates

Arthur Faizullin arthur at deus.pro
Thu Nov 7 06:27:58 UTC 2013


I have done as you said!
# ipa-getcert request -f /etc/pki/tls/certs/postgresql.crt \
    -k /etc/pki/tls/private/postgresql.key \
    -K postgresql/postgresql.example.com \
    -N CN=postgresql.example.com \
    -D postgresql.example.com

# ipa-getcert list
Request ID '20131107050729':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/etc/pki/tls/private/postgresql.key'
	certificate: type=FILE,location='/etc/pki/tls/certs/postgresql.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=postgresql.example.com,O=EXAMPLE.COM
	expires: 2015-11-08 05:07:29 UTC
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes

At startup I get such errors:
< 2013-11-07 12:06:58.997 YEKT >FATAL:  could not load server
certificate file "/etc/pki/tls/certs/postgresql.crt": Permission denied
< 2013-11-07 12:10:23.550 YEKT >FATAL:  could not load server
certificate file "/etc/pki/tls/certs/postgresql.crt": Permission denied

but after I've changed owner:
# chown postgres /etc/pki/tls/certs/postgresql.crt
# chown postgres /etc/pki/tls/private/postgresql.key
# ll /etc/pki/tls/certs/postgresql.crt 
-rw-------. 1 postgres root 1318 Ноя  7
11:07 /etc/pki/tls/certs/postgresql.crt
# ll /etc/pki/tls/private/postgresql.key 
-rw-------. 1 postgres root 1704 Ноя  7
11:07 /etc/pki/tls/private/postgresql.key

It seems to be starting well!
But since I've changed the owner of the key file and the certificate file, will
certmonger still be monitoring these files?


On Thu, 07/11/2013 at 10:53 +0600, Arthur Faizullin wrote:
> On Wed, 06/11/2013 at 08:44 -0500, Rob Crittenden wrote:
> > Dmitri Pal wrote:
> > > On 11/06/2013 07:01 AM, Arthur Faizullin wrote:
> > >> Исаев Виталий Анатольевич <isaev at fintech.ru> has given me the advice that the
> > >> problem may be in SELinux.
> > >> So I have stopped tracking the previous request by
> > >> $ sudo ipa-getcert stop-tracking -i 20131106075356
> > >>
> > >> and have generated a new request
> > >> # ipa-getcert request -f /var/lib/certmonger/requests/server.crt \
> > >>     -k /var/lib/certmonger/requests/server.key \
> > >>     -K postgresql/postgresql.example.com \
> > >>     -N CN=postgresql.example.com \
> > >>     -D postgresql.example.com
> > >>
> > >> That made the desired files appear at /var/lib/certmonger/requests/
> > >> That is okay! :)
> > >> But! I want them in /var/lib/pgsql/9.3/data/
> > >> So what is the problem? Why not just copy them to that directory?
> > >> The problem is that when I list cert requests, I see this:
> > >> Request ID '20131106113520':
> > >> 	status: MONITORING
> > >> 	stuck: no
> > >> 	key pair storage: type=FILE,location='/var/lib/certmonger/requests/server.key'
> > >> 	certificate: type=FILE,location='/var/lib/certmonger/requests/server.crt'
> > >> 	CA: IPA
> > >> 	issuer: CN=Certificate Authority,O=EXAMPLE.COM
> > >> 	subject: CN=postgresql.example.com,O=EXAMPLE.COM
> > >> 	expires: 2015-11-07 11:35:20 UTC
> > >> 	eku: id-kp-serverAuth,id-kp-clientAuth
> > >> 	pre-save command:
> > >> 	post-save command:
> > >> 	track: yes
> > >> 	auto-renew: yes
> > >>
> > >> we can see that file location in that list is defined at request time.
> > >>
> > >> Shall I make SELinux let certmonger access /var/lib/pgsql? Or is
> > >> there any other solution?
> > >
> > > I think yes. And I recall this is not the first time this comes up.
> > > My memory might be failing me but I vaguely remember that we discussed this.
> > > However I could not find any bug or ticket on the matter so I created this
> > > https://bugzilla.redhat.com/show_bug.cgi?id=1027265
> > 
> > Typically in Fedora and RHEL certs are expected to go into 
> > /etc/pki/tls/certs and keys into /etc/pki/tls/private. These directories 
> > have the correct SELinux contexts.
> > 
> > rob
> 
> As with the krb5 keytab, which is recommended to be kept in a specified directory
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/services.html
> I thought that SSL keys should also be kept in a specified directory.
> 
> > 
> > _______________________________________________
> > Freeipa-users mailing list
> > Freeipa-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/freeipa-users
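An added check script for the situation in this thread (certmonger writes the files root-owned with mode 0600, PostgreSQL runs as postgres, and /etc/pki/tls is where the SELinux contexts are right). This is not code from the thread or from certmonger; it assumes Linux with a stat that supports -c, and getfattr only if present; the paths and the postgres owner are the ones used above.

```shell
#!/bin/sh
# Added check, not from the thread or from certmonger: are the files
# certmonger wrote readable by the service account, is the private key
# readable by nobody else, and do they live under /etc/pki/tls (which
# carries the cert_t SELinux context in the Fedora/RHEL targeted policy)?
# Assumes Linux with 'stat -c'; the getfattr label dump is optional.

# check_file PATH OWNER KIND   (KIND is 'key' or 'cert')
# Prints one finding per line; returns 0 when everything is as expected.
check_file() {
    path=$1 want_owner=$2 kind=$3 rc=0
    if [ ! -f "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    have_owner=$(stat -c '%U' "$path")
    have_mode=$(printf '%04d' "$(stat -c '%a' "$path")")
    go=${have_mode#"${have_mode%??}"}      # the group and other digits
    if [ "$have_owner" != "$want_owner" ]; then
        echo "OWNER    $path owned by $have_owner, not $want_owner (service gets 'Permission denied')"
        rc=1
    fi
    if [ "$kind" = key ] && [ "$go" != 00 ]; then
        echo "KEYMODE  $path is $have_mode: group/other can reach the private key, want 0600"
        rc=1
    fi
    if [ "$kind" = cert ]; then
        case $go in
            [04][04]) ;;
            *) echo "CERTMODE $path is $have_mode: group/other must not write/exec, want 0644 or 0600"; rc=1 ;;
        esac
    fi
    case $path in
        /etc/pki/tls/*) ;;
        *) echo "PATH     $path is outside /etc/pki/tls: check its SELinux context (cert_t)" ;;
    esac
    # Informational only: print the SELinux label when getfattr is available.
    if command -v getfattr >/dev/null 2>&1; then
        label=$(getfattr -n security.selinux --only-values "$path" 2>/dev/null || true)
        [ -n "$label" ] && echo "LABEL    $path $label"
    fi
    return $rc
}

# The two files from the thread; the PostgreSQL server runs as 'postgres'.
check_postgres_files() {
    all=0
    check_file /etc/pki/tls/certs/postgresql.crt postgres cert || all=1
    check_file /etc/pki/tls/private/postgresql.key postgres key || all=1
    return $all
}
```

Run check_postgres_files after the chown above and again after a renewal to confirm the service account still has access.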