[Freeipa-users] question about generating certificates

Alexander Bokovoy abokovoy at redhat.com
Wed Nov 6 12:52:01 UTC 2013


On Wed, 06 Nov 2013, Arthur Faizullin wrote:
>Исаев Виталий Анатольевич <isaev at fintech.ru> has given me advice that the
>problem may be in SELinux.
>So I have stopped tracking the previous request with
>$ sudo ipa-getcert stop-tracking -i 20131106075356
>
>and have generated a new request
># ipa-getcert request -f /var/lib/certmonger/requests/server.crt
>-k /var/lib/certmonger/requests/server.key -K
>postgresql/postgresql.example.com -N CN=postgresql.example.com -D
>postgresql.example.com
>
>That made the desired files appear in /var/lib/certmonger/requests/
>that is okay! :)
>but! I want them in /var/lib/pgsql/9.3/data/
>so what is the problem? why not just copy them to that directory?
>the problem is that when I list cert requests, I see this:
>Request ID '20131106113520':
>	status: MONITORING
>	stuck: no
>	key pair storage:
>type=FILE,location='/var/lib/certmonger/requests/server.key'
>	certificate:
>type=FILE,location='/var/lib/certmonger/requests/server.crt'
>	CA: IPA
>	issuer: CN=Certificate Authority,O=EXAMPLE.COM
>	subject: CN=postgresql.example.com,O=EXAMPLE.COM
>	expires: 2015-11-07 11:35:20 UTC
>	eku: id-kp-serverAuth,id-kp-clientAuth
>	pre-save command:
>	post-save command:
>	track: yes
>	auto-renew: yes
>
>we can see that the file location in that list is defined at request time.
>
>Shall I make SELinux let certmonger access /var/lib/pgsql ? or is
>there any other solution?
certmonger does run under the certmonger_t SELinux type and system_r role.
It can already write to file contexts named certmonger_*_t and cert_t. For
storing certificates you would need to use cert_t file context.

mkdir -p /var/lib/pgsql/9.3/data/certs
semanage fcontext -a -t cert_t  '/var/lib/pgsql/9.3/data/certs(/.*)?'
restorecon -R -v /var/lib/pgsql/9.3/data/certs

I would advise you against placing the files directly in
/var/lib/pgsql/9.3/data as opposed to the subdirectory. It is safer to
specify the path to the certificate in the pgsql configuration.

>And I think that there must be a note in the documentation about such
>situations with SELinux.
Yes. You can also install selinux-policy-devel package and read
certmonger_selinux (8) manpage.

Can you open a ticket against FreeIPA documentation?

-- 
/ Alexander Bokovoy
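The procedure above, put into a script as an added example (not from this thread or from the certmonger or FreeIPA projects): label a dedicated subdirectory cert_t, verify the label actually landed on disk before trusting it, and then point the ipa-getcert request at that directory. The directory, hostname and principal match the thread; the post-save reload command and the service name are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Labels a certificate directory
# cert_t for certmonger, checks the label, and requests the PostgreSQL
# service certificate straight into it. The post-save reload command and
# the "postgresql-9.3" service name are assumptions.
set -eu

# Type field of an SELinux context string (user:role:type:level).
context_type() {
    rest=${1#*:}; rest=${rest#*:}
    printf '%s\n' "${rest%%:*}"
}

# The semanage fcontext pattern covering a directory and everything in it.
fcontext_pattern() {
    printf '%s\n' "$1(/.*)?"
}

# Create the directory, register the cert_t file context (add, or modify
# if the pattern is already defined) and apply it. Fails unless the type
# now on disk really is cert_t, so a missing semanage or a stale policy
# is caught before certmonger is asked to write there.
label_cert_dir() {
    dir=$1
    pat=$(fcontext_pattern "$dir")
    mkdir -p "$dir"
    semanage fcontext -a -t cert_t "$pat" 2>/dev/null \
        || semanage fcontext -m -t cert_t "$pat"
    restorecon -R -v "$dir"
    actual=$(context_type "$(stat -c %C "$dir")")
    [ "$actual" = cert_t ] || { echo "expected cert_t, got $actual" >&2; return 1; }
}

# Ask certmonger for the service certificate with both files inside the
# labelled directory; -C runs after each (re)issue so PostgreSQL reloads
# the renewed certificate without a restart.
request_pg_cert() {
    dir=$1; host=$2
    ipa-getcert request \
        -f "$dir/server.crt" -k "$dir/server.key" \
        -K "postgresql/$host" -N "CN=$host" -D "$host" \
        -C "systemctl reload postgresql-9.3"
}

# Usage: sh label-and-request.sh /var/lib/pgsql/9.3/data/certs postgresql.example.com
if [ $# -eq 2 ]; then
    label_cert_dir "$1"
    request_pg_cert "$1" "$2"
fi
```

After the request, `ipa-getcert list` should show the key pair and certificate locations under the labelled subdirectory, and postgresql.conf then references those paths.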