Bug 1130303 - certmonger failed to start tracking certificate
Summary: certmonger failed to start tracking certificate
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: ipa
Version: 6.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Martin Kosek
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2014-08-14 19:36 UTC by Namita Soman
Modified: 2014-08-15 15:31 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-08-15 15:31:49 UTC



Description Namita Soman 2014-08-14 19:36:18 UTC
Description of problem:
ipa-getcert start-tracking fails with error - The location "/tmp/certdb" could not be accessed due to insufficient permissions

Did not see this error on 6.5

# ipa-getcert start-tracking -d /tmp/certdb -n bz817080 -v
The location "/tmp/certdb" could not be accessed due to insufficient permissions.
Error org.fedorahosted.certmonger.bad_arg: The location "/tmp/certdb" could not be accessed due to insufficient permissions.


Ran into this when verifying bz817080 
Following steps to verify https://fedorahosted.org/freeipa/ticket/2702

# ls -lZ /tmp
<..snip..>
drwxr-xr-x. root    root    unconfined_u:object_r:user_tmp_t:s0 certdb
<..snip..>


Version-Release number of selected component (if applicable):
ipa-server-3.0.0-42.el6.x86_64
selinux-policy-3.7.19-250.el6.noarch

How reproducible:
always

Steps to Reproduce:
1. ipa host-add bz817080.testrelm.test --force
2. mkdir -p /tmp/certdb
3. echo Secret123 > /tmp/certdb/passwd1
4. certutil -f /tmp/certdb/passwd1 -N -d /tmp/certdb
5. certutil -f /tmp/certdb/passwd1 -R -s 'cn=bz817080.testrelm.test,o=testrelm.test' -d /tmp/certdb -z /etc/group -a > /tmp/certdb/bz817080.csr
6. ipa cert-request --add --principal bz817080/bz817080.testrelm.test /tmp/certdb/bz817080.csr > /tmp/certdb/bz817080.crt
8.  ipa cert-show --out=/tmp/certdb/bz817080.crt 12
9. certutil -f /tmp/certdb/passwd1 -A -n bz817080 -d /tmp/certdb -t u,u,u -a < /tmp/certdb/bz817080.crt
10.  ipa-getcert start-tracking -d /tmp/certdb -n bz817080

Actual results:
Got error:
The location "/tmp/certdb" could not be accessed due to insufficient permissions.

Expected results:
No error

Additional info:

Comment 2 Martin Kosek 2014-08-15 06:37:07 UTC
I bet this is caused by SELinux. Are there any related AVCs in audit.log?

I do not think that certmonger is allowed to manipulate with files with user_tmp_t context. You would need to label it for example with cert_t. You can check the HOWTO (including correct SELinux labeling) I put together on

http://www.freeipa.org/page/PKI#Automated_certificate_requests_with_Certmonger

Comment 3 Namita Soman 2014-08-15 15:31:49 UTC
Added steps as suggested above.

1. ipa host-add bz817080.testrelm.test --force
2. mkdir -p /etc/httpd/certdb
3. echo Secret123 > /etc/httpd/certdb/passwd1
4. certutil -f /etc/httpd/certdb/passwd1 -N -d /etc/httpd/certdb
5. chown :apache /etc/httpd/certdb/*.db
6. chmod g+rw /etc/httpd/certdb/*.db
7. semanage fcontext -a -t cert_t "/etc/httpd/certdb(/.*)?"
8. restorecon -FvvR /etc/httpd/certdb/
9. certutil -f /etc/httpd/certdb/passwd1 -R -s 'cn=bz817080.testrelm.test,o=testrelm.test'
10. certutil -f /etc/httpd/certdb/passwd1 -R -s 'cn=bz817080.testrelm.test,o=testrelm.test' -d /etc/httpd/certdb -z /etc/group -a > /etc/httpd/certdb/bz817080.csr
11.  ipa cert-request --add --principal bz817080/bz817080.testrelm.test /etc/httpd/certdb//bz817080.csr > /etc/httpd/certdb/bz817080.crt
12.  ipa cert-show --out=/etc/httpd/certdb/bz817080.crt 12
13.  certutil -f /etc/httpd/certdb/passwd1 -A -n bz817080 -d /etc/httpd/certdb -t u,u,u -a < /etc/httpd/certdb/bz817080.crt
14. ipa-getcert start-tracking -d /etc/httpd/certdb -n bz817080



# ls -lZ /etc/httpd/certdb/
-rw-r--r--. root root   unconfined_u:object_r:cert_t:s0  bz817080.crt
-rw-r--r--. root root   unconfined_u:object_r:cert_t:s0  bz817080.csr
-rw-rw----. root apache system_u:object_r:cert_t:s0      cert8.db
-rw-rw----. root apache system_u:object_r:cert_t:s0      key3.db
-rw-r--r--. root root   system_u:object_r:cert_t:s0      passwd1
-rw-rw----. root apache system_u:object_r:cert_t:s0      secmod.db


And start_tracking was successful. 

# certutil -f /etc/httpd/certdb/passwd1 -A -n bz817080 -d /etc/httpd/certdb -t u,u,u -a < /etc/httpd/certdb/bz817080.crt
Notice: Trust flag u is set automatically if the private key is present.

# ipa-getcert start-tracking -d /etc/httpd/certdb -n bz817080
New tracking request "20140815151925" added.
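A pre-flight check for the labeling problem discussed in the comments above, added here as an example and not part of the bug report: it parses `ls -lZ` output (the sample lines below are constructed to mirror the report) and flags any entry whose SELinux type is not `cert_t`, so the mislabel is caught before `ipa-getcert start-tracking` is run. The function names are made up for this example.

```shell
#!/bin/sh
# Added example, not from the bug report: verify that every file in an NSS
# database directory carries the cert_t type certmonger needs. Parses the
# "ls -lZ" format shown in the report (SELinux context is the 4th column).

# Constructed sample output mirroring the labels seen in the report.
SAMPLE_TMP='drwxr-xr-x. root    root    unconfined_u:object_r:user_tmp_t:s0 certdb'
SAMPLE_OK='-rw-rw----. root apache system_u:object_r:cert_t:s0      cert8.db
-rw-rw----. root apache system_u:object_r:cert_t:s0      key3.db
-rw-rw----. root apache system_u:object_r:cert_t:s0      secmod.db'

# certdb_label_ok LS_OUTPUT: return 0 if every entry's SELinux type is cert_t;
# otherwise print the offending entries on stderr and return 1.
certdb_label_ok() {
    bad=$(printf '%s\n' "$1" | awk '{
        split($4, ctx, ":");                 # user:role:type:level
        if (ctx[3] != "cert_t") print $NF " has type " ctx[3]
    }')
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" >&2
        return 1
    fi
    return 0
}

# live_check DIR: run the same test against a real directory and, on failure,
# print the relabeling commands used in comment 3 of the report.
live_check() {
    dir=$1
    if ! certdb_label_ok "$(ls -lZ "$dir" | grep -v '^total')"; then
        echo "relabel with: semanage fcontext -a -t cert_t \"$dir(/.*)?\" && restorecon -FvvR $dir" >&2
        return 1
    fi
    return 0
}
```

Run `live_check /etc/httpd/certdb` on the IPA host before starting tracking; a non-zero exit means the database would hit the same "insufficient permissions" error.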

