Hide Forgot
The getting-started.txt documentation that we bundle in the package includes an example of using the service to create a self-signed certificate in /tmp. The default SELinux policy, however, might not (and on Fedora and in 6.2, doesn't) allow the service to write to that location. We should update the doc to note that SELinux might not permit it, and call out an example where, in Fedora and Red Hat Enterprise Linux and their derivatives, we create a directory and label it "cert_t", which should allow it to work as suggested.
Verified. Certmonger Version: [root@dhcp201-197 selfsign-getcert_request]# rpm -qi certmonger Name : certmonger Relocations: (not relocatable) Version : 0.56 Vendor: Red Hat, Inc. Release : 1.el6 Build Date: Sat 03 Mar 2012 12:14:09 PM IST Install Date: Wed 07 Mar 2012 02:10:51 PM IST Build Host: x86-003.build.bos.redhat.com Group : System Environment/Daemons Source RPM: certmonger-0.56-1.el6.src.rpm Size : 1201570 License: GPLv3+ Signature : (none) Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> URL : http://certmonger.fedorahosted.org Summary : Certificate status monitor and PKI enrollment client Description : Certmonger is a service which is primarily concerned with getting your system enrolled with a certificate authority (CA) and keeping it enrolled. [root@dhcp201-197 selfsign-getcert_request] Following text has been added in getting-started.txt to explain example for SELinux based systems. ================================================================= The daemon usually runs with sufficient privileges to be able to read and write to most locations that we might tell it to use for storing the certificate and key. However, as an added precaution, on systems where a mandatory access control system is in use, the daemon will typically be permitted to read and write only to a narrowly-defined set of locations. For example, on systems using SELinux, certmonger will often not be allowed to use /tmp because the directory is marked with the label "tmp_t". We would first need to create an alternate location with the label "cert_t" for certmonger's use: mkdir -p /tmp/certs chcon -t cert_t /tmp/certs cd /tmp/certs selfsign-getcert request -f ./server.crt -k ./server.key ==================================================================
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2012-0833.html