#1440 Client-side certificate generation error
Closed: Fixed None Opened 14 years ago by musuruan.

My client-side certificate is expired. I tried to generate a new one on the Fedora Account System, but I get an error saying "Your certificate could not be generated.". Not very helpful as an error message.

Regards,

Andrea.


Can one of you guys take a look at this?

Same problem here, so probably not account specific. The flash message shows the success.png image, which makes the message a bit confusing too and easy to miss on the first try ;).

This is probably what we get for running OpenSSL's "The ca command is effectively a single user command" CA on the FAS server :-(

{{{
Write out database with 1 new entries
unable to rename ./serial to ./serial.old
reason: Permission denied
unable to write 'random state'
}}}

A second look indicates that this might be an SELinux problem. CCing lmacken.

{{{
audit.log:node=10.8.34.190 type=PATH msg=audit(1244133173.940:70912): item=2 name="./serial" inode=622940 dev=fd:00 mode=0100644 ouid=437 ogid=437 rdev=00:00 obj=system_u:object_r:var_lib_t:s0
audit.log:node=10.8.34.190 type=PATH msg=audit(1244133173.940:70912): item=3 name="./serial.old" inode=629676 dev=fd:00 mode=0100644 ouid=437 ogid=437 rdev=00:00 obj=system_u:object_r:var_lib_t:s0
}}}

Sorry, I pasted the wrong lines:
{{{
node=10.8.34.190 type=AVC msg=audit(1244133173.940:70912): avc: denied { rename } for pid=27881 comm="openssl" name="serial" dev=dm-0 ino=622940 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file
}}}

Thanks for reporting this - this should be fixed now (SELinux has temporarily been set permissive on fas1). We'll need to get some rules in for permissions for the FAS user on /var/lib/fedora-ca, which lmacken is working on for after the change freeze.
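As an added example (not part of the original ticket or of FAS), the following sketch parses audit records like the ones quoted above and groups AVC denials by source type, target type and object class, skipping PATH records that carry no decision. The function names `context_type`, `parse_avc` and `summarize` are assumptions made for this illustration; the sample records are copied from the ticket.

```python
import re
from collections import defaultdict

# Records copied from the ticket: a PATH record (no decision) and the AVC denial.
SAMPLE_LOG = [
    'node=10.8.34.190 type=PATH msg=audit(1244133173.940:70912): item=2 '
    'name="./serial" inode=622940 dev=fd:00 mode=0100644 ouid=437 ogid=437 '
    'rdev=00:00 obj=system_u:object_r:var_lib_t:s0',
    'node=10.8.34.190 type=AVC msg=audit(1244133173.940:70912): avc: denied '
    '{ rename } for pid=27881 comm="openssl" name="serial" dev=dm-0 ino=622940 '
    'scontext=user_u:system_r:httpd_t:s0 '
    'tcontext=system_u:object_r:var_lib_t:s0 tclass=file',
]

AVC_RE = re.compile(r'type=AVC\b.*?avc:\s+denied\s+\{([^}]*)\}\s+for\s+(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def context_type(context):
    """Return the type field of a user:role:type[:level] SELinux context."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None

def parse_avc(line):
    """Parse one AVC denial into a dict; return None for any other record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    src = context_type(fields.get('scontext', ''))
    tgt = context_type(fields.get('tcontext', ''))
    if not (src and tgt and 'tclass' in fields):
        return None
    return {'source_type': src, 'target_type': tgt, 'tclass': fields['tclass'],
            'perms': m.group(1).split(), 'comm': fields.get('comm'),
            'name': fields.get('name')}

def summarize(lines):
    """Group denials by (source type, target type, class) -> denied permissions."""
    grouped = defaultdict(set)
    for rec in filter(None, map(parse_avc, lines)):
        key = (rec['source_type'], rec['target_type'], rec['tclass'])
        grouped[key].update(rec['perms'])
    return {key: sorted(perms) for key, perms in grouped.items()}

if __name__ == '__main__':
    for (src, tgt, cls), perms in summarize(SAMPLE_LOG).items():
        print(f'{src} -> {tgt}:{cls} denied {{ {" ".join(perms)} }}')
```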
