When I run
{{{
ipa-getcert request -k /etc/the.key -f /etc/the.crt
}}}
the request result is
{{{
Request ID '20130808110311':
	status: NEED_KEY_PAIR
	stuck: no
	key pair storage: type=FILE,location='/etc/the.key'
	certificate: type=FILE,location='/etc/the.crt'
	CA: IPA
	issuer:
	subject:
	expires: unknown
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
}}}
The problem is caused by an AVC denial:
{{{
type=AVC msg=audit(1375959791.139:612): avc: denied { write } for pid=11561 comm="certmonger" name="etc" dev="dm-1" ino=786433 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
}}}
It would be good if the status was clearer about the cause of the problem (permission) and maybe some additional client-error value had some details about the action that failed.
When the key can be written but the certificate cannot, the status is NEED_TO_SAVE_CERT -- again, it should be more specific about the fact that it already tried to save the certificate, that the operation failed, and why it failed.
In fact, is it correct that in these situations, the {{{stuck: no}}} is there -- shouldn't it be {{{yes}}}?
This should probably be moved to the certmonger trac instance.
This is a certmonger issue; I filed https://bugzilla.redhat.com/show_bug.cgi?id=996581.
Metadata Update from @adelton: - Issue assigned to someone - Issue set to the milestone: 0.0 NEEDS_TRIAGE
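Since the request status does not name the cause, a stalled request can be matched against the audit log to find the denial behind it. The following is an added example, not part of the ticket or of certmonger: it assumes the `getcert list` layout and AVC record format quoted above, the `STALLED` mapping is inferred from the ticket's description, and the second AVC line is constructed noise.

```python
import os
import re

# Constructed sample inputs modelled on the output quoted in this ticket.
GETCERT_LIST = """\
Request ID '20130808110311':
    status: NEED_KEY_PAIR
    stuck: no
    key pair storage: type=FILE,location='/etc/the.key'
    certificate: type=FILE,location='/etc/the.crt'
"""
AUDIT_LOG = """\
type=AVC msg=audit(1375959791.139:612): avc: denied { write } for pid=11561 comm="certmonger" name="etc" dev="dm-1" ino=786433 scontext=system_u:system_r:certmonger_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir
type=AVC msg=audit(1375959800.001:613): avc: denied { read } for pid=900 comm="httpd" name="shadow" dev="dm-1" ino=12 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
"""

# Assumption from the ticket text: the file each stalled state is trying to write.
STALLED = {"NEED_KEY_PAIR": "key pair storage", "NEED_TO_SAVE_CERT": "certificate"}
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?comm="(?P<comm>[^"]+)"'
                    r'.*?name="(?P<name>[^"]+)".*?tclass=(?P<tclass>\S+)')
LOC_RE = re.compile(r"^\s*(key pair storage|certificate): type=FILE,location='([^']+)'", re.M)

def parse_requests(text):
    """Return {request_id: (status, {storage label: path})} from getcert list output."""
    requests = {}
    for block in re.split(r"(?m)^(?=Request ID )", text):
        head = re.match(r"Request ID '([^']+)':", block)
        status = re.search(r"^\s*status: (\S+)", block, re.M)
        if head and status:
            requests[head.group(1)] = (status.group(1), dict(LOC_RE.findall(block)))
    return requests

def explain_stalled(getcert_text, audit_text, comm="certmonger"):
    """Pair each stalled request with AVC denials on its target file or parent dir."""
    denials = [m.groupdict() for m in map(AVC_RE.search, audit_text.splitlines())
               if m and m.group("comm") == comm]
    findings = []
    for req_id, (status, paths) in parse_requests(getcert_text).items():
        path = paths.get(STALLED.get(status))
        if not path:
            continue
        # AVC name= holds only the last path component, so compare basenames (heuristic).
        names = {os.path.basename(path), os.path.basename(os.path.dirname(path))}
        findings += [(req_id, status, path, d["perms"], d["tclass"])
                     for d in denials if d["name"] in names]
    return findings

if __name__ == "__main__":
    print(*explain_stalled(GETCERT_LIST, AUDIT_LOG), sep="\n")
```

Because the match is on basenames only, a hit is a lead to confirm against the full audit record, not proof of the cause.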