Ranbir via FreeIPA-users wrote:
Hello Everyone,
I'm running an updated CentOS 8 KVM on an up to date CentOS 7 host. My
freeipa servers are CentOS 7 hosts and fully updated, too. In the KVM I'm
requesting a certificate from my freeipa CA, which in and of itself
works just fine. But, when I add a post-save command, that command is
never executed.
Here's the request I'm making:
ipa-getcert request -g 2048 \
    -k /etc/pki/containers/sabnzbd-server/sabnzbd-server.key \
    -f /etc/pki/containers/sabnzbd-server/sabnzbd-server.cert \
    -K HTTP/sabnzbd.theinside.rnr \
    -N "CN=sabnzbd.theinside.rnr,O=THEINSIDE.RNR" \
    -D sabnzbd.theinside.rnr \
    -C /usr/local/sbin/sabnzbd-server-certs -v -w
The content of that script is just a one liner for podman to copy the
contents of the /etc/pki/containers/sabnzbd-server/ directory to my
container. The script works without issue if I run it manually. I'm
also able to successfully run the podman command at a terminal.
At first I had the command in the script entered directly in the
request, which also didn't work. The bash script was my last attempt at
getting the post-save command to work.
I don't see any errors in the logs or in the terminal. In fact, it
looks like certmonger doesn't even attempt to run the post-save
command. Here's a short snippet from the log:
-- Logs begin at Sat 2021-07-24 17:02:34 EDT, end at Mon 2021-07-26 00:43:48 EDT. --
Jul 26 00:16:16 containment01 certmonger[109481]: Certificate in file "/etc/pki/containers/sabnzbd-server/sabnzbd-server.cert" issued by CA and saved.
Jul 26 00:16:16 containment01 certmonger[30743]: 2021-07-26 00:16:16 [30743] No hooks set for pre-save command.
Jul 26 00:16:16 containment01 certmonger[30743]: 2021-07-26 00:16:16 [30743] Certificate issued (0 chain certificates, 0 roots).
Jul 26 00:16:16 containment01 certmonger[30743]: ".
Jul 26 00:16:16 containment01 certmonger[30743]: -----END CERTIFICATE-----
Am I doing something wrong or have I hit a bug?
Perhaps the command isn't executable?
It works fine for me, and IPA relies on it.
[root@ipa] # cat /usr/local/sbin/testme
#!/bin/sh
touch /tmp/hello
[root@ipa]# ls -l /tmp/hello
ls: cannot access '/tmp/hello': No such file or directory
[root@ipa]# ipa-getcert request -f /etc/pki/tls/certs/test.pem -k /etc/pki/tls/private/test.key -D `hostname` -K host/`hostname` -C /usr/local/sbin/testme -w -v
New signing request "20210726121048" added.
State NEWLY_ADDED_READING_KEYINFO, stuck: no.
State GENERATING_CSR, stuck: no.
State SUBMITTING, stuck: no.
State SAVING_CERT, stuck: no.
State MONITORING, stuck: no.
[root@ipa]# ls -l /tmp/hello
-rw-------. 1 root root 0 Jul 26 08:10 /tmp/hello
certmonger logging around hooks is not the best. It logs when it adds a
hook for a request (at level 3) and when there is no hook to execute for
a request, but it doesn't log when it executes a hook unless something
goes wrong.
rob
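
Added example, not part of the thread and not certmonger or FreeIPA code: a wrapper for a post-save command that checks the points raised above (is the hook executable, and can only its owner edit it, since the hook runs as root) and keeps its own record of each run, because certmonger is silent when a hook succeeds. The wrapper's name, the log path and passing the real hook as an argument to -C are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Wrapper name and log path are assumptions.
# Assumed use:
#   -C "/usr/local/sbin/hook-wrapper /usr/local/sbin/sabnzbd-server-certs"
HOOK_LOG="${HOOK_LOG:-/var/log/certmonger-hooks.log}"

# check_hook PATH: print a reason and return non-zero if PATH is unfit to be
# run by certmonger as a post-save command.
check_hook() {
    hook="$1"
    # This example insists on an absolute path, as both commands in the thread use.
    case "$hook" in
        /*) ;;
        *) echo "not an absolute path: $hook"; return 1 ;;
    esac
    [ -f "$hook" ] || { echo "no such file: $hook"; return 2; }
    [ -x "$hook" ] || { echo "not executable: $hook"; return 3; }
    # The hook runs as root, so nobody but its owner should be able to edit it.
    if [ -n "$(find "$hook" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "group- or world-writable: $hook"; return 4
    fi
    return 0
}

# run_logged CMD [ARGS...]: run the hook and record start, output and exit
# status, because certmonger only logs hook execution when something fails.
run_logged() {
    printf '%s start: %s\n' "$(date '+%F %T')" "$*" >>"$HOOK_LOG"
    rc=0
    "$@" >>"$HOOK_LOG" 2>&1 || rc=$?
    printf '%s exit=%d: %s\n' "$(date '+%F %T')" "$rc" "$*" >>"$HOOK_LOG"
    return "$rc"
}

# When invoked with arguments, act as the wrapper around the real hook.
if [ "$#" -gt 0 ]; then
    if ! reason=$(check_hook "$1"); then
        echo "$(date '+%F %T') refusing to run: $reason" >>"$HOOK_LOG"
        exit 1
    fi
    run_logged "$@"
    exit $?
fi
```

If the log gains no "start:" line after a renewal, certmonger never invoked the command; a "start:" line followed by a non-zero "exit=" line means the hook ran and failed.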