I'm rolling out some servers providing a graphical desktop, and everything is fine except this: our desktop software of choice is XRDP which needs a certificate. It ships with a self-signed one, but that gives warnings on the clients, so I'd much rather go with a FreeIPA managed one.
So after installing XRDP, I issue the command:
ipa-getcert request -f /etc/xrdp/cert.pem -k /etc/xrdp/key.pem -r -w
Problem is, this fails with SELinux enabled, because ipa-getcert is not permitted to write to /etc/xrdp.
Proposed solution 1: Use a better dir. The certificate and key are configured in /etc/xrdp/xrdp.conf, so I'm guessing certs can reside anywhere. What's a good default one? Somewhere in /etc/pki?
Proposed solution 2: Make and install a SELinux policy that allows ipa-getcert to access that directory.
Searching a bit, I can see that the issue comes up on occasion, with other software packages such as Puppet etc.
On 31/01/2024 13.28, Bo Lind via FreeIPA-users wrote:
> I'm rolling out some servers providing a graphical desktop, and everything is fine except this: our desktop software of choice is XRDP which needs a certificate. It ships with a self-signed one, but that gives warnings on the clients, so I'd much rather go with a FreeIPA managed one.
> So after installing XRDP, I issue the command:
> ipa-getcert request -f /etc/xrdp/cert.pem -k /etc/xrdp/key.pem -r -w
> Problem is, this fails with SELinux enabled, because ipa-getcert is not permitted to write to /etc/xrdp.
> Proposed solution 1: Use a better dir. The certificate and key are configured in /etc/xrdp/xrdp.conf, so I'm guessing certs can reside anywhere. What's a good default one? Somewhere in /etc/pki?
Yes, use /etc/pki/tls/certs/xrdp.pem and /etc/pki/tls/private/xrdp.key. The directories /etc/pki/tls/certs and /etc/pki/tls/private are writable by certmonger.
HTH,
Christian
freeipa-users@lists.fedorahosted.org
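The suggested fix as a small setup script, added here as an example and not taken from the thread or from the xrdp/certmonger projects: it refuses any target path outside the two certmonger-writable directories, builds the ipa-getcert request for those paths, and rewrites the xrdp configuration to use them. Assumptions: the xrdp config file is /etc/xrdp/xrdp.ini with certificate= and key_file= keys (the thread calls it xrdp.conf), the -D/-K options add the FQDN SAN and host principal (not shown in the thread), and the request is only submitted when RUN_XRDP_SETUP=1.

```shell
#!/bin/sh
# Request the XRDP certificate into the certmonger-writable /etc/pki/tls
# locations and point xrdp at them. Paths follow the thread; everything
# else (ini file name, SAN/principal flags) is an assumption.
set -eu

CERT_FILE=/etc/pki/tls/certs/xrdp.pem
KEY_FILE=/etc/pki/tls/private/xrdp.key

# Reject any path outside the directories certmonger may write to, so the
# SELinux denial seen with /etc/xrdp cannot recur with a later edit.
certmonger_writable() {
  case "$1" in
    /etc/pki/tls/certs/*|/etc/pki/tls/private/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Build (print, not run) the ipa-getcert command for the given FQDN.
getcert_cmd() {
  host="$1"
  printf 'ipa-getcert request -f %s -k %s -K host/%s -D %s -r -w\n' \
    "$CERT_FILE" "$KEY_FILE" "$host" "$host"
}

# Rewrite certificate= and key_file= in an xrdp.ini-style file in place,
# leaving every other line alone; prints the resulting two values.
point_xrdp_at() {
  ini="$1"
  sed -i \
    -e "s|^certificate=.*|certificate=$CERT_FILE|" \
    -e "s|^key_file=.*|key_file=$KEY_FILE|" "$ini"
  grep -E '^(certificate|key_file)=' "$ini"
}

main() {
  certmonger_writable "$CERT_FILE" && certmonger_writable "$KEY_FILE"
  host="$(hostname -f)"
  eval "$(getcert_cmd "$host")"   # -w blocks until the cert is issued
  point_xrdp_at /etc/xrdp/xrdp.ini
  ls -Z "$CERT_FILE" "$KEY_FILE"  # confirm the SELinux labels before restart
  systemctl restart xrdp
}

if [ "${RUN_XRDP_SETUP:-0}" = 1 ]; then
  main
fi
```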