RHEL-3997

SELinux is preventing /usr/libexec/certmonger/ipa-submit from name_connect access on tcp_socket port 443

    • Bug
    • Resolution: Unresolved
    • Minor
    • certmonger
    • Minor
    • sst_cockpit
    • ssg_front_door
    • Release Note Not Required

      Description of problem:

      I was following this guide to set up SSL for cockpit based on the FreeIPA host, and after issuing the `ipa-getcert request` command, the request status says CA_UNAVAILABLE.
      While debugging the problem, I stumbled across SELinux complaining about ipa-submit (which is not able to talk to the CA Server).

      Version-Release number of selected component (if applicable): 0.79.14-5.el9

      How reproducible: Always

      Steps to Reproduce:
      1. Install ipa-client
      2. Try to request a certificate using ipa-getcert to a host on the IPA server

      Actual results:
      certmonger/ipa-submit can't talk to the IPA server

      Expected results:
      Certificate should be issued and TRACKED by certmonger.

      Additional info:
      FreeIPA server is living on another host.

            Unassigned
            r3pek Carlos Mogas da Silva (Inactive)