I'm rolling out some servers providing a graphical desktop, and everything is fine except this: our desktop software of choice is XRDP which needs a certificate. It ships with a self-signed one, but that gives warnings on the clients, so I'd much rather go with a FreeIPA managed one.

So after installing XRDP, I issue the command:

    ipa-getcert request -f /etc/xrdp/cert.pem -k /etc/xrdp/key.pem -r -w

Problem is, this fails with SELinux enabled, because ipa-getcert is not permitted to write to /etc/xrdp.

Proposed solution 1: Use a better dir, the certificate and key are configured in /etc/xrdp/xrdp.conf so I'm guessing certs can reside anywhere. What's a good default one? Somewhere in /etc/pki?

Proposed solution 2: Make and install a SELinux policy that allows ipa-getcert to access that directory.

Searching a bit, I can see that the issue comes up on occasion, with other software packages such as Puppet etc.