Евгений Жиряков via FreeIPA-users wrote:
Does it matter that SELinux is disabled?
# sestatus
SELinux status: disabled
I changed the permissions before.
I changed the group to ipaapi without luck.
# ls -la /var/lib/ipa
total 20
drw-r--r--. 11 root root 202 Oct 20 19:15 .
drwxr-xr-x. 51 root root 4096 Oct 15 14:02 ..
drwxr-xr-x 2 root root 31 Oct 20 11:11 auth_backup
drwx------. 5 root root 114 Oct 20 11:12 backup
-rw-------. 1 root root 1545 Oct 20 17:27 ca.csr
drwxr-xr-x. 2 root root 47 Oct 15 15:03 certs
drwx------. 2 root root 25 Jun 29 17:47 gssproxy
drwx------. 2 root root 41 Jun 29 17:47 passwds
drwxr-xr-x. 3 root root 21 Jun 29 17:47 pki-ca
drwx------. 2 root root 47 Oct 15 15:02 private
-r--r-----. 1 root ipaapi 1708 Oct 21 2020 ra-agent.key
-r--r-----. 1 root ipaapi 1419 Oct 21 2020 ra-agent.pem
drwx--x--x. 2 root root 4096 Jun 29 17:47 sysrestore
drwx------. 2 root root 30 Jun 29 17:47 sysupgrade
I'd check the permissions on /var and /lib too. You're seeing an EACCES
error which is basic permissions. Apache can't read the certificate
because the OS won't let it.
It's fine, though not recommended, if you have SELinux disabled.
rob
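
Added example, not part of the original thread: a Python sketch of the per-component mode check that produces an EACCES like this one, run over a constructed table that mirrors the quoted `ls -la` output. The uid/gid numbers, the 0755 modes for `/`, `/var` and `/var/lib`, and the Apache user's membership in `ipaapi` are assumptions; `first_blocker` and `check_listing` are names made up for this example.

```python
import os
from types import SimpleNamespace

R, X = 4, 1  # read bit / search (execute) bit

def allowed(st, uid, gids, want):
    """Classic Unix mode check; ignores ACLs, capabilities and SELinux."""
    if uid == 0:
        return True          # root bypasses read and directory-search checks
    if uid == st.st_uid:
        shift = 6            # owner bits apply
    elif st.st_gid in gids:
        shift = 3            # group bits apply
    else:
        shift = 0            # other bits apply
    return (st.st_mode >> shift) & want == want

def first_blocker(path, uid, gids, stat_fn=os.stat):
    """Walk from / down to path; return (component, reason) for the first denial."""
    current = "/"
    for name in [p for p in os.path.abspath(path).split("/") if p]:
        if not allowed(stat_fn(current), uid, gids, X):
            return current, "no search (x) permission on directory"
        current = os.path.join(current, name)
    if not allowed(stat_fn(current), uid, gids, R):
        return current, "no read permission"
    return None

def _st(mode, uid, gid):
    return SimpleNamespace(st_mode=mode, st_uid=uid, st_gid=gid)

# Constructed ids; real values differ per host.
APACHE_UID, APACHE_GID, IPAAPI_GID = 48, 48, 990
KEY = "/var/lib/ipa/ra-agent.key"
FAKE_FS = {
    "/": _st(0o40755, 0, 0),          # assumed, not shown in the thread
    "/var": _st(0o40755, 0, 0),       # assumed
    "/var/lib": _st(0o40755, 0, 0),   # assumed
    "/var/lib/ipa": _st(0o40644, 0, 0),   # "drw-r--r--. root root" in the listing
    KEY: _st(0o100440, 0, IPAAPI_GID),    # "-r--r-----. root ipaapi" in the listing
}

def check_listing(ipa_dir_mode=0o40644, gids=(APACHE_GID, IPAAPI_GID)):
    """Evaluate access to the RA agent key with a chosen mode on /var/lib/ipa."""
    fs = dict(FAKE_FS)
    fs["/var/lib/ipa"] = _st(ipa_dir_mode, 0, 0)
    return first_blocker(KEY, APACHE_UID, set(gids), fs.__getitem__)

if __name__ == "__main__":
    print(check_listing())           # modes as quoted in the thread
    print(check_listing(0o40755))    # constructed alternative with the search bit set
```

Without the `stat_fn` argument, `first_blocker` reads the real filesystem, so on a live host it can be called with the web server's actual uid and group ids.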