Hi,
We have a problem connecting with CA REST API (403). Any ideas how to troubleshoot?
Setup: IPA 4.9.8 on CentOS Stream 8, two IPA CA servers. Only looking at the CA renewal master (ipa1.example.com).
# ipa cert-show 1
ipa: DEBUG: trying https://ipa1.example.com/ipa/session/json
ipa: ERROR: Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
# pki-healthcheck
Internal server error 403 Client Error: 403 for url: http://ipa1.example.com:80/ca/rest/securityDomain/domainInfo
[
  {
    "source": "pki.server.healthcheck.meta.csconfig",
    "check": "CADogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "58153e6c-98ed-4264-a622-e8f6e23d58ca",
    "when": "20220809080611Z",
    "duration": "0.164052",
    "kw": {
      "key": "ca_signing",
      "nickname": "caSigningCert cert-pki-ca",
      "directive": "ca.signing.cert",
      "configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg",
      "msg": "Certificate 'caSigningCert cert-pki-ca' does not match the value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
    }
  }
]
LDAP and IPA RA appear to have identical certificates and serial number:
# ldapsearch -LLL -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca userCertificate description
dn: uid=ipara,ou=people,o=ipaca
userCertificate:: MIID...Ovix8
description: 2;1878982672;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM
# openssl x509 -text -in /var/lib/ipa/ra-agent.pem
        Serial Number: 1878982672 (0x6fff0010)
        Validity
            Not Before: Aug  8 10:02:19 2022 GMT
            Not After : Jul 28 10:02:19 2024 GMT
-----BEGIN CERTIFICATE-----
MIID...Ovix8
-----END CERTIFICATE-----
PKI appears to have identical certificates in LDAP and /etc/pki/pki-tomcat/alias:
# certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' | grep Serial
        Serial Number: 1878982665 (0x6fff0009)

# ldapsearch -LLL -D 'cn=directory manager' -W -b uid=pkidbuser,ou=people,o=ipaca userCertificate description seeAlso
dn: uid=pkidbuser,ou=people,o=ipaca
userCertificate:: MIID...eluPug==
description: 2;1878982665;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM
seeAlso: CN=CA Subsystem,O=EXAMPLE.COM
And, the certificate in CS.cfg appears to match the caSigningCert in LDAP:
/var/lib/pki/pki-tomcat/ca/conf/CS.cfg:
ca.signing.cert=MIID...yfc5a

# ldapsearch -LLL -D 'cn=directory manager' -W \
    -b 'cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com'
dn: cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com
userCertificate:: MIID...yfc5a
Additional details:
# ldapsearch -LLL -D 'cn=directory manager' -W -b ou=authorities,ou=ca,o=ipaca
dn: ou=authorities,ou=ca,o=ipaca
ou: authorities
objectClass: top
objectClass: organizationalUnit

dn: cn=58d7a049-ada3-4146-b39a-84aa1b6f4add,ou=authorities,ou=ca,o=ipaca
authoritySerial: 1878982673
description: Host authority
authorityDN: CN=Certificate Authority,O=EXAMPLE.COM
authorityEnabled: TRUE
authorityKeyNickname: caSigningCert cert-pki-ca
authorityID: 58d7a049-ada3-4146-b39a-84aa1b6f4add
cn: 58d7a049-ada3-4146-b39a-84aa1b6f4add
objectClass: authority
objectClass: top

# ldapsearch -LLL -D 'cn=directory manager' -W -b cn=ipa,cn=cas,cn=ca,dc=example,dc=com
dn: cn=ipa,cn=cas,cn=ca,dc=example,dc=com
cn: ipa
ipaCaId: 58d7a049-ada3-4146-b39a-84aa1b6f4add
ipaCaSubjectDN: CN=Certificate Authority,O=EXAMPLE.COM
objectClass: top
objectClass: ipaca
ipaCaIssuerDN: CN=Certificate Authority,O=EXAMPLE.COM
description: IPA CA
# certutil -L -d /etc/pki/pki-tomcat/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
EXAMPLE.COM IPA CA                                           CTu,Cu,Cu
EXAMPLE.COM IPA CA                                           CTu,Cu,Cu
# certutil -L -d /etc/pki/pki-tomcat/alias -a -n 'EXAMPLE.COM IPA CA'
3 certificates

# certutil -L -d /etc/pki/pki-tomcat/alias -a -n 'caSigningCert cert-pki-ca'
3 certificates (identical to the above 3 certificates)
# pki ca-cert-show 1878982672
  Serial Number: 0x6fff0010
  Subject DN: CN=IPA RA,O=EXAMPLE.COM
  Issuer DN: CN=Certificate Authority,O=EXAMPLE.COM
  Status: VALID
  Not Valid Before: Mon Aug 08 12:02:19 CEST 2022
  Not Valid After: Sun Jul 28 12:02:19 CEST 2024
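The healthcheck above compares the certificate it finds under the nickname 'caSigningCert cert-pki-ca' with the base64 DER stored in the ca.signing.cert directive, and the post shows three certificates sharing that nickname. The following is an added example, not code from the post or from FreeIPA/Dogtag: it decodes the directive from CS.cfg, decodes every PEM block that `certutil -L -a -n '<nickname>'` prints, and reports which of them (if any) is byte-identical, with a SHA-256 fingerprint per certificate so same-nickname entries can be told apart. It assumes the directive is a single `ca.signing.cert=<base64>` line; the embedded sample certificates and CS.cfg fragments are constructed placeholders, not real data.

```python
"""Compare ca.signing.cert in CS.cfg with every certificate under one NSS nickname.

Added example, not from the original post or from FreeIPA/Dogtag.
Assumptions: CS.cfg carries the certificate as one line
`ca.signing.cert=<base64 DER>`; the NSS side is the PEM bundle printed by
`certutil -L -d <dir> -a -n '<nickname>'` (one PEM block per certificate when
several share the nickname).  Sample inputs below are constructed placeholders.
"""
import base64
import hashlib
import re
import sys
import textwrap

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_bundle_to_der(bundle_text):
    """DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(body.split()))
            for body in _PEM_RE.findall(bundle_text)]


def cs_cfg_value(cfg_text, directive):
    """Value of `directive=` in CS.cfg, or None if the directive is absent.

    Matches the exact directive only, so ca.signing.certnickname= is not
    mistaken for ca.signing.cert=.
    """
    for line in cfg_text.splitlines():
        if line.startswith(directive + "="):
            return line.split("=", 1)[1].strip()
    return None


def sha256_fingerprint(der):
    """Hex SHA-256 of the DER, to tell same-nickname certificates apart."""
    return hashlib.sha256(der).hexdigest()


def matching_indexes(cfg_text, bundle_text, directive="ca.signing.cert"):
    """0-based positions in the bundle whose DER equals the CS.cfg value.

    An empty list is the 'does not match' condition: no certificate under the
    nickname is byte-identical to the directive.
    """
    value = cs_cfg_value(cfg_text, directive)
    if value is None:
        raise ValueError("%s not found in CS.cfg" % directive)
    want = base64.b64decode("".join(value.split()))
    return [i for i, der in enumerate(pem_bundle_to_der(bundle_text))
            if der == want]


def report(cfg_text, bundle_text, directive="ca.signing.cert"):
    """One line per certificate in the bundle: fingerprint and match status."""
    hits = set(matching_indexes(cfg_text, bundle_text, directive))
    lines = []
    for i, der in enumerate(pem_bundle_to_der(bundle_text)):
        tag = "MATCHES" if i in hits else "differs from"
        lines.append("cert[%d] sha256=%s %s %s"
                     % (i, sha256_fingerprint(der), tag, directive))
    return "\n".join(lines)


def _pem(der):
    """Wrap DER as a PEM block (only used to build the constructed sample)."""
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
            % "\n".join(textwrap.wrap(b64, 64)))


# Constructed sample: three placeholder "certificates" under one nickname.
# Real DER is far longer; only byte equality matters to the comparison.
SAMPLE_DERS = [b"placeholder-cert-one", b"placeholder-cert-two",
               b"placeholder-cert-three"]
SAMPLE_BUNDLE = "".join(_pem(d) for d in SAMPLE_DERS)
# Constructed CS.cfg fragment whose directive holds the second certificate.
SAMPLE_CFG_MATCH = ("ca.signing.certnickname=caSigningCert cert-pki-ca\n"
                    "ca.signing.cert=%s\n"
                    % base64.b64encode(SAMPLE_DERS[1]).decode())
# Constructed CS.cfg fragment whose directive matches none of them.
SAMPLE_CFG_STALE = ("ca.signing.cert=%s\n"
                    % base64.b64encode(b"stale-cert").decode())

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # compare.py CS.cfg <(certutil -L -d /etc/pki/pki-tomcat/alias -a -n 'caSigningCert cert-pki-ca')
        with open(sys.argv[1]) as f:
            cfg = f.read()
        with open(sys.argv[2]) as f:
            bundle = f.read()
    else:
        cfg, bundle = SAMPLE_CFG_MATCH, SAMPLE_BUNDLE
    print(report(cfg, bundle))
```

Run with the two real inputs as shown in the `__main__` comment, or with no arguments to see the constructed sample. If every line says "differs from", the directive and the NSS database disagree; if exactly one of several same-nickname entries says "MATCHES", the fingerprint on that line identifies which certificate the directive actually refers to.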