On Thu, Nov 4, 2021 at 12:32 PM Rob Crittenden via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
> Tomasz Torcz via FreeIPA-users wrote:
> > On Mon, Oct 25, 2021 at 10:09:56AM -0500, Endi Dewata via FreeIPA-users
> wrote:
> >> On Mon, Oct 25, 2021 at 7:42 AM Rob Crittenden via FreeIPA-users <
> >> freeipa-users@lists.fedorahosted.org> wrote:
> >>
> >>> Tomasz Torcz via FreeIPA-users wrote:
> >>>>> ACME also has a realm configuration:
> >>>>> https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configur...
> >>>>> https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configur...
> >>>>> so there could be an issue there.
> >>>>
> >>
> >> But IIRC in IPA case it's configured to reuse the internaldb connection
> >> defined in CS.cfg so these params don't need to be specified again.
> >> Is there a working IPA instance with ACME that can be compared
> >> against?
> >
> > So I did a clean install of Fedora 34 and FreeIPA. The clean install works
> > as expected. I did a comparison between the fresh install and mine;
> > there were discrepancies, which I mostly fixed, but it didn't change my
> > problem.
> > The failure looks like this in the logs (pki-tomcat/acme/debug-<date>.log):
> >
> > 2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: Finding user by cert:
> > 2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: - base DN: ou=people,o=ipaca
> > 2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: - filter: description=2;105;CN=Certificate Authority,O=PIPEBREAKER.PL;CN=IPA RA,O=PIPEBREAKER.PL
> > 2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: User: uid=ipara,ou=people,o=ipaca
> > 2021-11-03 18:43:08 [https-jsse-nio-8443-exec-12] FINE: Realm.authenticate() returned false
>
> Yeah, I noticed this in your logs as well. I have no insight into what
> PKI does to authenticate beyond the things you've already checked. We
> know that this cert is ok because you can authenticate to the CA using
> it in other ways. It would be nice if they logged some reason for the
> failure to authenticate but I'm not sure how to get that.
>
> rob
>
> >
> >
> > While on _fresh install_ correct log looks like:
> >
> > 2021-10-31 13:51:47 [https-jsse-nio-8443-exec-13] INFO: Authenticating user with client certificate
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Finding user by cert:
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - base DN: ou=people,o=ipaca
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - filter: description=2;7;CN=Certificate Authority,O=IPADEV.PIPEBREAKER.PL;CN=IPA RA,O=IPADEV.PIPEBREAKER.PL
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: User: uid=ipara,ou=people,o=ipaca
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Getting user roles:
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - base DN: ou=groups,o=ipaca
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - filter: uniqueMember=uid=ipara,ou=people,o=ipaca
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Roles:
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - cn=Certificate Manager Agents,ou=groups,o=ipaca
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - cn=Registration Manager Agents,ou=groups,o=ipaca
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - cn=Enterprise ACME Administrators,ou=groups,o=ipaca
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Initializing ACMEApplication
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: Session: 3DBCD2FB21ADFDD04ADC518C97AA07B4
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: Principal: GenericPrincipal[ipara(Certificate Manager Agents,Enterprise ACME Administrators,Registration Manager Agents,)]
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: Principal: ipara
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: Roles:
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: - Certificate Manager Agents
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: - Enterprise ACME Administrators
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: - Registration Manager Agents
> > 2021-10-31 13:51:48 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: LDAP: search ou=config,ou=acme,o=ipaca
> > 2021-10-31 13:51:49 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: ACMERequestFilter: ACME service is disabled
> >
> >
> > Things I observed on the fresh install, which I have implemented on my
> > production server (it changed nothing; provided here for documentation only):
> >
> > # in /etc/pki/pki-tomcat/ca/CS.cfg:
> > - added lines:
> > features.authority.description=Lightweight CAs
> > features.authority.enabled=true
> > features.authority.version=1.0
> >
> > - 36 profile.* lines were missing; carefully added them, for example:
> > profile.AdminCert.class_id=caEnrollImpl
> > profile.AdminCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/AdminCert.cfg
> >
> > - also copied a long line starting with profile.listprofile.list=
> >
> > - /var/lib/pki/pki-tomcat/ca/profiles/ca on the prod server contained 74 files, while
> > the fresh install had over 90. I've copied the missing ones from /usr/share/pki/ca/profiles/ca/
> >
> > # in LDAP
> > - ipaca / groups / Certificate Manager Agents had an entry for pkidbuser; added on prod:
> > uniqueMember: uid=pkidbuser,ou=People,o=ipaca
> > - pkidbuser had 3 userCertificate: entries, two of them expired; removed those
> >
> >
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>
--
Endi S. Dewata
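The two debug-log excerpts quoted above (the failing production server and the working fresh install) differ only in where the ACME realm stops: on production the user entry is found and then Realm.authenticate() returns false before any role lookup. As an added example, not part of this thread and not code from the Dogtag PKI project, the following Python script parses such pki-tomcat/acme/debug-*.log lines, reconstructs the certificate-authentication flow per Tomcat thread, splits the description filter value (2;<serial>;<issuer DN>;<subject DN>, the format the quoted logs show) into its parts, and prints the ldapsearch commands that reproduce the realm's two LDAP lookups so the entries can be inspected by hand. The sample log lines are constructed from the ones quoted in the thread; the ldapi:// URI is a placeholder assumption, and the hint about comparing the presented certificate with the user entry's userCertificate values is the editor's suggested next check, not something the thread established.

```python
"""Triage helper for Dogtag PKI ACME realm debug logs (pki-tomcat/acme/debug-*.log).
Added example, not code from the thread or the PKI project: groups log lines by Tomcat
thread, records the authentication stages each reached, and emits ldapsearch commands."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample input, built from the lines quoted in the thread.
FAILING_LOG = """\
2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: Finding user by cert:
2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: - base DN: ou=people,o=ipaca
2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: - filter: description=2;105;CN=Certificate Authority,O=PIPEBREAKER.PL;CN=IPA RA,O=PIPEBREAKER.PL
2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: User: uid=ipara,ou=people,o=ipaca
2021-11-03 18:43:08 [https-jsse-nio-8443-exec-12] FINE: Realm.authenticate() returned false
"""
WORKING_LOG = """\
2021-10-31 13:51:47 [https-jsse-nio-8443-exec-13] INFO: Authenticating user with client certificate
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Finding user by cert:
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - base DN: ou=people,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - filter: description=2;7;CN=Certificate Authority,O=IPADEV.PIPEBREAKER.PL;CN=IPA RA,O=IPADEV.PIPEBREAKER.PL
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: User: uid=ipara,ou=people,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Getting user roles:
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - base DN: ou=groups,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - filter: uniqueMember=uid=ipara,ou=people,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Roles:
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - cn=Certificate Manager Agents,ou=groups,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - cn=Registration Manager Agents,ou=groups,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - cn=Enterprise ACME Administrators,ou=groups,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: Principal: ipara
"""

# "<date> <time> [<thread>] <LEVEL>: <message>", as in the excerpts above.
LINE_RE = re.compile(r"^\S+ \S+ \[(?P<thread>[^\]]+)\] (?P<level>\w+): (?P<msg>.*)$")


@dataclass
class Attempt:
    thread: str
    stages: List[str] = field(default_factory=list)  # in order of appearance
    cert_filter: Optional[str] = None  # description=2;<serial>;<issuer DN>;<subject DN>
    user_dn: Optional[str] = None
    roles: List[str] = field(default_factory=list)


def parse_attempts(text: str) -> Dict[str, Attempt]:
    """One Attempt per Tomcat thread; stages keyed on the realm's own log wording."""
    attempts: Dict[str, Attempt] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        a = attempts.setdefault(m["thread"], Attempt(m["thread"]))
        msg = m["msg"]
        if msg.startswith("Authenticating user with client certificate"):
            a.stages.append("client_cert")
        elif msg.startswith("Finding user by cert"):
            a.stages.append("find_user")
        elif msg.startswith("- filter: description="):
            a.cert_filter = msg[len("- filter: "):]
        elif msg.startswith("User: "):
            a.user_dn = msg[len("User: "):]
        elif msg.startswith("Getting user roles"):
            a.stages.append("get_roles")
        elif msg.startswith("- cn="):
            a.roles.append(msg[2:])
        elif msg.startswith("Realm.authenticate() returned false"):
            a.stages.append("auth_failed")
        elif msg.startswith("ACMELoginService: Principal:") and "login_ok" not in a.stages:
            a.stages.append("login_ok")
    return attempts


def split_cert_filter(cert_filter: str) -> Dict[str, str]:
    """Split 2;<serial>;<issuer>;<subject>; DNs contain commas, so split on ';' only."""
    value = cert_filter.split("=", 1)[1]
    version, serial, issuer, subject = value.split(";", 3)
    return {"version": version, "serial": serial, "issuer": issuer, "subject": subject}


def diagnose(a: Attempt) -> str:
    """Where the flow stopped. The userCertificate hint is the editor's check, not from the thread."""
    if "login_ok" in a.stages:
        return f"OK: {a.user_dn} authenticated with roles {a.roles}"
    if "auth_failed" in a.stages and a.user_dn and "get_roles" not in a.stages:
        return (f"FAILED after user lookup, before role lookup: {a.user_dn} matched the "
                "description filter; compare the presented cert with its userCertificate values")
    return "INCOMPLETE: no authentication outcome in this excerpt"


def verification_searches(a: Attempt, ldap_uri: str = "ldapi://%2Frun%2Fslapd-EXAMPLE-TEST.socket") -> List[str]:
    """ldapsearch commands reproducing the realm's two lookups (ldap_uri is a placeholder)."""
    base = f"ldapsearch -H {ldap_uri} -Y EXTERNAL -LLL"
    cmds = []
    if a.cert_filter:
        cmds.append(f'{base} -b ou=people,o=ipaca "({a.cert_filter})" uid description userCertificate')
    if a.user_dn:
        cmds.append(f'{base} -b ou=groups,o=ipaca "(uniqueMember={a.user_dn})" cn')
    return cmds


if __name__ == "__main__":
    for label, log in (("production", FAILING_LOG), ("fresh install", WORKING_LOG)):
        for a in parse_attempts(log).values():
            print(f"[{label}] {a.thread}: {' -> '.join(a.stages)}")
            print("  ", diagnose(a))
            for cmd in verification_searches(a):
                print("  ", cmd)
```

Run it against a real debug log by replacing the constructed strings with the file contents; the generated ldapsearch commands assume root access to the 389-ds instance over its ldapi socket (adjust the URI for your realm) and return the description and userCertificate values of the matched user together with the groups that list it as uniqueMember, which is exactly the data the realm consulted in the quoted logs.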