On Wed, Oct 20, 2021 at 08:40:30PM -0500, Endi Dewata via FreeIPA-users wrote:
> Hi,
>
> I think error 401 means that the client cert could not be mapped
> to the user in DS.
>
> Could you check the uid=ipara,ou=people,o=ipaca to make sure
> that the userCertificate and the description attributes contain the
> right certificate?
That was the first thing I checked. userCertificate:: (after base64
decoding) is the same as /var/lib/ipa/ra-agent.pem - the same
description, fingerprint, etc. openssl x509 -serial returns "69" for
both, and LDAP contains:
description: 2;105;CN=Certificate Authority,O=PIPEBREAKER.PL;CN=IPA RA,O=PIPEBREAKER.PL
105 (dec) == 69 (hex), so this is correct, too.
>
> You can also try setting the log level to INFO or FINE to see the
> authentication process on the server side:
> https://github.com/dogtagpki/pki/wiki/Configuring-Server-Logging
This is something! There are new lines between the start of certificate
authentication and the returned failure. First I thought there were libraries
missing, but in the end they all finish with "Loading class from parent":
FINE: Calling authenticate()
INFO: PKIAuthenticator: Authenticate with client certificate authentication
INFO: Authenticating certificate chain:
INFO: - CN=IPA RA,O=PIPEBREAKER.PL
INFO: - CN=Certificate Authority,O=PIPEBREAKER.PL
FINE: loadClass(org.mozilla.jss.netscape.security.util.Cert, false)
FINE: Searching local repositories
FINE: findClass(org.mozilla.jss.netscape.security.util.Cert)
FINE: --> Returning ClassNotFoundException
FINE: Delegating to parent classloader at end: java.net.URLClassLoader@5fcfe4b2
FINE: Loading class from parent
FINE: loadClass(netscape.ldap.LDAPSearchResults, false)
FINE: Searching local repositories
FINE: findClass(netscape.ldap.LDAPSearchResults)
FINE: --> Returning ClassNotFoundException
FINE: Delegating to parent classloader at end: java.net.URLClassLoader@5fcfe4b2
FINE: Loading class from parent
FINE: loadClass(netscape.ldap.LDAPEntry, false)
FINE: Searching local repositories
FINE: findClass(netscape.ldap.LDAPEntry)
FINE: --> Returning ClassNotFoundException
FINE: Delegating to parent classloader at end: java.net.URLClassLoader@5fcfe4b2
FINE: Loading class from parent
FINE: loadClass(com.netscape.cmscore.usrgrp.User, false)
FINE: Searching local repositories
FINE: findClass(com.netscape.cmscore.usrgrp.User)
FINE: Loading class from local repository
FINE: loadClass(netscape.ldap.LDAPAttribute, false)
FINE: Searching local repositories
FINE: findClass(netscape.ldap.LDAPAttribute)
FINE: --> Returning ClassNotFoundException
FINE: Delegating to parent classloader at end: java.net.URLClassLoader@5fcfe4b2
FINE: Loading class from parent
INFO: PKIAuthenticator: Result: false
FINE: Failed authenticate() test
A second invocation of "pki-acme-manage status" does not generate those class messages:
FINE: Calling hasUserDataPermission()
FINE: User data constraint already satisfied
FINE: Calling authenticate()
INFO: PKIAuthenticator: Authenticate with client certificate authentication
INFO: Authenticating certificate chain:
INFO: - CN=IPA RA,O=PIPEBREAKER.PL
INFO: - CN=Certificate Authority,O=PIPEBREAKER.PL
INFO: PKIAuthenticator: Result: false
FINE: Failed authenticate() test
FINE: JSSEngine: wrap(ssl_fd=org.mozilla.jss.nss.SSLFDProxy[1522605810@00079ea974550000])
I think the class loading messages above were generated
by Tomcat. That's probably how it resolves the classes, so
I don't think that's an issue.
Could you raise the debug level in the CA subsystem too?
The authenticator uses the LDAP connection in the CA to
find the user in DS, so there might be an issue there.
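The manual comparison done earlier in this thread (ra-agent.pem versus the userCertificate and description attributes of uid=ipara,ou=people,o=ipaca, including the decimal-vs-hex serial) as a small stdlib-only script. This is an added example, not code from FreeIPA or Dogtag; the certificate bytes are a constructed stub containing only the version and serial fields, and the description format "version;serial;issuerDN;subjectDN" is taken from the LDAP value shown above.

```python
import base64
import re

# Constructed sample: only the leading TLVs of a certificate (version 3, serial 105).
# Enough for the serial check below; it is not a real IPA RA certificate.
SAMPLE_DER = bytes.fromhex("300a3008a003020102020169")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")
SAMPLE_LDAP_USERCERT = base64.b64encode(SAMPLE_DER).decode()   # userCertificate:: value
SAMPLE_DESCRIPTION = ("2;105;CN=Certificate Authority,O=PIPEBREAKER.PL;"
                      "CN=IPA RA,O=PIPEBREAKER.PL")

def _tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_serial(der):
    """Return serialNumber from Certificate -> tbsCertificate -> [version] serial."""
    _, cert, _ = _tlv(der, 0)
    _, tbs, _ = _tlv(cert, 0)
    tag, val, pos = _tlv(tbs, 0)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        tag, val, pos = _tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(val, "big", signed=True)

def pem_to_der(pem):
    """Strip PEM armour and whitespace, return the DER bytes."""
    return base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))

def check_ra_mapping(pem, ldap_cert_b64, description):
    """Compare ra-agent.pem with the LDAP userCertificate and description.
    Returns a list of mismatches; an empty list means the mapping looks right."""
    problems = []
    file_der = pem_to_der(pem)
    if file_der != base64.b64decode(ldap_cert_b64):
        problems.append("userCertificate differs from ra-agent.pem")
    parts = description.split(";", 3)
    if len(parts) != 4:
        return problems + ["description is not 'version;serial;issuer;subject'"]
    serial = der_serial(file_der)
    if int(parts[1]) != serial:             # description serial is decimal
        problems.append(f"description serial {parts[1]} != cert serial "
                        f"{serial} (hex {serial:x}, as openssl -serial prints it)")
    return problems
```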