On Mon, Oct 25, 2021 at 10:09 AM Endi Dewata edewata@redhat.com wrote:
On Mon, Oct 25, 2021 at 7:42 AM Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Tomasz Torcz via FreeIPA-users wrote:
ACME also has a realm configuration:
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configur...
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configur...
so there could be an issue there.
This looks to be configured, but I found a possible discrepancy in "password":
$ cat /etc/pki/pki-tomcat/acme/realm.conf
# VERSION 2 - DO NOT REMOVE THIS LINE
authType=BasicAuth
class=org.dogtagpki.acme.realm.DSRealm
groupsDN=ou=groups,o=ipaca
usersDN=ou=people,o=ipaca
url=ldaps://kaitain.pipebreaker.pl:636
configFile=/etc/pki/pki-tomcat/ca/CS.cfg
username=acme-kaitain.pipebreaker.pl
password=<40-character long text string>
While the userPassword:: field of uid=acme-kaitain.pipebreaker.pl,ou=people,o=ipaca contains a very long base64 string, which decodes to a 447-character string starting with {PBKDF2_SHA256}. How to make sure it corresponds to the same value?
This is the password for the username in the file. It is basically unused by IPA as IPA uses client auth with the RA agent certificate.
rob
Looks like the realm is configured with BasicAuth, so it should be using bindDN and bindPassword params as described here:
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configur...
If you want to use SslClientAuth, I think you would need to specify the nickname param:
https://github.com/dogtagpki/pki/blob/master/base/acme/src/main/java/org/dog...
https://github.com/dogtagpki/pki/blob/master/base/server/src/main/java/com/n...
https://github.com/dogtagpki/pki/wiki/Configuring-Client-Certificate-Authent...
But IIRC in IPA case it's configured to reuse the internaldb connection defined in CS.cfg so these params don't need to be specified again. Is there a working IPA instance with ACME that can be compared against?
Yeah, the realm config has a configFile param, so it will ignore the other params above, and use the params from CS.cfg instead: https://github.com/dogtagpki/pki/blob/master/base/acme/src/main/java/org/dog... https://github.com/dogtagpki/pki/blob/master/base/acme/src/main/java/org/dog...
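Tomasz asked above how to check that the plaintext password= in realm.conf corresponds to the {PBKDF2_SHA256} userPassword stored on the realm user's entry (Rob notes that IPA does not actually use this password, since it authenticates with the RA agent certificate, but the check is still useful when debugging a BasicAuth realm). The following is an added example, not code from the thread, FreeIPA or Dogtag. It assumes the on-disk layout of the {PBKDF2_SHA256} scheme used by the 389-ds-base pbkdf2_pwd password plugin: base64 of a 4-byte big-endian iteration count, a 64-byte salt and a 256-byte PBKDF2-HMAC-SHA256 output, which is 324 bytes, 432 base64 characters, and 447 characters with the scheme prefix, matching the length reported in the thread. The realm.conf text, the LDIF line and the password are constructed samples, not real data.

```python
"""Check that realm.conf's password= hashes to the {PBKDF2_SHA256} userPassword
stored in the o=ipaca suffix.

Added example, not code from the thread, FreeIPA or Dogtag. The layout of the
{PBKDF2_SHA256} value is assumed from the 389-ds-base pbkdf2_pwd plugin:
base64( 4-byte big-endian iterations | 64-byte salt | 256-byte PBKDF2-HMAC-SHA256 ).
"""
import base64
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

SCHEME = "{PBKDF2_SHA256}"
ITER_LEN, SALT_LEN, HASH_LEN = 4, 64, 256


def encode_pbkdf2_sha256(password: str, iterations: int = 2048,
                         salt: Optional[bytes] = None) -> str:
    """Produce a 389-ds style {PBKDF2_SHA256} value (assumed layout, see above)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=HASH_LEN)
    raw = struct.pack(">I", iterations) + salt + digest
    return SCHEME + base64.b64encode(raw).decode("ascii")


def verify_pbkdf2_sha256(password: str, stored: str) -> bool:
    """Return True if password hashes to the stored {PBKDF2_SHA256} value."""
    if not stored.startswith(SCHEME):
        raise ValueError("not a %s value" % SCHEME)
    raw = base64.b64decode(stored[len(SCHEME):])
    if len(raw) != ITER_LEN + SALT_LEN + HASH_LEN:
        raise ValueError("unexpected length %d; layout assumption violated" % len(raw))
    iterations = struct.unpack(">I", raw[:ITER_LEN])[0]  # stored big-endian
    salt = raw[ITER_LEN:ITER_LEN + SALT_LEN]
    expected = raw[ITER_LEN + SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=HASH_LEN)
    return hmac.compare_digest(candidate, expected)  # constant-time compare


def parse_realm_conf(text: str) -> Dict[str, str]:
    """Parse the key=value lines of realm.conf, skipping comments and blanks."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip()] = value.strip()
    return params


def ldif_attr_value(line: str) -> str:
    """Decode one LDIF attribute line; 'attr:: ...' marks a base64-encoded value."""
    _, sep, rest = line.partition("::")
    if sep:
        return base64.b64decode(rest.strip()).decode("utf-8")
    _, _, rest = line.partition(":")
    return rest.strip()


def realm_password_matches_ldap(realm_conf: str, userpassword_line: str) -> bool:
    """The check asked for in the thread: does realm.conf's password= hash to
    the userPassword on the realm user's entry?"""
    plaintext = parse_realm_conf(realm_conf)["password"]
    return verify_pbkdf2_sha256(plaintext, ldif_attr_value(userpassword_line))


# Constructed sample data (not real credentials); a fixed salt keeps it reproducible.
SAMPLE_PASSWORD = "constructed-example-realm-password"
SAMPLE_REALM_CONF = """# VERSION 2 - DO NOT REMOVE THIS LINE
authType=BasicAuth
class=org.dogtagpki.acme.realm.DSRealm
username=acme-kaitain.pipebreaker.pl
password=%s
""" % SAMPLE_PASSWORD
SAMPLE_STORED = encode_pbkdf2_sha256(SAMPLE_PASSWORD, 2048, salt=b"\x5a" * SALT_LEN)
# What an LDIF dump shows: the whole {PBKDF2_SHA256}... string base64-encoded again after '::'
SAMPLE_LDIF_LINE = "userPassword:: " + base64.b64encode(SAMPLE_STORED.encode("ascii")).decode("ascii")

if __name__ == "__main__":
    print("stored value length:", len(SAMPLE_STORED))
    print("realm.conf password matches LDAP:",
          realm_password_matches_ldap(SAMPLE_REALM_CONF, SAMPLE_LDIF_LINE))
```

To run this against a real instance, feed parse_realm_conf the contents of /etc/pki/pki-tomcat/acme/realm.conf and ldif_attr_value the userPassword line from an ldapsearch of the realm user's entry; the iteration count is read from the stored value, so it works regardless of what the directory server was configured with. Note that the double base64 is expected: LDIF encodes the attribute value with "::" because the value itself starts with a brace.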