On Mon, Oct 25, 2021 at 7:42 AM Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Tomasz Torcz via FreeIPA-users wrote:
>> ACME also has a realm configuration:
>> https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configuring_ACME_Realm.md
>> https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configuring-ACME-with-DS-Realm.adoc
>> so there could be an issue there.
>
> This looks to be configured, but I found a possible discrepancy in "password":
>
> $ cat /etc/pki/pki-tomcat/acme/realm.conf
> # VERSION 2 - DO NOT REMOVE THIS LINE
> authType=BasicAuth
> class=org.dogtagpki.acme.realm.DSRealm
> groupsDN=ou=groups,o=ipaca
> usersDN=ou=people,o=ipaca
> url=ldaps://kaitain.pipebreaker.pl:636
> configFile=/etc/pki/pki-tomcat/ca/CS.cfg
> username=acme-kaitain.pipebreaker.pl
> password=<40-character long text string>
>
> While the userPassword:: field of uid=acme-kaitain.pipebreaker.pl,ou=people,o=ipaca
> contains a very long base64 string, which decodes to a 447-character string starting
> with {PBKDF2_SHA256}. How to make sure it corresponds to the same
> value?
>
This is the password for the username in the file. It is basically
unused by IPA as IPA uses client auth with the RA agent certificate.
rob

Looks like the realm is configured with BasicAuth, so it should be
using bindDN and bindPassword params as described here:

If you want to use SslClientAuth, I think you would need to
specify the nickname param:
https://github.com/dogtagpki/pki/wiki/Configuring-Client-Certificate-Authentication-to-Internal-Database

But IIRC in IPA case it's configured to reuse the internaldb connection
defined in CS.cfg so these params don't need to be specified again.

Is there a working IPA instance with ACME that can be compared
against?
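One way to answer the "how to make sure it corresponds" question above, added here as an example and not taken from the thread or from the Dogtag/FreeIPA code: a small Python script that checks the plaintext `password=` in realm.conf against the `{PBKDF2_SHA256}` userPassword value of the DS entry. It assumes the 389-ds layout for that hash (base64 of a 4-byte big-endian iteration count, a 64-byte salt and a 256-byte PBKDF2-HMAC-SHA256 output, which is what makes the decoded value 447 characters long); the realm.conf text, hostname, password and LDIF line below are constructed sample data, and `make_ds_hash` exists only so the example can build a matching value offline.

```python
import base64
import hashlib
import hmac
import os
import struct

# Assumed layout of a 389-ds {PBKDF2_SHA256} userPassword value (from the
# 389-ds pwdstorage plugin): PREFIX + base64( iterations[4 bytes, big-endian]
# || salt[64 bytes] || PBKDF2-HMAC-SHA256(password, salt, iterations, 256 bytes) ).
PREFIX = "{PBKDF2_SHA256}"
ITER_LEN, SALT_LEN, HASH_LEN = 4, 64, 256


def make_ds_hash(password: str, iterations: int = 10000, salt: bytes = b"") -> str:
    """Encode a password in the assumed 389-ds layout (random salt unless one is given)."""
    salt = salt or os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly 64 bytes")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=HASH_LEN)
    blob = struct.pack(">I", iterations) + salt + digest
    return PREFIX + base64.b64encode(blob).decode("ascii")


def verify_ds_hash(password: str, stored: str) -> bool:
    """True if password matches the stored {PBKDF2_SHA256} value; False on mismatch or bad format."""
    if not stored.startswith(PREFIX):
        return False  # some other storage scheme (e.g. {SSHA}); not handled here
    try:
        blob = base64.b64decode(stored[len(PREFIX):], validate=True)
    except ValueError:
        return False
    if len(blob) != ITER_LEN + SALT_LEN + HASH_LEN:
        return False
    iterations = struct.unpack(">I", blob[:ITER_LEN])[0]
    salt = blob[ITER_LEN:ITER_LEN + SALT_LEN]
    expected = blob[ITER_LEN + SALT_LEN:]
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=HASH_LEN)
    return hmac.compare_digest(actual, expected)  # constant-time comparison


def userpassword_from_ldif(line: str) -> str:
    """Decode an LDIF 'userPassword:: <base64>' line (the '::' marks a base64-encoded value)."""
    attr, sep, value = line.partition("::")
    if not sep or attr.strip() != "userPassword":
        raise ValueError("expected a base64 userPassword line")
    return base64.b64decode(value.strip()).decode("ascii")


def realm_password(conf_text: str) -> str:
    """Return the password= value from realm.conf text, skipping comments and blank lines."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() == "password":
            return value.strip()
    raise KeyError("no password= entry in realm.conf")


def realm_matches_ldif(conf_text: str, ldif_line: str) -> bool:
    """Does the plaintext in realm.conf verify against the DS entry's userPassword hash?"""
    return verify_ds_hash(realm_password(conf_text), userpassword_from_ldif(ldif_line))


# Constructed sample data: hostname and password are placeholders, not real values.
DEMO_PASSWORD = "constructed-acme-realm-password-23456789"
DEMO_CONF = """# VERSION 2 - DO NOT REMOVE THIS LINE
authType=BasicAuth
class=org.dogtagpki.acme.realm.DSRealm
username=acme-ipa.example.test
password=""" + DEMO_PASSWORD + "\n"
DEMO_HASH = make_ds_hash(DEMO_PASSWORD, iterations=2048, salt=bytes(range(64)))
DEMO_LDIF = "userPassword:: " + base64.b64encode(DEMO_HASH.encode("ascii")).decode("ascii")

if __name__ == "__main__":
    print("decoded userPassword length:", len(DEMO_HASH))  # 447, as in the thread
    print("realm.conf password matches DS hash:", realm_matches_ldif(DEMO_CONF, DEMO_LDIF))
```

On a real server you would feed `realm_matches_ldif` the contents of /etc/pki/pki-tomcat/acme/realm.conf and the `userPassword::` line from an ldapsearch of the entry; a False result means the two values have drifted, which only matters if the realm actually binds with BasicAuth rather than reusing the CS.cfg internaldb connection.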