Hi,
tail -f /var/log/httpd/error_log
[Wed Dec 14 10:45:46.672850 2022] [wsgi:error] [pid 15502:tid 140175850501888] [remote
10.100.0.213:47182] File
"/usr/lib/python3.6/site-packages/ipaserver/plugins/ca.py", line 189, in
set_certificate_attrs
[Wed Dec 14 10:45:46.672854 2022] [wsgi:error] [pid 15502:tid 140175850501888] [remote
10.100.0.213:47182] with api.Backend.ra_lightweight_ca as ca_api:
[Wed Dec 14 10:45:46.672858 2022] [wsgi:error] [pid 15502:tid 140175850501888] [remote
10.100.0.213:47182] File
"/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", line 1211, in
__enter__
[Wed Dec 14 10:45:46.672862 2022] [wsgi:error] [pid 15502:tid 140175850501888] [remote
10.100.0.213:47182] raise errors.RemoteRetrieveError(reason=_('Failed to
authenticate to CA REST API'))
[Wed Dec 14 10:45:46.672867 2022] [wsgi:error] [pid 15502:tid 140175850501888] [remote
10.100.0.213:47182] ipalib.errors.RemoteRetrieveError: Failed to authenticate to CA REST
API
[Wed Dec 14 10:45:46.672874 2022] [wsgi:error] [pid 15502:tid 140175850501888] [remote
10.100.0.213:47182]
[Wed Dec 14 10:45:46.673000 2022] [wsgi:error] [pid 15502:tid 140175850501888] [remote
10.100.0.213:47182] ipa: INFO: [jsonserver_session] admin@WINGON.HK:
cert_show/1('1', version='2.245'): RemoteRetrieveError
[Wed Dec 14 10:45:46.673047 2022] [wsgi:error] [pid 15502:tid 140175850501888] [remote
10.100.0.213:47182] ipa: DEBUG: [jsonserver_session] admin@WINGON.HK:
cert_show/1('1', version='2.245'): RemoteRetrieveError etime=569221770
[Wed Dec 14 10:45:46.673819 2022] [wsgi:error] [pid 15502:tid 140175850501888] [remote
10.100.0.213:47182] ipa: DEBUG: FINAL: Hits 0 Misses 2 Size 2
[Wed Dec 14 10:45:46.673911 2022] [wsgi:error] [pid 15502:tid 140175850501888] [remote
10.100.0.213:47182] ipa: DEBUG: Destroyed connection context.ldap2_140175871416696
[Wed Dec 14 10:46:58.533496 2022] [:warn] [pid 15505:tid 140175805597440] [client
10.100.0.213:45502] failed to set perms (3140) on file
(/run/ipa/ccaches/admin@WINGON.HK-sHvwu4)!, referer:
https://wocfreeipa.wingon.hk/ipa/xml
[Wed Dec 14 10:46:58.534621 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Wed Dec 14 10:46:58.534727 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: WSGI jsonserver_session.__call__:
[Wed Dec 14 10:46:58.545384 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: Created connection context.ldap2_140175871412600
[Wed Dec 14 10:46:58.545468 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: WSGI jsonserver.__call__:
[Wed Dec 14 10:46:58.545505 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
[Wed Dec 14 10:46:58.551189 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: raw: cert_show('1', version='2.245')
[Wed Dec 14 10:46:58.551663 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: cert_show(1, cacn='ipa', chain=False, all=False,
raw=False, version='2.245', no_members=False)
[Wed Dec 14 10:46:58.552186 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: raw: ca_is_enabled(version='2.245')
[Wed Dec 14 10:46:58.552313 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: ca_is_enabled(version='2.245')
[Wed Dec 14 10:46:58.555552 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: ra.get_certificate()
[Wed Dec 14 10:46:58.556893 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: request GET
https://wocfreeipa.wingon.hk:443/ca/rest/certs/1
[Wed Dec 14 10:46:58.556960 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: request body ''
[Wed Dec 14 10:46:58.585446 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: response status 200
[Wed Dec 14 10:46:58.587038 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: response headers Date: Wed, 14 Dec 2022 02:46:58 GMT
[Wed Dec 14 10:46:58.587058 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] Server: Apache/2.4.37 (rocky) OpenSSL/1.1.1k mod_auth_gssapi/1.6.1
mod_nss/1.0.17 NSS/3.44 mod_wsgi/4.6.4 Python/3.6
[Wed Dec 14 10:46:58.587064 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] Content-Type: application/json
[Wed Dec 14 10:46:58.587069 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] Vary: Accept-Encoding
[Wed Dec 14 10:46:58.587073 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] Transfer-Encoding: chunked
[Wed Dec 14 10:46:58.587077 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502]
[Wed Dec 14 10:46:58.587084 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502]
[Wed Dec 14 10:46:58.587694 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: response body (decoded):
[Wed Dec 14 10:46:58.593066 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: IPA: virtual verify retrieve certificate
[Wed Dec 14 10:46:58.593525 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: Cache lookup: cn=retrieve certificate,cn=virtual
operations,cn=etc,dc=wingon,dc=hk
[Wed Dec 14 10:46:58.593849 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: Requested attrs_list ['objectclass']
[Wed Dec 14 10:46:58.595776 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: DROP: cn=retrieve certificate,cn=virtual
operations,cn=etc,dc=wingon,dc=hk
[Wed Dec 14 10:46:58.595866 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: DROP: not in cache cn=retrieve certificate,cn=virtual
operations,cn=etc,dc=wingon,dc=hk
[Wed Dec 14 10:46:58.596087 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: ADD: cn=retrieve certificate,cn=virtual
operations,cn=etc,dc=wingon,dc=hk: {'entrylevelrights',
'attributelevelrights', 'objectclass'} all=False
[Wed Dec 14 10:46:58.596154 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: MISS: Hits 0 Misses 1 Size 1
[Wed Dec 14 10:46:58.596400 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: raw: ca_show('ipa', chain=False, all=False,
version='2.245')
[Wed Dec 14 10:46:58.596538 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: ca_show('ipa', rights=False, chain=False,
all=False, raw=False, version='2.245')
[Wed Dec 14 10:46:58.596680 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: raw: ca_is_enabled(version='2.245')
[Wed Dec 14 10:46:58.596758 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: ca_is_enabled(version='2.245')
[Wed Dec 14 10:46:58.597793 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: Cache lookup: cn=ipa,cn=cas,cn=ca,dc=wingon,dc=hk
[Wed Dec 14 10:46:58.597867 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: Requested attrs_list ['description',
'ipacasubjectdn', 'cn', 'ipacaid', 'ipacaissuerdn']
[Wed Dec 14 10:46:58.599055 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: DROP: cn=ipa,cn=cas,cn=ca,dc=wingon,dc=hk
[Wed Dec 14 10:46:58.599146 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: DROP: not in cache cn=ipa,cn=cas,cn=ca,dc=wingon,dc=hk
[Wed Dec 14 10:46:58.599368 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: ADD: cn=ipa,cn=cas,cn=ca,dc=wingon,dc=hk:
{'description', 'ipacasubjectdn', 'commonname', 'cn',
'ipacaid', 'ipacaissuerdn'} all=False
[Wed Dec 14 10:46:58.599434 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: MISS: Hits 0 Misses 2 Size 2
[Wed Dec 14 10:46:58.600765 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: request GET
https://wocfreeipa.wingon.hk:443/ca/rest/account/login
[Wed Dec 14 10:46:58.600832 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: request body ''
[Wed Dec 14 10:46:58.626797 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: response status 401
[Wed Dec 14 10:46:58.627246 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: response headers Date: Wed, 14 Dec 2022 02:46:58 GMT
[Wed Dec 14 10:46:58.627257 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] Server: Apache/2.4.37 (rocky) OpenSSL/1.1.1k mod_auth_gssapi/1.6.1
mod_nss/1.0.17 NSS/3.44 mod_wsgi/4.6.4 Python/3.6
[Wed Dec 14 10:46:58.627262 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] Cache-Control: private
[Wed Dec 14 10:46:58.627266 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] Expires: Thu, 01 Jan 1970 00:00:00 GMT
[Wed Dec 14 10:46:58.627271 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] WWW-Authenticate: Basic realm="Certificate Authority"
[Wed Dec 14 10:46:58.627275 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] Content-Type: text/html;charset=utf-8
[Wed Dec 14 10:46:58.627280 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] Content-Language: en
[Wed Dec 14 10:46:58.627284 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] Content-Length: 669
[Wed Dec 14 10:46:58.627288 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502]
[Wed Dec 14 10:46:58.627294 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502]
[Wed Dec 14 10:46:58.627363 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: response body (decoded): b'<!doctype
html><html lang="en"><head><title>HTTP Status 401
\\xe2\\x80\\x93 Unauthorized</title><style type="text/css">body
{font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
{color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3
{font-size:14px;} p {font-size:12px;} a {color:black;} .line
{height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
Status 401 \\xe2\\x80\\x93 Unauthorized</h1><hr class="line"
/><p><b>Type</b> Status
Report</p><p><b>Description</b> The request has not been applied
because it lacks valid authentication credentials for the target resource.</p><hr
class="line" /><h3>Apache
Tomcat/9.0.30</h3></body></html>'
[Wed Dec 14 10:46:58.629455 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call
last):
[Wed Dec 14 10:46:58.629481 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] File
"/usr/lib/python3.6/site-packages/ipaserver/rpcserver.py", line 407, in
wsgi_execute
[Wed Dec 14 10:46:58.629487 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] result = command(*args, **options)
[Wed Dec 14 10:46:58.629491 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] File
"/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 471, in __call__
[Wed Dec 14 10:46:58.629496 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] return self.__do_call(*args, **options)
[Wed Dec 14 10:46:58.629501 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] File
"/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 499, in __do_call
[Wed Dec 14 10:46:58.629506 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ret = self.run(*args, **options)
[Wed Dec 14 10:46:58.629510 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] File
"/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 821, in run
[Wed Dec 14 10:46:58.629515 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] return self.execute(*args, **options)
[Wed Dec 14 10:46:58.629519 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] File
"/usr/lib/python3.6/site-packages/ipaserver/plugins/cert.py", line 1388, in
execute
[Wed Dec 14 10:46:58.629524 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] chain=chain,
[Wed Dec 14 10:46:58.629529 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] File
"/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 471, in __call__
[Wed Dec 14 10:46:58.629533 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] return self.__do_call(*args, **options)
[Wed Dec 14 10:46:58.629538 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] File
"/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 499, in __do_call
[Wed Dec 14 10:46:58.629547 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ret = self.run(*args, **options)
[Wed Dec 14 10:46:58.629728 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] File
"/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 821, in run
[Wed Dec 14 10:46:58.629734 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] return self.execute(*args, **options)
[Wed Dec 14 10:46:58.629739 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] File
"/usr/lib/python3.6/site-packages/ipaserver/plugins/ca.py", line 252, in
execute
[Wed Dec 14 10:46:58.629744 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] msg = set_certificate_attrs(result['result'], options)
[Wed Dec 14 10:46:58.629748 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] File
"/usr/lib/python3.6/site-packages/ipaserver/plugins/ca.py", line 189, in
set_certificate_attrs
[Wed Dec 14 10:46:58.629757 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] with api.Backend.ra_lightweight_ca as ca_api:
[Wed Dec 14 10:46:58.629761 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] File
"/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", line 1211, in
__enter__
[Wed Dec 14 10:46:58.629766 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] raise errors.RemoteRetrieveError(reason=_('Failed to
authenticate to CA REST API'))
[Wed Dec 14 10:46:58.629771 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipalib.errors.RemoteRetrieveError: Failed to authenticate to CA REST
API
[Wed Dec 14 10:46:58.629796 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502]
[Wed Dec 14 10:46:58.629954 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: INFO: [jsonserver_session] admin@WINGON.HK:
cert_show/1('1', version='2.245'): RemoteRetrieveError
[Wed Dec 14 10:46:58.630022 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: [jsonserver_session] admin@WINGON.HK:
cert_show/1('1', version='2.245'): RemoteRetrieveError etime=84348352
[Wed Dec 14 10:46:58.630767 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: FINAL: Hits 0 Misses 2 Size 2
[Wed Dec 14 10:46:58.630882 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote
10.100.0.213:45502] ipa: DEBUG: Destroyed connection context.ldap2_140175871412600
Seems to just confirm that the CA is returning a 401.
Early on in the thread Flo asked you to check on something in LDAP and
you had a stray character (*). Did you ever double-check that?
ldapsearch -x -o ldif-wrap=no -LLL -s base -h `hostname` -p 389 -b
uid=ipara,ou=people,o=ipaca description usercertificate
You want to make sure that the certificate value in
/var/lib/ipa/ra-agent.pem is in the usercertificate attribute in LDAP.
The CA uses TLS client authentication to validate the cert. It also does
a subject and key comparison (description) and the certificate blob
itself (usercertificate).
rob
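
The comparison described in the reply above, as an added example (not code from the thread or from FreeIPA): it takes the text of /var/lib/ipa/ra-agent.pem and the LDIF printed by the ldapsearch command and reports whether that certificate is among the usercertificate values of uid=ipara. The sample data is constructed placeholder bytes, and the description layout (version;serial;issuer DN;subject DN) is an assumption.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate in a PEM file."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    return base64.b64decode("".join(match.group(1).split()))


def parse_ldif_entry(ldif_text):
    """Parse one LDIF entry into {attribute: [bytes, ...]}; unfolds
    continuation lines, decodes "attr::" base64, drops ";binary"."""
    unfolded = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]      # folded line: strip one space
        elif line.strip():
            unfolded.append(line)
    attrs = {}
    for line in unfolded:
        name, sep, rest = line.partition(":")
        if not sep:
            continue
        if rest.startswith(":"):          # "attr:: <base64>"
            value = base64.b64decode(rest[1:].strip())
        else:
            value = rest.strip().encode()
        attrs.setdefault(name.split(";")[0].lower(), []).append(value)
    return attrs


def check_ra_agent(pem_text, ldif_text):
    """Compare the RA agent certificate with the uid=ipara LDAP entry."""
    der = pem_to_der(pem_text)
    entry = parse_ldif_entry(ldif_text)
    certs = entry.get("usercertificate", [])
    result = {"cert_in_ldap": der in certs, "ldap_cert_count": len(certs),
              "description": None}
    # Assumed layout: version;serial;issuer DN;subject DN
    for raw in entry.get("description", []):
        parts = raw.decode().split(";", 3)
        if len(parts) == 4:
            result["description"] = dict(
                zip(("version", "serial", "issuer", "subject"), parts))
    return result


# Constructed sample data: placeholder bytes, not real certificates.
OLD = b"0\x82constructed placeholder, not a real certificate (old)"
NEW = b"0\x82constructed placeholder, not a real certificate (renewed)"
NEW_B64 = base64.b64encode(NEW).decode()
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n" + NEW_B64 +
              "\n-----END CERTIFICATE-----\n")
# LDAP still holds only the old certificate: the mismatch case.
SAMPLE_LDIF_STALE = (
    "dn: uid=ipara,ou=people,o=ipaca\n"
    "description: 2;7;CN=Certificate Authority,O=EXAMPLE.TEST;"
    "CN=IPA RA,O=EXAMPLE.TEST\n"
    "usercertificate:: " + base64.b64encode(OLD).decode() + "\n")
# Second value added (folded across two lines): the matching case.
SAMPLE_LDIF_OK = (SAMPLE_LDIF_STALE + "usercertificate;binary:: " +
                  NEW_B64[:20] + "\n " + NEW_B64[20:] + "\n")
```

The serial and subject returned under "description" can be compared by hand with the output of `openssl x509 -in /var/lib/ipa/ra-agent.pem -noout -serial -subject`.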