On Mon, Oct 25, 2021 at 10:09:56AM -0500, Endi Dewata via FreeIPA-users wrote:
On Mon, Oct 25, 2021 at 7:42 AM Rob Crittenden via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
Tomasz Torcz via FreeIPA-users wrote:
ACME also has a realm configuration:
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configur...
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configur...
so there could be an issue there.
But IIRC in IPA case it's configured to reuse the internaldb connection defined in CS.cfg so these params don't need to be specified again. Is there a working IPA instance with ACME that can be compared against?
So I did a clean install of Fedora 34 and FreeIPA. The clean install works as expected. I compared the fresh install with mine; there were discrepancies, which I mostly fixed, but it didn't change my problem. The failure looks like this in the logs (pki-tomcat/acme/debug-<date>.log):
2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: Finding user by cert:
2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: - base DN: ou=people,o=ipaca
2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: - filter: description=2;105;CN=Certificate Authority,O=PIPEBREAKER.PL;CN=IPA RA,O=PIPEBREAKER.PL
2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: User: uid=ipara,ou=people,o=ipaca
2021-11-03 18:43:08 [https-jsse-nio-8443-exec-12] FINE: Realm.authenticate() returned false
While on a _fresh install_ the correct log looks like:
2021-10-31 13:51:47 [https-jsse-nio-8443-exec-13] INFO: Authenticating user with client certificate
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Finding user by cert:
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - base DN: ou=people,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - filter: description=2;7;CN=Certificate Authority,O=IPADEV.PIPEBREAKER.PL;CN=IPA RA,O=IPADEV.PIPEBREAKER.PL
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: User: uid=ipara,ou=people,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Getting user roles:
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - base DN: ou=groups,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - filter: uniqueMember=uid=ipara,ou=people,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Roles:
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - cn=Certificate Manager Agents,ou=groups,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - cn=Registration Manager Agents,ou=groups,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - cn=Enterprise ACME Administrators,ou=groups,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Initializing ACMEApplication
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: Session: 3DBCD2FB21ADFDD04ADC518C97AA07B4
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: Principal: GenericPrincipal[ipara(Certificate Manager Agents,Enterprise ACME Administrators,Registration Manager Agents,)]
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: Principal: ipara
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: Roles:
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: - Certificate Manager Agents
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: - Enterprise ACME Administrators
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: - Registration Manager Agents
2021-10-31 13:51:48 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: LDAP: search ou=config,ou=acme,o=ipaca
2021-10-31 13:51:49 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: ACMERequestFilter: ACME service is disabled
Things I've observed on the fresh install, which I've implemented on my production (it changed nothing; provided here for documentation only):
# in /etc/pki/pki-tomcat/ca/CS.cfg:
- added lines:
  features.authority.description=Lightweight CAs
  features.authority.enabled=true
  features.authority.version=1.0
- 36 profile.* lines were missing; carefully added them, for example:
  profile.AdminCert.class_id=caEnrollImpl
  profile.AdminCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/AdminCert.cfg
- also copied a long line starting with profile.listprofile.list=
- /var/lib/pki/pki-tomcat/ca/profiles/ca on the prod server contained 74 files, while the fresh install had over 90. I've copied the missing ones from /usr/share/pki/ca/profiles/ca/
# in LDAP
- ipaca / groups / Certificate Manager Agents had an entry for pkidbuser; added on prod: uniqueMember: uid=pkidbuser,ou=People,o=ipaca
- pkidbuser had 3 userCertificate: entries, two of them expired; removed those
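The comparison described above (fresh CS.cfg against the upgraded one, counting missing profile.* lines and checking profile.list) can be scripted so nothing is missed by eye. The following is an added example written for this page; it is not code from the thread or from the pki project. The two CS.cfg fragments are constructed for illustration, and the key names used in them (features.authority.*, profile.<name>.class_id, profile.<name>.config, profile.list, internaldb.ldapconn.port) are the only ones the script relies on.

```python
"""Diff two Dogtag CS.cfg property files the way the thread compares a fresh
FreeIPA install against an upgraded one: report keys the reference has that
the other host lacks, keys whose values differ, and profiles named in
profile.list that have no profile.<name>.class_id registration.
Added example, not code from the original thread or from the pki project;
the two CS.cfg fragments below are constructed for illustration."""
import re
from collections import defaultdict

# Constructed stand-in for /etc/pki/pki-tomcat/ca/CS.cfg on a fresh install.
FRESH_CS_CFG = """\
# comment lines and blank lines are ignored
features.authority.description=Lightweight CAs
features.authority.enabled=true
features.authority.version=1.0
profile.AdminCert.class_id=caEnrollImpl
profile.AdminCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/AdminCert.cfg
profile.caServerCert.class_id=caEnrollImpl
profile.caServerCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/caServerCert.cfg
profile.list=AdminCert,caServerCert
internaldb.ldapconn.port=389
"""

# Constructed stand-in for the same file on an older, upgraded host: the
# features.authority.* keys and the caServerCert registration are gone,
# yet profile.list still names caServerCert.
PROD_CS_CFG = """\
profile.AdminCert.class_id=caEnrollImpl
profile.AdminCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/AdminCert.cfg
profile.list=AdminCert,caServerCert
internaldb.ldapconn.port=636
"""

_PROFILE_KEY = re.compile(r"^profile\.([^.]+)\.class_id$")


def parse_cs_cfg(text):
    """Parse key=value lines into a dict; split on the first '=' only,
    because values (DNs, paths, URLs) can themselves contain '='."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def compare_cs_cfg(reference_text, other_text):
    """Return (missing, differing): keys only in the reference, sorted, and
    a dict key -> (reference value, other value) for keys in both files
    whose values differ."""
    ref = parse_cs_cfg(reference_text)
    other = parse_cs_cfg(other_text)
    missing = sorted(k for k in ref if k not in other)
    differing = {k: (ref[k], other[k])
                 for k in ref if k in other and ref[k] != other[k]}
    return missing, differing


def group_by_prefix(keys, depth=1):
    """Group dotted keys by their first `depth` components so dozens of
    missing profile.* keys collapse into one family in the report."""
    groups = defaultdict(list)
    for k in keys:
        groups[".".join(k.split(".")[:depth])].append(k)
    return dict(groups)


def unregistered_profiles(props):
    """Profiles named in profile.list that have no profile.<name>.class_id
    entry, i.e. listed but never registered with the CA."""
    listed = [p for p in props.get("profile.list", "").split(",") if p]
    registered = set()
    for k in props:
        m = _PROFILE_KEY.match(k)
        if m:
            registered.add(m.group(1))
    return sorted(p for p in listed if p not in registered)


def main():
    missing, differing = compare_cs_cfg(FRESH_CS_CFG, PROD_CS_CFG)
    for prefix, keys in sorted(group_by_prefix(missing).items()):
        print(f"{len(keys)} key(s) on fresh install missing under {prefix}.*:")
        for k in keys:
            print("   ", k)
    for k, (ref_val, other_val) in sorted(differing.items()):
        print(f"value differs: {k}: fresh={ref_val!r} prod={other_val!r}")
    for name in unregistered_profiles(parse_cs_cfg(PROD_CS_CFG)):
        print(f"profile.list names {name} but profile.{name}.class_id is absent")


if __name__ == "__main__":
    main()
```

To run it against real servers, read the two CS.cfg files and pass their contents to compare_cs_cfg(). Value differences under host-specific families such as internaldb.* are expected between two installs; the missing keys in the features.* and profile.* families are the kind of discrepancy the thread is chasing. CS.cfg carries hostnames and DNs, so redact the report before posting it to a public list.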