Tomasz Torcz via FreeIPA-users wrote:
>> ACME also has a realm configuration:
>> https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configuring_ACME_Realm.md
>> https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configuring-ACME-with-DS-Realm.adoc
>> so there could be an issue there.
>
> This looks to be configured, but I found a possible discrepancy in "password":
>
> $ cat /etc/pki/pki-tomcat/acme/realm.conf
> # VERSION 2 - DO NOT REMOVE THIS LINE
> authType=BasicAuth
> class=org.dogtagpki.acme.realm.DSRealm
> groupsDN=ou=groups,o=ipaca
> usersDN=ou=people,o=ipaca
> url=ldaps://kaitain.pipebreaker.pl:636
> configFile=/etc/pki/pki-tomcat/ca/CS.cfg
> username=acme-kaitain.pipebreaker.pl
> password=<40-character long text string>
>
> While the userPassword:: field of uid=acme-kaitain.pipebreaker.pl,ou=people,o=ipaca
> contains a very long base64 string, which decodes to a string of length 447 starting
> with {PBKDF2_SHA256}. How to make sure it corresponds to the same
> value?
>
This is the password for the username in the file. It is basically
unused by IPA as IPA uses client auth with the RA agent certificate.
rob
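As an added example (not part of the thread), here is how the two values Tomasz compares can be checked against each other: the `userPassword::` LDIF attribute is base64-decoded once to obtain the 447-character `{PBKDF2_SHA256}` string, which 389-ds lays out as a 4-byte big-endian iteration count, a 64-byte salt and a 256-byte PBKDF2-HMAC-SHA256 output (15-character prefix plus base64 of 324 bytes is exactly 447 characters). The sample hash below is constructed with a fixed salt; on a real server the `password=` value from realm.conf would be the candidate.

```python
import base64
import hashlib
import hmac
import os
import struct

# 389-ds stores {PBKDF2_SHA256} values as base64 of:
#   4-byte big-endian iteration count | 64-byte salt | 256-byte PBKDF2-HMAC-SHA256 output
# 15-char prefix + base64(324 bytes) = 447 characters, the length seen in the thread.
SCHEME = "{PBKDF2_SHA256}"
ITER_LEN, SALT_LEN, HASH_LEN = 4, 64, 256

def from_ldif_line(line):
    """'userPassword:: <b64>' (double colon = base64 attribute value) -> scheme string."""
    attr, _, value = line.partition("::")
    if attr.strip().lower() != "userpassword":
        raise ValueError("not a userPassword:: line")
    return base64.b64decode(value.strip()).decode("ascii")

def parse_ds_pbkdf2(scheme_string):
    """Split a {PBKDF2_SHA256} value into (iterations, salt, digest)."""
    if not scheme_string.startswith(SCHEME):
        raise ValueError("not a {PBKDF2_SHA256} value")
    raw = base64.b64decode(scheme_string[len(SCHEME):])
    if len(raw) != ITER_LEN + SALT_LEN + HASH_LEN:
        raise ValueError("unexpected blob length %d" % len(raw))
    iterations = struct.unpack(">I", raw[:ITER_LEN])[0]
    return iterations, raw[ITER_LEN:ITER_LEN + SALT_LEN], raw[ITER_LEN + SALT_LEN:]

def verify_ds_pbkdf2(scheme_string, candidate):
    """True if the cleartext candidate (e.g. realm.conf password=) matches the stored hash."""
    iterations, salt, digest = parse_ds_pbkdf2(scheme_string)
    computed = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iterations, dklen=HASH_LEN)
    return hmac.compare_digest(computed, digest)

def make_ds_pbkdf2(password, iterations=2048, salt=None):
    """Build a value in the same layout (used here only to construct sample data)."""
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=HASH_LEN)
    return SCHEME + base64.b64encode(struct.pack(">I", iterations) + salt + digest).decode("ascii")

# Constructed sample data (not from the thread); a fixed salt makes the value reproducible.
SAMPLE_PASSWORD = "constructed-sample-secret"
SAMPLE_HASH = make_ds_pbkdf2(SAMPLE_PASSWORD, iterations=2048, salt=bytes(range(64)))
SAMPLE_LDIF_LINE = "userPassword:: " + base64.b64encode(SAMPLE_HASH.encode("ascii")).decode("ascii")

if __name__ == "__main__":
    stored = from_ldif_line(SAMPLE_LDIF_LINE)
    print(len(stored), verify_ds_pbkdf2(stored, SAMPLE_PASSWORD))
```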