Hi,
Let's restart this investigation from scratch.
When you run "ipa cert-show 1", does it trigger any log in
/var/log/httpd/access_log and /var/log/httpd/ssl_request_log? On a working
instance I have the following:
in access_log:
10.0.138.204 - - [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/certs/1 HTTP/1.1" 200 9973
10.0.138.204 - - [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/account/login HTTP/1.1" 200 304
10.0.138.204 - - [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/authorities/7126aa53-8759-424c-92ca-17d36df4a183/cert HTTP/1.1" 200 1158
10.0.138.204 - - [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/account/logout HTTP/1.1" 204 -
in ssl_request_log:
[16/Dec/2022:09:20:32 -0500] 10.0.138.204 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /ca/rest/certs/1 HTTP/1.1" 9973
[16/Dec/2022:09:20:32 -0500] 10.0.138.204 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /ca/rest/account/login HTTP/1.1" 304
[16/Dec/2022:09:20:32 -0500] 10.0.138.204 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /ca/rest/authorities/7126aa53-8759-424c-92ca-17d36df4a183/cert HTTP/1.1" 1158
[16/Dec/2022:09:20:32 -0500] 10.0.138.204 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /ca/rest/account/logout HTTP/1.1" -
We can see that the first operation (/ca/rest/certs/1) is not authenticated,
while the second one requires authentication (/ca/rest/account/login is
executed before /ca/rest/authorities/xxx).
Is there a corresponding log in
/var/log/pki/pki-tomcat/localhost_access_log.$DATE.txt? When the AJP
connector is properly set, the operation should also be visible here, for
instance:
10.0.138.204 - - [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/certs/1 HTTP/1.1" 200 9973
10.0.138.204 - ipara [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/account/login HTTP/1.1" 200 304
10.0.138.204 - ipara [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/authorities/7126aa53-8759-424c-92ca-17d36df4a183/cert HTTP/1.1" 200 1158
10.0.138.204 - ipara [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/account/logout HTTP/1.1" 204 -
Then the logs in /var/log/pki/pki-tomcat/ca/debug.$DATE.log should show the
operations with:
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] INFO: Getting certificate 0x1
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: PKIRealm: Authenticating certificate chain:
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: PKIRealm: - CN=IPA RA, O=IPA.TEST
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: CertUserDBAuthentication: UID ipara authenticated.
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: PKIRealm: User ID: ipara
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: UGSubsystem: retrieving user uid=ipara,ou=People,o=ipaca
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: PKIRealm: Roles:
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: PKIRealm: - Certificate Manager Agents
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: PKIRealm: - Registration Manager Agents
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: PKIRealm: - Security Domain Administrators
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: PKIRealm: - Enterprise ACME Administrators
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: AAclAuthz: Granting login permission for certServer.ca.account
As the authentication is done with the RA cert, and we saw that your RA
cert has serial=7, we need to ensure that the cert is valid: what is the
output of
ldapsearch -D cn=directory\ manager -W -b "cn=7,ou=certificateRepository,ou=ca,o=ipaca"
The output should display certStatus: VALID and userCertificate;binary
should contain the same cert as /var/lib/ipa/ra-agent.pem
flo
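As an added illustration of the cross-check described above (not code from the thread, FreeIPA or Dogtag): a small Python script that compares the /ca/rest requests recorded in httpd's access_log with what pki-tomcat's localhost_access_log shows, flagging requests the AJP connector never forwarded and login calls that PKIRealm did not authenticate as ipara. The log lines are constructed from the ones quoted in the message; the failing sample is an assumed broken instance.

```python
import re
from collections import Counter

# Common log format as written by both httpd and pki-tomcat in the thread.
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed samples modelled on the working instance quoted in the thread.
HTTPD_ACCESS_LOG = """\
10.0.138.204 - - [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/certs/1 HTTP/1.1" 200 9973
10.0.138.204 - - [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/account/login HTTP/1.1" 200 304
10.0.138.204 - - [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/authorities/7126aa53-8759-424c-92ca-17d36df4a183/cert HTTP/1.1" 200 1158
10.0.138.204 - - [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/account/logout HTTP/1.1" 204 -
"""
TOMCAT_ACCESS_LOG_OK = """\
10.0.138.204 - - [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/certs/1 HTTP/1.1" 200 9973
10.0.138.204 - ipara [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/account/login HTTP/1.1" 200 304
10.0.138.204 - ipara [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/authorities/7126aa53-8759-424c-92ca-17d36df4a183/cert HTTP/1.1" 200 1158
10.0.138.204 - ipara [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/account/logout HTTP/1.1" 204 -
"""
# Assumed broken instance: login rejected (no user, 401), later calls never reach tomcat.
TOMCAT_ACCESS_LOG_BAD = """\
10.0.138.204 - - [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/certs/1 HTTP/1.1" 200 9973
10.0.138.204 - - [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/account/login HTTP/1.1" 401 -
"""

def parse_clf(text):
    """Parse CLF lines into dicts; lines that do not match are ignored."""
    return [m.groupdict() for m in map(CLF_RE.match, text.splitlines()) if m]

def diagnose(httpd_log, tomcat_log, prefix="/ca/rest/"):
    """Return (missing, failed_logins): paths httpd proxied but tomcat never
    logged (AJP not forwarding), and tomcat login entries with no remote user
    or a non-200 status (RA certificate not accepted by PKIRealm)."""
    seen = Counter(e["path"] for e in parse_clf(httpd_log) if e["path"].startswith(prefix))
    tomcat = parse_clf(tomcat_log)
    got = Counter(e["path"] for e in tomcat if e["path"].startswith(prefix))
    missing = sorted(p for p in seen if got[p] < seen[p])
    failed_logins = [e for e in tomcat if e["path"] == "/ca/rest/account/login"
                     and (e["user"] == "-" or e["status"] != "200")]
    return missing, failed_logins

if __name__ == "__main__":
    for name, log in (("working", TOMCAT_ACCESS_LOG_OK), ("broken", TOMCAT_ACCESS_LOG_BAD)):
        missing, failed = diagnose(HTTPD_ACCESS_LOG, log)
        print(f"{name}: not seen by tomcat={missing} failed logins={len(failed)}")
```

An empty "missing" list with no failed logins is what the working instance above produces; anything else points at the AJP connector or at the RA certificate check that the ldapsearch verifies.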
On Thu, Dec 15, 2022 at 3:34 AM junhou he via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
Hi,
We disabled SELinux.
ls -lZ /var/lib/ipa/ra-agent.*
-rwxrwxrwx 1 root ipaapi ? 1704 Nov 16 10:33 /var/lib/ipa/ra-agent.key
-rwxrwxrwx 1 root ipaapi ? 1399 Nov 16 10:33 /var/lib/ipa/ra-agent.pem
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org