Hi,
I did not change anything in /etc/httpd/conf.d/ipa-pki-proxy.conf:
# matches for REST API of CA, KRA, and PKI
<LocationMatch "^/(ca|kra|pki)/rest/">
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
SSLVerifyClient optional
ProxyPassMatch ajp://localhost:8009 secret=9YiPRrt1izX7zjQ2PLQwyIkLdEKMwArNdEEuyPHiHVCG
ProxyPassReverse ajp://localhost:8009
</LocationMatch>
[root@wocfreeipa ~]# certutil -L -d /etc/httpd/alias/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
WINGON.HK IPA CA CT,C,C
Go Daddy Secure Certificate Authority - G2 - GoDaddy.com, Inc. CT,C,C
Go Daddy Root Certificate Authority - G2 - The Go Daddy Group, Inc. CT,C,C
Go Daddy Class 2 Certification Authority - The Go Daddy Group, Inc. CT,C,C
Server-Cert u,u,u
[root@wocfreeipa ~]# certutil -d /etc/httpd/alias/ -O -n Server-Cert
"Go Daddy Class 2 Certification Authority - The Go Daddy Group, Inc." [OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US]
"Go Daddy Root Certificate Authority - G2 - The Go Daddy Group, Inc." [CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US]
"Go Daddy Secure Certificate Authority - G2 - GoDaddy.com, Inc." [CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US]
"Server-Cert" [CN=*.wingon.hk]
[root@wocfreeipa ~]# certutil -L -d /etc/dirsrv/slapd-WINGON-HK/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
CN=*.wingon.hk u,u,u
WINGON.HK IPA CA CT,C,C
OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US C,,
CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US C,,
NSS Certificate DB:NSS Certificate DB:CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US C,,
[root@wocfreeipa ~]# certutil -L -d /etc/pki/pki-tomcat/alias/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
caSigningCert cert-pki-ca CTu,Cu,Cu
ocspSigningCert cert-pki-ca u,u,u
subsystemCert cert-pki-ca u,u,u
auditSigningCert cert-pki-ca u,u,Pu
Server-Cert cert-pki-ca u,u,u
OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US C,,
CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US C,,
NSS Certificate DB:NSS Certificate DB:CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, Inc.,L=Scottsdale,ST=Arizona,C=US C,,
I use ipa-cacert-manage install to add the external CA.