On Tue, Oct 12, 2021 at 02:33:01PM -0400, Rob Crittenden via FreeIPA-users 
wrote:
> Tomasz Torcz via FreeIPA-users wrote:
> > On Sat, Oct 02, 2021 at 04:38:34PM +0200, Tomasz Torcz via FreeIPA-users 
> > wrote:
> >> $ ipa-acme-manage enable
> >> Failed to authenticate to CA REST API
> >> The ipa-acme-manage command failed.
> >>
> >  
> >> Then SNIPPED portion is the same data as in /var/lib/ipa/ra-agent.pem.
> >> This is the same certificate; serial number matches, too.
> >  
> >>   What should I do next to resolve this authentication issue?
> > 
> >   No ideas how to proceed?
> > Most troubleshooting guides end at comparing certs on the filesystem and
> > in LDAP. What's the next step?
> > 
> 
> I'd suggest trying ipa-healthcheck. It does these comparisons and more.

  Ran that; some minor warnings, but nothing about the RA cert.

  {
    "source": "ipahealthcheck.ds.replication",
    "check": "ReplicationCheck",
    "result": "WARNING",
    "uuid": "10a0ad23-dc7a-4f43-a5f5-fac08c55a7b9",
    "when": "20211014120305Z",
    "duration": "0.392689",
    "kw": {
      "key": "DSREPLLE0002",
      "items": [
        "Replication",
        "Conflict Entries"
      ],
      "msg": "There were 1 conflict entries found under the replication suffix \"dc=pipebreaker,dc=pl\"."
    }
  },

Not much actionable info here.



  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertTracking",
    "result": "WARNING",
    "uuid": "e4a545a3-ad22-4b8e-b4f0-70287eae98a9",
    "when": "20211014120309Z",
    "duration": "2.828753",
    "kw": {
      "key": "20141107202922",
      "msg": "certmonger tracking request {key} found and is not expected on an IPA master."
    }
  },


$ getcert list -i 20141107202922
Number of certificates and requests being tracked: 10.
Request ID '20141107202922':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/etc/pki/tls/private/kaitain.pipebreaker.pl.key'
        certificate: type=FILE,location='/etc/pki/tls/certs/kaitain.pipebreaker.pl.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=PIPEBREAKER.PL
        subject: CN=kaitain.pipebreaker.pl,O=PIPEBREAKER.PL
        issued: 2020-08-24 06:23:58 CEST
        expires: 2022-08-25 06:23:58 CEST
        dns: kaitain.pipebreaker.pl
        principal name: host/kaitain.pipebreaker...@pipebreaker.pl
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: 
        post-save command: 
        track: yes
        auto-renew: yes

Looks fine; I have this cert/key configured for the systemd-journal-upload service,
which is not part of FreeIPA.




  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertDNSSAN",
    "result": "ERROR",
    "uuid": "87699232-f56d-47e4-802b-afab4f1d1b9b",
    "when": "20211014120312Z",
    "duration": "2.300274",
    "kw": {
      "key": "20200624045303",
      "hostname": "kaitain.pipebreaker.pl",
      "san": [],
      "ca": "IPA",
      "profile": "caIPAserviceCert",
      "msg": "Certificate request id {key} with profile {profile} for CA {ca} does not have a DNS SAN {san} matching name {hostname}"
    }
  }
]


$ getcert list -i 20200624045303
Number of certificates and requests being tracked: 10.
Request ID '20200624045303':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PIPEBREAKER-PL',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PIPEBREAKER-PL/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PIPEBREAKER-PL',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=PIPEBREAKER.PL
        subject: CN=kaitain.pipebreaker.pl,O=PIPEBREAKER.PL
        issued: 2021-08-18 14:27:32 CEST
        expires: 2023-08-19 14:27:32 CEST
        principal name: ldap/kaitain.pipebreaker...@pipebreaker.pl
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        profile: caIPAserviceCert
        pre-save command: 
        post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv PIPEBREAKER-PL
        track: yes
        auto-renew: y

Also looks fine; the SAN requirement in certificates only appeared a few years ago,
after this particular server was installed.  I doubt it is even used in the context
of an LDAP connection.

> Does the RA cert work in other contexts? Does ipa cert-find work? Can
> you request a test certificate?

It seems so:

root@kaitain ~$ ipa cert-find
ipa: ERROR: did not receive Kerberos credentials

root@kaitain ~$ kinit admin
Password for ad...@pipebreaker.pl: 

root@kaitain ~$ ipa cert-find
ipa: WARNING: Search result has been truncated: Configured size limit exceeded
------------------------
100 certificates matched
------------------------
[ … hundred certificates listed … ]

When I check in WebUI I see that latest certificate was
Issued On
Tue Oct 05 20:27:05 2021 UTC

So it worked last week.

What would be the next step?

-- 
Tomasz Torcz                Only gods can safely risk perfection,
to...@pipebreaker.pl     it's a dangerous thing for a man.  — Alia
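The healthcheck entries above carry their message as a template whose {placeholder}s are filled from the sibling "kw" fields, which makes raw JSON hard to skim. The following triage helper is an added example, not part of this thread or of ipa-healthcheck itself: it renders the messages and lists the non-passing results worst-first. The first three sample entries are trimmed copies of the output quoted above; the fourth (a passing IPARAAgent entry) is constructed for illustration.

```python
import json

# Constructed sample in the shape `ipa-healthcheck --output-type json` emits.
# Entries 1-3 are trimmed from the output quoted in this thread; entry 4 is an
# assumed passing result added so that filtering has something to drop.
SAMPLE_OUTPUT = json.dumps([
    {"source": "ipahealthcheck.ds.replication", "check": "ReplicationCheck",
     "result": "WARNING", "kw": {"key": "DSREPLLE0002",
     "msg": "There were 1 conflict entries found under the replication "
            "suffix \"dc=pipebreaker,dc=pl\"."}},
    {"source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking",
     "result": "WARNING", "kw": {"key": "20141107202922",
     "msg": "certmonger tracking request {key} found and is not expected "
            "on an IPA master."}},
    {"source": "ipahealthcheck.ipa.certs", "check": "IPACertDNSSAN",
     "result": "ERROR", "kw": {"key": "20200624045303",
     "hostname": "kaitain.pipebreaker.pl", "san": [], "ca": "IPA",
     "profile": "caIPAserviceCert",
     "msg": "Certificate request id {key} with profile {profile} for CA {ca} "
            "does not have a DNS SAN {san} matching name {hostname}"}},
    {"source": "ipahealthcheck.ipa.certs", "check": "IPARAAgent",
     "result": "SUCCESS", "kw": {}},
])

# Severity order used for filtering and sorting (ipa-healthcheck result names).
SEVERITY = {"SUCCESS": 0, "WARNING": 1, "ERROR": 2, "CRITICAL": 3}


def parse(raw):
    """Decode the JSON array produced by ipa-healthcheck."""
    return json.loads(raw)


def render(entry):
    """Fill the {placeholder}s in kw["msg"] from the other kw fields."""
    kw = entry.get("kw", {})
    return kw.get("msg", "").format(**kw)


def triage(raw, min_result="WARNING", source_prefix=""):
    """Return (source.check, result, rendered message) tuples for every entry
    at or above min_result, optionally limited to one source tree, worst first."""
    rows = []
    for entry in parse(raw):
        if SEVERITY.get(entry["result"], 0) < SEVERITY[min_result]:
            continue
        if not entry["source"].startswith(source_prefix):
            continue
        name = "{}.{}".format(entry["source"], entry["check"])
        rows.append((name, entry["result"], render(entry)))
    rows.sort(key=lambda row: -SEVERITY[row[1]])  # stable: keeps report order within a level
    return rows
```

Pointing `triage()` at a real run with `source_prefix="ipahealthcheck.ipa.certs"` isolates just the certificate checks when chasing an RA-agent problem like the one in this thread.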
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
