On Tue, Oct 12, 2021 at 02:33:01PM -0400, Rob Crittenden via FreeIPA-users wrote:
> Tomasz Torcz via FreeIPA-users wrote:
> > On Sat, Oct 02, 2021 at 04:38:34PM +0200, Tomasz Torcz via FreeIPA-users
> > wrote:
> >> $ ipa-acme-manage enable
> >> Failed to authenticate to CA REST API
> >> The ipa-acme-manage command failed.
> >>
> >
> >> The SNIPPED portion is the same data as in /var/lib/ipa/ra-agent.pem.
> >> This is the same certificate; serial number matches, too.
> >
> >> What should I do next to resolve this authentication issue?
> >
> > No ideas how to proceed?
> > Most troubleshooting guides end at comparing certs on the filesystem and
> > in LDAP. What's the next step?
> >
>
> I'd suggest trying ipa-healthcheck. It does these comparisons and more.
Ran that; some minor warnings, but nothing about the RA cert.

  {
    "source": "ipahealthcheck.ds.replication",
    "check": "ReplicationCheck",
    "result": "WARNING",
    "uuid": "10a0ad23-dc7a-4f43-a5f5-fac08c55a7b9",
    "when": "20211014120305Z",
    "duration": "0.392689",
    "kw": {
      "key": "DSREPLLE0002",
      "items": [
        "Replication",
        "Conflict Entries"
      ],
      "msg": "There were 1 conflict entries found under the replication suffix \"dc=pipebreaker,dc=pl\"."
    }
  }

Not much actionable info here.

  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertTracking",
    "result": "WARNING",
    "uuid": "e4a545a3-ad22-4b8e-b4f0-70287eae98a9",
    "when": "20211014120309Z",
    "duration": "2.828753",
    "kw": {
      "key": "20141107202922",
      "msg": "certmonger tracking request {key} found and is not expected on an IPA master."
    }
  },

$ getcert list -i 20141107202922
Number of certificates and requests being tracked: 10.
Request ID '20141107202922':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/etc/pki/tls/private/kaitain.pipebreaker.pl.key'
    certificate: type=FILE,location='/etc/pki/tls/certs/kaitain.pipebreaker.pl.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=PIPEBREAKER.PL
    subject: CN=kaitain.pipebreaker.pl,O=PIPEBREAKER.PL
    issued: 2020-08-24 06:23:58 CEST
    expires: 2022-08-25 06:23:58 CEST
    dns: kaitain.pipebreaker.pl
    principal name: host/kaitain.pipebreaker...@pipebreaker.pl
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes

Looks fine; I have this cert/key configured in the systemd-journal-upload service, which is not a part of FreeIPA.
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertDNSSAN",
    "result": "ERROR",
    "uuid": "87699232-f56d-47e4-802b-afab4f1d1b9b",
    "when": "20211014120312Z",
    "duration": "2.300274",
    "kw": {
      "key": "20200624045303",
      "hostname": "kaitain.pipebreaker.pl",
      "san": [],
      "ca": "IPA",
      "profile": "caIPAserviceCert",
      "msg": "Certificate request id {key} with profile {profile} for CA {ca} does not have a DNS SAN {san} matching name {hostname}"
    }
  }
]

$ getcert list -i 20200624045303
Number of certificates and requests being tracked: 10.
Request ID '20200624045303':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PIPEBREAKER-PL',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PIPEBREAKER-PL/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PIPEBREAKER-PL',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=PIPEBREAKER.PL
    subject: CN=kaitain.pipebreaker.pl,O=PIPEBREAKER.PL
    issued: 2021-08-18 14:27:32 CEST
    expires: 2023-08-19 14:27:32 CEST
    principal name: ldap/kaitain.pipebreaker...@pipebreaker.pl
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    profile: caIPAserviceCert
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv PIPEBREAKER-PL
    track: yes
    auto-renew: y

Also looks fine. The SAN requirement in certificates only appeared a few years ago, after this particular server was installed. I doubt it is even used in the context of an LDAP connection.

> Does the RA cert work in other contexts? Does ipa cert-find work? Can
> you request a test certificate?
It looks so:

root@kaitain ~$ ipa cert-find
ipa: ERROR: did not receive Kerberos credentials
root@kaitain ~$ kinit admin
Password for ad...@pipebreaker.pl:
root@kaitain ~$ ipa cert-find
ipa: WARNING: Search result has been truncated: Configured size limit exceeded
------------------------
100 certificates matched
------------------------
[ … hundred certificates listed … ]

When I check in the WebUI I see that the latest certificate was Issued On Tue Oct 05 20:27:05 2021 UTC, so it worked last week.

What would be the next step?

--
Tomasz Torcz               Only gods can safely risk perfection,
to...@pipebreaker.pl       it's a dangerous thing for a man. — Alia

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
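The thread above shows the raw JSON that ipa-healthcheck emits: each result carries a `msg` template in `kw` whose `{placeholders}` are filled from the other `kw` fields, and the certificate checks reference certmonger request IDs that the poster then looks up with `getcert list -i`. The following script is an added example for this thread, not code from FreeIPA or the ipa-healthcheck project, that does that triage offline: it renders the messages, drops SUCCESS results, lets the operator suppress findings already reviewed as benign (here the certmonger request for the non-IPA journal-upload cert), and collects the request IDs worth checking with getcert. The sample input is a constructed, trimmed copy of the results posted in the thread; the `ignore` list and the helper names are the example's own.

```python
"""Triage ipa-healthcheck JSON output offline.

Added example for this thread, not part of ipa-healthcheck or FreeIPA.
It assumes the JSON shape shown in the thread: a list of result objects
with "source", "check", "result" and "kw", where kw.msg is a template
whose {placeholders} are filled from the other kw fields.
"""
import json
from collections import Counter

# Severity order used for sorting; SUCCESS entries are dropped from the report.
SEVERITY = {"CRITICAL": 0, "ERROR": 1, "WARNING": 2, "SUCCESS": 3}

# Constructed sample, trimmed from the results posted in the thread
# (one SUCCESS entry added so the filter has something to drop).
SAMPLE_JSON = r'''
[
  {"source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking",
   "result": "SUCCESS", "kw": {"key": "20200624045303"}},
  {"source": "ipahealthcheck.ds.replication", "check": "ReplicationCheck",
   "result": "WARNING",
   "kw": {"key": "DSREPLLE0002", "items": ["Replication", "Conflict Entries"],
          "msg": "There were 1 conflict entries found under the replication suffix \"dc=pipebreaker,dc=pl\"."}},
  {"source": "ipahealthcheck.ipa.certs", "check": "IPACertTracking",
   "result": "WARNING",
   "kw": {"key": "20141107202922",
          "msg": "certmonger tracking request {key} found and is not expected on an IPA master."}},
  {"source": "ipahealthcheck.ipa.certs", "check": "IPACertDNSSAN",
   "result": "ERROR",
   "kw": {"key": "20200624045303", "hostname": "kaitain.pipebreaker.pl",
          "san": [], "ca": "IPA", "profile": "caIPAserviceCert",
          "msg": "Certificate request id {key} with profile {profile} for CA {ca} does not have a DNS SAN {san} matching name {hostname}"}}
]
'''


def render_message(entry):
    """Fill the {placeholders} in kw.msg from the other kw fields."""
    kw = entry.get("kw", {})
    msg = kw.get("msg")
    if msg is None:
        return ""
    try:
        return msg.format(**kw)
    except (KeyError, IndexError):
        return msg  # leave the template untouched rather than crash on it


def triage(text, ignore=()):
    """Return non-SUCCESS findings, worst first, minus known-benign ones.

    `ignore` is an iterable of (check, key) tuples the operator has already
    reviewed, e.g. a certmonger request that belongs to a non-IPA service.
    """
    results = json.loads(text)
    ignore = set(ignore)
    findings = []
    for entry in results:
        if entry.get("result", "SUCCESS") == "SUCCESS":
            continue
        key = entry.get("kw", {}).get("key")
        if (entry.get("check"), key) in ignore:
            continue
        findings.append({
            "severity": entry["result"],
            "source": entry["source"],
            "check": entry["check"],
            "key": key,
            "message": render_message(entry),
        })
    findings.sort(key=lambda f: (SEVERITY.get(f["severity"], 99), f["check"]))
    return findings


def cert_request_ids(findings):
    """Request IDs from certificate checks, to feed `getcert list -i`."""
    return sorted({f["key"] for f in findings
                   if f["source"] == "ipahealthcheck.ipa.certs" and f["key"]})


def summary(findings):
    """Count of findings per severity."""
    return dict(Counter(f["severity"] for f in findings))


if __name__ == "__main__":
    import sys
    # Pipe `ipa-healthcheck --output-type json` in, or fall back to the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JSON
    found = triage(text, ignore=[("IPACertTracking", "20141107202922")])
    for f in found:
        print(f"{f['severity']:8} {f['check']:20} {f['message']}")
    print("summary:", summary(found))
    print("getcert list -i", *cert_request_ids(found))
```

Run it as `ipa-healthcheck --output-type json | python3 triage.py` on the master, or with no stdin to see the sample. Rendering `{san}` from an empty list makes the IPACertDNSSAN message read "DNS SAN []", which is the detail that tells you the cert has no SAN at all rather than a mismatched one.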