On Thu, Oct 21, 2021 at 5:36 AM Tomasz Torcz via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> On Wed, Oct 20, 2021 at 08:40:30PM -0500, Endi Dewata via FreeIPA-users wrote:
> > Hi,
> >
> > I think error 401 means that the client cert could not be mapped
> > to the user in DS.
> >
> > Could you check the uid=ipara,ou=people,o=ipaca to make sure
> > that the userCertificate and the description attributes contain the
> > right certificate?
>
> That was the first thing I checked. userCertificate:: (after base64
> decoding) is the same as /var/lib/ipa/ra-agent.pem - the same
> description, fingerprint, etc. openssl x509 -serial returns "69" for
> both, and LDAP contains:
> description: 2;105;CN=Certificate Authority,O=PIPEBREAKER.PL;CN=IPA RA,O=PIPEBREAKER.PL
>
> 105 (dec) == 69 (hex) so this is correct, too.
>
> > You can also try setting the log level to INFO or FINE to see the
> > authentication process on the server side:
> > https://github.com/dogtagpki/pki/wiki/Configuring-Server-Logging
>
> This is something! There are new lines between starting certificate
> authentication and returning failure. First I thought there were libraries
> missing, but in the end all finish with "Loading class from parent":
>
> FINE: Calling authenticate()
> INFO: PKIAuthenticator: Authenticate with client certificate authentication
> INFO: Authenticating certificate chain:
> INFO: - CN=IPA RA,O=PIPEBREAKER.PL
> INFO: - CN=Certificate Authority,O=PIPEBREAKER.PL
> FINE: loadClass(org.mozilla.jss.netscape.security.util.Cert, false)
> FINE: Searching local repositories
> FINE: findClass(org.mozilla.jss.netscape.security.util.Cert)
> FINE: --> Returning ClassNotFoundException
> FINE: Delegating to parent classloader at end: java.net.URLClassLoader@5fcfe4b2
> FINE: Loading class from parent
> FINE: loadClass(netscape.ldap.LDAPSearchResults, false)
> FINE: Searching local repositories
> FINE: findClass(netscape.ldap.LDAPSearchResults)
> FINE: --> Returning ClassNotFoundException
> FINE: Delegating to parent classloader at end: java.net.URLClassLoader@5fcfe4b2
> FINE: Loading class from parent
> FINE: loadClass(netscape.ldap.LDAPEntry, false)
> FINE: Searching local repositories
> FINE: findClass(netscape.ldap.LDAPEntry)
> FINE: --> Returning ClassNotFoundException
> FINE: Delegating to parent classloader at end: java.net.URLClassLoader@5fcfe4b2
> FINE: Loading class from parent
> FINE: loadClass(com.netscape.cmscore.usrgrp.User, false)
> FINE: Searching local repositories
> FINE: findClass(com.netscape.cmscore.usrgrp.User)
> FINE: Loading class from local repository
> FINE: loadClass(netscape.ldap.LDAPAttribute, false)
> FINE: Searching local repositories
> FINE: findClass(netscape.ldap.LDAPAttribute)
> FINE: --> Returning ClassNotFoundException
> FINE: Delegating to parent classloader at end: java.net.URLClassLoader@5fcfe4b2
> FINE: Loading class from parent
> INFO: PKIAuthenticator: Result: false
> FINE: Failed authenticate() test
>
> A second invocation of "pki-acme-manage status" does not generate those class
> messages:
>
> FINE: Calling hasUserDataPermission()
> FINE: User data constraint already satisfied
> FINE: Calling authenticate()
> INFO: PKIAuthenticator: Authenticate with client certificate authentication
> INFO: Authenticating certificate chain:
> INFO: - CN=IPA RA,O=PIPEBREAKER.PL
> INFO: - CN=Certificate Authority,O=PIPEBREAKER.PL
> INFO: PKIAuthenticator: Result: false
> FINE: Failed authenticate() test
> FINE: JSSEngine: wrap(ssl_fd=org.mozilla.jss.nss.SSLFDProxy[1522605810@00079ea974550000])

I think the class loading messages above were generated by Tomcat. That's
probably how it resolves the classes, so I don't think that's an issue.

Could you raise the debug level in the CA subsystem too?
https://github.com/dogtagpki/pki/wiki/Configuring-Subsystem-Debug-Log

The authenticator uses the LDAP connection in the CA to find the user in DS,
so there might be an issue there.

--
Endi S. Dewata
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure