On Mon, Oct 25, 2021 at 10:09:56AM -0500, Endi Dewata via FreeIPA-users wrote:
> On Mon, Oct 25, 2021 at 7:42 AM Rob Crittenden via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
> > Tomasz Torcz via FreeIPA-users wrote:
> > >> ACME also has a realm configuration:
> > >> https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configuring_ACME_Realm.md
> > >> https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configuring-ACME-with-DS-Realm.adoc
> > >> so there could be an issue there.
> >
> But IIRC in IPA case it's configured to reuse the internaldb connection
> defined in CS.cfg so these params don't need to be specified again.
> Is there a working IPA instance with ACME that can be compared
> against?
So I did a clean install of Fedora 34 and FreeIPA. The clean install works as
expected. I did a comparison between the fresh install and mine; there were
discrepancies, which I mostly fixed, but it didn't change my problem.

Failure looks like this in the logs (pki-tomcat/acme/debug-<date>.log):

2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: Finding user by cert:
2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: - base DN: ou=people,o=ipaca
2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: - filter: description=2;105;CN=Certificate Authority,O=PIPEBREAKER.PL;CN=IPA RA,O=PIPEBREAKER.PL
2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: User: uid=ipara,ou=people,o=ipaca
2021-11-03 18:43:08 [https-jsse-nio-8443-exec-12] FINE: Realm.authenticate() returned false

While on a _fresh install_ the correct log looks like this:

2021-10-31 13:51:47 [https-jsse-nio-8443-exec-13] INFO: Authenticating user with client certificate
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Finding user by cert:
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - base DN: ou=people,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - filter: description=2;7;CN=Certificate Authority,O=IPADEV.PIPEBREAKER.PL;CN=IPA RA,O=IPADEV.PIPEBREAKER.PL
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: User: uid=ipara,ou=people,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Getting user roles:
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - base DN: ou=groups,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - filter: uniqueMember=uid=ipara,ou=people,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Roles:
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - cn=Certificate Manager Agents,ou=groups,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - cn=Registration Manager Agents,ou=groups,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - cn=Enterprise ACME Administrators,ou=groups,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Initializing ACMEApplication
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: Session: 3DBCD2FB21ADFDD04ADC518C97AA07B4
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: Principal: GenericPrincipal[ipara(Certificate Manager Agents,Enterprise ACME Administrators,Registration Manager Agents,)]
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: Principal: ipara
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: Roles:
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: - Certificate Manager Agents
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: - Enterprise ACME Administrators
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: - Registration Manager Agents
2021-10-31 13:51:48 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: LDAP: search ou=config,ou=acme,o=ipaca
2021-10-31 13:51:49 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: ACMERequestFilter: ACME service is disabled

Things I've observed on the fresh install, which I've implemented on my
production (it changed nothing, provided here for documentation only):

# in /etc/pki/pki-tomcat/ca/CS.cfg:
- added lines:
  features.authority.description=Lightweight CAs
  features.authority.enabled=true
  features.authority.version=1.0
- 36 profile.* lines were missing; carefully added them, for example:
  profile.AdminCert.class_id=caEnrollImpl
  profile.AdminCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/AdminCert.cfg
- also copied a long line starting with profile.listprofile.list=
- /var/lib/pki/pki-tomcat/ca/profiles/ca on the prod server contained 74 files,
  while the fresh install had over 90.
  I've copied the missing ones from /usr/share/pki/ca/profiles/ca/

# in LDAP
- ipaca / groups / Certificate Manager Agents had an entry for pkidbuser; added on prod:
  uniqueMember: uid=pkidbuser,ou=People,o=ipaca
- pkidbuser had 3 userCertificate: entries, two of them were expired; removed those

-- 
Tomasz Torcz
to...@pipebreaker.pl

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
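To make the comparison of the two debug logs above repeatable, here is an added example (not part of the post, not Dogtag or FreeIPA code) that walks the pki-tomcat ACME realm log per Tomcat thread and reports the last stage the certificate login reached: user lookup, user found, role lookup, rejected, or principal established. It assumes only the "date time [thread] LEVEL: message" line format shown in the post; the sample log lines are constructed from the quoted excerpts.

```python
import re
from collections import defaultdict

# Constructed sample input: lines from the two pki-tomcat ACME debug logs quoted above.
FAILING_LOG = """\
2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: Finding user by cert:
2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: - filter: description=2;105;CN=Certificate Authority,O=PIPEBREAKER.PL;CN=IPA RA,O=PIPEBREAKER.PL
2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: User: uid=ipara,ou=people,o=ipaca
2021-11-03 18:43:08 [https-jsse-nio-8443-exec-12] FINE: Realm.authenticate() returned false
"""
WORKING_LOG = """\
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Finding user by cert:
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - filter: description=2;7;CN=Certificate Authority,O=IPADEV.PIPEBREAKER.PL;CN=IPA RA,O=IPADEV.PIPEBREAKER.PL
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: User: uid=ipara,ou=people,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Roles:
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - cn=Certificate Manager Agents,ou=groups,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - cn=Enterprise ACME Administrators,ou=groups,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: Principal: ipara
"""
LINE_RE = re.compile(r"^\S+ \S+ \[([^\]]+)\] \w+: (.*)$")  # "date time [thread] LEVEL: message"

def parse_cert_filter(filter_text):
    """Split the realm's 'description=version;serial;issuerDN;subjectDN' user lookup filter."""
    version, serial, issuer, subject = filter_text.split("=", 1)[1].split(";", 3)
    return {"version": int(version), "serial": int(serial), "issuer": issuer, "subject": subject}

def analyze(log_text):
    """Per Tomcat thread, record how far the certificate login got (lookup, user_found, rejected, principal)."""
    threads = defaultdict(lambda: {"stage": "none", "user": None, "cert": None, "roles": []})
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        thread, msg = m.groups()
        t = threads[thread]
        if msg.startswith("Finding user by cert"):
            t["stage"] = "lookup"
        elif msg.startswith("- filter: description="):
            t["cert"] = parse_cert_filter(msg[len("- filter: "):])
        elif msg.startswith("User: "):
            t["user"], t["stage"] = msg[len("User: "):], "user_found"
        elif msg.startswith("- cn="):  # a group DN listed under "Roles:"
            t["roles"].append(msg[2:])
        elif msg.startswith("Realm.authenticate() returned false"):
            t["stage"] = "rejected"
        elif msg.startswith("ACMELoginService: Principal: "):
            t["stage"] = "principal"
    return dict(threads)

def diagnose(log_text):
    """One verdict per thread: last stage reached, user DN, looked-up cert serial and role count."""
    return {thread: f"{t['stage']}: user={t['user']} serial={t['cert']['serial'] if t['cert'] else '?'} roles={len(t['roles'])}"
            for thread, t in analyze(log_text).items()}
```

Run against the failing log it reports the thread as rejected right after the user was found, with no roles read, which is exactly the point where the two logs diverge.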