Tomasz Torcz via FreeIPA-users wrote:
> On Mon, Oct 25, 2021 at 10:09:56AM -0500, Endi Dewata via FreeIPA-users wrote:
>> On Mon, Oct 25, 2021 at 7:42 AM Rob Crittenden via FreeIPA-users <
>> freeipa-users@lists.fedorahosted.org> wrote:
>>
>>> Tomasz Torcz via FreeIPA-users wrote:
>>>>> ACME also has a realm configuration:
>>>>> https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configuring_ACME_Realm.md
>>>>> https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configuring-ACME-with-DS-Realm.adoc
>>>>> so there could be an issue there.
>>
>> But IIRC in the IPA case it's configured to reuse the internaldb connection
>> defined in CS.cfg so these params don't need to be specified again.
>> Is there a working IPA instance with ACME that can be compared
>> against?
>
> So I did a clean install of Fedora 34 and FreeIPA. The clean install works
> as expected. I did a comparison between the fresh install and mine;
> there were discrepancies, which I mostly fixed, but it didn't change my
> problem.
> The failure looks like this in the logs (pki-tomcat/acme/debug-<data>.log):
>
> 2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: Finding user by cert:
> 2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: - base DN: ou=people,o=ipaca
> 2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: - filter: description=2;105;CN=Certificate Authority,O=PIPEBREAKER.PL;CN=IPA RA,O=PIPEBREAKER.PL
> 2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: User: uid=ipara,ou=people,o=ipaca
> 2021-11-03 18:43:08 [https-jsse-nio-8443-exec-12] FINE: Realm.authenticate() returned false

Yeah, I noticed this in your logs as well. I have no insight into what PKI does to authenticate beyond the things you've already checked. We know that this cert is ok because you can authenticate to the CA using it in other ways. It would be nice if they logged some reason for the failure to authenticate but I'm not sure how to get that.

rob

> While on a _fresh install_ the correct log looks like:
>
> 2021-10-31 13:51:47 [https-jsse-nio-8443-exec-13] INFO: Authenticating user with client certificate
> 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Finding user by cert:
> 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - base DN: ou=people,o=ipaca
> 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - filter: description=2;7;CN=Certificate Authority,O=IPADEV.PIPEBREAKER.PL;CN=IPA RA,O=IPADEV.PIPEBREAKER.PL
> 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: User: uid=ipara,ou=people,o=ipaca
> 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Getting user roles:
> 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - base DN: ou=groups,o=ipaca
> 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - filter: uniqueMember=uid=ipara,ou=people,o=ipaca
> 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Roles:
> 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - cn=Certificate Manager Agents,ou=groups,o=ipaca
> 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - cn=Registration Manager Agents,ou=groups,o=ipaca
> 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - cn=Enterprise ACME Administrators,ou=groups,o=ipaca
> 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Initializing ACMEApplication
> 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: Session: 3DBCD2FB21ADFDD04ADC518C97AA07B4
> 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: Principal: GenericPrincipal[ipara(Certificate Manager Agents,Enterprise ACME Administrators,Registration Manager Agents,)]
> 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: Principal: ipara
> 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: Roles:
> 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: - Certificate Manager Agents
> 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: - Enterprise ACME Administrators
> 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: - Registration Manager Agents
> 2021-10-31 13:51:48 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: LDAP: search ou=config,ou=acme,o=ipaca
> 2021-10-31 13:51:49 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: ACMERequestFilter: ACME service is disabled
>
>
> Things I've observed on the fresh install, which I've implemented on my production
> (it changed nothing, provided here for documentation only):
>
> # in /etc/pki/pki-tomcat/ca/CS.cfg:
> - added lines:
> features.authority.description=Lightweight CAs
> features.authority.enabled=true
> features.authority.version=1.0
>
> - 36 profile.* lines were missing; carefully added them, for example:
> profile.AdminCert.class_id=caEnrollImpl
> profile.AdminCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/AdminCert.cfg
>
> - also copied a long line starting with profile.listprofile.list=
>
> - /var/lib/pki/pki-tomcat/ca/profiles/ca on the prod server contained 74 files, while
> the fresh install had over 90. I've copied the missing ones from
> /usr/share/pki/ca/profiles/ca/
>
> # in LDAP
> - ipaca / groups / Certificate Manager Agents had an entry for pkidbuser; added on prod
> uniqueMember: uid=pkidbuser,ou=People,o=ipaca
> - pkidbuser had 3 userCertificate: entries, two of them were expired; removed those
>

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
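As an added example (not code from the thread, FreeIPA or Dogtag PKI), the script below does mechanically what the comparison in the thread does by eye: it parses pki-tomcat ACME debug log lines by Tomcat thread, maps each message to a named stage of the client-certificate login (the stage names are this script's own), and reports which stages the working instance logged that the failing one never reached. The sample input is the set of log lines quoted above; the messages it matches are only those that appear there, so a different PKI version may word them differently and need the patterns adjusted.

```python
"""Compare the ACME client-cert login flow in two pki-tomcat ACME debug logs.

Added example, not code from the thread, FreeIPA or Dogtag PKI. Groups log
lines by Tomcat thread, maps each message to a login stage and reports the
stages a working instance logged that a failing one never reached. Stage
names are this script's own; the matched messages are only the ones quoted
in the thread, so other PKI versions may word them differently.
"""
import re

# pki-tomcat debug line: "<date> <time> [<thread>] <LEVEL>: <message>"
LINE_RE = re.compile(r"^(\S+ \S+) \[([^\]]+)\] (\w+): (.*)$")
USER_RE = re.compile(r"^User: (?P<dn>.+)$")

# Realm / ACMELoginService messages in the order a successful login logs them.
# First matching pattern wins; lines such as "- base DN: ..." match nothing.
STAGES = [
    ("authenticating", re.compile(r"^Authenticating user with client certificate")),
    ("find_user", re.compile(r"^Finding user by cert:")),
    ("user_found", USER_RE),
    ("get_roles", re.compile(r"^Getting user roles:")),
    ("roles_found", re.compile(r"^Roles:")),
    ("authenticate_failed", re.compile(r"^Realm\.authenticate\(\) returned false")),
    ("login_principal", re.compile(r"^ACMELoginService: Principal: GenericPrincipal")),
]
STAGE_ORDER = [name for name, _ in STAGES]

# Constructed sample input: the lines quoted in the thread, one entry per item.
FAILING_LOG = [
    "2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: Finding user by cert:",
    "2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: - base DN: ou=people,o=ipaca",
    "2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: - filter: description=2;105;CN=Certificate Authority,O=PIPEBREAKER.PL;CN=IPA RA,O=PIPEBREAKER.PL",
    "2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: User: uid=ipara,ou=people,o=ipaca",
    "2021-11-03 18:43:08 [https-jsse-nio-8443-exec-12] FINE: Realm.authenticate() returned false",
]
WORKING_LOG = [
    "2021-10-31 13:51:47 [https-jsse-nio-8443-exec-13] INFO: Authenticating user with client certificate",
    "2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Finding user by cert:",
    "2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - base DN: ou=people,o=ipaca",
    "2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - filter: description=2;7;CN=Certificate Authority,O=IPADEV.PIPEBREAKER.PL;CN=IPA RA,O=IPADEV.PIPEBREAKER.PL",
    "2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: User: uid=ipara,ou=people,o=ipaca",
    "2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Getting user roles:",
    "2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - base DN: ou=groups,o=ipaca",
    "2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - filter: uniqueMember=uid=ipara,ou=people,o=ipaca",
    "2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Roles:",
    "2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - cn=Certificate Manager Agents,ou=groups,o=ipaca",
    "2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - cn=Registration Manager Agents,ou=groups,o=ipaca",
    "2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - cn=Enterprise ACME Administrators,ou=groups,o=ipaca",
    "2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Initializing ACMEApplication",
    "2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: Session: 3DBCD2FB21ADFDD04ADC518C97AA07B4",
    "2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: Principal: GenericPrincipal[ipara(Certificate Manager Agents,Enterprise ACME Administrators,Registration Manager Agents,)]",
    "2021-10-31 13:51:48 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: LDAP: search ou=config,ou=acme,o=ipaca",
    "2021-10-31 13:51:49 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: ACMERequestFilter: ACME service is disabled",
]


def parse(lines):
    """Return {thread: [message, ...]} in log order; lines that do not parse are skipped."""
    threads = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if m:
            _ts, thread, _level, msg = m.groups()
            threads.setdefault(thread, []).append(msg)
    return threads


def stages_of(messages):
    """Map each message to the first stage pattern it matches, keeping order."""
    out = []
    for msg in messages:
        for name, pat in STAGES:
            if pat.match(msg):
                out.append(name)
                break
    return out


def assess(lines):
    """Per thread that touched the login flow: stages reached, mapped user DN, outcome."""
    report = {}
    for thread, msgs in parse(lines).items():
        stages = stages_of(msgs)
        if not stages:
            continue  # e.g. the AJP thread that only logs the ACME config lookup
        user = next((USER_RE.match(m).group("dn") for m in msgs if USER_RE.match(m)), None)
        if "login_principal" in stages:
            outcome = "authenticated"
        elif "authenticate_failed" in stages and "get_roles" not in stages:
            outcome = "rejected after user lookup, before any role lookup was logged"
        elif "authenticate_failed" in stages:
            outcome = "rejected after role lookup"
        else:
            outcome = "incomplete"
        report[thread] = {"stages": stages, "user": user, "outcome": outcome}
    return report


def missing_stages(failing, working):
    """Stages (in login order) some working thread reached but no failing thread did."""
    seen_bad = {s for r in assess(failing).values() for s in r["stages"]}
    seen_good = {s for r in assess(working).values() for s in r["stages"]}
    return [s for s in STAGE_ORDER if s in seen_good and s not in seen_bad]


if __name__ == "__main__":
    for label, log in (("failing", FAILING_LOG), ("working", WORKING_LOG)):
        for thread, r in assess(log).items():
            print(f"{label} {thread}: user={r['user']} outcome={r['outcome']}")
    print("stages never reached by the failing instance:",
          missing_stages(FAILING_LOG, WORKING_LOG))
```

Run against the two logs, the script reports that both instances map the client certificate to the same entry, uid=ipara,ou=people,o=ipaca, and that the failing instance stops with "Realm.authenticate() returned false" without ever logging a role lookup, while the working one goes on to "Getting user roles" and a GenericPrincipal carrying the agent groups. That narrows where to look to the realm's handling of the mapped user, which is exactly the gap the thread notes PKI does not explain in its log; to use it on real hosts, replace the two lists with the lines read from each server's pki-tomcat/acme/debug log.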