On Thu, Nov 4, 2021 at 12:32 PM Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> Tomasz Torcz via FreeIPA-users wrote:
> > On Mon, Oct 25, 2021 at 10:09:56AM -0500, Endi Dewata via FreeIPA-users wrote:
> >> On Mon, Oct 25, 2021 at 7:42 AM Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> >>
> >>> Tomasz Torcz via FreeIPA-users wrote:
> >>>>> ACME also has a realm configuration:
> >>>>>
> >>>>> https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configuring_ACME_Realm.md
> >>>>>
> >>>>> https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Configuring-ACME-with-DS-Realm.adoc
> >>>>> so there could be an issue there.
> >>>>
> >>
> >> But IIRC in IPA case it's configured to reuse the internaldb connection
> >> defined in CS.cfg so these params don't need to be specified again.
> >> Is there a working IPA instance with ACME that can be compared
> >> against?
> >
> >   So I did a clean install of Fedora 34 and FreeIPA. The clean install works
> > as expected.  I did a comparison between the fresh and my install;
> > there were discrepancies, which I mostly fixed, but it didn't change my
> > problem.
> >   The failure looks like this in the logs (pki-tomcat/acme/debug-<data>.log):
> >
> > 2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: Finding user by cert:
> > 2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: - base DN: ou=people,o=ipaca
> > 2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: - filter: description=2;105;CN=Certificate Authority,O=PIPEBREAKER.PL;CN=IPA RA,O=PIPEBREAKER.PL
> > 2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: User: uid=ipara,ou=people,o=ipaca
> > 2021-11-03 18:43:08 [https-jsse-nio-8443-exec-12] FINE: Realm.authenticate() returned false
>
> Yeah, I noticed this in your logs as well. I have no insight into what
> PKI does to authenticate beyond the things you've already checked. We
> know that this cert is ok because you can authenticate to the CA using
> it in other ways. It would be nice if they logged some reason for the
> failure to authenticate but I'm not sure how to get that.
>
> rob
>
> >
> >
> > While on the _fresh install_ the correct log looks like this:
> >
> > 2021-10-31 13:51:47 [https-jsse-nio-8443-exec-13] INFO: Authenticating user with client certificate
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Finding user by cert:
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - base DN: ou=people,o=ipaca
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - filter: description=2;7;CN=Certificate Authority,O=IPADEV.PIPEBREAKER.PL;CN=IPA RA,O=IPADEV.PIPEBREAKER.PL
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: User: uid=ipara,ou=people,o=ipaca
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Getting user roles:
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - base DN: ou=groups,o=ipaca
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - filter: uniqueMember=uid=ipara,ou=people,o=ipaca
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Roles:
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - cn=Certificate Manager Agents,ou=groups,o=ipaca
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - cn=Registration Manager Agents,ou=groups,o=ipaca
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - cn=Enterprise ACME Administrators,ou=groups,o=ipaca
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Initializing ACMEApplication
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: Session: 3DBCD2FB21ADFDD04ADC518C97AA07B4
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: Principal: GenericPrincipal[ipara(Certificate Manager Agents,Enterprise ACME Administrators,Registration Manager Agents,)]
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: Principal: ipara
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: Roles:
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: - Certificate Manager Agents
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: - Enterprise ACME Administrators
> > 2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: - Registration Manager Agents
> > 2021-10-31 13:51:48 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: LDAP: search ou=config,ou=acme,o=ipaca
> > 2021-10-31 13:51:49 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: ACMERequestFilter: ACME service is disabled
> >
> >
> >   Things I've observed on the fresh install, which I've implemented on my
> > production server (it changed nothing, provided here for documentation only):
> >
> > # in /etc/pki/pki-tomcat/ca/CS.cfg:
> > - added lines:
> >  features.authority.description=Lightweight CAs
> >  features.authority.enabled=true
> >  features.authority.version=1.0
> >
> > - 36 profile.* lines were missing; carefully added them, for example:
> >  profile.AdminCert.class_id=caEnrollImpl
> >  profile.AdminCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/AdminCert.cfg
> >
> > - also copied a long line starting with profile.listprofile.list=
> >
> > - /var/lib/pki/pki-tomcat/ca/profiles/ca on the prod server contained 74 files, while
> >   the fresh install had over 90. I've copied the missing ones from /usr/share/pki/ca/profiles/ca/
> >
> > # in LDAP
> > - ipaca / groups / Certificate Manager Agents had an entry for pkidbuser; added on prod
> >   uniqueMember: uid=pkidbuser,ou=People,o=ipaca
> > - pkidbuser had 3 userCertificate: entries, two of them were expired; removed those
>

I added some log messages into this file if you want to try again:
https://github.com/edewata/pki/blob/debug-v10.10/base/acme/src/main/java/org/dogtagpki/acme/realm/LDAPRealm.java

The build is available from this repo:
https://copr.fedorainfracloud.org/coprs/edewata/pki-10.10/builds/

-- 
Endi S. Dewata
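As an added example (not code from this thread, from FreeIPA or from Dogtag PKI), a small Python parser for the acme debug log format quoted above: it groups lines per Tomcat thread and reports at which stage of the LDAP realm lookup (certificate filter, user entry, role groups) a login stopped, which is the comparison between the failing and the fresh install done by hand above. The log lines are constructed with a placeholder domain, and the line regex and stage names are my assumptions about the format, not a Dogtag API.

```python
import re

# Constructed sample in the format of pki-tomcat/acme/debug-<date>.log: one rejected login
# (thread exec-12) and one successful login (thread exec-13); the domain is a placeholder.
SAMPLE_LOG = """\
2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: Finding user by cert:
2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: - filter: description=2;105;CN=Certificate Authority,O=EXAMPLE.TEST;CN=IPA RA,O=EXAMPLE.TEST
2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: User: uid=ipara,ou=people,o=ipaca
2021-11-03 18:43:08 [https-jsse-nio-8443-exec-12] FINE: Realm.authenticate() returned false
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Finding user by cert:
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - filter: description=2;7;CN=Certificate Authority,O=EXAMPLE.TEST;CN=IPA RA,O=EXAMPLE.TEST
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: User: uid=ipara,ou=people,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - cn=Certificate Manager Agents,ou=groups,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: Principal: ipara
"""
# Assumed line shape: <date> <time> [<tomcat thread>] <LEVEL>: <message>
LINE_RE = re.compile(r"^(\S+ \S+) \[([^\]]+)\] (\w+): (.*)$")

def parse_cert_filter(filter_text):
    """Split 'description=2;<serial>;<issuer DN>;<subject DN>' into its parts."""
    version, serial, issuer, subject = filter_text.split("=", 1)[1].split(";", 3)
    return {"version": version, "serial": int(serial), "issuer": issuer, "subject": subject}

def analyze(log_text):
    """Group lines by Tomcat thread and record how far each realm login got."""
    attempts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # wrapped or foreign line: skip rather than guess
        _ts, thread, _level, msg = m.groups()
        a = attempts.setdefault(thread, {"cert": None, "user": None, "roles": [], "status": "pending"})
        if msg.startswith("- filter: description="):
            a["cert"] = parse_cert_filter(msg[len("- filter: "):])
        elif msg.startswith("User: "):
            a["user"] = msg[len("User: "):]
        elif msg.startswith("- cn="):  # a role group found under ou=groups,o=ipaca
            a["roles"].append(msg[2:])
        elif "Realm.authenticate() returned false" in msg:
            a["status"] = "rejected"
        elif msg.startswith("ACMELoginService: Principal: "):
            a["status"] = "ok"
    return attempts

def diagnose(attempt):
    """Name the stage at which the realm stopped; the thread's case is 'user found, then rejected'."""
    if attempt["status"] == "ok":
        return "authenticated; roles: " + ", ".join(attempt["roles"])
    if attempt["user"] is None:
        return "no entry matched the certificate filter; check the user's description attribute"
    return "entry %s matched but was rejected after %d role(s); compare it with a fresh install" % (
        attempt["user"], len(attempt["roles"]))
```

Run it over a real debug log by passing the file contents to `analyze()`; a thread whose entry matched but that was rejected with zero roles is the pattern seen in the failing log above.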

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
