On Thu, 23 Dec 2021, Dungan, Scott A. via FreeIPA-users wrote:
Thanks for the link, Ferrão!

Using the information from that thread, I inspected the contents of 
/etc/pki/pki-tomcat/server.xml and noticed that on lines 129 and 171, there 
were two values listed: one for secret= and one for requiredSecret=. In 
addition, the two secrets were different. Only the “secret=” value matched what 
was located in the /etc/httpd/conf.d/ipa-pki-proxy.conf for the ProxyPassMatch 
statements that Rob referred to in the thread you linked. I went ahead and 
changed the value of “requiredSecret=” to be the same in server.xml, restarted 
IPA services, and the error was resolved!

Questions unanswered: where did this other (incorrect) value for
requiredSecret come from? Some sort of failure in the upgrade script?
Having both secret and requiredSecret specified (both with the same
correct value) is now required in /etc/pki/pki-tomcat/server.xml?
Looking at the other not-yet-upgraded IPA servers, that line only lists
secret=

The right thread to watch is 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/NZLD5WHI4GCM2B437WPPD4HIHSCJT45F/
As I said there, "is that both pki upgrade code and ipa upgrade
code triggered and pki upgrade code adds 'requiredSecret' part. IPA
upgrade code is present since FreeIPA 4.9.0, since March 2020, more than
1.5 years ago."

PKI added upgrade support code in their RHEL 8.5.0 update. As a result,
FreeIPA's code seems to stumble on some of the upgrade paths. Since it
is triggered during new IPA package upgrade, we get this mix of two
upgrade routines that create a conflicting configuration together.
PKI upgrade code refactoring ignores Tomcat version which is wrong.

https://bugzilla.redhat.com/show_bug.cgi?id=2006070 tracks a fix for
this on PKI side and it will be out in next minor RHEL 8 version,
hopefully (and in CentOS 8 Stream before that).


Fixed line #129 in /etc/pki/pki-tomcat/server.xml for IPA server version 
4.9.6-10:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="localhost4" name="Connector1" 
secret="123456789abcdefghijklmnopqrstuvwxyz" requiredSecret="123456789abcdefghijklmnopqrstuvwxyz"/>

Line #129 in /etc/pki/pki-tomcat/server.xml for IPA server version 4.9.6-6:

<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" address="localhost4" 
name="Connector1" secret="123456789abcdefghijklmnopqrstuvwxyz "/>

-Scott

From: Vinícius Ferrão <fer...@versatushpc.com.br>
Sent: Wednesday, December 22, 2021 11:15 AM
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Dungan, Scott A. <sdun...@caltech.edu>
Subject: Re: [Freeipa-users] IPA Server Upgrade: CA REST API: 403 error

Sorry. Wrong link. This is the one: 
https://www.mail-archive.com/freeipa-users@lists.fedorahosted.org/msg12583.html
Sent from my iPhone


On 22 Dec 2021, at 16:14, Vinícius Ferrão <fer...@versatushpc.com.br> wrote:

Is this related?

https://pagure.io/freeipa/issue/9041
Sent from my iPhone


On 22 Dec 2021, at 15:35, Dungan, Scott A. via FreeIPA-users 
<freeipa-users@lists.fedorahosted.org> wrote:

Prior to running yum update on one of our IPA servers running RHEL8 version 
4.9.6-6, ipa-healthcheck showed no errors. After running the update to 
4.9.6-10, healthcheck threw “non-2xx response from CA REST API: 403” errors:

[root@ipa1 ~]# ipa-healthcheck --failures-only
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403.  (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403.  (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403.  (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403.  (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403.  (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403.  (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403.  (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403.  (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403.  (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403.  (403)
[
  {
    "source": "ipahealthcheck.dogtag.ca",
    "check": "DogtagCertsConnectivityCheck",
    "result": "ERROR",
    "uuid": "0fcf1f94-16d3-4f33-aabc-446403a8190f",
    "when": "20211222175722Z",
    "duration": "0.715360",
    "kw": {
      "msg": "Request for certificate failed, Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403.  (403)"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "969b76e2-bda7-4d47-a76b-fa48b59e469f",
    "when": "20211222175735Z",
    "duration": "1.208329",
    "kw": {
      "key": "20210406003327",
      "serial": 7,
      "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403.  (403)",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "696f34d9-e965-4d23-8a60-192811cedd51",
    "when": "20211222175735Z",
    "duration": "1.479161",
    "kw": {
      "key": "20210406003320",
      "serial": 5,
      "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403.  (403)",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "bd716c75-de8b-4893-9e6e-f474dcf898a6",
    "when": "20211222175735Z",
    "duration": "1.747070",
    "kw": {
      "key": "20210406003321",
      "serial": 2,
      "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403.  (403)",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "59815cd0-e48c-47bf-965f-c089bcf0f2dd",
    "when": "20211222175736Z",
    "duration": "2.021750",
    "kw": {
      "key": "20210406003322",
      "serial": 4,
      "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403.  (403)",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "ea34c649-7823-4c35-b54d-7b3aaf8677c8",
    "when": "20211222175736Z",
    "duration": "2.291332",
    "kw": {
      "key": "20210406003323",
      "serial": 1,
      "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403.  (403)",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "8ed4da7b-dec9-4dc5-ad05-ac7064181481",
    "when": "20211222175736Z",
    "duration": "2.567577",
    "kw": {
      "key": "20210406003326",
      "serial": 3,
      "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403.  (403)",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "faf9b70b-333e-4e08-a211-bd887c346d13",
    "when": "20211222175736Z",
    "duration": "2.723022",
    "kw": {
      "key": "20211130180109",
      "serial": 20,
      "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403.  (403)",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "6f4097a7-c62a-4771-9019-90c3fa8d0e80",
    "when": "20211222175737Z",
    "duration": "2.985982",
    "kw": {
      "key": "20210406003328",
      "serial": 8,
      "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403.  (403)",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "1e7bfdc0-6dbf-4d0c-a102-86b312c8181e",
    "when": "20211222175737Z",
    "duration": "3.136052",
    "kw": {
      "key": "20201110192416",
      "serial": 10,
      "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403.  (403)",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  }
]

Logging into web ui works, but when clicking through to the Authentication tab, 
the following error pops:

IPA Error 4301: CertificateOperationError
Certificate operation cannot be completed: Unable to communicate with CMS (403)

About three weeks ago, we had replication issues with this particular server 
but resolved them with Rob’s help.  See the thread here: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/message/NXOVGLHLZWU7GQJTPNLSWYYNLHZVF6UT/

Any help would be appreciated. Thanks,

Scott

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure




--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
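As an added example (not from the thread and not FreeIPA's or Dogtag's own code), a Python check for the condition this thread diagnosed: the secret and requiredSecret on the Tomcat AJP Connector in server.xml must both equal the secret= that httpd presents on its ProxyPassMatch lines, and any stray whitespace in the value also breaks the match. The two sample files are constructed, and the assumed ProxyPassMatch layout (`ProxyPassMatch ajp://localhost:8009 secret=<value>`) is an assumption about ipa-pki-proxy.conf, not taken from the thread.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample files (not the poster's real configs). requiredSecret
# here carries a different value, the state that produced the 403 errors.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="localhost4" name="Connector1"
               secret="123456789abcdefghijklmnopqrstuvwxyz"
               requiredSecret="zyxwvutsrqponmlkjihgfedcba987654321"/>
  </Service>
</Server>"""

# Assumed shape of the ProxyPassMatch lines in ipa-pki-proxy.conf (an
# assumption, not copied from the thread).
PROXY_CONF = """<LocationMatch "^/ca/rest/">
    ProxyPassMatch ajp://localhost:8009 secret=123456789abcdefghijklmnopqrstuvwxyz
    ProxyPassReverse ajp://localhost:8009
</LocationMatch>"""

def tomcat_ajp_secrets(server_xml):
    """Return {attr: value} for secret/requiredSecret on AJP Connectors."""
    found = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("protocol", "").startswith("AJP"):
            for attr in ("secret", "requiredSecret"):
                if attr in conn.attrib:
                    found[attr] = conn.attrib[attr]  # whitespace kept verbatim
    return found

def httpd_ajp_secrets(proxy_conf):
    """Return the set of secret= values used on ProxyPassMatch lines."""
    return set(re.findall(r"ProxyPassMatch\s.*?\bsecret=(\S+)", proxy_conf))

def check_ajp_secrets(server_xml, proxy_conf):
    """Return a list of problems; an empty list means both sides agree."""
    problems = []
    tomcat = tomcat_ajp_secrets(server_xml)
    httpd = httpd_ajp_secrets(proxy_conf)
    if not tomcat:
        problems.append("no AJP Connector with a secret in server.xml")
    if len(httpd) != 1:
        problems.append(f"expected one httpd secret, found {len(httpd)}")
    for attr, value in tomcat.items():
        if value != value.strip():
            problems.append(f"{attr} has leading/trailing whitespace")
        if value not in httpd:
            problems.append(f"{attr} in server.xml does not match httpd ProxyPassMatch")
    return problems
```

Run it against the real files after an upgrade (before and after restarting IPA services) and treat any non-empty result as the cause of a CA REST API 403 to investigate.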