Hi,

On Tue, Aug 9, 2022 at 11:13 AM Erling Andersen via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Hi,

We have a problem connecting with CA REST API (403).
Any ideas how to troubleshoot?


Setup: IPA 4.9.8 on CentOS Stream 8, two IPA CA servers
Only looking at the CA renewal master (ipa1.example.com)

# ipa cert-show 1
ipa: DEBUG: trying https://ipa1.example.com/ipa/session/json
ipa: ERROR: Certificate operation cannot be completed: Request failed with
status 403: Non-2xx response from CA REST API: 403.  (403)

# pki-healthcheck
Internal server error 403 Client Error: 403 for url: http://ipa1.example.com:80/ca/rest/securityDomain/domainInfo
[
  {
    "source": "pki.server.healthcheck.meta.csconfig",
    "check": "CADogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "58153e6c-98ed-4264-a622-e8f6e23d58ca",
    "when": "20220809080611Z",
    "duration": "0.164052",
    "kw": {
      "key": "ca_signing",
      "nickname": "caSigningCert cert-pki-ca",
      "directive": "ca.signing.cert",
      "configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg",
      "msg": "Certificate 'caSigningCert cert-pki-ca' does not match the value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
    }
  }
]

This error means that the certificate with nickname 'caSigningCert cert-pki-ca' in /etc/pki/pki-tomcat/alias is not consistent with the one stored in the directive ca.signing.cert=... in the file /var/lib/pki/pki-tomcat/ca/conf/CS.cfg.



LDAP and IPA RA appear to have identical certificates and serial number:

# ldapsearch -LLL -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca userCertificate description
dn: uid=ipara,ou=people,o=ipaca
userCertificate:: MIID...Ovix8
description: 2;1878982672;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM

# openssl x509 -text -in /var/lib/ipa/ra-agent.pem
        Serial Number: 1878982672 (0x6fff0010)
        Validity
            Not Before: Aug  8 10:02:19 2022 GMT
            Not After : Jul 28 10:02:19 2024 GMT
-----BEGIN CERTIFICATE-----
MIID...Ovix8
-----END CERTIFICATE-----

PKI appear to have identical certificates in LDAP and /etc/pki/pki-tomcat/alias:

# certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' |grep Serial
        Serial Number: 1878982665 (0x6fff0009)

# ldapsearch -LLL -D 'cn=directory manager' -W -b uid=pkidbuser,ou=people,o=ipaca userCertificate description seeAlso
dn: uid=pkidbuser,ou=people,o=ipaca
userCertificate:: MIID...eluPug==
description: 2;1878982665;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM
seeAlso: CN=CA Subsystem,O=EXAMPLE.COM

And, the certificate in CS.cfg appears to match the caSigningCert in LDAP:

/var/lib/pki/pki-tomcat/ca/conf/CS.cfg:
ca.signing.cert=MIID...yfc5a

# ldapsearch -LLL -D 'cn=directory manager' -W \
  -b 'cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com'
dn: cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com
userCertificate:: MIID...yfc5a

Additional details:

# ldapsearch -LLL -D 'cn=directory manager' -W -b ou=authorities,ou=ca,o=ipaca
dn: ou=authorities,ou=ca,o=ipaca
ou: authorities
objectClass: top
objectClass: organizationalUnit

dn: cn=58d7a049-ada3-4146-b39a-84aa1b6f4add,ou=authorities,ou=ca,o=ipaca
authoritySerial: 1878982673
description: Host authority
authorityDN: CN=Certificate Authority,O=EXAMPLE.COM
authorityEnabled: TRUE
authorityKeyNickname: caSigningCert cert-pki-ca
authorityID: 58d7a049-ada3-4146-b39a-84aa1b6f4add
cn: 58d7a049-ada3-4146-b39a-84aa1b6f4add
objectClass: authority
objectClass: top

# ldapsearch -LLL -D 'cn=directory manager' -W -b cn=ipa,cn=cas,cn=ca,dc=example,dc=com
dn: cn=ipa,cn=cas,cn=ca,dc=example,dc=com
cn: ipa
ipaCaId: 58d7a049-ada3-4146-b39a-84aa1b6f4add
ipaCaSubjectDN: CN=Certificate Authority,O=EXAMPLE.COM
objectClass: top
objectClass: ipaca
ipaCaIssuerDN: CN=Certificate Authority,O=EXAMPLE.COM
description: IPA CA

# certutil -L -d /etc/pki/pki-tomcat/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
EXAMPLE.COM IPA CA                                           CTu,Cu,Cu
EXAMPLE.COM IPA CA                                           CTu,Cu,Cu

Since there are multiple certs for IPA CA and caSigningCert cert-pki-ca, I assume that the CA has already been renewed a few times.
Is the most recent one consistent with the directive ca.signing.cert=... in the file /var/lib/pki/pki-tomcat/ca/conf/CS.cfg?

flo
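The two checks raised in this thread (does the NSS certificate under 'caSigningCert cert-pki-ca' match ca.signing.cert in CS.cfg, and when several certificates share that nickname, which one does the directive point at) can be done mechanically. The Python below is an added example, not FreeIPA or Dogtag code: it reads the directive out of CS.cfg text and compares its SHA-256 fingerprint with every PEM block printed by `certutil -L -d /etc/pki/pki-tomcat/alias -a -n 'caSigningCert cert-pki-ca'`; the sample data is constructed byte strings, not real certificates.

```python
import base64
import hashlib
import re
import textwrap

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def cs_cfg_signing_cert(cs_cfg_text):
    """Return the DER bytes encoded in the ca.signing.cert=... directive, or None."""
    for line in cs_cfg_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ca.signing.cert":
            return base64.b64decode(value.strip())
    return None

def pem_blocks_to_der(pem_text):
    """Parse `certutil -L -d <db> -a -n <nick>` output: one PEM block per cert under the nickname."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(pem_text)]

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def check_signing_cert(cs_cfg_text, certutil_pem_text):
    """Return (cfg_fingerprint, [(index, fingerprint, matches_cfg), ...])."""
    cfg_der = cs_cfg_signing_cert(cs_cfg_text)
    if cfg_der is None:
        raise ValueError("no ca.signing.cert directive found in CS.cfg")
    cfg_fp = fingerprint(cfg_der)
    return cfg_fp, [(i, fingerprint(der), fingerprint(der) == cfg_fp)
                    for i, der in enumerate(pem_blocks_to_der(certutil_pem_text))]

def matching_indexes(cs_cfg_text, certutil_pem_text):
    """Indexes (in certutil output order) of the certs that equal the CS.cfg value."""
    return [i for i, _, ok in check_signing_cert(cs_cfg_text, certutil_pem_text)[1] if ok]

# Constructed sample data (NOT real X.509): three byte strings stand in for the
# three DER certs that share the nickname after several CA renewals.
SAMPLE_DERS = [(b"constructed DER for renewal %d " % i) * 4 for i in range(3)]
SAMPLE_CERTUTIL_OUTPUT = "".join(
    "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
    % "\n".join(textwrap.wrap(base64.b64encode(d).decode(), 64)) for d in SAMPLE_DERS)
# Healthy: CS.cfg holds the third cert.  Stale: it holds a value found under
# no nickname at all, the kind of mismatch pki-healthcheck reports as ERROR.
SAMPLE_CS_CFG = "ca.signing.cert=%s\n" % base64.b64encode(SAMPLE_DERS[2]).decode()
SAMPLE_STALE_CS_CFG = "ca.signing.cert=%s\n" % base64.b64encode(b"no longer in the NSS db").decode()

if __name__ == "__main__":
    for name, cfg in (("current", SAMPLE_CS_CFG), ("stale", SAMPLE_STALE_CS_CFG)):
        cfg_fp, results = check_signing_cert(cfg, SAMPLE_CERTUTIL_OUTPUT)
        print(name, "CS.cfg sha256", cfg_fp[:16], "matches certs", [i for i, _, ok in results if ok])
```

On a real server, feed it the CS.cfg text and the certutil output; to confirm that a matching index is also the most recent certificate, run `openssl x509 -noout -dates` on that same PEM block.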

# certutil -L -d /etc/pki/pki-tomcat/alias -a -n 'EXAMPLE.COM IPA CA'
3 certificates

# certutil -L -d /etc/pki/pki-tomcat/alias -a -n 'caSigningCert cert-pki-ca'
3 certificates (identical with above 3 certificates)

# pki ca-cert-show 1878982672
  Serial Number: 0x6fff0010
  Subject DN: CN=IPA RA,O=EXAMPLE.COM
  Issuer DN: CN=Certificate Authority,O=EXAMPLE.COM
  Status: VALID
  Not Valid Before: Mon Aug 08 12:02:19 CEST 2022
  Not Valid After: Sun Jul 28 12:02:19 CEST 2024
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org