On Wed, Oct 20, 2021 at 08:40:30PM -0500, Endi Dewata via FreeIPA-users wrote:
> Hi,
> I think error 401 means that the client cert could not be mapped
> to the user in DS.
> Could you check the uid=ipara,ou=people,o=ipaca to make sure
> that the userCertificate and the description attributes contain the
> right certificate?
That was the first thing I checked. userCertificate:: (after base64
decoding) is the same as /var/lib/ipa/ra-agent.pem - the same
description, fingerprint, etc. openssl x509 -serial returns "69" for
both, and LDAP contains:
description: 2;105;CN=Certificate Authority,O=PIPEBREAKER.PL;CN=IPA RA,O=PIPEBREAKER.PL
105 (dec) == 69 (hex), so this is correct, too.
> You can also try setting the log level to INFO or FINE to see the
> authentication process on the server side:
> https://github.com/dogtagpki/pki/wiki/Configuring-Server-Logging
This is something! There are new lines between starting certificate
authentication and returning failure. First I thought there were libraries
missing, but in the end they all finish with "Loading class from parent":
FINE: Calling authenticate()
INFO: PKIAuthenticator: Authenticate with client certificate authentication
INFO: Authenticating certificate chain:
INFO: - CN=IPA RA,O=PIPEBREAKER.PL
INFO: - CN=Certificate Authority,O=PIPEBREAKER.PL
FINE: loadClass(org.mozilla.jss.netscape.security.util.Cert, false)
FINE: Searching local repositories
FINE: findClass(org.mozilla.jss.netscape.security.util.Cert)
FINE: --> Returning ClassNotFoundException
FINE: Delegating to parent classloader at end: java.net.URLClassLoader@5fcfe4b2
FINE: Loading class from parent
FINE: loadClass(netscape.ldap.LDAPSearchResults, false)
FINE: Searching local repositories
FINE: findClass(netscape.ldap.LDAPSearchResults)
FINE: --> Returning ClassNotFoundException
FINE: Delegating to parent classloader at end: java.net.URLClassLoader@5fcfe4b2
FINE: Loading class from parent
FINE: loadClass(netscape.ldap.LDAPEntry, false)
FINE: Searching local repositories
FINE: findClass(netscape.ldap.LDAPEntry)
FINE: --> Returning ClassNotFoundException
FINE: Delegating to parent classloader at end: java.net.URLClassLoader@5fcfe4b2
FINE: Loading class from parent
FINE: loadClass(com.netscape.cmscore.usrgrp.User, false)
FINE: Searching local repositories
FINE: findClass(com.netscape.cmscore.usrgrp.User)
FINE: Loading class from local repository
FINE: loadClass(netscape.ldap.LDAPAttribute, false)
FINE: Searching local repositories
FINE: findClass(netscape.ldap.LDAPAttribute)
FINE: --> Returning ClassNotFoundException
FINE: Delegating to parent classloader at end: java.net.URLClassLoader@5fcfe4b2
FINE: Loading class from parent
INFO: PKIAuthenticator: Result: false
FINE: Failed authenticate() test
A second invocation of "pki-acme-manage status" does not generate those class
messages:
FINE: Calling hasUserDataPermission()
FINE: User data constraint already satisfied
FINE: Calling authenticate()
INFO: PKIAuthenticator: Authenticate with client certificate authentication
INFO: Authenticating certificate chain:
INFO: - CN=IPA RA,O=PIPEBREAKER.PL
INFO: - CN=Certificate Authority,O=PIPEBREAKER.PL
INFO: PKIAuthenticator: Result: false
FINE: Failed authenticate() test
FINE: JSSEngine: wrap(ssl_fd=org.mozilla.jss.nss.SSLFDProxy[1522605810@00079ea974550000])
--
Tomasz Torcz Once you've read the dictionary,
@ttorcz:pipebreaker.pl every other book is just a remix.
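The check Endi asked for, and the decimal-versus-hex serial comparison Tomasz did by hand, as an added Python example that is not part of the thread and not FreeIPA or Dogtag code. It parses the Dogtag agent user's `description` value (`<version>;<serial in decimal>;<issuer DN>;<subject DN>`), the `serial=69` line that `openssl x509 -serial -noout` prints in hexadecimal, and the serialNumber field of the DER certificate stored in `userCertificate`, then reports any disagreement. The description and openssl values are the ones quoted above; the certificate is a constructed DER stub that carries only the version and serialNumber fields, so the DER walker can be exercised offline (on a real system you would feed it the base64-decoded `userCertificate` value).

```python
"""Consistency check for the Dogtag RA agent user entry (added example).

Compares three sources of the agent certificate's serial number:
  - the description attribute  (serial in DECIMAL, e.g. 105)
  - `openssl x509 -serial -noout` output (serial in HEX, e.g. 69)
  - the serialNumber INTEGER inside the userCertificate DER
"""
import base64
import re


def parse_description(desc):
    """Split a Dogtag user description value into its four fields."""
    parts = desc.split(";", 3)
    if len(parts) != 4:
        raise ValueError("expected '<version>;<serial>;<issuer>;<subject>', got %r" % desc)
    version, serial, issuer, subject = parts
    return {
        "version": int(version),
        "serial": int(serial),   # decimal in the description attribute
        "issuer": issuer,
        "subject": subject,
    }


def parse_openssl_serial(line):
    """Parse the 'serial=69' line printed by `openssl x509 -serial -noout` (hex)."""
    m = re.fullmatch(r"serial=([0-9A-Fa-f]+)", line.strip())
    if not m:
        raise ValueError("unexpected openssl output: %r" % line)
    return int(m.group(1), 16)


def _tlv(data, pos):
    """Read one DER tag/length header; return (tag, content_start, content_length)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: next N bytes hold it
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, length


def serial_from_der(der):
    """Extract serialNumber from an X.509 DER certificate.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE { [0] version OPTIONAL,
    serialNumber INTEGER, ... }, ... }   -- only the leading fields are walked.
    """
    tag, pos, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (Certificate)")
    tag, pos, _ = _tlv(der, pos)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (tbsCertificate)")
    tag, start, length = _tlv(der, pos)
    if tag == 0xA0:                        # [0] EXPLICIT version present: skip it
        tag, start, length = _tlv(der, start + length)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(der[start:start + length], "big", signed=True)


def check_ra_agent(description, openssl_serial_line, user_cert_b64):
    """Return a list of mismatches; empty when all three serials agree."""
    d = parse_description(description)
    openssl_serial = parse_openssl_serial(openssl_serial_line)
    ldap_serial = serial_from_der(base64.b64decode(user_cert_b64))
    problems = []
    if d["serial"] != openssl_serial:
        problems.append("description serial %d != openssl serial %d (0x%x)"
                        % (d["serial"], openssl_serial, openssl_serial))
    if d["serial"] != ldap_serial:
        problems.append("description serial %d != userCertificate serial %d"
                        % (d["serial"], ldap_serial))
    return problems


# Sample inputs: description and openssl line as quoted in the thread; the
# certificate is a CONSTRUCTED DER stub holding only version and serialNumber
# (a real userCertificate value continues with signature, issuer, validity, ...).
DESCRIPTION = "2;105;CN=Certificate Authority,O=PIPEBREAKER.PL;CN=IPA RA,O=PIPEBREAKER.PL"
OPENSSL_LINE = "serial=69"
CERT_STUB_DER = bytes.fromhex("300a3008a003020102020169")
CERT_STUB_B64 = base64.b64encode(CERT_STUB_DER).decode()

if __name__ == "__main__":
    for line in check_ra_agent(DESCRIPTION, OPENSSL_LINE, CERT_STUB_B64) or ["serials agree"]:
        print(line)
```

The common mistake this catches is writing the hexadecimal serial from openssl into the description attribute: a description of `2;69;...` for this certificate would be rejected by both comparisons, even though the certificate bytes themselves are correct.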