On Mon, Oct 25, 2021 at 7:42 AM Rob Crittenden via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
> Tomasz Torcz via FreeIPA-users wrote:
> >> ACME also has a realm configuration:
> >> https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Confi...
> >> https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Confi...
> >> so there could be an issue there.
> >
> > This looks to be configured, but I found a possible discrepancy in "password":
> >
> > $ cat /etc/pki/pki-tomcat/acme/realm.conf
> > # VERSION 2 - DO NOT REMOVE THIS LINE
> > authType=BasicAuth
> > class=org.dogtagpki.acme.realm.DSRealm
> > groupsDN=ou=groups,o=ipaca
> > usersDN=ou=people,o=ipaca
> > url=ldaps://kaitain.pipebreaker.pl:636
> > configFile=/etc/pki/pki-tomcat/ca/CS.cfg
> > username=acme-kaitain.pipebreaker.pl
> > password=<40-character long text string>
> >
> > While the userPassword:: field of uid=acme-kaitain.pipebreaker.pl,ou=people,o=ipaca
> > contains a very long base64 string, which decodes to a 447-character string starting
> > with {PBKDF2_SHA256}. How to make sure it corresponds to the same
> > value?
> >
>
> This is the password for the username in the file. It is basically
> unused by IPA as IPA uses client auth with the RA agent certificate.
>
> rob
>
Looks like the realm is configured with BasicAuth, so it should be
using bindDN and bindPassword params as described here:
https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Confi...
If you want to use SslClientAuth, I think you would need to
specify the nickname param:
https://github.com/dogtagpki/pki/blob/master/base/acme/src/main/java/org/...
https://github.com/dogtagpki/pki/blob/master/base/server/src/main/java/co...
https://github.com/dogtagpki/pki/wiki/Configuring-Client-Certificate-Auth...
But IIRC in IPA case it's configured to reuse the internaldb connection
defined in CS.cfg so these params don't need to be specified again.
Is there a working IPA instance with ACME that can be compared
against?
Yeah, the realm config has a configFile param, so it will ignore the
other params above, and use the params from CS.cfg instead:
--
Endi S. Dewata
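The question in the quoted message (does the cleartext `password=` in realm.conf correspond to the `{PBKDF2_SHA256}` value stored in `userPassword`?) can be answered without ever printing either secret. The following is an added example, not code from this thread nor from the pki, 389-ds or FreeIPA projects. It assumes the 389-ds `{PBKDF2_SHA256}` layout: base64 of a 4-byte big-endian iteration count, a 64-byte salt and a 256-byte PBKDF2-HMAC-SHA256 derived key, which is consistent with the 447-character decoded value quoted above (15-byte scheme tag plus 432 base64 characters for 324 bytes). The realm.conf text, the LDIF line, the salt and the password below are constructed sample values, and the iteration count is kept low so the example runs quickly.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed on-disk layout of a 389-ds {PBKDF2_SHA256} userPassword value:
# base64( iterations[4, big-endian] || salt[64] || PBKDF2-HMAC-SHA256 dk[256] )
SCHEME = "{PBKDF2_SHA256}"
ITER_LEN = 4
SALT_LEN = 64
HASH_LEN = 256
TOTAL_LEN = ITER_LEN + SALT_LEN + HASH_LEN  # 324 bytes -> 432 base64 chars


def pbkdf2_sha256_encode(password: str, iterations: int = 10000,
                         salt: Optional[bytes] = None) -> str:
    """Build a userPassword value in the assumed {PBKDF2_SHA256} layout."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be %d bytes" % SALT_LEN)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             salt, iterations, dklen=HASH_LEN)
    blob = iterations.to_bytes(ITER_LEN, "big") + salt + dk
    return SCHEME + base64.b64encode(blob).decode("ascii")


def pbkdf2_sha256_verify(password: str, stored: str) -> bool:
    """True if `password` matches a {PBKDF2_SHA256} userPassword value.

    Recomputes the derived key with the stored salt/iterations and compares
    in constant time; the cleartext is never logged or returned.
    """
    if not stored.startswith(SCHEME):
        raise ValueError("not a %s value" % SCHEME)
    blob = base64.b64decode(stored[len(SCHEME):], validate=True)
    if len(blob) != TOTAL_LEN:
        raise ValueError("unexpected payload length %d (expected %d)"
                         % (len(blob), TOTAL_LEN))
    iterations = int.from_bytes(blob[:ITER_LEN], "big")
    salt = blob[ITER_LEN:ITER_LEN + SALT_LEN]
    expected = blob[ITER_LEN + SALT_LEN:]
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=HASH_LEN)
    return hmac.compare_digest(actual, expected)


def ldif_userpassword(line: str) -> str:
    """Decode an LDIF `userPassword:: <base64>` line to the raw attribute value.

    The double colon means the whole value is base64-encoded in LDIF output,
    which is why the quoted value only shows {PBKDF2_SHA256} after decoding.
    """
    prefix = "userPassword::"
    if not line.startswith(prefix):
        raise ValueError("not a base64 userPassword LDIF line")
    return base64.b64decode(line[len(prefix):].strip()).decode("ascii")


def parse_realm_conf(text: str) -> dict:
    """Parse key=value lines of acme/realm.conf; comments and blanks are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def realm_password_matches(realm_conf_text: str, ldap_userpassword: str) -> bool:
    """Check realm.conf `password` against the realm user's userPassword value."""
    conf = parse_realm_conf(realm_conf_text)
    return pbkdf2_sha256_verify(conf["password"], ldap_userpassword)


# --- constructed sample data (not real credentials) ---
SAMPLE_REALM_CONF = """# VERSION 2 - DO NOT REMOVE THIS LINE
authType=BasicAuth
class=org.dogtagpki.acme.realm.DSRealm
usersDN=ou=people,o=ipaca
username=acme-example.test
password=constructed-example-password
"""
_SAMPLE_SALT = bytes(range(SALT_LEN))  # fixed so the sample is deterministic
SAMPLE_USERPASSWORD = pbkdf2_sha256_encode("constructed-example-password",
                                           iterations=10000, salt=_SAMPLE_SALT)
SAMPLE_LDIF_LINE = "userPassword:: " + base64.b64encode(
    SAMPLE_USERPASSWORD.encode("ascii")).decode("ascii")

if __name__ == "__main__":
    value = ldif_userpassword(SAMPLE_LDIF_LINE)
    print("decoded length:", len(value))  # 447 for this layout
    print("realm.conf password matches:", realm_password_matches(SAMPLE_REALM_CONF, value))
```

In a real comparison you would read `/etc/pki/pki-tomcat/acme/realm.conf` and the `userPassword::` line from an `ldapsearch` of the realm user, and only report the boolean. As Rob and Endi note, with `configFile=/etc/pki/pki-tomcat/ca/CS.cfg` present the realm reuses the internaldb connection and this password is not what authenticates the ACME realm, so a mismatch here explains a stale value rather than a failing bind.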