Tomasz Torcz via FreeIPA-users wrote:
On Mon, Oct 25, 2021 at 10:09:56AM -0500, Endi Dewata via
FreeIPA-users wrote:
> On Mon, Oct 25, 2021 at 7:42 AM Rob Crittenden via FreeIPA-users <
> freeipa-users(a)lists.fedorahosted.org> wrote:
>
>> Tomasz Torcz via FreeIPA-users wrote:
>>>> ACME also has a realm configuration:
>>>>
>>>> https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Confi...
>>>>
>>>> https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Confi...
>>>>
>>>> so there could be an issue there.
>>>
>
> But IIRC in IPA case it's configured to reuse the internaldb connection
> defined in CS.cfg so these params don't need to be specified again.
> Is there a working IPA instance with ACME that can be compared
> against?
So I did a clean install of Fedora 34 and FreeIPA. The clean install works
as expected. I did a comparison between the fresh install and mine;
there were discrepancies, which I mostly fixed, but it didn't change my
problem.
The failure looks like this in the logs (pki-tomcat/acme/debug-<data>.log):
2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: Finding user by cert:
2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: - base DN: ou=people,o=ipaca
2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: - filter: description=2;105;CN=Certificate Authority,O=PIPEBREAKER.PL;CN=IPA RA,O=PIPEBREAKER.PL
2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: User: uid=ipara,ou=people,o=ipaca
2021-11-03 18:43:08 [https-jsse-nio-8443-exec-12] FINE: Realm.authenticate() returned false
Yeah, I noticed this in your logs as well. I have no insight into what
PKI does to authenticate beyond the things you've already checked. We
know that this cert is ok because you can authenticate to the CA using
it in other ways. It would be nice if they logged some reason for the
failure to authenticate but I'm not sure how to get that.
rob
While on the _fresh install_ the correct log looks like:
2021-10-31 13:51:47 [https-jsse-nio-8443-exec-13] INFO: Authenticating user with client certificate
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Finding user by cert:
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - base DN: ou=people,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - filter: description=2;7;CN=Certificate Authority,O=IPADEV.PIPEBREAKER.PL;CN=IPA RA,O=IPADEV.PIPEBREAKER.PL
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: User: uid=ipara,ou=people,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Getting user roles:
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - base DN: ou=groups,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - filter: uniqueMember=uid=ipara,ou=people,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Roles:
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - cn=Certificate Manager Agents,ou=groups,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - cn=Registration Manager Agents,ou=groups,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - cn=Enterprise ACME Administrators,ou=groups,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Initializing ACMEApplication
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: Session: 3DBCD2FB21ADFDD04ADC518C97AA07B4
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: Principal: GenericPrincipal[ipara(Certificate Manager Agents,Enterprise ACME Administrators,Registration Manager Agents,)]
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: Principal: ipara
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: Roles:
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: - Certificate Manager Agents
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: - Enterprise ACME Administrators
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: - Registration Manager Agents
2021-10-31 13:51:48 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: LDAP: search ou=config,ou=acme,o=ipaca
2021-10-31 13:51:49 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: ACMERequestFilter: ACME service is disabled
Things I've observed on the fresh install, which I've implemented on my production
server (it changed nothing; provided here for documentation only):
# in /etc/pki/pki-tomcat/ca/CS.cfg:
- added lines:
features.authority.description=Lightweight CAs
features.authority.enabled=true
features.authority.version=1.0
- 36 profile.* lines were missing; I carefully added them, for example:
profile.AdminCert.class_id=caEnrollImpl
profile.AdminCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/AdminCert.cfg
- also copied a long line starting with profile.listprofile.list=
- /var/lib/pki/pki-tomcat/ca/profiles/ca on the prod server contained 74 files, while
the fresh install had over 90. I've copied the missing ones from
/usr/share/pki/ca/profiles/ca/
# in LDAP
- ipaca / groups / Certificate Manager Agents had an entry for pkidbuser; added on prod:
uniqueMember: uid=pkidbuser,ou=People,o=ipaca
- pkidbuser had 3 userCertificate: entries, two of them expired; removed those
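As an added example (not from this thread or from the PKI project), a small Python triage script for the ACME debug log compared above: per Tomcat thread it follows the realm's "Finding user by cert" flow and reports which user DN the client cert mapped to, which group roles the realm found, and whether the attempt ended in Realm.authenticate() returning false or reached the ACME login principal. The sample log is constructed from the two excerpts above with the mail client's line wrapping undone.

```python
import re

# Line format of pki-tomcat/acme/debug-*.log: "<date> <time> [<thread>] <level>: <message>"
LINE_RE = re.compile(r"^\S+ \S+ \[([^\]]+)\] \w+: (.*)$")

def parse_auth_attempts(lines):
    """Follow 'Finding user by cert' per Tomcat thread; result is "denied" if the realm
    logged Realm.authenticate() == false, "ok" if it reached the ACME login principal."""
    attempts, current, in_roles = [], {}, set()
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m: continue                      # not a log line (or a wrapped fragment)
        thread, msg = m.groups()
        if msg.startswith("Finding user by cert"):
            current[thread] = {"user_dn": "", "roles": [], "result": "incomplete"}
            attempts.append(current[thread])
            continue
        a = current.get(thread)
        if a is None: continue                  # thread never started a cert login
        if msg.startswith("User: "):
            a["user_dn"] = msg[6:]
        elif msg == "Roles:":                   # the "- cn=..." lines that follow are group DNs
            in_roles.add(thread)
            continue
        elif msg.startswith("- ") and thread in in_roles:
            a["roles"].append(msg[2:])
            continue
        elif msg == "Realm.authenticate() returned false":
            a["result"] = "denied"
        elif msg.startswith("ACMELoginService: Principal: GenericPrincipal"):
            a["result"] = "ok"
        in_roles.discard(thread)                # any other message ends the role list
    return attempts

# Constructed sample: the failing and the fresh-install excerpts from the thread,
# with the mail client's hard line wraps undone (a real log file is not wrapped).
SAMPLE_LOG = """\
2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: Finding user by cert:
2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: - base DN: ou=people,o=ipaca
2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: User: uid=ipara,ou=people,o=ipaca
2021-11-03 18:43:08 [https-jsse-nio-8443-exec-12] FINE: Realm.authenticate() returned false
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Finding user by cert:
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: User: uid=ipara,ou=people,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Getting user roles:
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - filter: uniqueMember=uid=ipara,ou=people,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Roles:
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - cn=Certificate Manager Agents,ou=groups,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - cn=Enterprise ACME Administrators,ou=groups,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Initializing ACMEApplication
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: Principal: GenericPrincipal[ipara(Certificate Manager Agents,Enterprise ACME Administrators,)]
"""
```

Run it on the real debug log with `parse_auth_attempts(open(path))`; an attempt that maps to a user DN but ends "denied" with an empty role list is exactly the failing pattern in the thread, while the working install goes on to list the ou=groups,o=ipaca memberships.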