I have a CentOS 7 server running ipa-server-4.5.4, recently
installed. I find that operations related to the vault feature fail. For example:
> ipa -v vault-add test --type=standard
ipa: INFO: trying https://ipa-01.example.com/ipa/session/json
ipa: INFO: [try 1]: Forwarding 'vault_add_internal/1' to json server 'https://ipa-01.example.com/ipa/session/json'
ipa: INFO: [try 1]: Forwarding 'vault_show/1' to json server 'https://ipa-01.example.com/ipa/session/json'
ipa: INFO: [try 1]: Forwarding 'vaultconfig_show/1' to json server 'https://ipa-01.example.com/ipa/session/json'
ipa: INFO: [try 1]: Forwarding 'vault_archive_internal/1' to json server 'https://ipa-01.example.com/ipa/session/json'
ipa: ERROR: an internal error has occurred
In /var/log/pki/pki-tomcat/kra/system I see the following message:
0.ajp-bio-127.0.0.1-8009-exec-15 - [02/Nov/2018:14:54:37 GMT] [6] [3] Cannot authenticate agent with certificate Serial 0x7 Subject DN CN=IPA RA,O=IPA.EXAMPLE.COM. Error: User not found
In /var/log/pki/pki-tomcat/kra/debug I see the following messages:
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: SessionContextInterceptor: SystemCertResource.getTransportCert()
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: SessionContextInterceptor: Not authenticated.
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: SystemCertResource.getTransportCert()
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: mapping: default
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: required auth methods: [*]
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: anonymous access allowed
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: ACLInterceptor: SystemCertResource.getTransportCert()
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: ACLInterceptor.filter: no authorization required
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: ACLInterceptor: No ACL mapping; authz not required.
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: SignedAuditLogger: event AUTHZ
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: SystemCertResource.getTransportCert()
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: content-type: application/json
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: accept: [application/json]
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: request format: application/json
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: response format: application/json
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: PKIRealm: Authenticating certificate chain:
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: PKIRealm.getAuditUserfromCert: certUID=CN=IPA RA,O=IPA.EXAMPLE.COM
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: PKIRealm: CN=IPA RA,O=IPA.EXAMPLE.COM
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuth: started
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuth: Retrieving client certificate
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuth: Got client certificate
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: Authentication: client certificate found
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: In LdapBoundConnFactory::getConn()
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: masterConn is connected: true
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: getConn: conn is connected true
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: getConn: mNumConns now 2
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: returnConn: mNumConns now 3
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuthentication: cannot map certificate to any userUser not found
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: SignedAuditLogger: event AUTH
Any suggestions? Has something gone wrong with the setup?
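As an added example (not the poster's code or part of FreeIPA/Dogtag), the following script pulls the "Cannot authenticate agent" events out of the KRA system log shown above and ties each one to the debug-log messages of the Tomcat thread that produced it, so the failing agent certificate (serial, subject DN) and the exact authentication step that failed can be spotted without reading the whole debug log. The sample lines are constructed in the shape of the poster's excerpts; the log formats are assumed to match what is shown in the post.

```python
import re

# Constructed sample lines, in the shape of the poster's
# /var/log/pki/pki-tomcat/kra/system and kra/debug excerpts.
SYSTEM_LOG = """\
0.ajp-bio-127.0.0.1-8009-exec-15 - [02/Nov/2018:14:54:37 GMT] [6] [3] Cannot authenticate agent with certificate Serial 0x7 Subject DN CN=IPA RA,O=IPA.EXAMPLE.COM. Error: User not found
"""
DEBUG_LOG = """\
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: PKIRealm: Authenticating certificate chain:
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuth: started
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuthentication: cannot map certificate to any userUser not found
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: anonymous access allowed
"""

# system log: "<n>.<thread> - [<ts>] [<lvl>] [<cat>] Cannot authenticate agent ... Error: <msg>"
SYSTEM_RE = re.compile(
    r"^\S*(?P<thread>ajp-bio-[\d.]+-\d+-exec-\d+) - \[(?P<ts>[^\]]+)\] .*?"
    r"Cannot authenticate agent with certificate Serial (?P<serial>0x[0-9a-fA-F]+) "
    r"Subject DN (?P<subject>.+?)\. Error: (?P<error>.+)$"
)
# debug log: "[<ts>][<thread>]: <message>"
DEBUG_RE = re.compile(r"^\[(?P<ts>[^\]]+)\]\[(?P<thread>[^\]]+)\]: (?P<msg>.*)$")

def agent_auth_failures(system_log):
    """One dict (thread, ts, serial, subject, error) per failed agent auth in the system log."""
    return [m.groupdict() for m in map(SYSTEM_RE.search, system_log.splitlines()) if m]

def debug_trail(debug_log, thread):
    """Debug-log messages written by the given Tomcat thread, in log order."""
    trail = []
    for line in debug_log.splitlines():
        m = DEBUG_RE.match(line)
        if m and m.group("thread") == thread:
            trail.append(m.group("msg"))
    return trail

def correlate(system_log, debug_log):
    """Attach to each auth failure the debug messages of the thread that produced it."""
    report = []
    for failure in agent_auth_failures(system_log):
        failure["trail"] = debug_trail(debug_log, failure["thread"])
        report.append(failure)
    return report

if __name__ == "__main__":
    for f in correlate(SYSTEM_LOG, DEBUG_LOG):
        print(f"{f['ts']} {f['thread']} serial={f['serial']} subject={f['subject']}: {f['error']}")
        for msg in f["trail"]:
            print("    ", msg)
```

Run it against the real files by reading /var/log/pki/pki-tomcat/kra/system and kra/debug into the two strings; the trail for the failing thread ends at the CertUserDBAuthentication message, which is the step where the certificate-to-user mapping is looked up.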