On Mon, Oct 25, 2021 at 10:09:56AM -0500, Endi Dewata via FreeIPA-users wrote:
On Mon, Oct 25, 2021 at 7:42 AM Rob Crittenden via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> wrote:
> Tomasz Torcz via FreeIPA-users wrote:
> >> ACME also has a realm configuration:
> >>
> https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Confi...
> >>
> https://github.com/dogtagpki/pki/blob/master/docs/installation/acme/Confi...
> >> so there could be an issue there.
> >
But IIRC in IPA case it's configured to reuse the internaldb connection
defined in CS.cfg so these params don't need to be specified again.
Is there a working IPA instance with ACME that can be compared
against?
So I did a clean install of Fedora 34 and FreeIPA. The clean install works
as expected. I did a comparison between the fresh install and mine;
there were discrepancies, which I mostly fixed, but it didn't change my
problem.
The failure looks like this in the logs (pki-tomcat/acme/debug-<date>.log):
2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: Finding user by cert:
2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: - base DN: ou=people,o=ipaca
2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: - filter: description=2;105;CN=Certificate Authority,O=PIPEBREAKER.PL;CN=IPA RA,O=PIPEBREAKER.PL
2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: User: uid=ipara,ou=people,o=ipaca
2021-11-03 18:43:08 [https-jsse-nio-8443-exec-12] FINE: Realm.authenticate() returned false
While on a _fresh install_ the correct log looks like this:
2021-10-31 13:51:47 [https-jsse-nio-8443-exec-13] INFO: Authenticating user with client certificate
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Finding user by cert:
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - base DN: ou=people,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - filter: description=2;7;CN=Certificate Authority,O=IPADEV.PIPEBREAKER.PL;CN=IPA RA,O=IPADEV.PIPEBREAKER.PL
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: User: uid=ipara,ou=people,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Getting user roles:
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - base DN: ou=groups,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - filter: uniqueMember=uid=ipara,ou=people,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Roles:
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - cn=Certificate Manager Agents,ou=groups,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - cn=Registration Manager Agents,ou=groups,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: - cn=Enterprise ACME Administrators,ou=groups,o=ipaca
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: Initializing ACMEApplication
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: Session: 3DBCD2FB21ADFDD04ADC518C97AA07B4
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: Principal: GenericPrincipal[ipara(Certificate Manager Agents,Enterprise ACME Administrators,Registration Manager Agents,)]
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: Principal: ipara
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: Roles:
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: - Certificate Manager Agents
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: - Enterprise ACME Administrators
2021-10-31 13:51:48 [https-jsse-nio-8443-exec-13] INFO: ACMELoginService: - Registration Manager Agents
2021-10-31 13:51:48 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: LDAP: search ou=config,ou=acme,o=ipaca
2021-10-31 13:51:49 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: ACMERequestFilter: ACME service is disabled
Things I've observed on the fresh install, which I've implemented on my production
(it changed nothing; provided here for documentation only):
# in /etc/pki/pki-tomcat/ca/CS.cfg:
- added lines:
features.authority.description=Lightweight CAs
features.authority.enabled=true
features.authority.version=1.0
- 36 profile.* lines were missing; I carefully added them, for example:
profile.AdminCert.class_id=caEnrollImpl
profile.AdminCert.config=/var/lib/pki/pki-tomcat/ca/profiles/ca/AdminCert.cfg
- also copied a long line starting with profile.listprofile.list=
- /var/lib/pki/pki-tomcat/ca/profiles/ca on the prod server contained 74 files, while
the fresh install had over 90. I've copied the missing ones from
/usr/share/pki/ca/profiles/ca/
# in LDAP
- ipaca / groups / Certificate Manager Agents had an entry for pkidbuser; added it on prod:
uniqueMember: uid=pkidbuser,ou=People,o=ipaca
- pkidbuser had 3 userCertificate: entries, two of which were expired; removed those
--
Tomasz Torcz 72->| 80->|
tomek(a)pipebreaker.pl 72->| 80->|
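To compare the two traces mechanically, here is an added example (mine, not code from this thread or from the Dogtag/FreeIPA projects) that parses the ACME debug log format quoted above, pulls the serial, issuer and subject out of the cert-to-user mapping filter, and reports at which stage client-certificate authentication stopped for each request thread. It assumes the line layout seen in the quoted logs and that every `- cn=` message is a group DN listed under `Roles:`.

```python
import re

# One pki-tomcat ACME debug line: "<date> <time> [<thread>] <LEVEL>: <message>"
LINE_RE = re.compile(r"^\S+ \S+ \[([^\]]+)\] \w+: (.*)$")
# The cert-to-user mapping filter: description=<version>;<serial>;<issuerDN>;<subjectDN>
FILTER_RE = re.compile(r"^- filter: description=(\d+);(\d+);([^;]+);(.+)$")

def new_trace():
    return {"serial": "", "issuer": "", "subject": "", "user_dn": "",
            "roles": [], "outcome": "unknown"}   # outcome: authenticated | denied

def parse_traces(lines):
    """Group lines by request thread and record how far client-cert auth got."""
    traces = {}
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        thread, msg = m.groups()
        t = traces.setdefault(thread, new_trace())
        f = FILTER_RE.match(msg)
        if f:
            _, t["serial"], t["issuer"], t["subject"] = f.groups()
        elif msg.startswith("User: "):
            t["user_dn"] = msg[len("User: "):]
        elif msg.startswith("- cn="):             # group DNs listed under "Roles:"
            t["roles"].append(msg[2:])
        elif "Realm.authenticate() returned false" in msg:
            t["outcome"] = "denied"
        elif msg.startswith("ACMELoginService: Principal:"):
            t["outcome"] = "authenticated"
    return traces

def diagnose(t):
    """Name the first stage that is missing compared with a working login."""
    if t["outcome"] == "authenticated":
        return "ok"
    if not t["user_dn"]:
        return "no user entry matched the cert mapping filter"
    if not t["roles"]:
        return "user found but no roles resolved before the realm returned false"
    return "roles resolved but login still denied"

# Constructed sample: the failing request quoted above, one log entry per line.
FAILING = [
    "2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: - filter: description=2;105;"
    "CN=Certificate Authority,O=PIPEBREAKER.PL;CN=IPA RA,O=PIPEBREAKER.PL",
    "2021-11-03 18:43:07 [https-jsse-nio-8443-exec-12] INFO: User: uid=ipara,ou=people,o=ipaca",
    "2021-11-03 18:43:08 [https-jsse-nio-8443-exec-12] FINE: Realm.authenticate() returned false",
]
```

For the fresh-install trace `diagnose` returns "ok"; for the failing one it points at the role lookup that never appears, which is exactly where the two logs diverge.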