I have a CentOS 7 server running ipa-server-4.5.4, recently installed. I find that operations related to the vault feature fail. For example:
ipa -v vault-add test --type=standard
ipa: INFO: trying https://ipa-01.example.com/ipa/session/json ipa: INFO: [try 1]: Forwarding 'vault_add_internal/1' to json server 'https://ipa-01.example.com/ipa/session/json' ipa: INFO: [try 1]: Forwarding 'vault_show/1' to json server 'https://ipa-01.example.com/ipa/session/json' ipa: INFO: [try 1]: Forwarding 'vaultconfig_show/1' to json server 'https://ipa-01.example.com/ipa/session/json' ipa: INFO: [try 1]: Forwarding 'vault_archive_internal/1' to json server 'https://ipa-01.example.com/ipa/session/json' ipa: ERROR: an internal error has occurred
In /var/log/pki/pki-tomcat/kra/system I see the following message:
0.ajp-bio-127.0.0.1-8009-exec-15 - [02/Nov/2018:14:54:37 GMT] [6] [3] Cannot authenticate agent with certificate Serial 0x7 Subject DN CN=IPA RA,O=IPA.EXAMPLE.COM. Error: User not found
In /var/log/pki/pki-tomcat/kra/debug is see the following messages:
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: SessionContextInterceptor: SystemCertResource.getTransportCert() [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: SessionContextInterceptor: Not authenticated. [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: SystemCertResource.getTransportCert() [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: mapping: default [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: required auth methods: [*] [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: anonymous access allowed [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: ACLInterceptor: SystemCertResource.getTransportCert() [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: ACLInterceptor.filter: no authorization required [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: ACLInterceptor: No ACL mapping; authz not required. [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: SignedAuditLogger: event AUTHZ [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: SystemCertResource.getTransportCert() [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: content-type: application/json [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: accept: [application/json] [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: request format: application/json [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: response format: application/json [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: PKIRealm: Authenticating certificate chain: [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: PKIRealm.getAuditUserfromCert: certUID=CN=IPA RA, O=IPA.EXAMPLE.COM [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: PKIRealm: CN=IPA RA, O=IPA.EXAMPLE.COM [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuth: started [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuth: Retrieving client certificate [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuth: Got client certificate [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: Authentication: client certificate found [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: In LdapBoundConnFactory::getConn() [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: masterConn is connected: true [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: getConn: conn is connected true [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: getConn: mNumConns now 2 [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: returnConn: mNumConns now 3 [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuthentication: cannot map certificate to any userUser not found [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: SignedAuditLogger: event AUTH
Any suggestions? Has something gone wrong with the setup?
Peter Oliver via FreeIPA-users wrote:
I have a CentOS 7 server running ipa-server-4.5.4, recently installed. I find that operations related to the vault feature fail. For example:
ipa -v vault-add test --type=standard
ipa: INFO: trying https://ipa-01.example.com/ipa/session/json ipa: INFO: [try 1]: Forwarding 'vault_add_internal/1' to json server 'https://ipa-01.example.com/ipa/session/json' ipa: INFO: [try 1]: Forwarding 'vault_show/1' to json server 'https://ipa-01.example.com/ipa/session/json' ipa: INFO: [try 1]: Forwarding 'vaultconfig_show/1' to json server 'https://ipa-01.example.com/ipa/session/json' ipa: INFO: [try 1]: Forwarding 'vault_archive_internal/1' to json server 'https://ipa-01.example.com/ipa/session/json' ipa: ERROR: an internal error has occurred
In /var/log/pki/pki-tomcat/kra/system I see the following message:
0.ajp-bio-127.0.0.1-8009-exec-15 - [02/Nov/2018:14:54:37 GMT] [6] [3] Cannot authenticate agent with certificate Serial 0x7 Subject DN CN=IPA RA,O=IPA.EXAMPLE.COM. Error: User not found
In /var/log/pki/pki-tomcat/kra/debug is see the following messages:
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: SessionContextInterceptor: SystemCertResource.getTransportCert() [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: SessionContextInterceptor: Not authenticated. [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: SystemCertResource.getTransportCert() [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: mapping: default [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: required auth methods: [*] [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: AuthMethodInterceptor: anonymous access allowed [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: ACLInterceptor: SystemCertResource.getTransportCert() [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: ACLInterceptor.filter: no authorization required [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: ACLInterceptor: No ACL mapping; authz not required. [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: SignedAuditLogger: event AUTHZ [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: SystemCertResource.getTransportCert() [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: content-type: application/json [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: accept: [application/json] [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: request format: application/json [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: MessageFormatInterceptor: response format: application/json [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: PKIRealm: Authenticating certificate chain: [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: PKIRealm.getAuditUserfromCert: certUID=CN=IPA RA, O=IPA.EXAMPLE.COM [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: PKIRealm: CN=IPA RA, O=IPA.EXAMPLE.COM [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuth: started [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuth: Retrieving client certificate [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuth: Got client certificate [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: Authentication: client certificate found [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: In LdapBoundConnFactory::getConn() [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: masterConn is connected: true [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: getConn: conn is connected true [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: getConn: mNumConns now 2 [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: returnConn: mNumConns now 3 [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuthentication: cannot map certificate to any userUser not found [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: SignedAuditLogger: event AUTH
Any suggestions? Has something gone wrong with the setup?
I'm not sure, cc'ing a dogtag developer.
rob
On Wed, Nov 07, 2018 at 01:05:24PM -0500, Rob Crittenden via FreeIPA-users wrote:
Peter Oliver via FreeIPA-users wrote:
[02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuthentication: cannot map certificate to any userUser not found [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: SignedAuditLogger: event AUTH
Any suggestions? Has something gone wrong with the setup?
I'm not sure, cc'ing a dogtag developer.
rob
Hi Peter,
Please check the LDAP entry 'uid=pkidbuser,ou=people,o=ipaca'. Do the 'userCertificate', 'description' and 'seeAlso' attributes match the IPA RA certificate (/var/lib/ipa/ra-agent.pem)?
If not, update the entry to match the certificate.
Note that the second field of the 'description' attribute is the serial number (decimal), and the first field is always '2'.
Cheers, Fraser
On Thu, 8 Nov 2018, 01:41 Fraser Tweedale <ftweedal@redhat.com wrote:
Please check the LDAP entry 'uid=pkidbuser,ou=people,o=ipaca'. Do the 'userCertificate', 'description' and 'seeAlso' attributes match the IPA RA certificate (/var/lib/ipa/ra-agent.pem)?
If not, update the entry to match the certificate.
Thanks. Entry uid=pkidbuser,ou=people,o=ipaca contained the certificate for "CN=CA Subsystem", not "CN=IPA RA" as was found in /var/lib/ipa/ra-agent.pem. However, changing it didn't change the errors I received when trying to use vault, and additionally caused pki-tomcatd to be unable to restart ("Error netscape.ldap.LDAPException: Authentication failed (49)"). It seems like it's more than this one thing that's out of place.
On Thu, Nov 08, 2018 at 11:39:41AM +0000, Peter Oliver wrote:
On Thu, 8 Nov 2018, 01:41 Fraser Tweedale <ftweedal@redhat.com wrote:
Please check the LDAP entry 'uid=pkidbuser,ou=people,o=ipaca'. Do the 'userCertificate', 'description' and 'seeAlso' attributes match the IPA RA certificate (/var/lib/ipa/ra-agent.pem)?
If not, update the entry to match the certificate.
Thanks. Entry uid=pkidbuser,ou=people,o=ipaca contained the certificate for "CN=CA Subsystem", not "CN=IPA RA" as was found in /var/lib/ipa/ra-agent.pem. However, changing it didn't change the errors I received when trying to use vault, and additionally caused pki-tomcatd to be unable to restart ("Error netscape.ldap.LDAPException: Authentication failed (49)"). It seems like it's more than this one thing that's out of place.
I'm sorry Peter, I told you the wrong user entry. I should have said uid=ipara, not uid=pkidbuser. I'm sorry for the mistake. Please restore the uid=pkidbuser entry to its previous state, and perform the steps I mentioned against the uid=ipara entry instead. (Note that the ipara entry doesn't have or need the 'seeAlso' attribute).
(I got confused because both of these entries need to be in sync with a certificate. The pkidbuser entry is used by Dogtag to authenticate to the LDAP database).
Thanks, Fraser
-- Peter Oliver
On Thu, 8 Nov 2018, 22:29 Fraser Tweedale <ftweedal@redhat.com wrote:
On Thu, 8 Nov 2018, 01:41 Fraser Tweedale <ftweedal@redhat.com wrote:
Please check the LDAP entry 'uid=pkidbuser,ou=people,o=ipaca'. Do the 'userCertificate', 'description' and 'seeAlso' attributes match the IPA RA certificate (/var/lib/ipa/ra-agent.pem)?
If not, update the entry to match the certificate.
I'm sorry Peter, I told you the wrong user entry. I should have said uid=ipara, not uid=pkidbuser.
I find that uid=ipara already has the expected description and certificate.
On Fri, Nov 09, 2018 at 01:43:37PM +0000, Peter Oliver via FreeIPA-users wrote:
On Thu, 8 Nov 2018, 22:29 Fraser Tweedale <ftweedal@redhat.com wrote:
On Thu, 8 Nov 2018, 01:41 Fraser Tweedale <ftweedal@redhat.com wrote:
Please check the LDAP entry 'uid=pkidbuser,ou=people,o=ipaca'. Do the 'userCertificate', 'description' and 'seeAlso' attributes match the IPA RA certificate (/var/lib/ipa/ra-agent.pem)?
If not, update the entry to match the certificate.
I'm sorry Peter, I told you the wrong user entry. I should have said uid=ipara, not uid=pkidbuser.
I find that uid=ipara already has the expected description and certificate.
OK, and you restored the uid=pkidbuser entry to its previous contents?
Please convey the whole uid=ipara object, and the /var/lib/ipa/ra-agent.pem certificate, for examination.
Thanks, Fraser
Hi Peter,
Did you manage to resolve this issue back then? Because I face exactly the same one, appreciate if you can give me some hints.
Thanks!
--- Regards, Dmitry Perets
freeipa-users@lists.fedorahosted.org