Hi,
I've encountered some authentication problems with my FreeIPA
installation, which I've traced to RA Agent certification auth problems.
I've done typical steps to verify certs in LDAP and hit a wall.
Please suggest further steps.
My setup is 2 masters on Fedora 34:
freeipa-server-4.9.6-2.fc34.x86_64
pki-base-10.10.6-1.fc34.noarch
Steps I've done:
First I noticed problems when enabling ACME:
$ ipa-acme-manage enable
Failed to authenticate to CA REST API
The ipa-acme-manage command failed.
This is caused by authentication failure (401 return code), which
I confirmed using curl:
$ curl -X POST
https://kaitain.pipebreaker.pl:8443/acme/enable --cert
/var/lib/ipa/ra-agent.pem --key /var/lib/ipa/ra-agent.key
<!doctype html><html lang="en"><head><title>HTTP Status
401 – Unauthorized</title><style type="text/css">body
{font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b
{color:white;background-color:#525D76;} h1 {font-size:22px;} h2
{font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line
{height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
Status 401 – Unauthorized</h1><hr class="line"
/><p><b>Type</b> Status
Report</p><p><b>Description</b> The request has not been applied
because
it lacks valid authentication credentials for the target resource.</p><hr
class="line" /><h3>Apache
Tomcat/9.0.52</h3></body></html>
Errors from catalina.out:
02-Oct-2021 16:29:39.618 INFO [https-jsse-nio-8443-exec-6]
com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke ExternalAuthenticationValve:
authType: null
02-Oct-2021 16:29:39.618 INFO [https-jsse-nio-8443-exec-6]
com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke ExternalAuthenticationValve:
principal: null
02-Oct-2021 16:29:39.620 INFO [https-jsse-nio-8443-exec-6]
com.netscape.cms.tomcat.AbstractPKIAuthenticator.doAuthenticate PKIAuthenticator:
Authenticate with client certificate authentication
02-Oct-2021 16:29:39.620 INFO [https-jsse-nio-8443-exec-6]
com.netscape.cms.tomcat.ProxyRealm.authenticate Authenticating certificate chain:
02-Oct-2021 16:29:39.621 INFO [https-jsse-nio-8443-exec-6]
com.netscape.cms.tomcat.ProxyRealm.authenticate - CN=IPA RA,O=PIPEBREAKER.PL
02-Oct-2021 16:29:39.621 INFO [https-jsse-nio-8443-exec-6]
com.netscape.cms.tomcat.ProxyRealm.authenticate - CN=Certificate
Authority,O=PIPEBREAKER.PL
02-Oct-2021 16:29:39.624 INFO [https-jsse-nio-8443-exec-6]
com.netscape.cms.tomcat.AbstractPKIAuthenticator.doAuthenticate PKIAuthenticator: Result:
false
I've made sure that /var/lib/ipa/ra-agent.pem is the same as in LDAP.
$ openssl x509 -in /var/lib/ipa/ra-agent.pem -noout -text | grep Serial
Serial Number: 105 (0x69)
$ ldapsearch -o ldif_wrap=no -D "cn=directory manager" -W -b o=ipaca
"(uid=ipara)"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <o=ipaca> with scope subtree
# filter: (uid=ipara)
# requesting: ALL
#
# ipara, people, ipaca
dn: uid=ipara,ou=people,o=ipaca
description: 2;105;CN=Certificate Authority,O=PIPEBREAKER.PL;CN=IPA RA,O=PIPEBREAKER.PL
userCertificate;binary:: <SNIPPED>
cn: ipara
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
usertype: agentType
sn: ipara
uid: ipara
userstate: 1
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Then SNIPPED portion is the same data as in /var/lib/ipa/ra-agent.pem.
This is the same certificate; serial number matches, too.
Certificate is NOT expired:
$ openssl x509 -in /var/lib/ipa/ra-agent.pem -noout -dates
notBefore=Jun 16 04:34:42 2021 GMT
notAfter=Jun 6 04:34:42 2023 GMT
What should I do next to resolve this authentication issue?
--
Tomasz Torcz Morality must always be based on practicality.
tomek(a)pipebreaker.pl — Baron Vladimir Harkonnen