9:18 a.m.
Hello,
I've been searching for resolution on this issue for a while now, but it seems all of
the issues others have encountered were unrelated.
Host OS: CentOS 8.1.1911
All packages up to date.
This is a stock installation of freeipa, nothing tricky like replication or anything. The
system authenticates fine, however when I went to add a host to it, for whatever reason
the client got the hostname wrong, thus samba authentication wasn't working. I deleted
the install on the client, and went to re-install, and it began asking for a password for
the host. I never set one up to my knowledge. So, I went to delete the client host
completely from the server, and that is where I got the above error.
I've examined 'getcert list', no error. I confirmed that all firewalls are
(currently) off, and ports are open. I've examined all logs under /var/log/pki, and
there's no errors that I could find. As far as I can tell, tomcat is working just
fine, all certs are fine, but ipa is saying it cannot connect, getting a 403 forbidden
error. Any insights would be helpful.
10:59 a.m.
New subject: ipa host-del ERROR Unable to communicate with CMS (403)
On 2/25/20 4:18 PM, Chris Bacott via FreeIPA-users wrote:
Hello,
I've been searching for resolution on this issue for a while now, but it seems all of
the issues others have encountered were unrelated.
Host OS: CentOS 8.1.1911
All packages up to date.
This is a stock installation of freeipa, nothing tricky like replication or anything. The
system authenticates fine, however when I went to add a host to it, for whatever reason
the client got the hostname wrong, thus samba authentication wasn't working. I deleted
the install on the client, and went to re-install, and it began asking for a password for
the host. I never set one up to my knowledge. So, I went to delete the client host
completely from the server, and that is where I got the above error.
I've examined 'getcert list', no error. I confirmed that all firewalls are
(currently) off, and ports are open. I've examined all logs under /var/log/pki, and
there's no errors that I could find. As far as I can tell, tomcat is working just
fine, all certs are fine, but ipa is saying it cannot connect, getting a 403 forbidden
error. Any insights would be helpful.
Hi,
"ipa host-del" is internally checking if there are any certificates
associated to the host that is being deleted. In order to do this
internal check, it needs to connect to the PKI server. The connection is
authenticated using the RA cert stored in /var/lib/ipa/ra-agent.pem.
To check that this authentication is OK, you can run
$ kinit admin
$ ipa cert-show 1
If this command fails, you need to check that the content of the cert in
/var/lib/ipa/ra-agent.pem is consistent with the entry
uid=ipara,ou=people,o=ipaca:
$ ldapsearch -D cn=directory\ manager -w Secret123 -b
uid=ipara,ou=people,o=ipaca -LLL -o ldif-wrap=no
- the usercertificate attribute must contain the same certificate as the
ra-agent.pem, in a single line and without header/footer, for instance
userCertificate:: MIIDyD...
- the description attribute must have the following content:
description: 2;<serial>;<issuer>;<subject>
with serial issuer and subject identical to the values that could be
seen in ra-agent.pem with
$ openssl x509 -noout -text -in ra-agent.pem
If there is a mismatch, you need to fix the inconsistency. Find which
certificate is the most recent (the one from ldap or the one from
ra-agent.pem file), keep this one and update the other with the right
values.
HTH,
flo
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
11:25 a.m.
New subject: ipa host-del ERROR Unable to communicate with CMS (403)
Thank you for the reply. There is no errors with getting any certs at all, that's why
this is baffling me. The 403 error is making me think this is either an apache or tomcat
issue.
# ipa cert-show 1
Issuing CA: ipa
Certificate: <snip>
Subject: CN=Certificate Authority,O=<snip>
Issuer: CN=Certificate Authority,O=<snip>
Not Before: Fri Feb 07 17:29:50 2020 UTC
Not After: Tue Feb 07 17:29:50 2040 UTC
Serial number: 1
Serial number (hex): 0x1
Revoked: False
12:06 p.m.
New subject: ipa host-del ERROR Unable to communicate with CMS (403)
On 2/25/20 6:25 PM, Chris Bacott via FreeIPA-users wrote:
Thank you for the reply. There is no errors with getting any certs at
all, that's why this is baffling me. The 403 error is making me think this is either
an apache or tomcat issue.
Strange issue, indeed. You can enable debug logs:
Create a config file:
$ cat /etc/ipa/server.conf
[global]
debug = True
Then restart apache with "systemctl restart httpd".
You may get more information in /var/log/httpd/error_log. The "ipa
host-del" command should also trigger a log like the following in
/var/log/pki/pki-tomcat/localhost_access_log.$DATE.txt:
10.37.171.197 - - [25/Feb/2020:18:59:08 +0100] "POST
/ca/rest/certs/search?size=2147483647 HTTP/1.1" 200 142
and in /var/log/pki/pki-tomcat/ca/debug, the relevant log will start after
SessionContextInterceptor: CertResource.searchCerts()
and show if authentication is tried.
In my case I can see "AuthMethodInterceptor: anonymous access allowed".
Let's see if IPA framework is at least initiating a connection to PKI.
flo
# ipa cert-show 1
Issuing CA: ipa
Certificate: <snip>
Subject: CN=Certificate Authority,O=<snip>
Issuer: CN=Certificate Authority,O=<snip>
Not Before: Fri Feb 07 17:29:50 2020 UTC
Not After: Tue Feb 07 17:29:50 2040 UTC
Serial number: 1
Serial number (hex): 0x1
Revoked: False
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
1:27 p.m.
New subject: ipa host-del ERROR Unable to communicate with CMS (403)
Oh wow. Well, thank you very much for showing me how to enable the debug logging for the
whole app stack, that proved to reveal exactly what the issue was.
Turns out, apache mod_security was blocking the access from "ipa host-del".
[Tue Feb 25 13:04:59.559181 2020] [:error] [pid 26434:tid 139810169677568] [client
10.39.42.117:53938] [client 10.39.42.117] ModSecurity: Warning. Pattern match
"(?i:(?:^(-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|3.0.00738585072007e-308|1e309)$))"
at ARGS:size. [file
"/etc/httpd/modsecurity.d/activated_rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"]
[line "208"] [id "942220"] [rev "2"] [msg "Looking for
intiger overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is
the \\"magic number\\" crash"] [data "Matched Data: 2147483647 found
within ARGS:size: 2147483647"] [severity "CRITICAL"] [ver
"OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag
"application-multi"] [tag "language-multi"] [tag
"platform-multi"] [tag "attack-sqli"] [tag
"OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag
"OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag
"PCI/6.5.2"] [hostname "SNIP"] [uri "/ca/rest/c
erts/search"] [unique_id "XlVv2yNlIktD1-cw0Xy6cQAAAAE"]
[Tue Feb 25 13:04:59.559335 2020] [:error] [pid 26434:tid 139810169677568] [client
10.39.42.117:53938] [client 10.39.42.117] ModSecurity: Access denied with code 403 (phase
2). Operator GE matched 5 at TX:anomaly_score. [file
"/etc/httpd/modsecurity.d/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf"]
[line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded
(Total Score: 5)"] [severity "CRITICAL"] [tag
"application-multi"] [tag "language-multi"] [tag
"platform-multi"] [tag "attack-generic"] [hostname "SNIP"]
[uri "/ca/rest/certs/search"] [unique_id
"XlVv2yNlIktD1-cw0Xy6cQAAAAE"]
[Tue Feb 25 13:04:59.559524 2020] [:error] [pid 26434:tid 139810169677568] [client
10.39.42.117:53938] [client 10.39.42.117] ModSecurity: Warning. Operator GE matched 5 at
TX:inbound_anomaly_score. [file
"/etc/httpd/modsecurity.d/activated_rules/RESPONSE-980-CORRELATION.conf"] [line
"73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total
Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Looking for
intiger overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is
the \\"magic number\\" crash"] [tag "event-correlation"]
[hostname "SNIP"] [uri "/ca/rest/certs/search"] [unique_id
"XlVv2yNlIktD1-cw0Xy6cQAAAAE"]
[Tue Feb 25 13:04:59.560660 2020] [wsgi:error] [pid 26430:tid 139810400032512] [remote
10.39.42.117:53934] ipa: DEBUG: response status 403
I didn't specifically install or set up mod_security, I believe it's a default
package, but I normally just disable it as it causes all sorts of random headaches like
this. Once I disabled it, I was able to delete the host via "ipa host-del".
That at least solves that problem. Thank you for the suggestions!
1:28 a.m.
New subject: ipa host-del ERROR Unable to communicate with CMS (403)
On 2/25/20 8:27 PM, Chris Bacott via FreeIPA-users wrote:
Oh wow. Well, thank you very much for showing me how to enable the
debug logging for the whole app stack, that proved to reveal exactly what the issue was.
Turns out, apache mod_security was blocking the access from "ipa host-del".
[Tue Feb 25 13:04:59.559181 2020] [:error] [pid 26434:tid 139810169677568] [client
10.39.42.117:53938] [client 10.39.42.117] ModSecurity: Warning. Pattern match
"(?i:(?:^(-0000023456|4294967295|4294967296|2147483648|2147483647|0000012345|-2147483648|-2147483649|0000023456|3.0.00738585072007e-308|1e309)$))"
at ARGS:size. [file
"/etc/httpd/modsecurity.d/activated_rules/REQUEST-942-APPLICATION-ATTACK-SQLI.conf"]
[line "208"] [id "942220"] [rev "2"] [msg "Looking for
intiger overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is
the \\"magic number\\" crash"] [data "Matched Data: 2147483647 found
within ARGS:size: 2147483647"] [severity "CRITICAL"] [ver
"OWASP_CRS/3.0.0"] [maturity "9"] [accuracy "8"] [tag
"application-multi"] [tag "language-multi"] [tag
"platform-multi"] [tag "attack-sqli"] [tag
"OWASP_CRS/WEB_ATTACK/SQL_INJECTION"] [tag "WASCTC/WASC-19"] [tag
"OWASP_TOP_10/A1"] [tag "OWASP_AppSensor/CIE1"] [tag
"PCI/6.5.2"] [hostname "SNIP"] [uri "/ca/rest/c
erts/search"] [unique_id "XlVv2yNlIktD1-cw0Xy6cQAAAAE"]
[Tue Feb 25 13:04:59.559335 2020] [:error] [pid 26434:tid 139810169677568] [client
10.39.42.117:53938] [client 10.39.42.117] ModSecurity: Access denied with code 403 (phase
2). Operator GE matched 5 at TX:anomaly_score. [file
"/etc/httpd/modsecurity.d/activated_rules/REQUEST-949-BLOCKING-EVALUATION.conf"]
[line "57"] [id "949110"] [msg "Inbound Anomaly Score Exceeded
(Total Score: 5)"] [severity "CRITICAL"] [tag
"application-multi"] [tag "language-multi"] [tag
"platform-multi"] [tag "attack-generic"] [hostname "SNIP"]
[uri "/ca/rest/certs/search"] [unique_id
"XlVv2yNlIktD1-cw0Xy6cQAAAAE"]
[Tue Feb 25 13:04:59.559524 2020] [:error] [pid 26434:tid 139810169677568] [client
10.39.42.117:53938] [client 10.39.42.117] ModSecurity: Warning. Operator GE matched 5 at
TX:inbound_anomaly_score. [file
"/etc/httpd/modsecurity.d/activated_rules/RESPONSE-980-CORRELATION.conf"] [line
"73"] [id "980130"] [msg "Inbound Anomaly Score Exceeded (Total
Inbound Score: 5 - SQLI=5,XSS=0,RFI=0,LFI=0,RCE=0,PHPI=0,HTTP=0,SESS=0): Looking for
intiger overflow attacks, these are taken from skipfish, except 3.0.00738585072007e-308 is
the \\"magic number\\" crash"] [tag "event-correlation"]
[hostname "SNIP"] [uri "/ca/rest/certs/search"] [unique_id
"XlVv2yNlIktD1-cw0Xy6cQAAAAE"]
[Tue Feb 25 13:04:59.560660 2020] [wsgi:error] [pid 26430:tid 139810400032512] [remote
10.39.42.117:53934] ipa: DEBUG: response status 403
I didn't specifically install or set up mod_security, I believe it's a default
package, but I normally just disable it as it causes all sorts of random headaches like
this. Once I disabled it, I was able to delete the host via "ipa host-del".
That at least solves that problem. Thank you for the suggestions!
Hi,
thanks for the update, glad you could solve the issue.
Mod_security is not installed by default with httpd, and is not required
by IPA either. Unless httpd is used by other apps on the master (which
is not recommended), you are safe to remove mod_security package.
flo
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
1530
days inactive
1531
days old
freeipa-users@lists.fedorahosted.org
5 comments
2 participants
participants (2)
-
Chris Bacott -
Florence Blanc-Renaud