On Thu, 23 Dec 2021, Dungan, Scott A. via FreeIPA-users wrote:
Thanks for the link, Ferrão!
Using the information from that thread, I inspected the contents of
/etc/pki/pki-tomcat/server.xml and noticed that on lines 129 and 171, there were two
values listed: one for secret= and one for requiredSecret=. In addition, the two secrets
were different. Only the “secret=” value matched what was located in the
/etc/httpd/conf.d/ipa-pki-proxy.conf for the ProxyPassMatch statements that Rob referred
to in the thread you linked. I went ahead and changed the value of “requiredSecret=” to be
the same in server.xml, restarted IPA services, and the error was resolved!
Questions unanswered: where did this other (incorrect) value for
requiredSecret come from? Some sort of failure in the upgrade script?
Having both secret and requiredSecret specified (both with the same
correct value) is now required in /etc/pki/pki-tomcat/server.xml?
Looking at the other not-yet-upgraded IPA servers, that line only lists
secret=
As I said there, "is that both pki upgrade code and ipa upgrade
code triggered and pki upgrade code adds 'requiredSecret' part. IPA
upgrade code is present since FreeIPA 4.9.0, since March 2020, more than
1.5 years ago."
PKI added upgrade support code in their RHEL 8.5.0 update. As a result,
FreeIPA's code seems to stumble on some of the upgrade paths. Since it
is triggered during new IPA package upgrade, we get this mix of two
upgrade routines that create a conflicting configuration together.
PKI upgrade code refactoring ignores Tomcat version which is wrong.
tracks a fix for
this on PKI side and it will be out in next minor RHEL 8 version,
hopefully (and in CentOS 8 Stream before that).
Fixed line #129 in /etc/pki/pki-tomcat/server.xml for IPA server version 4.9.6-10:
<Connector port="8009" protocol="AJP/1.3"
redirectPort="8443" address="localhost4" name="Connector1"
secret="123456789abcdefghijklmnopqrstuvwxyz"
requiredSecret="123456789abcdefghijklmnopqrstuvwxyz"/>
Line #129 in /etc/pki/pki-tomcat/server.xml for IPA server version 4.9.6-6:
<Connector port="8009" protocol="AJP/1.3"
redirectPort="8443" address="localhost4" name="Connector1"
secret="123456789abcdefghijklmnopqrstuvwxyz "/>
-Scott
From: Vinícius Ferrão <ferrao(a)versatushpc.com.br>
Sent: Wednesday, December 22, 2021 11:15 AM
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Dungan, Scott A. <sdungan(a)caltech.edu>
Subject: Re: [Freeipa-users] IPA Server Upgrade: CA REST API: 403 error
Sorry. Wrong link. This is the one:
https://www.mail-archive.com/freeipa-users@lists.fedorahosted.org/msg1258...
Sent from my iPhone
On 22 Dec 2021, at 16:14, Vinícius Ferrão
<ferrao@versatushpc.com.br> wrote:
Is this related?
https://pagure.io/freeipa/issue/9041
Sent from my iPhone
On 22 Dec 2021, at 15:35, Dungan, Scott A. via FreeIPA-users
<freeipa-users@lists.fedorahosted.org>
wrote:
Prior to running yum update on one of our IPA servers running RHEL8 version 4.9.6-6,
ipa-healthcheck showed no errors. After running the update to 4.9.6-10, healthcheck threw
“non-2xx response from CA REST API: 403” errors:
[root@ipa1 ~]# ipa-healthcheck --failures-only
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
ra.get_certificate(): Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
[
  {
    "source": "ipahealthcheck.dogtag.ca",
    "check": "DogtagCertsConnectivityCheck",
    "result": "ERROR",
    "uuid": "0fcf1f94-16d3-4f33-aabc-446403a8190f",
    "when": "20211222175722Z",
    "duration": "0.715360",
    "kw": {
      "msg": "Request for certificate failed, Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "969b76e2-bda7-4d47-a76b-fa48b59e469f",
    "when": "20211222175735Z",
    "duration": "1.208329",
    "kw": {
      "key": "20210406003327",
      "serial": 7,
      "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "696f34d9-e965-4d23-8a60-192811cedd51",
    "when": "20211222175735Z",
    "duration": "1.479161",
    "kw": {
      "key": "20210406003320",
      "serial": 5,
      "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "bd716c75-de8b-4893-9e6e-f474dcf898a6",
    "when": "20211222175735Z",
    "duration": "1.747070",
    "kw": {
      "key": "20210406003321",
      "serial": 2,
      "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "59815cd0-e48c-47bf-965f-c089bcf0f2dd",
    "when": "20211222175736Z",
    "duration": "2.021750",
    "kw": {
      "key": "20210406003322",
      "serial": 4,
      "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "ea34c649-7823-4c35-b54d-7b3aaf8677c8",
    "when": "20211222175736Z",
    "duration": "2.291332",
    "kw": {
      "key": "20210406003323",
      "serial": 1,
      "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "8ed4da7b-dec9-4dc5-ad05-ac7064181481",
    "when": "20211222175736Z",
    "duration": "2.567577",
    "kw": {
      "key": "20210406003326",
      "serial": 3,
      "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "faf9b70b-333e-4e08-a211-bd887c346d13",
    "when": "20211222175736Z",
    "duration": "2.723022",
    "kw": {
      "key": "20211130180109",
      "serial": 20,
      "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "6f4097a7-c62a-4771-9019-90c3fa8d0e80",
    "when": "20211222175737Z",
    "duration": "2.985982",
    "kw": {
      "key": "20210406003328",
      "serial": 8,
      "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPACertRevocation",
    "result": "ERROR",
    "uuid": "1e7bfdc0-6dbf-4d0c-a102-86b312c8181e",
    "when": "20211222175737Z",
    "duration": "3.136052",
    "kw": {
      "key": "20201110192416",
      "serial": 10,
      "error": "Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)",
      "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
    }
  }
]
Logging into web ui works, but when clicking through to the Authentication tab, the
following error pops:
IPA Error 4301: CertificateOperationError
Certificate operation cannot be completed: Unable to communicate with CMS (403)
About three weeks ago, we had replication issues with this particular server but resolved
them with Rob’s help. See the thread here:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Any help would be appreciated. Thanks,
Scott
_______________________________________________
FreeIPA-users mailing list --
freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
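A consistency check for the AJP secret mismatch discussed in this thread, added here as an example (it is not code from the thread, from FreeIPA or from PKI): it reads the AJP Connector out of server.xml and the secret= values from the ProxyPassMatch lines in ipa-pki-proxy.conf, and reports any secret or requiredSecret that disagrees with the httpd side. The two configuration fragments are constructed samples and the function names are mine.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the AJP connector in /etc/pki/pki-tomcat/server.xml, in the
# post-upgrade state the thread describes: requiredSecret disagrees with secret.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8009" protocol="AJP/1.3"
             redirectPort="8443" address="localhost4" name="Connector1"
             secret="123456789abcdefghijklmnopqrstuvwxyz"
             requiredSecret="ZYXWVUTSRQPONMLKJIHGFEDCBA987654321"/>
</Service></Server>"""

# Constructed sample of ProxyPassMatch lines from /etc/httpd/conf.d/ipa-pki-proxy.conf.
PROXY_CONF = """ProxyPassMatch ^/ca/rest/ ajp://localhost:8009 secret=123456789abcdefghijklmnopqrstuvwxyz
ProxyPassMatch ^/ca/ee/ ajp://localhost:8009 secret=123456789abcdefghijklmnopqrstuvwxyz
"""

def ajp_secrets(server_xml):
    """Map each AJP connector to its secret / requiredSecret attributes (None if unset)."""
    found = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("protocol", "").startswith("AJP"):
            found[conn.get("name") or conn.get("port")] = {
                "secret": conn.get("secret"), "requiredSecret": conn.get("requiredSecret")}
    return found

def proxy_secrets(conf):
    """Collect every secret= value on ProxyPass/ProxyPassMatch lines that target ajp://."""
    pat = re.compile(r"^\s*ProxyPass(?:Match)?\s+\S+\s+ajp://\S+\s+.*?secret=(\S+)", re.M)
    return set(pat.findall(conf))

def check_consistency(server_xml, conf):
    """Return a list of problems; empty means Tomcat and httpd agree on the AJP secret."""
    problems = []
    expected = proxy_secrets(conf)
    if len(expected) != 1:
        problems.append(f"httpd side has {len(expected)} distinct AJP secrets, expected exactly 1")
    for name, attrs in ajp_secrets(server_xml).items():
        for attr, val in attrs.items():
            # Compare raw values: a stray trailing space inside the quotes is a real mismatch.
            if val is not None and val not in expected:
                problems.append(f"{name}: {attr} does not match the httpd ProxyPassMatch secret")
        s, r = attrs["secret"], attrs["requiredSecret"]
        if s is not None and r is not None and s != r:
            problems.append(f"{name}: secret and requiredSecret differ")
    return problems

if __name__ == "__main__":
    for problem in check_consistency(SERVER_XML, PROXY_CONF):
        print("MISMATCH:", problem)
```

Run against the real files by reading them into the two strings; an empty result is the state Scott reached after setting requiredSecret equal to secret.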