[Freeipa-users] Re: RA Agent certificate authorisation fails – how to debug?

Fri, 05 Nov 2021 03:41:29 -0700 

On Thu, Nov 04, 2021 at 08:45:17PM -0500, Endi Dewata via FreeIPA-users wrote:
> 
> I added some log messages into this file if you want to try again:
> https://github.com/edewata/pki/blob/debug-v10.10/base/acme/src/main/java/org/dogtagpki/acme/realm/LDAPRealm.java
> 
> The build is available from this repo:
> https://copr.fedorainfracloud.org/coprs/edewata/pki-10.10/builds/

  Thanks… For most problems, the root cause is almost always DNS.
For IPA, it's almost always certificate ;)

Verbose builds produced following logs:

2021-11-05 11:15:14 [https-jsse-nio-8443-exec-26] INFO: LDAP search:
2021-11-05 11:15:14 [https-jsse-nio-8443-exec-26] INFO: - base DN: 
ou=people,o=ipaca
2021-11-05 11:15:14 [https-jsse-nio-8443-exec-26] INFO: - filter: 
(description=2;105;CN=Certificate Authority,O=PIPEBREAKER.PL;CN=IPA 
RA,O=PIPEBREAKER.PL)
2021-11-05 11:15:14 [https-jsse-nio-8443-exec-26] INFO: User: 
uid=ipara,ou=people,o=ipaca
2021-11-05 11:15:14 [https-jsse-nio-8443-exec-26] INFO: Validating cert data in 
uid=ipara,ou=people,o=ipaca
2021-11-05 11:15:14 [https-jsse-nio-8443-exec-26] WARNING: User 
uid=ipara,ou=people,o=ipaca has no certificates

  Impossible! I triple checked that. Let check again and compare with fresh 
install:

% ldapsearch -h kaitain.pipebreaker.pl -D cn=directory\ manager -W  -o 
ldif-wrap=no \
      -b uid=ipara,ou=people,o=ipaca

[…]
dn: uid=ipara,ou=people,o=ipaca
description: 2;105;CN=Certificate Authority,O=PIPEBREAKER.PL;CN=IPA 
RA,O=PIPEBREAKER.PL
userCertificate;binary:: MIIDajCCAlKgAw…
[…]


While fresh install gives:

dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=Certificate Authority,O=IPADEV.PIPEBREAKER.PL;CN=IPA 
RA,O=IPADEV.PIPEBREAKER.PL
userCertificate:: MIID/zCCAmegAwIBA…

  There's an additional ";binary" in certificate attribute on my prod server. 
And I was comparing
only base64 encoded part.
  And that was it. After removing ';binary' from attribute name, 
`pki-acme-manage` can authenticate.

Thank you very much for patience and assistance!

It is always a certificate.

-- 
Tomasz Torcz           “(…) today's high-end is tomorrow's embedded processor.”
[email protected]                      — Mitchell Blank on LKML
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Reply via email to