Hi,

On Tue, Aug 9, 2022 at 11:13 AM Erling Andersen via FreeIPA-users <[email protected]> wrote:

> Hi,
>
> We have a problem connecting with CA REST API (403).
> Any ideas how to troubleshoot?
>
>
> Setup: IPA 4.9.8 on CentOS Stream 8, two IPA CA servers
> Only looking at the CA renewal master (ipa1.example.com)
>
> # ipa cert-show 1
> ipa: DEBUG: trying https://ipa1.example.com/ipa/session/json
> ipa: ERROR: Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)
>
> # pki-healthcheck
> Internal server error 403 Client Error: 403 for url: http://ipa1.example.com:80/ca/rest/securityDomain/domainInfo
> [
>   {
>     "source": "pki.server.healthcheck.meta.csconfig",
>     "check": "CADogtagCertsConfigCheck",
>     "result": "ERROR",
>     "uuid": "58153e6c-98ed-4264-a622-e8f6e23d58ca",
>     "when": "20220809080611Z",
>     "duration": "0.164052",
>     "kw": {
>       "key": "ca_signing",
>       "nickname": "caSigningCert cert-pki-ca",
>       "directive": "ca.signing.cert",
>       "configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg",
>       "msg": "Certificate 'caSigningCert cert-pki-ca' does not match the value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
>     }
>   }
> ]
>

This error means that the certificate with nickname 'caSigningCert cert-pki-ca' in /etc/pki/pki-tomcat/alias is not consistent with the one stored in the directive ca.signing.cert=... in the file /var/lib/pki/pki-tomcat/ca/conf/CS.cfg.

> LDAP and IPA RA appear to have identical certificates and serial number:
>
> # ldapsearch -LLL -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca userCertificate description
> dn: uid=ipara,ou=people,o=ipaca
> userCertificate:: MIID...Ovix8
> description: 2;1878982672;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM
>
> # openssl x509 -text -in /var/lib/ipa/ra-agent.pem
>         Serial Number: 1878982672 (0x6fff0010)
>         Validity
>             Not Before: Aug  8 10:02:19 2022 GMT
>             Not After : Jul 28 10:02:19 2024 GMT
> -----BEGIN CERTIFICATE-----
> MIID...Ovix8
> -----END CERTIFICATE-----
>
> PKI appear to have identical certificates in LDAP and /etc/pki/pki-tomcat/alias:
>
> # certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' |grep Serial
>         Serial Number: 1878982665 (0x6fff0009)
>
> # ldapsearch -LLL -D 'cn=directory manager' -W -b uid=pkidbuser,ou=people,o=ipaca userCertificate description seeAlso
> dn: uid=pkidbuser,ou=people,o=ipaca
> userCertificate:: MIID...eluPug==
> description: 2;1878982665;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM
> seeAlso: CN=CA Subsystem,O=EXAMPLE.COM
>
> And, the certificate in CS.cfg appears to match the caSigningCert in LDAP:
>
> /var/lib/pki/pki-tomcat/ca/conf/CS.cfg:
> ca.signing.cert=MIID...yfc5a
>
> # ldapsearch -LLL -D 'cn=directory manager' -W \
>   -b 'cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com'
> dn: cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com
> userCertificate:: MIID...yfc5a
>
> Additional details:
>
> # ldapsearch -LLL -D 'cn=directory manager' -W -b ou=authorities,ou=ca,o=ipaca
> dn: ou=authorities,ou=ca,o=ipaca
> ou: authorities
> objectClass: top
> objectClass: organizationalUnit
>
> dn: cn=58d7a049-ada3-4146-b39a-84aa1b6f4add,ou=authorities,ou=ca,o=ipaca
> authoritySerial: 1878982673
> description: Host authority
> authorityDN: CN=Certificate Authority,O=EXAMPLE.COM
> authorityEnabled: TRUE
> authorityKeyNickname: caSigningCert cert-pki-ca
> authorityID: 58d7a049-ada3-4146-b39a-84aa1b6f4add
> cn: 58d7a049-ada3-4146-b39a-84aa1b6f4add
> objectClass: authority
> objectClass: top
>
> # ldapsearch -LLL -D 'cn=directory manager' -W -b cn=ipa,cn=cas,cn=ca,dc=example,dc=com
> dn: cn=ipa,cn=cas,cn=ca,dc=example,dc=com
> cn: ipa
> ipaCaId: 58d7a049-ada3-4146-b39a-84aa1b6f4add
> ipaCaSubjectDN: CN=Certificate Authority,O=EXAMPLE.COM
> objectClass: top
> objectClass: ipaca
> ipaCaIssuerDN: CN=Certificate Authority,O=EXAMPLE.COM
> description: IPA CA
>
> # certutil -L -d /etc/pki/pki-tomcat/alias/
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> Server-Cert cert-pki-ca                                      u,u,u
> subsystemCert cert-pki-ca                                    u,u,u
> ocspSigningCert cert-pki-ca                                  u,u,u
> auditSigningCert cert-pki-ca                                 u,u,Pu
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> EXAMPLE.COM IPA CA                                           CTu,Cu,Cu
> EXAMPLE.COM IPA CA                                           CTu,Cu,Cu
>

Since there are multiple certs for IPA CA and caSigningCert cert-pki-ca, I assume that the CA has already been renewed a few times. Is the most recent one consistent with the directive ca.signing.cert=... in the file /var/lib/pki/pki-tomcat/ca/conf/CS.cfg?

flo

> # certutil -L -d /etc/pki/pki-tomcat/alias -a -n 'EXAMPLE.COM IPA CA'
> 3 certificates
>
> # certutil -L -d /etc/pki/pki-tomcat/alias -a -n 'caSigningCert cert-pki-ca'
> 3 certificates (identical with above 3 certificates)
>
> # pki ca-cert-show 1878982672
>   Serial Number: 0x6fff0010
>   Subject DN: CN=IPA RA,O=EXAMPLE.COM
>   Issuer DN: CN=Certificate Authority,O=EXAMPLE.COM
>   Status: VALID
>   Not Valid Before: Mon Aug 08 12:02:19 CEST 2022
>   Not Valid After: Sun Jul 28 12:02:19 CEST 2024
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
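The check the reply asks for, comparing the certificate in the CS.cfg directive against every certificate stored under an NSS nickname, can be done byte for byte rather than by eyeballing serial numbers. The following is an added example written for this thread; it is not code from FreeIPA, Dogtag PKI or the list participants. It assumes two inputs: the text of /var/lib/pki/pki-tomcat/ca/conf/CS.cfg, and the output of `certutil -L -d /etc/pki/pki-tomcat/alias -a -n 'caSigningCert cert-pki-ca'`, which prints one PEM block per certificate held under that nickname. The sample data embedded below is constructed stand-in bytes, not real certificates, and exercises both the consistent case and the mismatch that pki-healthcheck reports.

```python
"""Check that the certificate in a CS.cfg directive is one of the certificates
stored under an NSS nickname.  Added example for this thread, not code from
FreeIPA or Dogtag PKI.

Assumed real-world inputs:
  cfg_text - contents of /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
  pem_text - output of
             certutil -L -d /etc/pki/pki-tomcat/alias -a -n 'caSigningCert cert-pki-ca'
             (one PEM block per certificate stored under that nickname)
The sample data at the bottom is constructed stand-in bytes, not real certificates.
"""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)


def cs_cfg_directive(cfg_text, directive="ca.signing.cert"):
    """Return the DER bytes stored under `directive=` in CS.cfg, or None if absent."""
    for line in cfg_text.splitlines():
        line = line.strip()
        if line.startswith(directive + "="):
            # CS.cfg stores the certificate as a single line of base64-encoded DER.
            return base64.b64decode(line.split("=", 1)[1].strip())
    return None


def pem_bundle_to_der(pem_text):
    """Split `certutil -a` output into DER byte strings, in the order printed."""
    return [base64.b64decode("".join(body.split())) for body in PEM_BLOCK.findall(pem_text)]


def sha256_fingerprint(der):
    """Hex SHA-256 of the DER, comparable with `openssl x509 -fingerprint -sha256`."""
    return hashlib.sha256(der).hexdigest()


def check_consistency(cfg_text, pem_text, directive="ca.signing.cert"):
    """Report which certificate under the nickname (if any) equals the directive value.

    Returns the directive's fingerprint, one fingerprint per NSS certificate, and
    match_index: the position of the matching certificate, or None.  A None
    match_index is the condition pki-healthcheck reports as
    "does not match the value of ca.signing.cert".
    """
    wanted = cs_cfg_directive(cfg_text, directive)
    certs = pem_bundle_to_der(pem_text)
    match = None
    if wanted is not None:
        for index, der in enumerate(certs):
            if der == wanted:  # exact DER comparison, not just serial numbers
                match = index
                break
    return {
        "directive_fingerprint": sha256_fingerprint(wanted) if wanted else None,
        "nss_fingerprints": [sha256_fingerprint(der) for der in certs],
        "match_index": match,
    }


# --- constructed sample data (stand-in bytes, not real DER certificates) ---
CERT_ORIGINAL = b"constructed: CA cert issued 2020"
CERT_RENEWED = b"constructed: CA cert renewed 2022"
CERT_NEVER_IMPORTED = b"constructed: cert missing from the NSS database"


def _as_pem(der):
    """Wrap bytes in a PEM certificate block, as certutil -a would print it."""
    b64 = base64.b64encode(der).decode()
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + "\n-----END CERTIFICATE-----\n")


# Two certificates under the same nickname, as left behind by a renewal.
SAMPLE_NSS_PEM = _as_pem(CERT_ORIGINAL) + _as_pem(CERT_RENEWED)
# CS.cfg pointing at the renewed certificate: consistent.
SAMPLE_CS_CFG = "ca.signing.cert=" + base64.b64encode(CERT_RENEWED).decode() + "\n"
# CS.cfg pointing at a certificate absent from the database: the healthcheck failure.
SAMPLE_CS_CFG_STALE = "ca.signing.cert=" + base64.b64encode(CERT_NEVER_IMPORTED).decode() + "\n"

if __name__ == "__main__":
    for label, cfg in (("consistent", SAMPLE_CS_CFG), ("stale", SAMPLE_CS_CFG_STALE)):
        report = check_consistency(cfg, SAMPLE_NSS_PEM)
        print(label, "-> match_index:", report["match_index"])
```

On a real server, replace the constructed samples with the file contents of CS.cfg and the saved certutil output. The order in which certutil prints certificates for a nickname is not a chronological guarantee, so to decide which one is "the most recent" run `openssl x509 -noout -serial -dates` on each PEM block and compare the Not Before dates with the fingerprint the report prints.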
