Hi,
On Mon, Dec 12, 2022 at 8:55 AM junhou he via FreeIPA-users <
[email protected]> wrote:
> ipactl status shows that the services are running normally
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
> but ipa cert-show prompts an error:
> ipa: ERROR: Failed to authenticate to CA REST API
>
>
When a user executes the command "ipa cert-show <cert number>", the process
contacts httpd and then httpd needs to contact the Certificate Server. This
error usually happens when the authentication step between httpd and the
Certificate Server fails. Authentication is done using the certificate
ra-agent stored in /var/lib/ipa/ra-agent.{pem|key} for recent versions or
in the NSS database /etc/pki/pki-tomcat/alias/.
The authentication may fail for multiple reasons:
- the ra-agent cert is expired
- the SSL server cert used by the Certificate Server is expired
- the entry uid=ipara,ou=people,o=ipaca hasn't been updated
The validity of certificates can be checked using "getcert list": ensure
that all the certificates are displayed with "status: MONITORING" and have
a date "expires: xxx" that is not already past.
The content of the entry uid=ipara,ou=people,o=ipaca can be checked with:
ldapsearch -x -o ldif-wrap=no -LLL -s base -h `hostname` -p 389 -b
uid=ipara,ou=people,o=ipaca description usercertificate
dn: uid=ipara,ou=people,o=ipaca
description: 2;22;CN=Certificate Authority,O=IPA.TEST;CN=IPA RA,O=IPA.TEST
usercertificate:: MIID...JN4Q==
The field "description" must contain 2;<serial number>;<issuer>;<subject>
corresponding to the ra certificate. Compare the values with the output of:
(if the cert is stored in /var/lib/ipa/ra-agent.pem)
openssl x509 -nameopt RFC2253 -noout -subject -serial -issuer -in
/var/lib/ipa/ra-agent.pem
subject=CN=IPA RA,O=IPA.TEST
serial=16    <<< here the serial is displayed in hex format, 0x16 = 22
issuer=CN=Certificate Authority,O=IPA.TEST
issuer=O = IPA.TEST, CN = Certificate Authority
or (if the cert is stored in /etc/pki/pki-tomcat/alias)
certutil -L -d /etc/pki/pki-tomcat/alias -n ipaCert
The field "userCertificate" must contain the same cert as the file
/var/lib/ipa/ra-agent.pem, minus the header and footer, or the same value
as returned by the command
certutil -L -d /etc/pki/pki-tomcat/alias -n ipaCert -a
If you see any inconsistency, please provide the output of the above
commands and we'll be able to guide you how to fix the issue.
HTH,
flo
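The consistency check described above, written out as an added example (not part of the original mail or of FreeIPA): it converts the hex serial printed by openssl to the decimal form used in the LDAP description, rebuilds the expected "2;<serial>;<issuer>;<subject>" string, and compares the userCertificate value against the PEM body without its header and footer. The openssl output, LDIF entry and PEM file below are constructed samples, not a real certificate.

```python
import re

# Constructed sample output of:
#   openssl x509 -nameopt RFC2253 -noout -subject -serial -issuer -in /var/lib/ipa/ra-agent.pem
OPENSSL_OUT = """\
subject=CN=IPA RA,O=IPA.TEST
serial=16
issuer=CN=Certificate Authority,O=IPA.TEST
"""

# Constructed sample of the uid=ipara entry as returned by ldapsearch (value shortened)
LDAP_ENTRY = """\
dn: uid=ipara,ou=people,o=ipaca
description: 2;22;CN=Certificate Authority,O=IPA.TEST;CN=IPA RA,O=IPA.TEST
usercertificate:: MIIDAAAAJN4Q==
"""

# Constructed stand-in for /var/lib/ipa/ra-agent.pem (body is not a real certificate)
RA_AGENT_PEM = """\
-----BEGIN CERTIFICATE-----
MIIDAAAA
JN4Q==
-----END CERTIFICATE-----
"""

def parse_openssl(text):
    # Keys: subject, serial (hex, as openssl prints it), issuer
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)

def expected_description(fields):
    serial_dec = int(fields["serial"], 16)  # openssl prints hex; LDAP stores decimal
    return f"2;{serial_dec};{fields['issuer']};{fields['subject']}"

def parse_ldif(text):
    # "attr: value" or "attr:: base64value"; attribute names are case-insensitive
    attrs = {}
    for line in text.splitlines():
        m = re.match(r"^([A-Za-z][\w-]*)::? (.*)$", line)
        if m:
            attrs[m.group(1).lower()] = m.group(2)
    return attrs

def pem_body(pem):
    # Base64 body only: drop the BEGIN/END lines and join the wrapped lines
    return "".join(l.strip() for l in pem.splitlines() if l and not l.startswith("-----"))

def check_ra_agent(openssl_text, ldif_text, pem_text):
    """Return a list of mismatches; an empty list means the entry matches the cert."""
    problems, ldap = [], parse_ldif(ldif_text)
    want = expected_description(parse_openssl(openssl_text))
    if ldap.get("description") != want:
        problems.append(f"description is {ldap.get('description')!r}, expected {want!r}")
    if ldap.get("usercertificate") != pem_body(pem_text):
        problems.append("usercertificate does not match the body of ra-agent.pem")
    return problems
```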
> I can't find the relevant error in the ipa log file, does anyone know how
> to debug this problem?
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue