junhou he via FreeIPA-users wrote:
> Hi ,
> 
> tail -f /var/log/httpd/error_log
> [Wed Dec 14 10:45:46.672850 2022] [wsgi:error] [pid 15502:tid 
> 140175850501888] [remote 10.100.0.213:47182]   File 
> "/usr/lib/python3.6/site-packages/ipaserver/plugins/ca.py", line 189, in 
> set_certificate_attrs
> [Wed Dec 14 10:45:46.672854 2022] [wsgi:error] [pid 15502:tid 
> 140175850501888] [remote 10.100.0.213:47182]     with 
> api.Backend.ra_lightweight_ca as ca_api:
> [Wed Dec 14 10:45:46.672858 2022] [wsgi:error] [pid 15502:tid 
> 140175850501888] [remote 10.100.0.213:47182]   File 
> "/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", line 1211, in 
> __enter__
> [Wed Dec 14 10:45:46.672862 2022] [wsgi:error] [pid 15502:tid 
> 140175850501888] [remote 10.100.0.213:47182]     raise 
> errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API'))
> [Wed Dec 14 10:45:46.672867 2022] [wsgi:error] [pid 15502:tid 
> 140175850501888] [remote 10.100.0.213:47182] 
> ipalib.errors.RemoteRetrieveError: Failed to authenticate to CA REST API
> [Wed Dec 14 10:45:46.672874 2022] [wsgi:error] [pid 15502:tid 
> 140175850501888] [remote 10.100.0.213:47182]
> [Wed Dec 14 10:45:46.673000 2022] [wsgi:error] [pid 15502:tid 
> 140175850501888] [remote 10.100.0.213:47182] ipa: INFO: [jsonserver_session] 
> ad...@wingon.hk: cert_show/1('1', version='2.245'): RemoteRetrieveError
> [Wed Dec 14 10:45:46.673047 2022] [wsgi:error] [pid 15502:tid 
> 140175850501888] [remote 10.100.0.213:47182] ipa: DEBUG: [jsonserver_session] 
> ad...@wingon.hk: cert_show/1('1', version='2.245'): RemoteRetrieveError 
> etime=569221770
> [Wed Dec 14 10:45:46.673819 2022] [wsgi:error] [pid 15502:tid 
> 140175850501888] [remote 10.100.0.213:47182] ipa: DEBUG: FINAL: Hits 0 Misses 
> 2 Size 2
> [Wed Dec 14 10:45:46.673911 2022] [wsgi:error] [pid 15502:tid 
> 140175850501888] [remote 10.100.0.213:47182] ipa: DEBUG: Destroyed connection 
> context.ldap2_140175871416696
> [Wed Dec 14 10:46:58.533496 2022] [:warn] [pid 15505:tid 140175805597440] 
> [client 10.100.0.213:45502] failed to set perms (3140) on file 
> (/run/ipa/ccaches/ad...@wingon.hk-sHvwu4)!, referer: 
> https://wocfreeipa.wingon.hk/ipa/xml
> [Wed Dec 14 10:46:58.534621 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: WSGI 
> wsgi_dispatch.__call__:
> [Wed Dec 14 10:46:58.534727 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: WSGI 
> jsonserver_session.__call__:
> [Wed Dec 14 10:46:58.545384 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: Created connection 
> context.ldap2_140175871412600
> [Wed Dec 14 10:46:58.545468 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: WSGI 
> jsonserver.__call__:
> [Wed Dec 14 10:46:58.545505 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: WSGI 
> WSGIExecutioner.__call__:
> [Wed Dec 14 10:46:58.551189 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: raw: cert_show('1', 
> version='2.245')
> [Wed Dec 14 10:46:58.551663 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: cert_show(1, 
> cacn='ipa', chain=False, all=False, raw=False, version='2.245', 
> no_members=False)
> [Wed Dec 14 10:46:58.552186 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: raw: 
> ca_is_enabled(version='2.245')
> [Wed Dec 14 10:46:58.552313 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: 
> ca_is_enabled(version='2.245')
> [Wed Dec 14 10:46:58.555552 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: ra.get_certificate()
> [Wed Dec 14 10:46:58.556893 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: request GET 
> https://wocfreeipa.wingon.hk:443/ca/rest/certs/1
> [Wed Dec 14 10:46:58.556960 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: request body ''
> [Wed Dec 14 10:46:58.585446 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: response status 200
> [Wed Dec 14 10:46:58.587038 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: response headers 
> Date: Wed, 14 Dec 2022 02:46:58 GMT
> [Wed Dec 14 10:46:58.587058 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] Server: Apache/2.4.37 (rocky) 
> OpenSSL/1.1.1k mod_auth_gssapi/1.6.1 mod_nss/1.0.17 NSS/3.44 mod_wsgi/4.6.4 
> Python/3.6
> [Wed Dec 14 10:46:58.587064 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] Content-Type: application/json
> [Wed Dec 14 10:46:58.587069 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] Vary: Accept-Encoding
> [Wed Dec 14 10:46:58.587073 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] Transfer-Encoding: chunked
> [Wed Dec 14 10:46:58.587077 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502]
> [Wed Dec 14 10:46:58.587084 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502]
> [Wed Dec 14 10:46:58.587694 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: response body 
> (decoded): b'{"id":"0x1","IssuerDN":"CN=Certificate 
> Authority,O=WINGON.HK","SubjectDN":"CN=Certificate 
> Authority,O=WINGON.HK","PrettyPrint":"    Certificate: \\\\n        Data: 
> [Wed Dec 14 10:46:58.593066 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: IPA: virtual verify 
> retrieve certificate
> [Wed Dec 14 10:46:58.593525 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: Cache lookup: 
> cn=retrieve certificate,cn=virtual operations,cn=etc,dc=wingon,dc=hk
> [Wed Dec 14 10:46:58.593849 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: Requested attrs_list 
> ['objectclass']
> [Wed Dec 14 10:46:58.595776 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: DROP: cn=retrieve 
> certificate,cn=virtual operations,cn=etc,dc=wingon,dc=hk
> [Wed Dec 14 10:46:58.595866 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: DROP: not in cache 
> cn=retrieve certificate,cn=virtual operations,cn=etc,dc=wingon,dc=hk
> [Wed Dec 14 10:46:58.596087 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: ADD: cn=retrieve 
> certificate,cn=virtual operations,cn=etc,dc=wingon,dc=hk: 
> {'entrylevelrights', 'attributelevelrights', 'objectclass'} all=False
> [Wed Dec 14 10:46:58.596154 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: MISS: Hits 0 Misses 
> 1 Size 1
> [Wed Dec 14 10:46:58.596400 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: raw: ca_show('ipa', 
> chain=False, all=False, version='2.245')
> [Wed Dec 14 10:46:58.596538 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: ca_show('ipa', 
> rights=False, chain=False, all=False, raw=False, version='2.245')
> [Wed Dec 14 10:46:58.596680 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: raw: 
> ca_is_enabled(version='2.245')
> [Wed Dec 14 10:46:58.596758 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: 
> ca_is_enabled(version='2.245')
> [Wed Dec 14 10:46:58.597793 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: Cache lookup: 
> cn=ipa,cn=cas,cn=ca,dc=wingon,dc=hk
> [Wed Dec 14 10:46:58.597867 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: Requested attrs_list 
> ['description', 'ipacasubjectdn', 'cn', 'ipacaid', 'ipacaissuerdn']
> [Wed Dec 14 10:46:58.599055 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: DROP: 
> cn=ipa,cn=cas,cn=ca,dc=wingon,dc=hk
> [Wed Dec 14 10:46:58.599146 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: DROP: not in cache 
> cn=ipa,cn=cas,cn=ca,dc=wingon,dc=hk
> [Wed Dec 14 10:46:58.599368 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: ADD: 
> cn=ipa,cn=cas,cn=ca,dc=wingon,dc=hk: {'description', 'ipacasubjectdn', 
> 'commonname', 'cn', 'ipacaid', 'ipacaissuerdn'} all=False
> [Wed Dec 14 10:46:58.599434 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: MISS: Hits 0 Misses 
> 2 Size 2
> [Wed Dec 14 10:46:58.600765 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: request GET 
> https://wocfreeipa.wingon.hk:443/ca/rest/account/login
> [Wed Dec 14 10:46:58.600832 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: request body ''
> [Wed Dec 14 10:46:58.626797 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: response status 401
> [Wed Dec 14 10:46:58.627246 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: response headers 
> Date: Wed, 14 Dec 2022 02:46:58 GMT
> [Wed Dec 14 10:46:58.627257 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] Server: Apache/2.4.37 (rocky) 
> OpenSSL/1.1.1k mod_auth_gssapi/1.6.1 mod_nss/1.0.17 NSS/3.44 mod_wsgi/4.6.4 
> Python/3.6
> [Wed Dec 14 10:46:58.627262 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] Cache-Control: private
> [Wed Dec 14 10:46:58.627266 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] Expires: Thu, 01 Jan 1970 
> 00:00:00 GMT
> [Wed Dec 14 10:46:58.627271 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] WWW-Authenticate: Basic 
> realm="Certificate Authority"
> [Wed Dec 14 10:46:58.627275 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] Content-Type: 
> text/html;charset=utf-8
> [Wed Dec 14 10:46:58.627280 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] Content-Language: en
> [Wed Dec 14 10:46:58.627284 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] Content-Length: 669
> [Wed Dec 14 10:46:58.627288 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502]
> [Wed Dec 14 10:46:58.627294 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502]
> [Wed Dec 14 10:46:58.627363 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: response body 
> (decoded): b'<!doctype html><html lang="en"><head><title>HTTP Status 401 
> \\xe2\\x80\\x93 Unauthorized</title><style type="text/css">body 
> {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b 
> {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 
> {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} 
> .line 
> {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP
>  Status 401 \\xe2\\x80\\x93 Unauthorized</h1><hr class="line" 
> /><p><b>Type</b> Status Report</p><p><b>Description</b> The request has not 
> been applied because it lacks valid authentication credentials for the target 
> resource.</p><hr class="line" /><h3>Apache Tomcat/9.0.30</h3></body></html>'
> [Wed Dec 14 10:46:58.629455 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: WSGI wsgi_execute 
> PublicError: Traceback (most recent call last):
> [Wed Dec 14 10:46:58.629481 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502]   File 
> "/usr/lib/python3.6/site-packages/ipaserver/rpcserver.py", line 407, in 
> wsgi_execute
> [Wed Dec 14 10:46:58.629487 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502]     result = command(*args, 
> **options)
> [Wed Dec 14 10:46:58.629491 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502]   File 
> "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 471, in __call__
> [Wed Dec 14 10:46:58.629496 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502]     return self.__do_call(*args, 
> **options)
> [Wed Dec 14 10:46:58.629501 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502]   File 
> "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 499, in __do_call
> [Wed Dec 14 10:46:58.629506 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502]     ret = self.run(*args, 
> **options)
> [Wed Dec 14 10:46:58.629510 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502]   File 
> "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 821, in run
> [Wed Dec 14 10:46:58.629515 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502]     return self.execute(*args, 
> **options)
> [Wed Dec 14 10:46:58.629519 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502]   File 
> "/usr/lib/python3.6/site-packages/ipaserver/plugins/cert.py", line 1388, in 
> execute
> [Wed Dec 14 10:46:58.629524 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502]     chain=chain,
> [Wed Dec 14 10:46:58.629529 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502]   File 
> "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 471, in __call__
> [Wed Dec 14 10:46:58.629533 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502]     return self.__do_call(*args, 
> **options)
> [Wed Dec 14 10:46:58.629538 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502]   File 
> "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 499, in __do_call
> [Wed Dec 14 10:46:58.629547 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502]     ret = self.run(*args, 
> **options)
> [Wed Dec 14 10:46:58.629728 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502]   File 
> "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 821, in run
> [Wed Dec 14 10:46:58.629734 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502]     return self.execute(*args, 
> **options)
> [Wed Dec 14 10:46:58.629739 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502]   File 
> "/usr/lib/python3.6/site-packages/ipaserver/plugins/ca.py", line 252, in 
> execute
> [Wed Dec 14 10:46:58.629744 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502]     msg = 
> set_certificate_attrs(result['result'], options)
> [Wed Dec 14 10:46:58.629748 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502]   File 
> "/usr/lib/python3.6/site-packages/ipaserver/plugins/ca.py", line 189, in 
> set_certificate_attrs
> [Wed Dec 14 10:46:58.629757 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502]     with 
> api.Backend.ra_lightweight_ca as ca_api:
> [Wed Dec 14 10:46:58.629761 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502]   File 
> "/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", line 1211, in 
> __enter__
> [Wed Dec 14 10:46:58.629766 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502]     raise 
> errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API'))
> [Wed Dec 14 10:46:58.629771 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] 
> ipalib.errors.RemoteRetrieveError: Failed to authenticate to CA REST API
> [Wed Dec 14 10:46:58.629796 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502]
> [Wed Dec 14 10:46:58.629954 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: INFO: [jsonserver_session] 
> ad...@wingon.hk: cert_show/1('1', version='2.245'): RemoteRetrieveError
> [Wed Dec 14 10:46:58.630022 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: [jsonserver_session] 
> ad...@wingon.hk: cert_show/1('1', version='2.245'): RemoteRetrieveError 
> etime=84348352
> [Wed Dec 14 10:46:58.630767 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: FINAL: Hits 0 Misses 
> 2 Size 2
> [Wed Dec 14 10:46:58.630882 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: Destroyed connection 
> context.ldap2_140175871412600

Seems to just confirm that the CA is returning a 401.

Early on in the thread Flo asked you to check on something in LDAP and
you had a stray character (*). Did you ever double-check that?

ldapsearch -x -o ldif-wrap=no -LLL -s base -h `hostname` -p 389 -b uid=ipara,ou=people,o=ipaca description usercertificate

You want to make sure that the certificate value in
/var/lib/ipa/ra-agent.pem is in the usercertificate attribute in LDAP.

The CA uses TLS client authentication to validate the cert. It also does
a subject and key comparison (description) and the certificate blob
itself (usercertificate).

rob
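
The comparison rob describes, as an added example that is not part of the original message or of FreeIPA: it decodes the certificate from the PEM file and checks whether the same DER bytes appear among the usercertificate values in the ldapsearch output, flagging values that do not decode (for instance because of a stray character). It covers only the usercertificate blob, not the description attribute; the function names and all sample data are constructed for illustration.

```python
import base64
import binascii
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate in PEM text."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM input")
    # Drop line breaks (LF or CRLF) before decoding.
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def ldif_values(ldif_text, attr):
    """Return (decoded values, undecodable count) for attr in LDIF text."""
    # LDIF folds long lines: a line starting with one space continues the
    # previous one. ldif-wrap=no avoids this, but pasted output may be folded.
    unfolded = re.sub(r"\r?\n ", "", ldif_text)
    values, bad = [], 0
    for line in unfolded.splitlines():
        name, sep, rest = line.partition(":")
        # Attribute names are case-insensitive and may carry ";binary".
        if not sep or name.split(";")[0].lower() != attr.lower():
            continue
        if rest.startswith(":"):          # "attr:: <base64>"
            try:
                values.append(base64.b64decode(rest[1:].strip(), validate=True))
            except binascii.Error:
                bad += 1                  # e.g. a stray character in the value
        else:                             # "attr: <plain text>"
            values.append(rest.strip().encode())
    return values, bad


def check_ra_cert(ldif_text, pem_text):
    """Compare the PEM certificate with the usercertificate values."""
    der = pem_to_der(pem_text)
    values, bad = ldif_values(ldif_text, "usercertificate")
    return {"values": len(values), "undecodable": bad, "match": der in values}


def b64(data):
    return base64.b64encode(data).decode()


# Constructed sample data: placeholder bytes, not real certificates.
OLD_DER = b"\x30\x82\x01\x00" + b"old-ra-cert" * 8
NEW_DER = b"\x30\x82\x01\x00" + b"new-ra-cert" * 8
RA_AGENT_PEM = ("-----BEGIN CERTIFICATE-----\n"
                + base64.encodebytes(NEW_DER).decode()
                + "-----END CERTIFICATE-----\n")
HEADER = ("dn: uid=ipara,ou=people,o=ipaca\n"
          "description: constructed-placeholder\n")
# Entry holds both an older and the current certificate.
LDIF_OK = (HEADER + "usercertificate:: " + b64(OLD_DER) + "\n"
           + "usercertificate:: " + b64(NEW_DER) + "\n")
# Entry holds only the older certificate.
LDIF_STALE = HEADER + "usercertificate:: " + b64(OLD_DER) + "\n"
# Value carries a stray trailing character.
LDIF_STRAY = HEADER + "usercertificate:: " + b64(NEW_DER) + "*\n"
# Same as the current certificate, but folded across two lines.
LDIF_FOLDED = (HEADER + "usercertificate:: " + b64(NEW_DER)[:40]
               + "\n " + b64(NEW_DER)[40:] + "\n")

if __name__ == "__main__":
    for label, ldif in (("ok", LDIF_OK), ("stale", LDIF_STALE),
                        ("stray", LDIF_STRAY), ("folded", LDIF_FOLDED)):
        print(label, check_ra_cert(ldif, RA_AGENT_PEM))
```

On a real server the two inputs would be the output of the ldapsearch command above and the contents of /var/lib/ipa/ra-agent.pem.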