junhou he via FreeIPA-users wrote:
> Hi,
>
> tail -f /var/log/httpd/error_log
> [Wed Dec 14 10:45:46.672850 2022] [wsgi:error] [pid 15502:tid 140175850501888] [remote 10.100.0.213:47182] File "/usr/lib/python3.6/site-packages/ipaserver/plugins/ca.py", line 189, in set_certificate_attrs
> [Wed Dec 14 10:45:46.672854 2022] [wsgi:error] [pid 15502:tid 140175850501888] [remote 10.100.0.213:47182] with api.Backend.ra_lightweight_ca as ca_api:
> [Wed Dec 14 10:45:46.672858 2022] [wsgi:error] [pid 15502:tid 140175850501888] [remote 10.100.0.213:47182] File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", line 1211, in __enter__
> [Wed Dec 14 10:45:46.672862 2022] [wsgi:error] [pid 15502:tid 140175850501888] [remote 10.100.0.213:47182] raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API'))
> [Wed Dec 14 10:45:46.672867 2022] [wsgi:error] [pid 15502:tid 140175850501888] [remote 10.100.0.213:47182] ipalib.errors.RemoteRetrieveError: Failed to authenticate to CA REST API
> [Wed Dec 14 10:45:46.672874 2022] [wsgi:error] [pid 15502:tid 140175850501888] [remote 10.100.0.213:47182]
> [Wed Dec 14 10:45:46.673000 2022] [wsgi:error] [pid 15502:tid 140175850501888] [remote 10.100.0.213:47182] ipa: INFO: [jsonserver_session] ad...@wingon.hk: cert_show/1('1', version='2.245'): RemoteRetrieveError
> [Wed Dec 14 10:45:46.673047 2022] [wsgi:error] [pid 15502:tid 140175850501888] [remote 10.100.0.213:47182] ipa: DEBUG: [jsonserver_session] ad...@wingon.hk: cert_show/1('1', version='2.245'): RemoteRetrieveError etime=569221770
> [Wed Dec 14 10:45:46.673819 2022] [wsgi:error] [pid 15502:tid 140175850501888] [remote 10.100.0.213:47182] ipa: DEBUG: FINAL: Hits 0 Misses 2 Size 2
> [Wed Dec 14 10:45:46.673911 2022] [wsgi:error] [pid 15502:tid 140175850501888] [remote 10.100.0.213:47182] ipa: DEBUG: Destroyed connection context.ldap2_140175871416696
> [Wed Dec 14 10:46:58.533496 2022] [:warn] [pid 15505:tid 140175805597440] [client 10.100.0.213:45502] failed to set perms (3140) on file (/run/ipa/ccaches/ad...@wingon.hk-sHvwu4)!, referer: https://wocfreeipa.wingon.hk/ipa/xml
> [Wed Dec 14 10:46:58.534621 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
> [Wed Dec 14 10:46:58.534727 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: WSGI jsonserver_session.__call__:
> [Wed Dec 14 10:46:58.545384 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: Created connection context.ldap2_140175871412600
> [Wed Dec 14 10:46:58.545468 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: WSGI jsonserver.__call__:
> [Wed Dec 14 10:46:58.545505 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
> [Wed Dec 14 10:46:58.551189 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: raw: cert_show('1', version='2.245')
> [Wed Dec 14 10:46:58.551663 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: cert_show(1, cacn='ipa', chain=False, all=False, raw=False, version='2.245', no_members=False)
> [Wed Dec 14 10:46:58.552186 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: raw: ca_is_enabled(version='2.245')
> [Wed Dec 14 10:46:58.552313 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: ca_is_enabled(version='2.245')
> [Wed Dec 14 10:46:58.555552 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: ra.get_certificate()
> [Wed Dec 14 10:46:58.556893 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: request GET
> https://wocfreeipa.wingon.hk:443/ca/rest/certs/1
> [Wed Dec 14 10:46:58.556960 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: request body ''
> [Wed Dec 14 10:46:58.585446 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: response status 200
> [Wed Dec 14 10:46:58.587038 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: response headers Date: Wed, 14 Dec 2022 02:46:58 GMT
> [Wed Dec 14 10:46:58.587058 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] Server: Apache/2.4.37 (rocky) OpenSSL/1.1.1k mod_auth_gssapi/1.6.1 mod_nss/1.0.17 NSS/3.44 mod_wsgi/4.6.4 Python/3.6
> [Wed Dec 14 10:46:58.587064 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] Content-Type: application/json
> [Wed Dec 14 10:46:58.587069 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] Vary: Accept-Encoding
> [Wed Dec 14 10:46:58.587073 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] Transfer-Encoding: chunked
> [Wed Dec 14 10:46:58.587077 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502]
> [Wed Dec 14 10:46:58.587084 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502]
> [Wed Dec 14 10:46:58.587694 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: response body (decoded):
> [Wed Dec 14 10:46:58.593066 2022] [wsgi:error] [pid
> 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: IPA: virtual verify retrieve certificate
> [Wed Dec 14 10:46:58.593525 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: Cache lookup: cn=retrieve certificate,cn=virtual operations,cn=etc,dc=wingon,dc=hk
> [Wed Dec 14 10:46:58.593849 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: Requested attrs_list ['objectclass']
> [Wed Dec 14 10:46:58.595776 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: DROP: cn=retrieve certificate,cn=virtual operations,cn=etc,dc=wingon,dc=hk
> [Wed Dec 14 10:46:58.595866 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: DROP: not in cache cn=retrieve certificate,cn=virtual operations,cn=etc,dc=wingon,dc=hk
> [Wed Dec 14 10:46:58.596087 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: ADD: cn=retrieve certificate,cn=virtual operations,cn=etc,dc=wingon,dc=hk: {'entrylevelrights', 'attributelevelrights', 'objectclass'} all=False
> [Wed Dec 14 10:46:58.596154 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: MISS: Hits 0 Misses 1 Size 1
> [Wed Dec 14 10:46:58.596400 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: raw: ca_show('ipa', chain=False, all=False, version='2.245')
> [Wed Dec 14 10:46:58.596538 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: ca_show('ipa', rights=False, chain=False, all=False, raw=False, version='2.245')
> [Wed Dec 14 10:46:58.596680 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: raw: ca_is_enabled(version='2.245')
> [Wed Dec 14 10:46:58.596758 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: ca_is_enabled(version='2.245')
> [Wed Dec 14 10:46:58.597793 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: Cache lookup: cn=ipa,cn=cas,cn=ca,dc=wingon,dc=hk
> [Wed Dec 14 10:46:58.597867 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: Requested attrs_list ['description', 'ipacasubjectdn', 'cn', 'ipacaid', 'ipacaissuerdn']
> [Wed Dec 14 10:46:58.599055 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: DROP: cn=ipa,cn=cas,cn=ca,dc=wingon,dc=hk
> [Wed Dec 14 10:46:58.599146 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: DROP: not in cache cn=ipa,cn=cas,cn=ca,dc=wingon,dc=hk
> [Wed Dec 14 10:46:58.599368 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: ADD: cn=ipa,cn=cas,cn=ca,dc=wingon,dc=hk: {'description', 'ipacasubjectdn', 'commonname', 'cn', 'ipacaid', 'ipacaissuerdn'} all=False
> [Wed Dec 14 10:46:58.599434 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: MISS: Hits 0 Misses 2 Size 2
> [Wed Dec 14 10:46:58.600765 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: request GET https://wocfreeipa.wingon.hk:443/ca/rest/account/login
> [Wed Dec 14 10:46:58.600832 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: request body ''
> [Wed Dec 14 10:46:58.626797 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: response status 401
> [Wed Dec 14 10:46:58.627246 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: response headers Date: Wed, 14 Dec 2022 02:46:58 GMT
> [Wed Dec 14 10:46:58.627257 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] Server: Apache/2.4.37 (rocky) OpenSSL/1.1.1k mod_auth_gssapi/1.6.1 mod_nss/1.0.17 NSS/3.44 mod_wsgi/4.6.4 Python/3.6
> [Wed Dec 14 10:46:58.627262 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] Cache-Control: private
> [Wed Dec 14 10:46:58.627266 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] Expires: Thu, 01 Jan 1970 00:00:00 GMT
> [Wed Dec 14 10:46:58.627271 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] WWW-Authenticate: Basic realm="Certificate Authority"
> [Wed Dec 14 10:46:58.627275 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] Content-Type: text/html;charset=utf-8
> [Wed Dec 14 10:46:58.627280 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] Content-Language: en
> [Wed Dec 14 10:46:58.627284 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] Content-Length: 669
> [Wed Dec 14 10:46:58.627288 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502]
> [Wed Dec 14 10:46:58.627294 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502]
> [Wed Dec 14 10:46:58.627363 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: response body (decoded): b'<!doctype html><html lang="en"><head><title>HTTP Status 401 \\xe2\\x80\\x93 Unauthorized</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 401 \\xe2\\x80\\x93 Unauthorized</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Description</b> The request has not been applied because it lacks valid authentication credentials for the target resource.</p><hr class="line" /><h3>Apache Tomcat/9.0.30</h3></body></html>'
> [Wed Dec 14 10:46:58.629455 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last):
> [Wed Dec 14 10:46:58.629481 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] File "/usr/lib/python3.6/site-packages/ipaserver/rpcserver.py", line 407, in wsgi_execute
> [Wed Dec 14 10:46:58.629487 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] result = command(*args, **options)
> [Wed Dec 14 10:46:58.629491 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 471, in __call__
> [Wed Dec 14 10:46:58.629496 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] return self.__do_call(*args, **options)
> [Wed Dec 14 10:46:58.629501 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 499, in __do_call
> [Wed Dec 14 10:46:58.629506 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ret = self.run(*args, **options)
> [Wed Dec 14 10:46:58.629510 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 821, in run
> [Wed Dec 14 10:46:58.629515 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] return self.execute(*args, **options)
> [Wed Dec 14 10:46:58.629519 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] File "/usr/lib/python3.6/site-packages/ipaserver/plugins/cert.py", line 1388, in execute
> [Wed Dec 14 10:46:58.629524 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] chain=chain,
> [Wed Dec 14 10:46:58.629529 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 471, in __call__
> [Wed Dec 14 10:46:58.629533 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] return self.__do_call(*args, **options)
> [Wed Dec 14 10:46:58.629538 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 499, in __do_call
> [Wed Dec 14 10:46:58.629547 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ret = self.run(*args, **options)
> [Wed Dec 14 10:46:58.629728 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 821, in run
> [Wed Dec 14 10:46:58.629734 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] return self.execute(*args, **options)
> [Wed Dec 14 10:46:58.629739 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] File "/usr/lib/python3.6/site-packages/ipaserver/plugins/ca.py", line 252, in execute
> [Wed Dec 14 10:46:58.629744 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] msg = set_certificate_attrs(result['result'], options)
> [Wed Dec 14 10:46:58.629748 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] File "/usr/lib/python3.6/site-packages/ipaserver/plugins/ca.py", line 189, in set_certificate_attrs
> [Wed Dec 14 10:46:58.629757 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] with api.Backend.ra_lightweight_ca as ca_api:
> [Wed Dec 14 10:46:58.629761 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] File "/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", line 1211, in __enter__
> [Wed Dec 14 10:46:58.629766 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API'))
> [Wed Dec 14 10:46:58.629771 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipalib.errors.RemoteRetrieveError: Failed to authenticate to CA REST API
> [Wed Dec 14 10:46:58.629796 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502]
> [Wed Dec 14 10:46:58.629954 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: INFO: [jsonserver_session] ad...@wingon.hk: cert_show/1('1', version='2.245'): RemoteRetrieveError
> [Wed Dec 14 10:46:58.630022 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: [jsonserver_session] ad...@wingon.hk: cert_show/1('1', version='2.245'): RemoteRetrieveError etime=84348352
> [Wed Dec 14 10:46:58.630767 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: FINAL: Hits 0 Misses 2 Size 2
> [Wed Dec 14 10:46:58.630882 2022] [wsgi:error] [pid 15499:tid 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: Destroyed connection context.ldap2_140175871412600
Seems to just confirm that the CA is returning a 401.

Early on in the thread Flo asked you to check on something in LDAP and you had a stray character (*). Did you ever double-check that?

ldapsearch -x -o ldif-wrap=no -LLL -s base -h `hostname` -p 389 -b uid=ipara,ou=people,o=ipaca description usercertificate

You want to make sure that the certificate value in /var/lib/ipa/ra-agent.pem is in the usercertificate attribute in LDAP.

The CA uses TLS client authentication to validate the cert. It also does a subject and key comparison (description) and the certificate blob itself (usercertificate).

rob
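The comparison described in the reply above, as an added example that is not part of the original message and not FreeIPA's or Dogtag's own code: given the text of /var/lib/ipa/ra-agent.pem and the LDIF printed by the ldapsearch command, it reports whether the certificate blob is present in usercertificate and whether the serial in description agrees. The function names are hypothetical, the sample certificate is a constructed DER stub, and the "2;<decimal serial>;<issuer>;<subject>" layout of description is an assumption; only its serial field is checked here.

```python
import base64
import re

def pem_to_der(pem_text):
    """DER bytes of the first CERTIFICATE block (as in ra-agent.pem)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))

def parse_ldif(ldif_text):
    """Parse unwrapped LDIF (-o ldif-wrap=no) into {attribute: [bytes, ...]}."""
    attrs = {}
    for line in ldif_text.splitlines():
        name, sep, rest = line.partition(":")
        if not sep or line.startswith("#"):
            continue
        # "attr:: value" is base64, "attr: value" is plain text
        value = (base64.b64decode(rest[1:].strip()) if rest.startswith(":")
                 else rest.strip().encode())
        # drop options such as ";binary" from the attribute name
        attrs.setdefault(name.split(";")[0].lower(), []).append(value)
    return attrs

def read_tlv(buf, pos):
    """Read one DER TLV header; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_serial(der):
    """Serial number from Certificate -> tbsCertificate -> serialNumber."""
    _, start, _ = read_tlv(der, 0)       # Certificate SEQUENCE
    _, start, _ = read_tlv(der, start)   # tbsCertificate SEQUENCE
    tag, vstart, vend = read_tlv(der, start)
    if tag == 0xA0:                      # optional [0] version field
        tag, vstart, vend = read_tlv(der, vend)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(der[vstart:vend], "big")

def check_ra_agent(pem_text, ldif_text):
    """Return a list of mismatches between ra-agent.pem and uid=ipara."""
    der, entry = pem_to_der(pem_text), parse_ldif(ldif_text)
    problems = []
    if der not in entry.get("usercertificate", []):
        problems.append("usercertificate does not hold the ra-agent.pem cert")
    # Assumption: description looks like "2;<decimal serial>;<issuer>;<subject>"
    serials = [d.decode().split(";")[1:2] for d in entry.get("description", [])]
    if [str(cert_serial(der))] not in serials:
        problems.append("description serial does not match the ra-agent.pem cert")
    return problems

# --- constructed sample data: a DER stub, not a real certificate ---
def fake_cert(serial):
    tbs = b"\xa0\x03\x02\x01\x02" + b"\x02\x01" + bytes([serial])
    return b"\x30" + bytes([len(tbs) + 2]) + b"\x30" + bytes([len(tbs)]) + tbs

def to_pem(der):
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

def sample_ldif(der, serial):
    return ("dn: uid=ipara,ou=people,o=ipaca\n"
            f"description: 2;{serial};CN=Certificate Authority,O=EXAMPLE.TEST;"
            "CN=IPA RA,O=EXAMPLE.TEST\n"
            f"usercertificate:: {base64.b64encode(der).decode()}\n")

if __name__ == "__main__":
    current, old = fake_cert(7), fake_cert(5)
    print(check_ra_agent(to_pem(current), sample_ldif(current, 7)))  # in sync
    print(check_ra_agent(to_pem(current), sample_ldif(old, 5)))      # stale entry
```

An empty list means the file and the LDAP entry agree; either message points at the attribute to repair.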