Hi,

Let's restart this investigation from scratch. When you run "ipa cert-show 1", does it trigger any log in /var/log/httpd/access_log and /var/log/httpd/ssl_request_log? On a working instance I have the following:

in access_log:
10.0.138.204 - - [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/certs/1 HTTP/1.1" 200 9973
10.0.138.204 - - [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/account/login HTTP/1.1" 200 304
10.0.138.204 - - [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/authorities/7126aa53-8759-424c-92ca-17d36df4a183/cert HTTP/1.1" 200 1158
10.0.138.204 - - [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/account/logout HTTP/1.1" 204 -

in ssl_request_log:
[16/Dec/2022:09:20:32 -0500] 10.0.138.204 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /ca/rest/certs/1 HTTP/1.1" 9973
[16/Dec/2022:09:20:32 -0500] 10.0.138.204 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /ca/rest/account/login HTTP/1.1" 304
[16/Dec/2022:09:20:32 -0500] 10.0.138.204 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /ca/rest/authorities/7126aa53-8759-424c-92ca-17d36df4a183/cert HTTP/1.1" 1158
[16/Dec/2022:09:20:32 -0500] 10.0.138.204 TLSv1.3 TLS_AES_256_GCM_SHA384 "GET /ca/rest/account/logout HTTP/1.1" -

We can see the first operation that is not authenticated (ca/rest/certs/1), then the second one requires authentication (/ca/rest/account/login executed before /ca/rest/authorities/xxx).

Is there a corresponding log in /var/log/pki/pki-tomcat/localhost_access_log.$DATE.txt? When the AJP connector is properly set, the operation should also be visible here, for instance:
10.0.138.204 - - [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/certs/1 HTTP/1.1" 200 9973
10.0.138.204 - ipara [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/account/login HTTP/1.1" 200 304
10.0.138.204 - ipara [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/authorities/7126aa53-8759-424c-92ca-17d36df4a183/cert HTTP/1.1" 200 1158
10.0.138.204 - ipara [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/account/logout HTTP/1.1" 204 -

Then the logs in /var/log/pki/pki-tomcat/ca/debug.$DATE.log should show the operations with:
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] INFO: Getting certificate 0x1
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: PKIRealm: Authenticating certificate chain:
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: PKIRealm: - CN=IPA RA, O=IPA.TEST
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: CertUserDBAuthentication: UID ipara authenticated.
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: PKIRealm: User ID: ipara
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: UGSubsystem: retrieving user uid=ipara,ou=People,o=ipaca
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: PKIRealm: User DN: uid=ipara,ou=people,o=ipaca
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: PKIRealm: Roles:
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: PKIRealm: - Certificate Manager Agents
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: PKIRealm: - Registration Manager Agents
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: PKIRealm: - Security Domain Administrators
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: PKIRealm: - Enterprise ACME Administrators
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: AAclAuthz: Granting login permission for certServer.ca.account

As the authentication is done with the RA cert, and we saw that your RA cert has serial=7, we need to ensure that the cert is valid: what is the output of
ldapsearch -D cn=directory\ manager -W -b "cn=7,ou=certificateRepository, ou=ca,o=ipaca"

The output should display certStatus: VALID and userCertificate;binary should contain the same cert as /var/lib/ipa/ra-agent.pem

flo

On Thu, Dec 15, 2022 at 3:34 AM junhou he via FreeIPA-users <[email protected]> wrote:
> Hi,
>
> we disable selinux
> ls -lZ /var/lib/ipa/ra-agent.*
> -rwxrwxrwx 1 root ipaapi ? 1704 Nov 16 10:33 /var/lib/ipa/ra-agent.key
> -rwxrwxrwx 1 root ipaapi ? 1399 Nov 16 10:33 /var/lib/ipa/ra-agent.pem
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
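The message above explains which log files a working "ipa cert-show" should touch: httpd's access_log, then (if the AJP connector is set up) pki-tomcat's localhost_access_log with the agent user ipara on the authenticated calls. The following script, added here as an editor's example and not part of the mailing-list thread, turns that reasoning into a check: it parses both files (Common Log Format, as shown in the message), reports /ca/rest requests that httpd proxied but tomcat never logged, and flags protected endpoints that tomcat served without the ipara user. The working log lines are copied from the message; the "no AJP" and "auth failed" cases are constructed for the example, and the set of prefixes treated as agent-protected is an assumption drawn from the message's own call sequence.

```python
"""Added example (not code from the FreeIPA-users thread): correlate the
/ca/rest/ requests logged by httpd with the ones that reached pki-tomcat
over the AJP connector, using the Common Log Format shown in the message."""
import re
from collections import Counter

# Common Log Format: host ident authuser [timestamp] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

# Assumption drawn from the message's sequence: login, the authority cert
# fetch and logout are served only after the RA cert authenticated as ipara.
AUTH_REQUIRED_PREFIXES = ("/ca/rest/account/", "/ca/rest/authorities/")


def parse_clf(text):
    """Parse CLF lines into dicts; blank lines are skipped, bad lines raise."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = CLF_RE.match(line)
        if not m:
            raise ValueError("unparseable log line: " + line)
        d = m.groupdict()
        d["status"] = int(d["status"])
        entries.append(d)
    return entries


def _key(e):
    # Match httpd and tomcat lines on (timestamp, method, path); the status may
    # legitimately differ between the two sides, so it is not part of the key.
    return (e["ts"], e["method"], e["path"])


def correlate(httpd_log, tomcat_log, agent_user="ipara"):
    """Return a report dict:
    - 'missing_in_tomcat': /ca/rest paths httpd proxied but tomcat never logged
      (the symptom of an AJP connector problem);
    - 'unauthenticated': agent-protected paths tomcat served with a user other
      than agent_user (the RA cert did not authenticate);
    - 'ok': number of httpd requests with a matching tomcat line."""
    httpd = [e for e in parse_clf(httpd_log) if e["path"].startswith("/ca/rest/")]
    tomcat = parse_clf(tomcat_log)
    tomcat_keys = Counter(_key(e) for e in tomcat)   # 1:1 matching of repeats
    missing, ok = [], 0
    for e in httpd:
        k = _key(e)
        if tomcat_keys[k] > 0:
            tomcat_keys[k] -= 1
            ok += 1
        else:
            missing.append(e["path"])
    unauth = [
        e["path"] for e in tomcat
        if e["path"].startswith(AUTH_REQUIRED_PREFIXES) and e["user"] != agent_user
    ]
    return {"missing_in_tomcat": missing, "unauthenticated": unauth, "ok": ok}


# ---- sample data: working lines copied from the message, failure cases constructed ----
HTTPD_ACCESS_LOG = """\
10.0.138.204 - - [16/Dec/2022:09:20:31 -0500] "POST /ipa/json HTTP/1.1" 200 1234
10.0.138.204 - - [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/certs/1 HTTP/1.1" 200 9973
10.0.138.204 - - [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/account/login HTTP/1.1" 200 304
10.0.138.204 - - [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/authorities/7126aa53-8759-424c-92ca-17d36df4a183/cert HTTP/1.1" 200 1158
10.0.138.204 - - [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/account/logout HTTP/1.1" 204 -
"""
TOMCAT_LOG_WORKING = """\
10.0.138.204 - - [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/certs/1 HTTP/1.1" 200 9973
10.0.138.204 - ipara [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/account/login HTTP/1.1" 200 304
10.0.138.204 - ipara [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/authorities/7126aa53-8759-424c-92ca-17d36df4a183/cert HTTP/1.1" 200 1158
10.0.138.204 - ipara [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/account/logout HTTP/1.1" 204 -
"""
TOMCAT_LOG_NO_AJP = ""            # constructed: nothing reached tomcat at all
TOMCAT_LOG_AUTH_FAILED = """\
10.0.138.204 - - [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/certs/1 HTTP/1.1" 200 9973
10.0.138.204 - - [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/account/login HTTP/1.1" 401 -
"""                                # constructed: RA cert was not accepted

if __name__ == "__main__":
    for label, log in [("working", TOMCAT_LOG_WORKING), ("no-ajp", TOMCAT_LOG_NO_AJP),
                       ("auth-failed", TOMCAT_LOG_AUTH_FAILED)]:
        print(label, correlate(HTTPD_ACCESS_LOG, log))
```

Run it against the real files by reading /var/log/httpd/access_log and /var/log/pki/pki-tomcat/localhost_access_log.$DATE.txt in place of the sample strings; an empty "missing_in_tomcat" list with "ok" equal to the number of /ca/rest requests is what the working instance in the message looks like, while a full "missing_in_tomcat" list points at the AJP connector and an entry in "unauthenticated" points at the RA cert.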
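The last step in the message is to confirm that the CA's record for serial 7 has certStatus VALID and that its userCertificate;binary is byte-for-byte the certificate in /var/lib/ipa/ra-agent.pem. Doing that by eye is error-prone because ldapsearch base64-encodes the attribute and folds it across continuation lines. The script below is an editor's added example, not code from the thread or from FreeIPA: it decodes the PEM file to DER, parses the LDIF that ldapsearch prints (unfolding continuation lines and decoding "::" values), compares the two and prints a SHA-256 fingerprint. The certificate bytes embedded here are a constructed placeholder rather than a real X.509 certificate, and the "stale" and "revoked" LDIF entries are constructed to show the two failure modes; in practice feed it the real file and the real ldapsearch output.

```python
"""Added example (not code from the FreeIPA-users thread): check that the RA
agent cert on disk is the one stored under cn=7,ou=certificateRepository,
ou=ca,o=ipaca and that its certStatus is VALID, from the LDIF ldapsearch prints."""
import base64
import hashlib
import re


def pem_to_der(pem_text):
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def parse_ldif_entry(ldif_text):
    """Parse one LDIF entry into {attr: [values]}.

    Handles the two things that trip up grep-based checks: continuation lines
    (a leading single space) that ldapsearch emits when wrapping long values,
    and base64 values ('attr:: ...'), which are decoded to bytes."""
    unfolded = []
    for raw in ldif_text.splitlines():
        if raw.startswith("#") or not raw.strip():
            continue
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # RFC 2849 line folding
        else:
            unfolded.append(raw)
    attrs = {}
    for line in unfolded:
        m = re.match(r"^([^:]+)(::?)\s*(.*)$", line)
        if not m:
            raise ValueError("bad LDIF line: " + line)
        name, sep, value = m.groups()
        attrs.setdefault(name, []).append(base64.b64decode(value) if sep == "::" else value)
    return attrs


def sha256_fingerprint(der):
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def check_ra_cert(pem_text, ldif_text):
    """Compare the on-disk RA cert with the CA's record for the same serial."""
    disk_der = pem_to_der(pem_text)
    entry = parse_ldif_entry(ldif_text)
    status = entry.get("certStatus", ["<missing>"])[0]
    same = any(c == disk_der for c in entry.get("userCertificate;binary", []))
    return {
        "certStatus": status,
        "valid": status == "VALID",
        "matches_disk": same,
        "disk_fingerprint": sha256_fingerprint(disk_der),
        "ok": status == "VALID" and same,
    }


# ---- constructed sample data: NOT a real certificate ----
FAKE_DER = b"CONSTRUCTED PLACEHOLDER DER BYTES, NOT A REAL X.509 CERTIFICATE " * 3


def _pem(der):
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def _ldif(der, status):
    """Mimic ldapsearch output: base64 value folded at 76 columns."""
    line = "userCertificate;binary:: " + base64.b64encode(der).decode()
    folded = [line[:76]] + [" " + line[i:i + 75] for i in range(76, len(line), 75)]
    return ("dn: cn=7,ou=certificateRepository,ou=ca,o=ipaca\n"
            "cn: 7\n"
            f"certStatus: {status}\n" + "\n".join(folded) + "\n")


RA_AGENT_PEM = _pem(FAKE_DER)
LDIF_GOOD = _ldif(FAKE_DER, "VALID")
LDIF_STALE = _ldif(FAKE_DER[:-1] + b"?", "VALID")    # CA holds a different cert
LDIF_REVOKED = _ldif(FAKE_DER, "REVOKED")            # same cert, but revoked

if __name__ == "__main__":
    for label, ldif in [("good", LDIF_GOOD), ("stale", LDIF_STALE), ("revoked", LDIF_REVOKED)]:
        print(label, check_ra_cert(RA_AGENT_PEM, ldif))
```

With OpenLDAP's ldapsearch you can pass -o ldif-wrap=no to avoid the folding altogether, but the parser above copes with either form, so the output of the exact command in the message can be saved to a file and passed in unchanged. A "stale" result (VALID but not matching the disk cert) means the CA record and ra-agent.pem have drifted apart, which is a different problem from a REVOKED status and is worth telling apart before touching anything.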
