Hi,
On Mon, Dec 19, 2022 at 3:25 AM junhou he via FreeIPA-users <[email protected]> wrote:

> Hi,
> tail -f /var/log/pki/pki-tomcat/localhost_access_log.2022-12-19.txt
> 10.100.0.213 - - [19/Dec/2022:09:59:45 +0800] "GET /ca/rest/certs/1 HTTP/1.1" 200 9991
> 10.100.0.213 - - [19/Dec/2022:09:59:45 +0800] "GET /ca/rest/account/login HTTP/1.1" 401 669
> 10.100.0.213 - - [19/Dec/2022:10:00:01 +0800] "GET /ca/rest/certs/1 HTTP/1.1" 200 9991
> 10.100.0.213 - - [19/Dec/2022:10:00:01 +0800] "GET /ca/rest/account/login HTTP/1.1" 401 669
> 10.100.0.213 - - [19/Dec/2022:10:01:50 +0800] "GET /ca/rest/certs/1 HTTP/1.1" 200 9991
> 10.100.0.213 - - [19/Dec/2022:10:01:50 +0800] "GET /ca/rest/account/login HTTP/1.1" 401 669
> 10.100.0.213 - - [19/Dec/2022:10:03:33 +0800] "GET /ca/rest/certs/1 HTTP/1.1" 200 9991
> 10.100.0.213 - - [19/Dec/2022:10:03:33 +0800] "GET /ca/rest/account/login HTTP/1.1" 401 669
>

As the logs show the login op, it means that the server.xml and /etc/httpd/conf.d/ipa-pki-proxy.conf are consistent.

Do you see any log in /var/log/pki/pki-tomcat/ca/debug.$DATE.log starting with a line like:

[ajp-nio-0:0:0:0:0:0:0:1-8009-exec-9] INFO: PKIRealm: Authenticating certificate chain:

The lines after this one should contain more information, like cert not revoked, the user the cert is mapped to, ...

Other things that could be checked:

- do multiple users map to this certificate? Look in dirsrv access log (/var/log/dirsrv/slapd-<domain>/access) for a SRCH op similar to:
  SRCH base="ou=People,o=ipaca" scope=2 filter="(description=2;7;CN=Certificate Authority,O=WINGON.HK;CN=IPA RA,O=WINGON.HK)"
  Does the corresponding RESULT line show nentries=1 or a different number of results?

- is the ipara user a member of the right groups?
ldapsearch -D "cn=directory manager" -W -b ou=Groups,o=ipaca "(&(objectClass=groupofuniquenames)(uniqueMember=uid=ipara,ou=people,o=ipaca))" cn description

flo

> ldapsearch -D cn=directory\ manager -W -b "cn=7,ou=certificateRepository,ou=ca,o=ipaca"
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=7,ou=certificateRepository,ou=ca,o=ipaca> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # 7, certificateRepository, ca, ipaca
> dn: cn=7,ou=certificateRepository,ou=ca,o=ipaca
> objectClass: top
> objectClass: certificateRecord
> serialno: 017
> metaInfo: requestId:7
> metaInfo: profileId:caSubsystemCert
> notBefore: 20221116103302Z
> notAfter: 20241105103302Z
> duration: 1162208000000
> subjectName: CN=IPA RA,O=WINGON.HK
> issuerName: CN=Certificate Authority,O=WINGON.HK
> publicKeyData:: [base64 value omitted]
> extension: 2.5.29.35
> extension: 1.3.6.1.5.5.7.1.1
> extension: 2.5.29.37
> extension: 2.5.29.15
> userCertificate;binary:: [base64 value omitted]
> version: 2
> algorithmId: 1.2.840.113549.1.1.1
> signingAlgorithmId: 1.2.840.113549.1.1.11
> dateOfCreate: 20221116103303Z
> dateOfModify: 20221116103303Z
> certStatus: VALID
> autoRenew: ENABLED
> issuedBy: admin
> cn: 7
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> cat /var/lib/ipa/ra-agent.pem
> -----BEGIN CERTIFICATE-----
> [base64 certificate body omitted]
> -----END CERTIFICATE-----
>
> the cert is valid, and the binary contains the same cert as
> /var/lib/ipa/ra-agent.pem, but the logs show unauthorized
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
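The dirsrv check suggested in the reply above (find the SRCH on the certificate description under ou=People,o=ipaca and read nentries from the RESULT line of the same conn/op) as a script. This is an added example, not code from the thread or from FreeIPA/Dogtag; the access-log lines it parses are constructed samples whose conn/op numbers and nentries value are invented.

```python
import re

# Constructed sample 389-ds access-log lines (not real data). The SRCH filter copies the one
# quoted in the thread; the conn/op numbers and the nentries value are invented.
SAMPLE_LOG = """\
[19/Dec/2022:10:00:01 +0800] conn=42 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[19/Dec/2022:10:00:01 +0800] conn=42 op=1 RESULT err=0 tag=97 nentries=0 etime=0.001
[19/Dec/2022:10:00:01 +0800] conn=42 op=2 SRCH base="ou=People,o=ipaca" scope=2 filter="(description=2;7;CN=Certificate Authority,O=WINGON.HK;CN=IPA RA,O=WINGON.HK)" attrs=ALL
[19/Dec/2022:10:00:01 +0800] conn=42 op=2 RESULT err=0 tag=101 nentries=2 etime=0.002
[19/Dec/2022:10:00:01 +0800] conn=42 op=3 UNBIND
"""

# A PKIRealm certificate-mapping lookup: a subtree search under ou=People,o=ipaca on the
# description attribute, which stores "2;<serial>;<issuer DN>;<subject DN>".
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=\d+ '
                     r'filter="(\(description=[^"]*\))"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) .*?nentries=(\d+)')


def cert_mapping_results(log_text):
    """Return [(filter, err, nentries)] for each description SRCH; SRCH and RESULT are joined on (conn, op)."""
    pending = {}  # (conn, op) -> filter, for searches whose RESULT line has not been seen yet
    found = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m and m.group(3).lower() == "ou=people,o=ipaca":
            pending[(m.group(1), m.group(2))] = m.group(4)
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            found.append((pending.pop((m.group(1), m.group(2))),
                          int(m.group(3)), int(m.group(4))))
    return found


def diagnose(log_text):
    """Classify each lookup: 'ok' only when exactly one user carries the mapping."""
    verdicts = []
    for flt, err, n in cert_mapping_results(log_text):
        if err != 0:
            verdicts.append((flt, "ldap error %d" % err))
        elif n == 0:
            verdicts.append((flt, "no user has this description; cert not mapped"))
        elif n > 1:
            verdicts.append((flt, "%d users match; mapping is ambiguous" % n))
        else:
            verdicts.append((flt, "ok"))
    return verdicts
```

Run `diagnose()` over the real /var/log/dirsrv/slapd-<domain>/access; any verdict other than "ok" explains a 401 on /ca/rest/account/login even when the certificate itself is valid.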
