[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

Thu, 22 Dec 2022 07:49:21 -0800 

Florence Blanc-Renaud via FreeIPA-users wrote:
> Hi,
> 
> the FINE logs should be visible in the journal.

Let me add that tail may not be the best way to collect the logs.

389-ds by default has a 30-second buffer, so depending on timing the
associated searches may or may not be included in the tail.

Similarly with PKI it often tries to proceed on error so the last error
is not always relevant.

So collecting by time can be more effective, e.g. I ran ipa cert-show 1
at 08:32:33 UTC and it completed 5 seconds later so collect the logging
between those times, perhaps with a bit more time at the end to account
for logging that might happen after the command(s) execute.

rob

> flo
> 
> On Thu, Dec 22, 2022 at 5:20 AM junhou he via FreeIPA-users
> <[email protected]
> <mailto:[email protected]>> wrote:
> 
>     Hi,
>     [root@wocfreeipa conf]# ipa cert-show 1
>     ipa: ERROR: Failed to authenticate to CA REST API
>     [root@wocfreeipa conf]# cat
>     /var/lib/pki/pki-tomcat/conf/logging.properties | grep FINE
>     1catalina.org.apache.juli.FileHandler.level = FINE
>     2localhost.org.apache.juli.FileHandler.level = FINE
>     3manager.org.apache.juli.FileHandler.level = FINE
>     4host-manager.org.apache.juli.FileHandler.level = FINE
>     java.util.logging.ConsoleHandler.level = FINE
>     .level = FINE
>     org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level
>     = FINE
>     
> org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level
>     = FINE
>     
> org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level
>     = FINE
>     org.mozilla.jss.level = FINE
>     org.dogtagpki.level = FINE
>     com.netscape.level = FINE
>     netscape.level = FINE
>     [root@wocfreeipa conf]#
> 
> 
> 
>      tail -f /var/log/pki/pki-tomcat/ca/debug.2022-12-22.log
>     2022-12-22 08:38:17 [CertStatusUpdateTask] INFO: DBVirtualList:
>     Searching ou=certificateRepository, ou=ca,o=ipaca
>     2022-12-22 08:38:17 [CertStatusUpdateTask] INFO: DBVirtualList:
>     filter: (certStatus=VALID)
>     2022-12-22 08:38:17 [CertStatusUpdateTask] INFO: DBVirtualList: dn:
>     cn=2,ou=certificateRepository,ou=ca,o=ipaca
>     2022-12-22 08:38:17 [CertStatusUpdateTask] INFO:
>     CertStatusUpdateTask: Updating revoked certs to expired
>     2022-12-22 08:38:17 [CertStatusUpdateTask] INFO: DBVirtualList:
>     Searching ou=certificateRepository, ou=ca,o=ipaca
>     2022-12-22 08:38:17 [CertStatusUpdateTask] INFO: DBVirtualList:
>     filter: (certStatus=REVOKED)
>     2022-12-22 08:38:17 [SerialNumberUpdateTask] INFO:
>     SerialNumberUpdateTask: Updating serial number counter
>     2022-12-22 08:38:17 [SerialNumberUpdateTask] INFO:
>     SerialNumberUpdateTask: Checking serial number ranges
>     2022-12-22 08:38:17 [SerialNumberUpdateTask] INFO:
>     SerialNumberUpdateTask: Checking request ID ranges
>     2022-12-22 08:38:17 [Timer-0] INFO: SessionTimer: checking security
>     domain sessions
>     2022-12-22 08:38:49 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] INFO:
>     Getting certificate 0x1
>     2022-12-22 08:38:49 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] INFO:
>     LDAPSession: reading cn=1,ou=certificateRepository, ou=ca,o=ipaca
> 
>     tail -f /var/log/dirsrv/slapd-WINGON-HK/access
>     [22/Dec/2022:08:38:17.233886267 +0800] conn=19 op=21 SRCH
>     base="ou=certificateRepository,ou=ca,o=ipaca" scope=0
>     filter="(|(objectClass=*)(objectClass=ldapsubentry))"
>     attrs="description"
>     [22/Dec/2022:08:38:17.234010458 +0800] conn=19 op=21 RESULT err=0
>     tag=101 nentries=1 wtime=0.014734052 optime=0.000125838
>     etime=0.014858013
>     [22/Dec/2022:08:38:17.847746019 +0800] conn=27 op=8 SRCH
>     base="ou=sessions,ou=Security Domain,o=ipaca" scope=2
>     filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
>     [22/Dec/2022:08:38:17.847992778 +0800] conn=27 op=8 RESULT err=32
>     tag=101 nentries=0 wtime=0.000158299 optime=0.000259281
>     etime=0.000414694
>     [22/Dec/2022:08:38:19.598578843 +0800] conn=28 op=13 SRCH
>     base="ou=authorizations,ou=acme,o=ipaca" scope=2
>     filter="(acmeExpires<=20221222003819+0000)" attrs="1.1"
>     [22/Dec/2022:08:38:19.598863277 +0800] conn=28 op=13 RESULT err=0
>     tag=101 nentries=0 wtime=0.000157043 optime=0.000287685
>     etime=0.000440875
>     [22/Dec/2022:08:38:19.599268909 +0800] conn=28 op=14 SRCH
>     base="ou=orders,ou=acme,o=ipaca" scope=2
>     filter="(acmeExpires<=20221222003819+0000)" attrs="1.1"
>     [22/Dec/2022:08:38:19.599396932 +0800] conn=28 op=14 RESULT err=0
>     tag=101 nentries=0 wtime=0.000379314 optime=0.000128884
>     etime=0.000506447
>     [22/Dec/2022:08:38:19.601650121 +0800] conn=28 op=15 SRCH
>     base="ou=certificates,ou=acme,o=ipaca" scope=2
>     filter="(acmeExpires<=20221222003819+0000)" attrs="1.1"
>     [22/Dec/2022:08:38:19.601790342 +0800] conn=28 op=15 RESULT err=0
>     tag=101 nentries=0 wtime=0.002236364 optime=0.000142754
>     etime=0.002376855
>     [22/Dec/2022:08:38:23.202178746 +0800] conn=42 fd=117 slot=117
>     connection from 10.99.16.212 to 10.100.0.213
>     [22/Dec/2022:08:38:23.203751921 +0800] conn=42 op=0 BIND dn=""
>     method=sasl version=3 mech=GSSAPI
>     [22/Dec/2022:08:38:23.206551310 +0800] conn=42 op=0 RESULT err=14
>     tag=97 nentries=0 wtime=0.000344548 optime=0.002794049
>     etime=0.003136691, SASL bind in progress
>     [22/Dec/2022:08:38:23.207866158 +0800] conn=42 op=1 BIND dn=""
>     method=sasl version=3 mech=GSSAPI
>     [22/Dec/2022:08:38:23.209540560 +0800] conn=42 op=1 RESULT err=14
>     tag=97 nentries=0 wtime=0.000149285 optime=0.001684787
>     etime=0.001832976, SASL bind in progress
>     [22/Dec/2022:08:38:23.210611657 +0800] conn=42 op=2 BIND dn=""
>     method=sasl version=3 mech=GSSAPI
>     [22/Dec/2022:08:38:23.211258671 +0800] conn=42 op=2 RESULT err=0
>     tag=97 nentries=0 wtime=0.000128945 optime=0.000663926
>     etime=0.000791870
>     dn="krbprincipalname=ldap/[email protected]
>     
> <mailto:[email protected]>,cn=services,cn=accounts,dc=wingon,dc=hk"
>     [22/Dec/2022:08:38:23.212523743 +0800] conn=42 op=3 SRCH base=""
>     scope=0 filter="(objectClass=*)" attrs="supportedControl
>     supportedExtension"
>     [22/Dec/2022:08:38:23.213906216 +0800] conn=42 op=3 RESULT err=0
>     tag=101 nentries=1 wtime=0.000264956 optime=0.001388203
>     etime=0.001651902
>     [22/Dec/2022:08:38:23.215132145 +0800] conn=42 op=4 SRCH base=""
>     scope=0 filter="(objectClass=*)" attrs="supportedControl
>     supportedExtension"
>     [22/Dec/2022:08:38:23.216723816 +0800] conn=42 op=4 RESULT err=0
>     tag=101 nentries=1 wtime=0.000159669 optime=0.001596932
>     etime=0.001755369
>     [22/Dec/2022:08:38:23.217967046 +0800] conn=42 op=5 EXT
>     oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
>     [22/Dec/2022:08:38:23.218703628 +0800] conn=42 op=5 RESULT err=0
>     tag=120 nentries=0 wtime=0.000182814 optime=0.000749303
>     etime=0.000931176
>     [22/Dec/2022:08:38:23.222687297 +0800] conn=42 op=6 EXT
>     oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
>     [22/Dec/2022:08:38:23.224177305 +0800] conn=42 op=6 RESULT err=0
>     tag=120 nentries=0 wtime=0.000158357 optime=0.001488320
>     etime=0.001640472
>     [22/Dec/2022:08:38:49.307392953 +0800] conn=43 fd=121 slot=121
>     connection from 10.100.0.213 to 10.100.0.213
>     [22/Dec/2022:08:38:49.309912944 +0800] conn=43 op=0 BIND dn=""
>     method=sasl version=3 mech=GSS-SPNEGO
>     [22/Dec/2022:08:38:49.311877794 +0800] conn=43 op=0 RESULT err=0
>     tag=97 nentries=0 wtime=0.000234961 optime=0.001969243
>     etime=0.002203214 dn="uid=admin,cn=users,cn=accounts,dc=wingon,dc=hk"
>     [22/Dec/2022:08:38:49.321041547 +0800] conn=43 op=1 SRCH
>     base="cn=ipaconfig,cn=etc,dc=wingon,dc=hk" scope=0
>     filter="(objectClass=*)" attrs=ALL
>     [22/Dec/2022:08:38:49.321543659 +0800] conn=43 op=1 RESULT err=0
>     tag=101 nentries=1 wtime=0.000129599 optime=0.000504156
>     etime=0.000632090
>     [22/Dec/2022:08:38:49.322646358 +0800] conn=43 op=2 SRCH
>     base="cn=masters,cn=ipa,cn=etc,dc=wingon,dc=hk" scope=2
>     filter="(&(objectClass=ipaConfigObject)(cn=CA))" attrs=ALL
>     [22/Dec/2022:08:38:49.323086920 +0800] conn=43 op=2 RESULT err=0
>     tag=101 nentries=1 wtime=0.000081437 optime=0.000441018
>     etime=0.000520830
>     [22/Dec/2022:08:38:49.323798035 +0800] conn=43 op=3 SRCH
>     base="cn=masters,cn=ipa,cn=etc,dc=wingon,dc=hk" scope=2
>     
> filter="(&(&(objectClass=ipaConfigObject)(cn=CA))(|(ipaConfigString=enabledService)(ipaConfigString=hiddenService)))"
>     attrs="ipaConfigString"
>     [22/Dec/2022:08:38:49.324181733 +0800] conn=43 op=3 RESULT err=0
>     tag=101 nentries=1 wtime=0.000081926 optime=0.000384241
>     etime=0.000464637
>     [22/Dec/2022:08:38:49.347011565 +0800] conn=19 op=23 SRCH
>     base="cn=1,ou=certificateRepository,ou=ca,o=ipaca" scope=0
>     filter="(objectClass=*)" attrs=ALL
>     [22/Dec/2022:08:38:49.347206355 +0800] conn=19 op=23 RESULT err=0
>     tag=101 nentries=1 wtime=0.000096368 optime=0.000196426
>     etime=0.000290580
>     [22/Dec/2022:08:38:49.365442853 +0800] conn=43 op=4 EXT
>     oid="1.3.6.1.4.1.4203.1.11.3" name="whoami-plugin"
>     [22/Dec/2022:08:38:49.365513662 +0800] conn=43 op=4 RESULT err=0
>     tag=120 nentries=0 wtime=0.000094022 optime=0.000081234
>     etime=0.000173235
>     [22/Dec/2022:08:38:49.365762008 +0800] conn=43 op=5 SRCH
>     base="cn=retrieve certificate,cn=virtual
>     operations,cn=etc,dc=wingon,dc=hk" scope=0 filter="(objectClass=*)"
>     attrs="objectClass"
>     [22/Dec/2022:08:38:49.366479995 +0800] conn=43 op=5 RESULT err=0
>     tag=101 nentries=1 wtime=0.000093224 optime=0.000719504
>     etime=0.000810644 - entryLevelRights: vadn
>     [22/Dec/2022:08:38:49.368369619 +0800] conn=43 op=6 SRCH
>     base="cn=cas,cn=ca,dc=wingon,dc=hk" scope=2
>     filter="(&(cn=ipa)(objectClass=ipaca))" attrs=""
>     [22/Dec/2022:08:38:49.368729116 +0800] conn=43 op=6 RESULT err=0
>     tag=101 nentries=1 wtime=0.000103659 optime=0.000361339
>     etime=0.000463243
>     [22/Dec/2022:08:38:49.369339524 +0800] conn=43 op=7 SRCH
>     base="cn=ipa,cn=cas,cn=ca,dc=wingon,dc=hk" scope=0
>     filter="(objectClass=*)" attrs="description ipaCaIssuerDN
>     ipaCaSubjectDN ipaCaId cn"
>     [22/Dec/2022:08:38:49.369580767 +0800] conn=43 op=7 RESULT err=0
>     tag=101 nentries=1 wtime=0.000068199 optime=0.000242285
>     etime=0.000309020
>     [22/Dec/2022:08:38:49.370906130 +0800] conn=43 op=8 SRCH
>     base="cn=masters,cn=ipa,cn=etc,dc=wingon,dc=hk" scope=2
>     
> filter="(&(&(objectClass=ipaConfigObject)(cn=CA))(|(ipaConfigString=enabledService)(ipaConfigString=hiddenService)))"
>     attrs="ipaConfigString"
>     [22/Dec/2022:08:38:49.371330577 +0800] conn=43 op=8 RESULT err=0
>     tag=101 nentries=1 wtime=0.000076944 optime=0.000424999
>     etime=0.000500342
>     [22/Dec/2022:08:38:49.405392008 +0800] conn=43 op=9 UNBIND
>     [22/Dec/2022:08:38:49.405422974 +0800] conn=43 op=9 fd=121 closed
>     error - U1
> 
>     _______________________________________________
>     FreeIPA-users mailing list -- [email protected]
>     <mailto:[email protected]>
>     To unsubscribe send an email to
>     [email protected]
>     <mailto:[email protected]>
>     Fedora Code of Conduct:
>     https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>     List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>     List Archives:
>     
> https://lists.fedorahosted.org/archives/list/[email protected]
>     Do not reply to spam, report it:
>     https://pagure.io/fedora-infrastructure/new_issue
> 
> 
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: 
> https://pagure.io/fedora-infrastructure/new_issue
> 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Reply via email to