[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2023-01-04 Thread Florence Blanc-Renaud via FreeIPA-users
On Wed, Jan 4, 2023 at 4:05 AM junhou he via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hi,
>
> when I use mod_ssl everything works fine, thanks a lot for your help!!!
>
Thanks for letting us know, I must say I'm relieved we finally found the
root cause :)
flo


>
> thanks
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2023-01-03 Thread junhou he via FreeIPA-users
Hi,

when I use mod_ssl everything works fine, thanks a lot for your help!!!

thanks


[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2023-01-03 Thread Florence Blanc-Renaud via FreeIPA-users
Sorry, hit send too soon.

On Tue, Jan 3, 2023 at 1:53 PM Florence Blanc-Renaud  wrote:

> Hi,
>
>
> On Tue, Jan 3, 2023 at 9:20 AM junhou he via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> Hi,
>> I did not change anything in /etc/httpd/conf.d/ipa-pki-proxy.conf
>> # matches for REST API of CA, KRA, and PKI
>> 
>> SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
>> SSLVerifyClient optional
>> ProxyPassMatch ajp://localhost:8009
>> secret=9YiPRrt1izX7zjQ2PLQwyIkLdEKMwArNdEEuyPHiHVCG
>> ProxyPassReverse ajp://localhost:8009
>> 
>>
>> [root@wocfreeipa ~]# certutil -L -d /etc/httpd/alias/
>>
>> Certificate Nickname Trust
>> Attributes
>>
>>  SSL,S/MIME,JAR/XPI
>>
>> WINGON.HK IPA CA CT,C,C
>> Go Daddy Secure Certificate Authority - G2 - GoDaddy.com, Inc. CT,C,C
>> Go Daddy Root Certificate Authority - G2 - The Go Daddy Group, Inc. CT,C,C
>> Go Daddy Class 2 Certification Authority - The Go Daddy Group, Inc. CT,C,C
>> Server-Cert  u,u,u
>>
> ^^ I'm surprised that your http cert is stored in /etc/httpd/alias. With
> IPA 4.9.8, httpd is using mod_ssl instead of mod_nss.
> The config file /etc/httpd/conf.d/ssl.conf should setup the following:
> SSLCertificateFile /var/lib/ipa/certs/httpd.crt
> SSLCertificateKeyFile /var/lib/ipa/private/httpd.key
> SSLCACertificateFile /etc/ipa/ca.crt
>
> instead of using /etc/httpd/conf.d/nss.conf with the NSS database.
>
> Do you have a config file /etc/httpd/conf.d/ssl.conf or
> /etc/httpd/conf.d/nss.conf? What is the output of "httpd -M"?
>
> The server cert seems to be a wildcard cert, can you
>
Can you show the server cert pem file? I remember issues with wildcard
certs as the recommended way is to add SAN extensions IIRC.


> flo
>
>
>
>> [root@wocfreeipa ~]# certutil  -d /etc/httpd/alias/ -O -n Server-Cert
>> "Go Daddy Class 2 Certification Authority - The Go Daddy Group, Inc."
>> [OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group,
>> Inc.",C=US]
>>
>>   "Go Daddy Root Certificate Authority - G2 - The Go Daddy Group, Inc."
>> [CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com,
>> Inc.",L=Scottsdale,ST=Arizona,C=US]
>>
>> "Go Daddy Secure Certificate Authority - G2 - GoDaddy.com, Inc."
>> [CN=Go Daddy Secure Certificate Authority - G2,OU=
>> http://certs.godaddy.com/repository/,O="GoDaddy.com,
>> Inc.",L=Scottsdale,ST=Arizona,C=US]
>>
>>   "Server-Cert" [CN=*.wingon.hk]
>>
>> [root@wocfreeipa ~]# certutil -L -d /etc/dirsrv/slapd-WINGON-HK/
>>
>> Certificate Nickname Trust
>> Attributes
>>
>>  SSL,S/MIME,JAR/XPI
>>
>> CN=*.wingon.hk   u,u,u
>> WINGON.HK IPA CA CT,C,C
>> OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\,
>> Inc.,C=US C,,
>> CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\,
>> Inc.,L=Scottsdale,ST=Arizona,C=US C,,
>> NSS Certificate DB:NSS Certificate DB:CN=Go Daddy Secure Certificate
>> Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\,
>> Inc.,L=Scottsdale,ST=Arizona,C=US C,,
>> [root@wocfreeipa ~]# certutil -L -d /etc/pki/pki-tomcat/alias/
>>
>> Certificate Nickname Trust
>> Attributes
>>
>>  SSL,S/MIME,JAR/XPI
>>
>> caSigningCert cert-pki-caCTu,Cu,Cu
>> ocspSigningCert cert-pki-ca  u,u,u
>> subsystemCert cert-pki-cau,u,u
>> auditSigningCert cert-pki-ca u,u,Pu
>> Server-Cert cert-pki-ca  u,u,u
>> OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\,
>> Inc.,C=US C,,
>> CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\,
>> Inc.,L=Scottsdale,ST=Arizona,C=US C,,
>> NSS Certificate DB:NSS Certificate DB:CN=Go Daddy Secure Certificate
>> Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\,
>> Inc.,L=Scottsdale,ST=Arizona,C=US C,,
>>
>> I use ipa-cacert-manage install to add the external CA

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2023-01-03 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,


On Tue, Jan 3, 2023 at 9:20 AM junhou he via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hi,
> I did not change anything in /etc/httpd/conf.d/ipa-pki-proxy.conf
> # matches for REST API of CA, KRA, and PKI
> 
> SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
> SSLVerifyClient optional
> ProxyPassMatch ajp://localhost:8009
> secret=9YiPRrt1izX7zjQ2PLQwyIkLdEKMwArNdEEuyPHiHVCG
> ProxyPassReverse ajp://localhost:8009
> 
>
> [root@wocfreeipa ~]# certutil -L -d /etc/httpd/alias/
>
> Certificate Nickname Trust
> Attributes
>
>  SSL,S/MIME,JAR/XPI
>
> WINGON.HK IPA CA CT,C,C
> Go Daddy Secure Certificate Authority - G2 - GoDaddy.com, Inc. CT,C,C
> Go Daddy Root Certificate Authority - G2 - The Go Daddy Group, Inc. CT,C,C
> Go Daddy Class 2 Certification Authority - The Go Daddy Group, Inc. CT,C,C
> Server-Cert  u,u,u
>
^^ I'm surprised that your http cert is stored in /etc/httpd/alias. With
IPA 4.9.8, httpd is using mod_ssl instead of mod_nss.
The config file /etc/httpd/conf.d/ssl.conf should setup the following:
SSLCertificateFile /var/lib/ipa/certs/httpd.crt
SSLCertificateKeyFile /var/lib/ipa/private/httpd.key
SSLCACertificateFile /etc/ipa/ca.crt

instead of using /etc/httpd/conf.d/nss.conf with the NSS database.

Do you have a config file /etc/httpd/conf.d/ssl.conf or
/etc/httpd/conf.d/nss.conf? What is the output of "httpd -M"?

The server cert seems to be a wildcard cert, can you
flo



> [root@wocfreeipa ~]# certutil  -d /etc/httpd/alias/ -O -n Server-Cert
> "Go Daddy Class 2 Certification Authority - The Go Daddy Group, Inc."
> [OU=Go Daddy Class 2 Certification Authority,O="The Go Daddy Group,
> Inc.",C=US]
>
>   "Go Daddy Root Certificate Authority - G2 - The Go Daddy Group, Inc."
> [CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com,
> Inc.",L=Scottsdale,ST=Arizona,C=US]
>
> "Go Daddy Secure Certificate Authority - G2 - GoDaddy.com, Inc."
> [CN=Go Daddy Secure Certificate Authority - G2,OU=
> http://certs.godaddy.com/repository/,O="GoDaddy.com,
> Inc.",L=Scottsdale,ST=Arizona,C=US]
>
>   "Server-Cert" [CN=*.wingon.hk]
>
> [root@wocfreeipa ~]# certutil -L -d /etc/dirsrv/slapd-WINGON-HK/
>
> Certificate Nickname Trust
> Attributes
>
>  SSL,S/MIME,JAR/XPI
>
> CN=*.wingon.hk   u,u,u
> WINGON.HK IPA CA CT,C,C
> OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\,
> Inc.,C=US C,,
> CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\,
> Inc.,L=Scottsdale,ST=Arizona,C=US C,,
> NSS Certificate DB:NSS Certificate DB:CN=Go Daddy Secure Certificate
> Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\,
> Inc.,L=Scottsdale,ST=Arizona,C=US C,,
> [root@wocfreeipa ~]# certutil -L -d /etc/pki/pki-tomcat/alias/
>
> Certificate Nickname Trust
> Attributes
>
>  SSL,S/MIME,JAR/XPI
>
> caSigningCert cert-pki-caCTu,Cu,Cu
> ocspSigningCert cert-pki-ca  u,u,u
> subsystemCert cert-pki-cau,u,u
> auditSigningCert cert-pki-ca u,u,Pu
> Server-Cert cert-pki-ca  u,u,u
> OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\,
> Inc.,C=US C,,
> CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\,
> Inc.,L=Scottsdale,ST=Arizona,C=US C,,
> NSS Certificate DB:NSS Certificate DB:CN=Go Daddy Secure Certificate
> Authority - G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\,
> Inc.,L=Scottsdale,ST=Arizona,C=US C,,
>
> I use ipa-cacert-manage install to add the external CA
>
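A check for the mismatch Florence describes above (httpd still on mod_nss with an NSS database in /etc/httpd/alias, instead of the mod_ssl layout IPA 4.9.x expects), written as an added example that is not part of this thread. It audits `httpd -M` output and the two config files as plain text; the sample inputs are constructed, and the mod_nss directives in them are only illustrative.

```python
"""Audit which TLS stack httpd uses and whether the IPA 4.9 mod_ssl paths are in place.

Added example, not code from the thread or from FreeIPA. The expected paths are the
ones Florence lists; everything else (sample inputs, directive names) is constructed.
"""
import re
import subprocess

SSL_CONF = "/etc/httpd/conf.d/ssl.conf"   # mod_ssl configuration (expected)
NSS_CONF = "/etc/httpd/conf.d/nss.conf"   # mod_nss configuration (should be gone)
EXPECTED = {
    "SSLCertificateFile": "/var/lib/ipa/certs/httpd.crt",
    "SSLCertificateKeyFile": "/var/lib/ipa/private/httpd.key",
    "SSLCACertificateFile": "/etc/ipa/ca.crt",
}


def loaded_modules(httpd_m_output):
    """Parse `httpd -M` output (' ssl_module (shared)') into a set of module names."""
    return set(re.findall(r"^\s*(\w+_module)\b", httpd_m_output, re.M))


def parse_directives(conf_text):
    """Return {directive: value} for the SSL* directives in EXPECTED; the last one wins."""
    found = {}
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in EXPECTED:
            found[parts[0]] = parts[1].strip().strip('"')
    return found


def audit_httpd_tls(httpd_m_output, conf_files):
    """conf_files maps path -> file text, or None when the file does not exist.

    Returns a list of findings; an empty list means the layout matches the
    mod_ssl setup IPA 4.9.x installs.
    """
    findings = []
    mods = loaded_modules(httpd_m_output)
    if "nss_module" in mods:
        findings.append("mod_nss is loaded; IPA 4.9.x expects mod_ssl")
    if "ssl_module" not in mods:
        findings.append("mod_ssl is not loaded")
    if conf_files.get(NSS_CONF) is not None:
        findings.append(f"{NSS_CONF} exists (mod_nss config using an NSS database)")
    ssl_conf = conf_files.get(SSL_CONF)
    if ssl_conf is None:
        findings.append(f"{SSL_CONF} is missing")
    else:
        got = parse_directives(ssl_conf)
        for directive, path in EXPECTED.items():
            if got.get(directive) != path:
                findings.append(f"{SSL_CONF}: {directive} is {got.get(directive)!r}, expected {path!r}")
    return findings


# Constructed sample inputs: roughly what the thread suggests the reporter's server
# looked like (mod_nss, NSS db in /etc/httpd/alias) versus a healthy IPA 4.9 host.
BROKEN_HTTPD_M = "Loaded Modules:\n core_module (static)\n nss_module (shared)\n proxy_ajp_module (shared)\n"
BROKEN_CONF = {NSS_CONF: "NSSCertificateDatabase /etc/httpd/alias\nNSSNickname Server-Cert\n", SSL_CONF: None}
GOOD_HTTPD_M = "Loaded Modules:\n core_module (static)\n ssl_module (shared)\n proxy_ajp_module (shared)\n"
GOOD_CONF = {
    SSL_CONF: "SSLCertificateFile /var/lib/ipa/certs/httpd.crt\n"
              "SSLCertificateKeyFile /var/lib/ipa/private/httpd.key\n"
              "SSLCACertificateFile /etc/ipa/ca.crt\n",
    NSS_CONF: None,
}


def audit_live_host():
    """Run the audit against the local host (needs httpd on PATH and read access)."""
    out = subprocess.run(["httpd", "-M"], capture_output=True, text=True).stdout
    files = {}
    for path in (SSL_CONF, NSS_CONF):
        try:
            with open(path) as fh:
                files[path] = fh.read()
        except FileNotFoundError:
            files[path] = None
    return audit_httpd_tls(out, files)


if __name__ == "__main__":
    for finding in audit_live_host() or ["httpd TLS layout matches the IPA 4.9 mod_ssl setup"]:
        print(finding)
```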


[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2023-01-03 Thread junhou he via FreeIPA-users
Hi,
I did not change anything in /etc/httpd/conf.d/ipa-pki-proxy.conf
# matches for REST API of CA, KRA, and PKI

SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
SSLVerifyClient optional
ProxyPassMatch ajp://localhost:8009 
secret=9YiPRrt1izX7zjQ2PLQwyIkLdEKMwArNdEEuyPHiHVCG
ProxyPassReverse ajp://localhost:8009


[root@wocfreeipa ~]# certutil -L -d /etc/httpd/alias/

Certificate Nickname Trust Attributes
 SSL,S/MIME,JAR/XPI

WINGON.HK IPA CA CT,C,C
Go Daddy Secure Certificate Authority - G2 - GoDaddy.com, Inc. CT,C,C
Go Daddy Root Certificate Authority - G2 - The Go Daddy Group, Inc. CT,C,C
Go Daddy Class 2 Certification Authority - The Go Daddy Group, Inc. CT,C,C
Server-Cert  u,u,u
[root@wocfreeipa ~]# certutil  -d /etc/httpd/alias/ -O -n Server-Cert
"Go Daddy Class 2 Certification Authority - The Go Daddy Group, Inc." [OU=Go 
Daddy Class 2 Certification Authority,O="The Go Daddy Group, Inc.",C=US]

  "Go Daddy Root Certificate Authority - G2 - The Go Daddy Group, Inc." [CN=Go 
Daddy Root Certificate Authority - G2,O="GoDaddy.com, 
Inc.",L=Scottsdale,ST=Arizona,C=US]

"Go Daddy Secure Certificate Authority - G2 - GoDaddy.com, Inc." [CN=Go 
Daddy Secure Certificate Authority - 
G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, 
Inc.",L=Scottsdale,ST=Arizona,C=US]

  "Server-Cert" [CN=*.wingon.hk]

[root@wocfreeipa ~]# certutil -L -d /etc/dirsrv/slapd-WINGON-HK/

Certificate Nickname Trust Attributes
 SSL,S/MIME,JAR/XPI

CN=*.wingon.hk   u,u,u
WINGON.HK IPA CA CT,C,C
OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US C,,
CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, 
Inc.,L=Scottsdale,ST=Arizona,C=US C,,
NSS Certificate DB:NSS Certificate DB:CN=Go Daddy Secure Certificate Authority 
- G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, 
Inc.,L=Scottsdale,ST=Arizona,C=US C,,
[root@wocfreeipa ~]# certutil -L -d /etc/pki/pki-tomcat/alias/

Certificate Nickname Trust Attributes
 SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-caCTu,Cu,Cu
ocspSigningCert cert-pki-ca  u,u,u
subsystemCert cert-pki-cau,u,u
auditSigningCert cert-pki-ca u,u,Pu
Server-Cert cert-pki-ca  u,u,u
OU=Go Daddy Class 2 Certification Authority,O=The Go Daddy Group\, Inc.,C=US C,,
CN=Go Daddy Root Certificate Authority - G2,O=GoDaddy.com\, 
Inc.,L=Scottsdale,ST=Arizona,C=US C,,
NSS Certificate DB:NSS Certificate DB:CN=Go Daddy Secure Certificate Authority 
- G2,OU=http://certs.godaddy.com/repository/,O=GoDaddy.com\, 
Inc.,L=Scottsdale,ST=Arizona,C=US C,,

I use ipa-cacert-manage install to add the external CA


[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-22 Thread junhou he via FreeIPA-users
Hi,
[root@wocfreeipa ~]# date
Fri Dec 23 08:26:00 HKT 2022
[root@wocfreeipa ~]# ipa cert-show 1
ipa: ERROR: Failed to authenticate to CA REST API
[root@wocfreeipa ~]#journactl -f
Dec 23 08:26:03 wocfreeipa.wingon.hk server[26465]: FINE: Counting 
up[ajp-nio-0:0:0:0:0:0:0:1-8009-Acceptor] latch=4
Dec 23 08:26:03 wocfreeipa.wingon.hk server[26465]: FINE: Processing socket 
[org.apache.tomcat.util.net.NioChannel@76935a98:java.nio.channels.SocketChannel[connected
 local=localhost/127.0.0.1:8009 remote=/0:0:0:0:0:0:0:1:33486]] with status 
[OPEN_READ]
Dec 23 08:26:03 wocfreeipa.wingon.hk server[26465]: FINE: Found processor 
[null] for socket 
[org.apache.tomcat.util.net.NioChannel@76935a98:java.nio.channels.SocketChannel[connected
 local=localhost/127.0.0.1:8009 remote=/0:0:0:0:0:0:0:1:33486]]
Dec 23 08:26:03 wocfreeipa.wingon.hk server[26465]: FINE: Popped processor 
[org.apache.coyote.ajp.AjpProcessor@2bcc40ac] from cache
Dec 23 08:26:03 wocfreeipa.wingon.hk server[26465]: FINE: Received 347 18
Dec 23 08:26:03 wocfreeipa.wingon.hk server[26465]: FINE: Socket: 
[org.apache.tomcat.util.net.NioEndpoint$NioSocketWrapper@7854aa3a:org.apache.tomcat.util.net.NioChannel@76935a98:java.nio.channels.SocketChannel[connected
 local=localhost/127.0.0.1:8009 remote=/0:0:0:0:0:0:0:1:33486]], Read from 
buffer: [347]
Dec 23 08:26:03 wocfreeipa.wingon.hk server[26465]: INFO: 
ExternalAuthenticationValve: authType: null
Dec 23 08:26:03 wocfreeipa.wingon.hk server[26465]: INFO: 
ExternalAuthenticationValve: principal: null
Dec 23 08:26:03 wocfreeipa.wingon.hk server[26465]: FINE: Security checking 
request GET /ca/rest/certs/1
Dec 23 08:26:03 wocfreeipa.wingon.hk server[26465]: FINE:   Checking constraint 
'SecurityConstraint[Admin Services]' against GET /rest/certs/1 --> false
Dec 23 08:26:03 wocfreeipa.wingon.hk server[26465]: FINE:   Checking constraint 
'SecurityConstraint[Security Domain Services]' against GET /rest/certs/1 --> 
false
Dec 23 08:26:03 wocfreeipa.wingon.hk server[26465]: FINE:   Checking constraint 
'SecurityConstraint[Audit]' against GET /rest/certs/1 --> false
Dec 23 08:26:03 wocfreeipa.wingon.hk server[26465]: FINE:   Checking constraint 
'SecurityConstraint[Account Services]' against GET /rest/certs/1 --> false
Dec 23 08:26:03 wocfreeipa.wingon.hk server[26465]: FINE:   Checking constraint 
'SecurityConstraint[Authority Services]' against GET /rest/certs/1 --> false
Dec 23 08:26:03 wocfreeipa.wingon.hk server[26465]: FINE:   Checking constraint 
'SecurityConstraint[Profile Services]' against GET /rest/certs/1 --> false
Dec 23 08:26:03 wocfreeipa.wingon.hk server[26465]: FINE:   Checking constraint 
'SecurityConstraint[Agent Services]' against GET /rest/certs/1 --> false
Dec 23 08:26:03 wocfreeipa.wingon.hk server[26465]: FINE:   Checking constraint 
'SecurityConstraint[Self Tests]' against GET /rest/certs/1 --> false
Dec 23 08:26:03 wocfreeipa.wingon.hk server[26465]: FINE:   Checking constraint 
'SecurityConstraint[Admin Services]' against GET /rest/certs/1 --> false
Dec 23 08:26:03 wocfreeipa.wingon.hk server[26465]: FINE:   Checking constraint 
'SecurityConstraint[Security Domain Services]' against GET /rest/certs/1 --> 
false
Dec 23 08:26:03 wocfreeipa.wingon.hk server[26465]: FINE:   Checking constraint 
'SecurityConstraint[Audit]' against GET /rest/certs/1 --> false
Dec 23 08:26:03 wocfreeipa.wingon.hk server[26465]: FINE:   Checking constraint 
'SecurityConstraint[Account Services]' against GET /rest/certs/1 --> false
Dec 23 08:26:03 wocfreeipa.wingon.hk server[26465]: FINE:   Checking constraint 
'SecurityConstraint[Authority Services]' against GET /rest/certs/1 --> false
Dec 23 08:26:03 wocfreeipa.wingon.hk server[26465]: FINE:   Checking constraint 
'SecurityConstraint[Profile Services]' against GET /rest/certs/1 --> false
Dec 23 08:26:03 wocfreeipa.wingon.hk server[26465]: FINE:   Checking constraint 
'SecurityConstraint[Agent Services]' against GET /rest/certs/1 --> false
Dec 23 08:26:03 wocfreeipa.wingon.hk server[26465]: FINE:   Checking constraint 
'SecurityConstraint[Self Tests]' against GET /rest/certs/1 --> false
Dec 23 08:26:03 wocfreeipa.wingon.hk server[26465]: FINE:   Checking constraint 
'SecurityConstraint[Admin Services]' against GET /rest/certs/1 --> false
Dec 23 08:26:03 wocfreeipa.wingon.hk server[26465]: FINE:   Checking constraint 
'SecurityConstraint[Security Domain Services]' against GET /rest/certs/1 --> 
false
Dec 23 08:26:03 wocfreeipa.wingon.hk server[26465]: FINE:   Checking constraint 
'SecurityConstraint[Audit]' against GET /rest/certs/1 --> false
Dec 23 08:26:03 wocfreeipa.wingon.hk server[26465]: FINE:   Checking constraint 
'SecurityConstraint[Account Services]' against GET /rest/certs/1 --> false
Dec 23 08:26:03 wocfreeipa.wingon.hk server[26465]: FINE:   Checking constraint 
'SecurityConstraint[Authority Services]' against GET /rest/certs/1 --> false
Dec 23 08:26:03 wocfreeipa.wingon.hk server[26465]: FINE:   Checking constraint 
'SecurityConstraint[Profile 

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-22 Thread Rob Crittenden via FreeIPA-users
Florence Blanc-Renaud via FreeIPA-users wrote:
> Hi,
> 
> the FINE logs should be visible in the journal.

Let me add that tail may not be the best way to collect the logs.

389-ds by default has a 30-second buffer, so depending on timing the
associated searches may or may not be included in the tail.

Similarly with PKI it often tries to proceed on error so the last error
is not always relevant.

So collecting by time can be more effective, e.g. I ran ipa cert-show 1
at 08:32:33 UTC and it completed 5 seconds later so collect the logging
between those times, perhaps with a bit more time at the end to account
for logging that might happen after the command(s) execute.

rob

> flo
> 
> On Thu, Dec 22, 2022 at 5:20 AM junhou he via FreeIPA-users
>  > wrote:
> 
> Hi,
> [root@wocfreeipa conf]# ipa cert-show 1
> ipa: ERROR: Failed to authenticate to CA REST API
> [root@wocfreeipa conf]# cat
> /var/lib/pki/pki-tomcat/conf/logging.properties | grep FINE
> 1catalina.org.apache.juli.FileHandler.level = FINE
> 2localhost.org.apache.juli.FileHandler.level = FINE
> 3manager.org.apache.juli.FileHandler.level = FINE
> 4host-manager.org.apache.juli.FileHandler.level = FINE
> java.util.logging.ConsoleHandler.level = FINE
> .level = FINE
> org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level
> = FINE
> 
> org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level
> = FINE
> 
> org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level
> = FINE
> org.mozilla.jss.level = FINE
> org.dogtagpki.level = FINE
> com.netscape.level = FINE
> netscape.level = FINE
> [root@wocfreeipa conf]#
> 
> 
> 
>  tail -f /var/log/pki/pki-tomcat/ca/debug.2022-12-22.log
> 2022-12-22 08:38:17 [CertStatusUpdateTask] INFO: DBVirtualList:
> Searching ou=certificateRepository, ou=ca,o=ipaca
> 2022-12-22 08:38:17 [CertStatusUpdateTask] INFO: DBVirtualList:
> filter: (certStatus=VALID)
> 2022-12-22 08:38:17 [CertStatusUpdateTask] INFO: DBVirtualList: dn:
> cn=2,ou=certificateRepository,ou=ca,o=ipaca
> 2022-12-22 08:38:17 [CertStatusUpdateTask] INFO:
> CertStatusUpdateTask: Updating revoked certs to expired
> 2022-12-22 08:38:17 [CertStatusUpdateTask] INFO: DBVirtualList:
> Searching ou=certificateRepository, ou=ca,o=ipaca
> 2022-12-22 08:38:17 [CertStatusUpdateTask] INFO: DBVirtualList:
> filter: (certStatus=REVOKED)
> 2022-12-22 08:38:17 [SerialNumberUpdateTask] INFO:
> SerialNumberUpdateTask: Updating serial number counter
> 2022-12-22 08:38:17 [SerialNumberUpdateTask] INFO:
> SerialNumberUpdateTask: Checking serial number ranges
> 2022-12-22 08:38:17 [SerialNumberUpdateTask] INFO:
> SerialNumberUpdateTask: Checking request ID ranges
> 2022-12-22 08:38:17 [Timer-0] INFO: SessionTimer: checking security
> domain sessions
> 2022-12-22 08:38:49 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] INFO:
> Getting certificate 0x1
> 2022-12-22 08:38:49 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] INFO:
> LDAPSession: reading cn=1,ou=certificateRepository, ou=ca,o=ipaca
> 
> tail -f /var/log/dirsrv/slapd-WINGON-HK/access
> [22/Dec/2022:08:38:17.233886267 +0800] conn=19 op=21 SRCH
> base="ou=certificateRepository,ou=ca,o=ipaca" scope=0
> filter="(|(objectClass=*)(objectClass=ldapsubentry))"
> attrs="description"
> [22/Dec/2022:08:38:17.234010458 +0800] conn=19 op=21 RESULT err=0
> tag=101 nentries=1 wtime=0.014734052 optime=0.000125838
> etime=0.014858013
> [22/Dec/2022:08:38:17.847746019 +0800] conn=27 op=8 SRCH
> base="ou=sessions,ou=Security Domain,o=ipaca" scope=2
> filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
> [22/Dec/2022:08:38:17.847992778 +0800] conn=27 op=8 RESULT err=32
> tag=101 nentries=0 wtime=0.000158299 optime=0.000259281
> etime=0.000414694
> [22/Dec/2022:08:38:19.598578843 +0800] conn=28 op=13 SRCH
> base="ou=authorizations,ou=acme,o=ipaca" scope=2
> filter="(acmeExpires<=20221222003819+)" attrs="1.1"
> [22/Dec/2022:08:38:19.598863277 +0800] conn=28 op=13 RESULT err=0
> tag=101 nentries=0 wtime=0.000157043 optime=0.000287685
> etime=0.000440875
> [22/Dec/2022:08:38:19.599268909 +0800] conn=28 op=14 SRCH
> base="ou=orders,ou=acme,o=ipaca" scope=2
> filter="(acmeExpires<=20221222003819+)" attrs="1.1"
> [22/Dec/2022:08:38:19.599396932 +0800] conn=28 op=14 RESULT err=0
> tag=101 nentries=0 wtime=0.000379314 optime=0.000128884
> etime=0.000506447
> [22/Dec/2022:08:38:19.601650121 +0800] conn=28 op=15 SRCH
> base="ou=certificates,ou=acme,o=ipaca" scope=2
> filter="(acmeExpires<=20221222003819+)" attrs="1.1"
> [22/Dec/2022:08:38:19.601790342 +0800] conn=28 op=15 RESULT err=0
> tag=101 nentries=0 wtime=0.002236364 optime=0.000142754
> 
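Rob's advice above, collecting by time window rather than with `tail -f`, as an added example that is not part of this thread. It recognises the three timestamp shapes quoted in the thread (389-ds access log, PKI debug log, journalctl output) and keeps continuation lines with their record; the sample lines are constructed, modelled on the ones posted, and the +0800 zone and run times are assumptions.

```python
"""Collect log lines for one command run by time window instead of tailing.

Added example, not from the thread. Handles the three timestamp formats seen here:
389-ds access log, PKI debug log and the systemd journal. Sample data is constructed.
"""
import re
from datetime import datetime, timedelta, timezone

HKT = timezone(timedelta(hours=8))  # assumed zone of the reporter's server (+0800)

# 389-ds access log: [22/Dec/2022:08:38:17.233886267 +0800] ... (nanoseconds, explicit offset)
_DS_RE = re.compile(r"^\[(\d{2}/[A-Za-z]{3}/\d{4}:\d{2}:\d{2}:\d{2})\.(\d+) ([+-]\d{4})\]")
# PKI debug log: 2022-12-22 08:38:17 [Thread] LEVEL: ... (local time, no offset)
_PKI_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")
# journalctl default output: Dec 23 08:26:03 host unit[pid]: ... (no year, no offset)
_JOURNAL_RE = re.compile(r"^([A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) ")


def parse_timestamp(line, default_tz, default_year):
    """Return an aware datetime for a log line, or None for a continuation line."""
    m = _DS_RE.match(line)
    if m:
        ts = datetime.strptime(f"{m.group(1)} {m.group(3)}", "%d/%b/%Y:%H:%M:%S %z")
        return ts.replace(microsecond=int(m.group(2)[:6].ljust(6, "0")))  # ns -> us
    m = _PKI_RE.match(line)
    if m:
        return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=default_tz)
    m = _JOURNAL_RE.match(line)
    if m:
        stamp = re.sub(r" +", " ", m.group(1))  # "Dec  3" -> "Dec 3"
        ts = datetime.strptime(f"{default_year} {stamp}", "%Y %b %d %H:%M:%S")
        return ts.replace(tzinfo=default_tz)
    return None


def select_window(lines, start, end, pad=timedelta(seconds=5), default_tz=timezone.utc):
    """Keep records stamped within [start, end + pad].

    `pad` is Rob's "a bit more time at the end" for logging that lands after the
    command returns. Lines without a timestamp (wrapped journal entries, stack
    traces) belong to the record above them and are kept or dropped with it.
    """
    kept, in_window = [], False
    for line in lines:
        ts = parse_timestamp(line, default_tz, start.year)
        if ts is not None:
            in_window = start <= ts <= end + pad
        if in_window:
            kept.append(line)
    return kept


# Constructed sample records, modelled on the thread (not the reporter's real logs)
SAMPLE_DS = [
    '[22/Dec/2022:08:38:17.233886267 +0800] conn=19 op=21 SRCH base="ou=certificateRepository,ou=ca,o=ipaca" scope=0',
    '[22/Dec/2022:08:38:49.100000000 +0800] conn=42 op=3 SRCH base="" scope=0 filter="(objectClass=*)"',
    '[22/Dec/2022:08:38:56.000000000 +0800] conn=42 op=4 UNBIND',
]
SAMPLE_PKI = [
    "2022-12-22 08:38:17 [CertStatusUpdateTask] INFO: DBVirtualList: filter: (certStatus=VALID)",
    "2022-12-22 08:38:49 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] INFO: Getting certificate 0x1",
    "2022-12-22 08:38:49 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] INFO: LDAPSession: reading cn=1,ou=certificateRepository, ou=ca,o=ipaca",
]
SAMPLE_JOURNAL = [
    "Dec 22 08:38:49 wocfreeipa.wingon.hk server[26465]: INFO: ExternalAuthenticationValve: authType: null",
    "    (constructed continuation line belonging to the record above)",
    "Dec 22 08:39:10 wocfreeipa.wingon.hk server[26465]: FINE: later, unrelated entry",
]

# Assumed run: `ipa cert-show 1` started at 08:38:49 HKT and returned 5 seconds later
RUN_START = datetime(2022, 12, 22, 8, 38, 49, tzinfo=HKT)
RUN_END = RUN_START + timedelta(seconds=5)


def collect_run(start=RUN_START, end=RUN_END, pad=timedelta(seconds=5)):
    """Window each source separately so continuation lines stay with their record."""
    sources = (("dirsrv access", SAMPLE_DS), ("pki debug", SAMPLE_PKI), ("journal", SAMPLE_JOURNAL))
    out = []
    for name, lines in sources:
        out += [f"{name}: {line}" for line in select_window(lines, start, end, pad, default_tz=HKT)]
    return out


if __name__ == "__main__":
    for record in collect_run():
        print(record)
```

On a real host, feed the three sources from `/var/log/dirsrv/slapd-*/access`, `/var/log/pki/pki-tomcat/ca/debug.*.log` and `journalctl -u pki-tomcatd@pki-tomcat` instead of the constructed lists.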

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-21 Thread junhou he via FreeIPA-users
Hi,
[root@wocfreeipa conf]# ipa cert-show 1
ipa: ERROR: Failed to authenticate to CA REST API
[root@wocfreeipa conf]# cat /var/lib/pki/pki-tomcat/conf/logging.properties | 
grep FINE
1catalina.org.apache.juli.FileHandler.level = FINE
2localhost.org.apache.juli.FileHandler.level = FINE
3manager.org.apache.juli.FileHandler.level = FINE
4host-manager.org.apache.juli.FileHandler.level = FINE
java.util.logging.ConsoleHandler.level = FINE
.level = FINE
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = FINE
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/manager].level 
= FINE
org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/host-manager].level
 = FINE
org.mozilla.jss.level = FINE
org.dogtagpki.level = FINE
com.netscape.level = FINE
netscape.level = FINE
[root@wocfreeipa conf]#



 tail -f /var/log/pki/pki-tomcat/ca/debug.2022-12-22.log
2022-12-22 08:38:17 [CertStatusUpdateTask] INFO: DBVirtualList: Searching 
ou=certificateRepository, ou=ca,o=ipaca
2022-12-22 08:38:17 [CertStatusUpdateTask] INFO: DBVirtualList: filter: 
(certStatus=VALID)
2022-12-22 08:38:17 [CertStatusUpdateTask] INFO: DBVirtualList: dn: 
cn=2,ou=certificateRepository,ou=ca,o=ipaca
2022-12-22 08:38:17 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating 
revoked certs to expired
2022-12-22 08:38:17 [CertStatusUpdateTask] INFO: DBVirtualList: Searching 
ou=certificateRepository, ou=ca,o=ipaca
2022-12-22 08:38:17 [CertStatusUpdateTask] INFO: DBVirtualList: filter: 
(certStatus=REVOKED)
2022-12-22 08:38:17 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: 
Updating serial number counter
2022-12-22 08:38:17 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: 
Checking serial number ranges
2022-12-22 08:38:17 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: 
Checking request ID ranges
2022-12-22 08:38:17 [Timer-0] INFO: SessionTimer: checking security domain 
sessions
2022-12-22 08:38:49 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] INFO: Getting 
certificate 0x1
2022-12-22 08:38:49 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] INFO: LDAPSession: 
reading cn=1,ou=certificateRepository, ou=ca,o=ipaca

tail -f /var/log/dirsrv/slapd-WINGON-HK/access
[22/Dec/2022:08:38:17.233886267 +0800] conn=19 op=21 SRCH 
base="ou=certificateRepository,ou=ca,o=ipaca" scope=0 
filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="description"
[22/Dec/2022:08:38:17.234010458 +0800] conn=19 op=21 RESULT err=0 tag=101 
nentries=1 wtime=0.014734052 optime=0.000125838 etime=0.014858013
[22/Dec/2022:08:38:17.847746019 +0800] conn=27 op=8 SRCH 
base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 
filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[22/Dec/2022:08:38:17.847992778 +0800] conn=27 op=8 RESULT err=32 tag=101 
nentries=0 wtime=0.000158299 optime=0.000259281 etime=0.000414694
[22/Dec/2022:08:38:19.598578843 +0800] conn=28 op=13 SRCH 
base="ou=authorizations,ou=acme,o=ipaca" scope=2 
filter="(acmeExpires<=20221222003819+)" attrs="1.1"
[22/Dec/2022:08:38:19.598863277 +0800] conn=28 op=13 RESULT err=0 tag=101 
nentries=0 wtime=0.000157043 optime=0.000287685 etime=0.000440875
[22/Dec/2022:08:38:19.599268909 +0800] conn=28 op=14 SRCH 
base="ou=orders,ou=acme,o=ipaca" scope=2 
filter="(acmeExpires<=20221222003819+)" attrs="1.1"
[22/Dec/2022:08:38:19.599396932 +0800] conn=28 op=14 RESULT err=0 tag=101 
nentries=0 wtime=0.000379314 optime=0.000128884 etime=0.000506447
[22/Dec/2022:08:38:19.601650121 +0800] conn=28 op=15 SRCH 
base="ou=certificates,ou=acme,o=ipaca" scope=2 
filter="(acmeExpires<=20221222003819+)" attrs="1.1"
[22/Dec/2022:08:38:19.601790342 +0800] conn=28 op=15 RESULT err=0 tag=101 
nentries=0 wtime=0.002236364 optime=0.000142754 etime=0.002376855
[22/Dec/2022:08:38:23.202178746 +0800] conn=42 fd=117 slot=117 connection from 
10.99.16.212 to 10.100.0.213
[22/Dec/2022:08:38:23.203751921 +0800] conn=42 op=0 BIND dn="" method=sasl 
version=3 mech=GSSAPI
[22/Dec/2022:08:38:23.206551310 +0800] conn=42 op=0 RESULT err=14 tag=97 
nentries=0 wtime=0.000344548 optime=0.002794049 etime=0.003136691, SASL bind in 
progress
[22/Dec/2022:08:38:23.207866158 +0800] conn=42 op=1 BIND dn="" method=sasl 
version=3 mech=GSSAPI
[22/Dec/2022:08:38:23.209540560 +0800] conn=42 op=1 RESULT err=14 tag=97 
nentries=0 wtime=0.000149285 optime=0.001684787 etime=0.001832976, SASL bind in 
progress
[22/Dec/2022:08:38:23.210611657 +0800] conn=42 op=2 BIND dn="" method=sasl 
version=3 mech=GSSAPI
[22/Dec/2022:08:38:23.211258671 +0800] conn=42 op=2 RESULT err=0 tag=97 
nentries=0 wtime=0.000128945 optime=0.000663926 etime=0.000791870 
dn="krbprincipalname=ldap/wocfreeipa-rep.wingon...@wingon.hk,cn=services,cn=accounts,dc=wingon,dc=hk"
[22/Dec/2022:08:38:23.212523743 +0800] conn=42 op=3 SRCH base="" scope=0 
filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[22/Dec/2022:08:38:23.213906216 +0800] conn=42 op=3 RESULT err=0 tag=101 
nentries=1 wtime=0.000264956 optime=0.001388203 

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-21 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

thanks for the logs. Definitely nothing reported here related to the login
attempt.
I would try to increase PKI's log level by editing
/var/lib/pki/pki-tomcat/conf/logging.properties (use FINE everywhere,
restart pki-tomcatd, run the ipa cert-show 1 command, revert to previous
log level), hoping to get more information. Otherwise reach out to PKI
community through us...@lists.dogtagpki.org, they may have more ideas.
flo

On Tue, Dec 20, 2022 at 9:40 AM junhou he via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hi ,
> [20/Dec/2022:08:49:29.637099418 +0800] conn=2892 op=9 UNBIND
> [20/Dec/2022:08:49:29.637145006 +0800] conn=2892 op=9 fd=124 closed error
> - U1
> [20/Dec/2022:08:49:32.043506909 +0800] conn=27 op=3410 SRCH
> base="ou=sessions,ou=Security Domain,o=ipaca" scope=2
> filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
> [20/Dec/2022:08:49:32.043782127 +0800] conn=27 op=3410 RESULT err=32
> tag=101 nentries=0 wtime=0.000153439 optime=0.000279769 etime=0.000430437
> [20/Dec/2022:08:49:38.148322772 +0800] conn=28 op=6817 SRCH
> base="ou=authorizations,ou=acme,o=ipaca" scope=2
> filter="(acmeExpires<=20221220004938+)" attrs="1.1"
> [20/Dec/2022:08:49:38.148586175 +0800] conn=28 op=6817 RESULT err=0
> tag=101 nentries=0 wtime=0.000138301 optime=0.000273350 etime=0.000408659
> [20/Dec/2022:08:49:38.148943213 +0800] conn=28 op=6818 SRCH
> base="ou=orders,ou=acme,o=ipaca" scope=2
> filter="(acmeExpires<=20221220004938+)" attrs="1.1"
> [20/Dec/2022:08:49:38.149071009 +0800] conn=28 op=6818 RESULT err=0
> tag=101 nentries=0 wtime=0.000206338 optime=0.000129557 etime=0.000333928
> [20/Dec/2022:08:49:38.149274125 +0800] conn=28 op=6819 SRCH
> base="ou=certificates,ou=acme,o=ipaca" scope=2
> filter="(acmeExpires<=20221220004938+)" attrs="1.1"
> [20/Dec/2022:08:49:38.149379198 +0800] conn=28 op=6819 RESULT err=0
> tag=101 nentries=0 wtime=0.000130714 optime=0.000106250 etime=0.000235350
> [20/Dec/2022:08:52:01.986729492 +0800] conn=2888 op=8 UNBIND
> [20/Dec/2022:08:52:01.986771904 +0800] conn=2888 op=8 fd=73 closed error -
> U1
> [20/Dec/2022:08:52:07.702869314 +0800] conn=4 op=13990 SRCH
> base="dc=wingon,dc=hk" scope=2
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=
> ad...@wingon.hk)(krbPrincipalName:caseIgnoreIA5Match:=ad...@wingon.hk)))"
> attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey
> krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration
> krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange
> krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth
> krbLoginFailedCount krbPrincipalAuthInd krbExtraData krbLastAdminUnlock
> krbObjectReferences krbTicketFlags krbMaxTicketLife krbMaxRenewableAge uid
> nsAccountLock passwordHistory ipaKrbAuthzData ipaUserAuthType
> ipatokenRadiusConfigLink krbAuthIndMaxT..."
> [20/Dec/2022:08:52:07.703402545 +0800] conn=4 op=13990 RESULT err=0
> tag=101 nentries=1 wtime=0.000193320 optime=0.000543635 etime=0.000734611
> [20/Dec/2022:08:52:07.703507147 +0800] conn=4 op=13991 SRCH
> base="cn=ipaConfig,cn=etc,dc=wingon,dc=hk" scope=0 filter="(objectClass=*)"
> attrs="ipaConfigString ipaKrbAuthzData ipaUserAuthType"
> [20/Dec/2022:08:52:07.703570031 +0800] conn=4 op=13991 RESULT err=0
> tag=101 nentries=1 wtime=0.21034 optime=0.63839 etime=0.83694
> [20/Dec/2022:08:52:07.703713585 +0800] conn=4 op=13992 SRCH base="cn=
> WINGON.HK,cn=kerberos,dc=wingon,dc=hk" scope=0
> filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife
> krbMaxRenewableAge krbTicketFlags krbAuthIndMaxTicketLife
> krbAuthIndMaxRenewableAge"
> [20/Dec/2022:08:52:07.703808511 +0800] conn=4 op=13992 RESULT err=0
> tag=101 nentries=1 wtime=0.23489 optime=0.95938 etime=0.000118208
> [20/Dec/2022:08:52:07.703932548 +0800] conn=4 op=13993 SRCH
> base="dc=wingon,dc=hk" scope=2
> filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/
> wingon...@wingon.hk)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/
> wingon...@wingon.hk)))" attrs="krbPrincipalName krbCanonicalName
> krbUPEnabled krbPrincipalKey krbTicketPolicyReference
> krbPrincipalExpiration krbPasswordExpiration krbPwdPolicyReference
> krbPrincipalType krbPwdHistory krbLastPwdChange krbPrincipalAliases
> krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount
> krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences
> krbTicketFlags krbMaxTicketLife krbMaxRenewableAge uid nsAccountLock
> passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink
> krbAuthIndMaxT..."
> [20/Dec/2022:08:52:07.704164824 +0800] conn=4 op=13993 RESULT err=0
> tag=101 nentries=1 wtime=0.55700 optime=0.000233831 etime=0.000288007
> [20/Dec/2022:08:52:07.704454880 +0800] conn=4 op=13994 SRCH
> 

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-20 Thread junhou he via FreeIPA-users
Hi,
[20/Dec/2022:08:49:29.637099418 +0800] conn=2892 op=9 UNBIND
[20/Dec/2022:08:49:29.637145006 +0800] conn=2892 op=9 fd=124 closed error - U1
[20/Dec/2022:08:49:32.043506909 +0800] conn=27 op=3410 SRCH 
base="ou=sessions,ou=Security Domain,o=ipaca" scope=2 
filter="(objectClass=securityDomainSessionEntry)" attrs="cn"
[20/Dec/2022:08:49:32.043782127 +0800] conn=27 op=3410 RESULT err=32 tag=101 
nentries=0 wtime=0.000153439 optime=0.000279769 etime=0.000430437
[20/Dec/2022:08:49:38.148322772 +0800] conn=28 op=6817 SRCH 
base="ou=authorizations,ou=acme,o=ipaca" scope=2 
filter="(acmeExpires<=20221220004938+)" attrs="1.1"
[20/Dec/2022:08:49:38.148586175 +0800] conn=28 op=6817 RESULT err=0 tag=101 
nentries=0 wtime=0.000138301 optime=0.000273350 etime=0.000408659
[20/Dec/2022:08:49:38.148943213 +0800] conn=28 op=6818 SRCH 
base="ou=orders,ou=acme,o=ipaca" scope=2 
filter="(acmeExpires<=20221220004938+)" attrs="1.1"
[20/Dec/2022:08:49:38.149071009 +0800] conn=28 op=6818 RESULT err=0 tag=101 
nentries=0 wtime=0.000206338 optime=0.000129557 etime=0.000333928
[20/Dec/2022:08:49:38.149274125 +0800] conn=28 op=6819 SRCH 
base="ou=certificates,ou=acme,o=ipaca" scope=2 
filter="(acmeExpires<=20221220004938+)" attrs="1.1"
[20/Dec/2022:08:49:38.149379198 +0800] conn=28 op=6819 RESULT err=0 tag=101 
nentries=0 wtime=0.000130714 optime=0.000106250 etime=0.000235350
[20/Dec/2022:08:52:01.986729492 +0800] conn=2888 op=8 UNBIND
[20/Dec/2022:08:52:01.986771904 +0800] conn=2888 op=8 fd=73 closed error - U1
[20/Dec/2022:08:52:07.702869314 +0800] conn=4 op=13990 SRCH 
base="dc=wingon,dc=hk" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=ad...@wingon.hk)(krbPrincipalName:caseIgnoreIA5Match:=ad...@wingon.hk)))"
 attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey 
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration 
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange 
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount 
krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge uid nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink 
krbAuthIndMaxT..."
[20/Dec/2022:08:52:07.703402545 +0800] conn=4 op=13990 RESULT err=0 tag=101 
nentries=1 wtime=0.000193320 optime=0.000543635 etime=0.000734611
[20/Dec/2022:08:52:07.703507147 +0800] conn=4 op=13991 SRCH 
base="cn=ipaConfig,cn=etc,dc=wingon,dc=hk" scope=0 filter="(objectClass=*)" 
attrs="ipaConfigString ipaKrbAuthzData ipaUserAuthType"
[20/Dec/2022:08:52:07.703570031 +0800] conn=4 op=13991 RESULT err=0 tag=101 
nentries=1 wtime=0.21034 optime=0.63839 etime=0.83694
[20/Dec/2022:08:52:07.703713585 +0800] conn=4 op=13992 SRCH 
base="cn=WINGON.HK,cn=kerberos,dc=wingon,dc=hk" scope=0 
filter="(objectClass=krbticketpolicyaux)" attrs="krbMaxTicketLife 
krbMaxRenewableAge krbTicketFlags krbAuthIndMaxTicketLife 
krbAuthIndMaxRenewableAge"
[20/Dec/2022:08:52:07.703808511 +0800] conn=4 op=13992 RESULT err=0 tag=101 
nentries=1 wtime=0.23489 optime=0.95938 etime=0.000118208
[20/Dec/2022:08:52:07.703932548 +0800] conn=4 op=13993 SRCH 
base="dc=wingon,dc=hk" scope=2 
filter="(&(|(objectClass=krbprincipalaux)(objectClass=krbprincipal)(objectClass=ipakrbprincipal))(|(ipaKrbPrincipalAlias=krbtgt/wingon...@wingon.hk)(krbPrincipalName:caseIgnoreIA5Match:=krbtgt/wingon...@wingon.hk)))"
 attrs="krbPrincipalName krbCanonicalName krbUPEnabled krbPrincipalKey 
krbTicketPolicyReference krbPrincipalExpiration krbPasswordExpiration 
krbPwdPolicyReference krbPrincipalType krbPwdHistory krbLastPwdChange 
krbPrincipalAliases krbLastSuccessfulAuth krbLastFailedAuth krbLoginFailedCount 
krbPrincipalAuthInd krbExtraData krbLastAdminUnlock krbObjectReferences 
krbTicketFlags krbMaxTicketLife krbMaxRenewableAge uid nsAccountLock 
passwordHistory ipaKrbAuthzData ipaUserAuthType ipatokenRadiusConfigLink 
krbAuthIndMaxT..."
[20/Dec/2022:08:52:07.704164824 +0800] conn=4 op=13993 RESULT err=0 tag=101 
nentries=1 wtime=0.55700 optime=0.000233831 etime=0.000288007
[20/Dec/2022:08:52:07.704454880 +0800] conn=4 op=13994 SRCH 
base="cn=global_policy,cn=WINGON.HK,cn=kerberos,dc=wingon,dc=hk" scope=0 
filter="(objectClass=*)" attrs="krbMaxPwdLife krbMinPwdLife krbPwdMinDiffChars 
krbPwdMinLength krbPwdHistoryLength krbPwdMaxFailure krbPwdFailureCountInterval 
krbPwdLockoutDuration ipaPwdMaxRepeat ipaPwdMaxSequence ipaPwdDictCheck 
ipaPwdUserCheck"
[20/Dec/2022:08:52:07.704543319 +0800] conn=4 op=13994 RESULT err=0 tag=101 
nentries=1 wtime=0.41266 optime=0.90343 etime=0.000130370
[20/Dec/2022:08:52:09.990863586 +0800] conn=2893 fd=73 slot=73 connection from 
10.99.16.212 to 10.100.0.213
[20/Dec/2022:08:52:09.991284876 +0800] conn=2893 op=0 SRCH base="" scope=0 
filter="(objectClass=*)" attrs="* altServer namingContexts 

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-19 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

On Tue, Dec 20, 2022 at 2:20 AM junhou he via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hi,
> tail -f /var/log/pki/pki-tomcat/ca/debug.2022-12-20.log
> 2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: DBVirtualList: Searching
> ou=certificateRepository, ou=ca,o=ipaca
> 2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: DBVirtualList: filter:
> (certStatus=INVALID)
> 2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: CertStatusUpdateTask:
> Updating valid certs to expired
> 2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: DBVirtualList: Searching
> ou=certificateRepository, ou=ca,o=ipaca
> 2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: DBVirtualList: filter:
> (certStatus=VALID)
> 2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: DBVirtualList: dn:
> cn=2,ou=certificateRepository,ou=ca,o=ipaca
> 2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: CertStatusUpdateTask:
> Updating revoked certs to expired
> 2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: DBVirtualList: Searching
> ou=certificateRepository, ou=ca,o=ipaca
> 2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: DBVirtualList: filter:
> (certStatus=REVOKED)
> 2022-12-20 08:49:32 [Timer-0] INFO: SessionTimer: checking security domain
> sessions
> 2022-12-20 08:52:50 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-5] INFO: Getting
> certificate 0x1
> 2022-12-20 08:52:50 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-5] INFO:
> LDAPSession: reading cn=1,ou=certificateRepository, ou=ca,o=ipaca
>
From this log it looks like the *ipa cert-show 1* op was done at 08:52:50
but the directory server logs below do not cover this timestamp.
It's not possible to check with those logs if the mapping of the
certificate to a user entry succeeded or failed. Do you still have the logs
in /var/log/dirsrv/slapd-WINGON-HK/access (or one of the rotated logs)
corresponding to this date?

flo

> 2022-12-20 08:54:32 [Timer-0] INFO: SessionTimer: checking security domain
> sessions
> 2022-12-20 08:54:35 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask:
> Updating serial number counter
> 2022-12-20 08:54:35 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask:
> Checking serial number ranges
> 2022-12-20 08:54:35 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask:
> Checking request ID ranges
> 2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: CertStatusUpdateTask:
> Updating cert status
> 2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: CertStatusUpdateTask:
> Updating invalid certs to valid
> 2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: DBVirtualList: Searching
> ou=certificateRepository, ou=ca,o=ipaca
> 2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: DBVirtualList: filter:
> (certStatus=INVALID)
> 2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: CertStatusUpdateTask:
> Updating valid certs to expired
> 2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: DBVirtualList: Searching
> ou=certificateRepository, ou=ca,o=ipaca
> 2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: DBVirtualList: filter:
> (certStatus=VALID)
> 2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: DBVirtualList: dn:
> cn=2,ou=certificateRepository,ou=ca,o=ipaca
> 2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: CertStatusUpdateTask:
> Updating revoked certs to expired
> 2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: DBVirtualList: Searching
> ou=certificateRepository, ou=ca,o=ipaca
> 2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: DBVirtualList: filter:
> (certStatus=REVOKED)
>
> tail -f /var/log/dirsrv/slapd-WINGON-HK/access
> [20/Dec/2022:09:02:42.692704846 +0800] conn=2900 op=5 EXT
> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
> [20/Dec/2022:09:02:42.693154479 +0800] conn=2900 op=5 RESULT err=0 tag=120
> nentries=0 wtime=0.85573 optime=0.000458433 etime=0.000543125
> [20/Dec/2022:09:02:42.697272544 +0800] conn=2900 op=6 EXT
> oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
> [20/Dec/2022:09:02:42.698855885 +0800] conn=2900 op=6 RESULT err=0 tag=120
> nentries=0 wtime=0.73994 optime=0.001572452 etime=0.001643806
> [20/Dec/2022:09:02:42.700657032 +0800] conn=2900 op=7 EXT
> oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
> [20/Dec/2022:09:02:42.700962545 +0800] conn=2900 op=7 RESULT err=0 tag=120
> nentries=0 wtime=0.000139301 optime=0.000318407 etime=0.000456836
> [20/Dec/2022:09:02:42.705290181 +0800] conn=2900 op=8 EXT
> oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
> [20/Dec/2022:09:02:42.707796203 +0800] conn=2900 op=8 RESULT err=0 tag=120
> nentries=0 wtime=0.000185974 optime=0.002508316 etime=0.002691736
> [20/Dec/2022:09:03:42.726943689 +0800] conn=2900 op=9 UNBIND
> [20/Dec/2022:09:03:42.727016226 +0800] conn=2900 op=9 fd=124 closed error
> - U1
> [20/Dec/2022:09:04:31.059429193 +0800] conn=2901 fd=77 slot=77 connection
> from 10.100.0.213 to 10.100.0.213
> [20/Dec/2022:09:04:31.062126284 +0800] conn=2901 op=0 BIND dn=""
> method=sasl version=3 mech=GSS-SPNEGO
> [20/Dec/2022:09:04:31.064368644 

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-19 Thread junhou he via FreeIPA-users
Hi,
tail -f /var/log/pki/pki-tomcat/ca/debug.2022-12-20.log
2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: DBVirtualList: Searching 
ou=certificateRepository, ou=ca,o=ipaca
2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: DBVirtualList: filter: 
(certStatus=INVALID)
2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating 
valid certs to expired
2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: DBVirtualList: Searching 
ou=certificateRepository, ou=ca,o=ipaca
2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: DBVirtualList: filter: 
(certStatus=VALID)
2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: DBVirtualList: dn: 
cn=2,ou=certificateRepository,ou=ca,o=ipaca
2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating 
revoked certs to expired
2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: DBVirtualList: Searching 
ou=certificateRepository, ou=ca,o=ipaca
2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: DBVirtualList: filter: 
(certStatus=REVOKED)
2022-12-20 08:49:32 [Timer-0] INFO: SessionTimer: checking security domain 
sessions
2022-12-20 08:52:50 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-5] INFO: Getting 
certificate 0x1
2022-12-20 08:52:50 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-5] INFO: LDAPSession: 
reading cn=1,ou=certificateRepository, ou=ca,o=ipaca
2022-12-20 08:54:32 [Timer-0] INFO: SessionTimer: checking security domain 
sessions
2022-12-20 08:54:35 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: 
Updating serial number counter
2022-12-20 08:54:35 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: 
Checking serial number ranges
2022-12-20 08:54:35 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: 
Checking request ID ranges
2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating 
cert status
2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating 
invalid certs to valid
2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: DBVirtualList: Searching 
ou=certificateRepository, ou=ca,o=ipaca
2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: DBVirtualList: filter: 
(certStatus=INVALID)
2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating 
valid certs to expired
2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: DBVirtualList: Searching 
ou=certificateRepository, ou=ca,o=ipaca
2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: DBVirtualList: filter: 
(certStatus=VALID)
2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: DBVirtualList: dn: 
cn=2,ou=certificateRepository,ou=ca,o=ipaca
2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating 
revoked certs to expired
2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: DBVirtualList: Searching 
ou=certificateRepository, ou=ca,o=ipaca
2022-12-20 08:54:38 [CertStatusUpdateTask] INFO: DBVirtualList: filter: 
(certStatus=REVOKED)

tail -f /var/log/dirsrv/slapd-WINGON-HK/access
[20/Dec/2022:09:02:42.692704846 +0800] conn=2900 op=5 EXT 
oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[20/Dec/2022:09:02:42.693154479 +0800] conn=2900 op=5 RESULT err=0 tag=120 
nentries=0 wtime=0.85573 optime=0.000458433 etime=0.000543125
[20/Dec/2022:09:02:42.697272544 +0800] conn=2900 op=6 EXT 
oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[20/Dec/2022:09:02:42.698855885 +0800] conn=2900 op=6 RESULT err=0 tag=120 
nentries=0 wtime=0.73994 optime=0.001572452 etime=0.001643806
[20/Dec/2022:09:02:42.700657032 +0800] conn=2900 op=7 EXT 
oid="2.16.840.1.113730.3.5.12" name="replication-multimaster-extop"
[20/Dec/2022:09:02:42.700962545 +0800] conn=2900 op=7 RESULT err=0 tag=120 
nentries=0 wtime=0.000139301 optime=0.000318407 etime=0.000456836
[20/Dec/2022:09:02:42.705290181 +0800] conn=2900 op=8 EXT 
oid="2.16.840.1.113730.3.5.5" name="replication-multimaster-extop"
[20/Dec/2022:09:02:42.707796203 +0800] conn=2900 op=8 RESULT err=0 tag=120 
nentries=0 wtime=0.000185974 optime=0.002508316 etime=0.002691736
[20/Dec/2022:09:03:42.726943689 +0800] conn=2900 op=9 UNBIND
[20/Dec/2022:09:03:42.727016226 +0800] conn=2900 op=9 fd=124 closed error - U1
[20/Dec/2022:09:04:31.059429193 +0800] conn=2901 fd=77 slot=77 connection from 
10.100.0.213 to 10.100.0.213
[20/Dec/2022:09:04:31.062126284 +0800] conn=2901 op=0 BIND dn="" method=sasl 
version=3 mech=GSS-SPNEGO
[20/Dec/2022:09:04:31.064368644 +0800] conn=2901 op=0 RESULT err=0 tag=97 
nentries=0 wtime=0.000254605 optime=0.002247116 etime=0.002500343 
dn="uid=admin,cn=users,cn=accounts,dc=wingon,dc=hk"
[20/Dec/2022:09:04:31.067358291 +0800] conn=2901 op=1 SRCH 
base="cn=ipaconfig,cn=etc,dc=wingon,dc=hk" scope=0 filter="(objectClass=*)" 
attrs=ALL
[20/Dec/2022:09:04:31.067884679 +0800] conn=2901 op=1 RESULT err=0 tag=101 
nentries=1 wtime=0.000120718 optime=0.000535934 etime=0.000654762
[20/Dec/2022:09:04:31.069260735 +0800] conn=2901 op=2 SRCH 
base="cn=masters,cn=ipa,cn=etc,dc=wingon,dc=hk" scope=2 
filter="(&(objectClass=ipaConfigObject)(cn=CA))" attrs=ALL

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-19 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,


On Mon, Dec 19, 2022 at 3:25 AM junhou he via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hi,
> tail -f /var/log/pki/pki-tomcat/localhost_access_log.2022-12-19.txt
> 10.100.0.213 - - [19/Dec/2022:09:59:45 +0800] "GET /ca/rest/certs/1
> HTTP/1.1" 200 9991
> 10.100.0.213 - - [19/Dec/2022:09:59:45 +0800] "GET /ca/rest/account/login
> HTTP/1.1" 401 669
> 10.100.0.213 - - [19/Dec/2022:10:00:01 +0800] "GET /ca/rest/certs/1
> HTTP/1.1" 200 9991
> 10.100.0.213 - - [19/Dec/2022:10:00:01 +0800] "GET /ca/rest/account/login
> HTTP/1.1" 401 669
> 10.100.0.213 - - [19/Dec/2022:10:01:50 +0800] "GET /ca/rest/certs/1
> HTTP/1.1" 200 9991
> 10.100.0.213 - - [19/Dec/2022:10:01:50 +0800] "GET /ca/rest/account/login
> HTTP/1.1" 401 669
> 10.100.0.213 - - [19/Dec/2022:10:03:33 +0800] "GET /ca/rest/certs/1
> HTTP/1.1" 200 9991
> 10.100.0.213 - - [19/Dec/2022:10:03:33 +0800] "GET /ca/rest/account/login
> HTTP/1.1" 401 669
>
As the logs show the login op, it means that the server.xml and
/etc/httpd/conf.d/ipa-pki-proxy.conf are consistent.
Do you see any log in /var/log/pki/pki-tomcat/ca/debug.$DATE.log starting
with a line like:
[ajp-nio-0:0:0:0:0:0:0:1-8009-exec-9] INFO: PKIRealm: Authenticating
certificate chain:

The lines after this one should contain more information, like cert not
revoked, the user the cert is mapped to, ...
Other things that could be checked:
- do multiple users map to this certificate?
Look in dirsrv access log (/var/log/dirsrv/slapd-/access) for a
SRCH op similar to:
SRCH base="ou=People,o=ipaca" scope=2
filter="(description=2;7;CN=Certificate Authority,O=WINGON.HK;CN=IPA RA,O=
WINGON.HK)"
Does the corresponding RESULT line show nentries=1 or a different number of
results?

- is the ipara user a member of the right groups?
ldapsearch -D "cn=directory manager" -W -b ou=Groups,o=ipaca
"(&(objectClass=groupofuniquenames)(uniqueMember=uid=ipara,ou=people,o=ipaca))"
cn description

flo

> ldapsearch -D cn=directory\ manager -W -b "cn=7,ou=certificateRepository,
> > ou=ca,o=ipaca"
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <cn=7,ou=certificateRepository,ou=ca,o=ipaca> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # 7, certificateRepository, ca, ipaca
> dn: cn=7,ou=certificateRepository,ou=ca,o=ipaca
> objectClass: top
> objectClass: certificateRecord
> serialno: 017
> metaInfo: requestId:7
> metaInfo: profileId:caSubsystemCert
> notBefore: 20221116103302Z
> notAfter: 20241105103302Z
> duration: 116220800
> subjectName: CN=IPA RA,O=WINGON.HK
> issuerName: CN=Certificate Authority,O=WINGON.HK
> publicKeyData::
> extension: 2.5.29.35
> extension: 1.3.6.1.5.5.7.1.1
> extension: 2.5.29.37
> extension: 2.5.29.15
> userCertificate;binary::
> version: 2
> algorithmId: 1.2.840.113549.1.1.1
> signingAlgorithmId: 1.2.840.113549.1.1.11
> dateOfCreate: 20221116103303Z
> dateOfModify: 20221116103303Z
> certStatus: VALID
> autoRenew: ENABLED
> issuedBy: admin
> cn: 7
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
>
> cat /var/lib/ipa/ra-agent.pem
> -----BEGIN CERTIFICATE-----
> 
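The checks Florence asks for here and in her 2022-12-16 message (certStatus, userCertificate;binary against /var/lib/ipa/ra-agent.pem, the ipara description mapping, agent group membership) as one script, added here as an example rather than FreeIPA or Dogtag code. The LDIF and PEM inputs are constructed: DNs, dates and description mirror the cn=7 record quoted in the thread, the certificate bytes are a placeholder string rather than a real certificate, and the version;serial;issuerDN;subjectDN description format is inferred from the quoted uid=ipara entry.

```python
import base64
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample data: DNs, dates, serial and description follow the cn=7
# record quoted in the thread; the certificate bytes are a placeholder string,
# NOT a real X.509 certificate, so the example runs offline.
FAKE_DER = b"constructed placeholder, not a real X.509 certificate"
_B64 = base64.b64encode(FAKE_DER).decode()

CERT_RECORD_LDIF = f"""# 7, certificateRepository, ca, ipaca
dn: cn=7,ou=certificateRepository,ou=ca,o=ipaca
serialno: 017
notBefore: 20221116103302Z
notAfter: 20241105103302Z
subjectName: CN=IPA RA,O=WINGON.HK
issuerName: CN=Certificate Authority,O=WINGON.HK
userCertificate;binary:: {_B64[:40]}
 {_B64[40:]}
version: 2
certStatus: VALID
cn: 7
"""
IPARA_LDIF = f"""dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=Certificate Authority,O=WINGON.HK;CN=IPA RA,O=WINGON.HK
usercertificate:: {_B64}
"""
# What the groupofuniquenames search for uid=ipara should return.
GROUPS_LDIF = """dn: cn=Certificate Manager Agents,ou=groups,o=ipaca
cn: Certificate Manager Agents

dn: cn=Registration Manager Agents,ou=groups,o=ipaca
cn: Registration Manager Agents
"""
RA_AGENT_PEM = f"-----BEGIN CERTIFICATE-----\n{_B64}\n-----END CERTIFICATE-----\n"
# A different certificate on disk, e.g. one left behind by a failed renewal.
STALE_PEM = RA_AGENT_PEM.replace(_B64, base64.b64encode(b"stale " + FAKE_DER).decode())
REQUIRED_GROUPS = {"Certificate Manager Agents", "Registration Manager Agents"}


def parse_ldif(text: str) -> List[Dict[str, List[object]]]:
    """Minimal LDIF reader: unfolds continuation lines (leading space), skips comments,
    splits entries on blank lines, decodes '::' values from base64, drops ';binary'."""
    logical: List[str] = []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]  # folded continuation line
        else:
            logical.append(raw)
    entries, attrs = [], {}
    for line in logical:
        if line == "":
            if attrs:
                entries.append(attrs)
                attrs = {}
            continue
        name, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        name = name.lower().split(";")[0]
        decoded = base64.b64decode(value[1:].strip()) if value.startswith(":") else value.strip()
        attrs.setdefault(name, []).append(decoded)
    return entries


def pem_to_der(pem: str) -> bytes:
    body = [ln.strip() for ln in pem.splitlines() if ln.strip() and not ln.startswith("-----")]
    return base64.b64decode("".join(body))


def parse_gentime(value: str) -> datetime:
    """LDAP GeneralizedTime as written by Dogtag, e.g. 20241105103302Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def expected_description(record: Dict[str, List[object]]) -> str:
    """version;serial;issuerDN;subjectDN (format inferred from the quoted uid=ipara entry)."""
    return ";".join(str(record[k][0]) for k in ("version", "cn", "issuername", "subjectname"))


def check_ra_agent(record, ipara, groups, ra_pem: str, now: datetime) -> List[str]:
    """Inconsistencies between CA record, uid=ipara entry, its groups and the PEM on disk."""
    problems: List[str] = []
    if record["certstatus"][0] != "VALID":
        problems.append(f"certStatus is {record['certstatus'][0]}, not VALID")
    not_after = parse_gentime(record["notafter"][0])
    if now >= not_after:
        problems.append(f"certificate expired on {not_after:%Y-%m-%d}")
    der = record["usercertificate"][0]
    if pem_to_der(ra_pem) != der:
        problems.append("ra-agent.pem differs from the CA's userCertificate;binary")
    desc = expected_description(record)
    if desc not in ipara.get("description", []):
        problems.append(f"uid=ipara lacks description '{desc}'")
    if der not in ipara.get("usercertificate", []):
        problems.append("uid=ipara usercertificate does not match the CA record")
    for missing in sorted(REQUIRED_GROUPS - {g["cn"][0] for g in groups}):
        problems.append(f"uid=ipara is not a member of '{missing}'")
    return problems
```

On a real server the three LDIF inputs come from the ldapsearch commands quoted in the thread and the PEM from /var/lib/ipa/ra-agent.pem; an empty result means every check Florence lists passes.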

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-18 Thread junhou he via FreeIPA-users
Hi,
tail -f /var/log/pki/pki-tomcat/localhost_access_log.2022-12-19.txt
10.100.0.213 - - [19/Dec/2022:09:59:45 +0800] "GET /ca/rest/certs/1 HTTP/1.1" 
200 9991
10.100.0.213 - - [19/Dec/2022:09:59:45 +0800] "GET /ca/rest/account/login 
HTTP/1.1" 401 669
10.100.0.213 - - [19/Dec/2022:10:00:01 +0800] "GET /ca/rest/certs/1 HTTP/1.1" 
200 9991
10.100.0.213 - - [19/Dec/2022:10:00:01 +0800] "GET /ca/rest/account/login 
HTTP/1.1" 401 669
10.100.0.213 - - [19/Dec/2022:10:01:50 +0800] "GET /ca/rest/certs/1 HTTP/1.1" 
200 9991
10.100.0.213 - - [19/Dec/2022:10:01:50 +0800] "GET /ca/rest/account/login 
HTTP/1.1" 401 669
10.100.0.213 - - [19/Dec/2022:10:03:33 +0800] "GET /ca/rest/certs/1 HTTP/1.1" 
200 9991
10.100.0.213 - - [19/Dec/2022:10:03:33 +0800] "GET /ca/rest/account/login 
HTTP/1.1" 401 669

ldapsearch -D cn=directory\ manager -W -b "cn=7,ou=certificateRepository,
> ou=ca,o=ipaca"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base <cn=7,ou=certificateRepository,ou=ca,o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# 7, certificateRepository, ca, ipaca
dn: cn=7,ou=certificateRepository,ou=ca,o=ipaca
objectClass: top
objectClass: certificateRecord
serialno: 017
metaInfo: requestId:7
metaInfo: profileId:caSubsystemCert
notBefore: 20221116103302Z
notAfter: 20241105103302Z
duration: 116220800
subjectName: CN=IPA RA,O=WINGON.HK
issuerName: CN=Certificate Authority,O=WINGON.HK
publicKeyData::
extension: 2.5.29.35
extension: 1.3.6.1.5.5.7.1.1
extension: 2.5.29.37
extension: 2.5.29.15
userCertificate;binary::
version: 2
algorithmId: 1.2.840.113549.1.1.1
signingAlgorithmId: 1.2.840.113549.1.1.11
dateOfCreate: 20221116103303Z
dateOfModify: 20221116103303Z
certStatus: VALID
autoRenew: ENABLED
issuedBy: admin
cn: 7

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

cat /var/lib/ipa/ra-agent.pem
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

the cert 

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-16 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

Let's restart this investigation from scratch.
When you run "ipa cert-show 1", does it trigger any log in
/var/log/httpd/access_log and /var/log/httpd/ssl_request_log? On a working
instance I have the following:
in access_log:
10.0.138.204 - - [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/certs/1
HTTP/1.1" 200 9973
10.0.138.204 - - [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/account/login
HTTP/1.1" 200 304
10.0.138.204 - - [16/Dec/2022:09:20:32 -0500] "GET
/ca/rest/authorities/7126aa53-8759-424c-92ca-17d36df4a183/cert HTTP/1.1"
200 1158
10.0.138.204 - - [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/account/logout
HTTP/1.1" 204 -

in ssl_request_log:
[16/Dec/2022:09:20:32 -0500] 10.0.138.204 TLSv1.3 TLS_AES_256_GCM_SHA384
"GET /ca/rest/certs/1 HTTP/1.1" 9973
[16/Dec/2022:09:20:32 -0500] 10.0.138.204 TLSv1.3 TLS_AES_256_GCM_SHA384
"GET /ca/rest/account/login HTTP/1.1" 304
[16/Dec/2022:09:20:32 -0500] 10.0.138.204 TLSv1.3 TLS_AES_256_GCM_SHA384
"GET /ca/rest/authorities/7126aa53-8759-424c-92ca-17d36df4a183/cert
HTTP/1.1" 1158
[16/Dec/2022:09:20:32 -0500] 10.0.138.204 TLSv1.3 TLS_AES_256_GCM_SHA384
"GET /ca/rest/account/logout HTTP/1.1" -

We can see the first operation, which is not authenticated (ca/rest/certs/1),
then the second one, which requires authentication (/ca/rest/account/login
is executed before /ca/rest/authorities/xxx).
Is there a corresponding log in
/var/log/pki/pki-tomcat/localhost_access_log.$DATE.txt ? When the AJP
connector is properly set, the operation should also be visible here, for
instance:

10.0.138.204 - - [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/certs/1
HTTP/1.1" 200 9973
10.0.138.204 - ipara [16/Dec/2022:09:20:32 -0500] "GET
/ca/rest/account/login HTTP/1.1" 200 304
10.0.138.204 - ipara [16/Dec/2022:09:20:32 -0500] "GET
/ca/rest/authorities/7126aa53-8759-424c-92ca-17d36df4a183/cert HTTP/1.1"
200 1158
10.0.138.204 - ipara [16/Dec/2022:09:20:32 -0500] "GET
/ca/rest/account/logout HTTP/1.1" 204 -

Then the logs in /var/log/pki/pki-tomcat/ca/debug.$DATE.log should show the
operations with:
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] INFO: Getting
certificate 0x1
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: PKIRealm:
Authenticating certificate chain:
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: PKIRealm: -
CN=IPA RA, O=IPA.TEST
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO:
CertUserDBAuthentication: UID ipara authenticated.
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: PKIRealm:
User ID: ipara
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO:
UGSubsystem: retrieving user uid=ipara,ou=People,o=ipaca
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: PKIRealm:
User DN: uid=ipara,ou=people,o=ipaca
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: PKIRealm:
Roles:
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: PKIRealm: -
Certificate Manager Agents
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: PKIRealm: -
Registration Manager Agents
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: PKIRealm: -
Security Domain Administrators
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: PKIRealm: -
Enterprise ACME Administrators
2022-12-16 09:20:32 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: AAclAuthz:
Granting login permission for certServer.ca.account

As the authentication is done with the RA cert, and we saw that your ra
cert has serial=7, we need to ensure that the cert is valid: what is the
output of
ldapsearch -D cn=directory\ manager -W -b "cn=7,ou=certificateRepository,
ou=ca,o=ipaca"

The output should display certStatus: VALID and userCertificate;binary
should contain the same cert as /var/lib/ipa/ra-agent.pem

flo



On Thu, Dec 15, 2022 at 3:34 AM junhou he via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hi,
>
> we disabled selinux
> ls -lZ /var/lib/ipa/ra-agent.*
> -rwxrwxrwx 1 root ipaapi ? 1704 Nov 16 10:33 /var/lib/ipa/ra-agent.key
> -rwxrwxrwx 1 root ipaapi ? 1399 Nov 16 10:33 /var/lib/ipa/ra-agent.pem
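The request sequence described above as a log check, added as an example (not FreeIPA or Dogtag code): it parses httpd access_log and Tomcat localhost_access_log lines, classifies each /ca/rest/account/login attempt, and reports /ca paths that httpd proxied but Tomcat never logged. The sample lines are the ones quoted in this thread.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Common Log Format as written by httpd access_log and Tomcat localhost_access_log:
#   client ident user [timestamp] "METHOD path HTTP/x.y" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: HTTP/[\d.]+)?" (?P<status>\d{3}) \S+$'
)
LOGIN_PATH = "/ca/rest/account/login"

# Sample lines quoted in this thread: a working instance (httpd and Tomcat
# views of the same `ipa cert-show 1`) and the failing instance's Tomcat log.
WORKING_HTTPD_LOG = """\
10.0.138.204 - - [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/certs/1 HTTP/1.1" 200 9973
10.0.138.204 - - [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/account/login HTTP/1.1" 200 304
10.0.138.204 - - [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/authorities/7126aa53-8759-424c-92ca-17d36df4a183/cert HTTP/1.1" 200 1158
10.0.138.204 - - [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/account/logout HTTP/1.1" 204 -
"""
WORKING_TOMCAT_LOG = """\
10.0.138.204 - - [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/certs/1 HTTP/1.1" 200 9973
10.0.138.204 - ipara [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/account/login HTTP/1.1" 200 304
10.0.138.204 - ipara [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/authorities/7126aa53-8759-424c-92ca-17d36df4a183/cert HTTP/1.1" 200 1158
10.0.138.204 - ipara [16/Dec/2022:09:20:32 -0500] "GET /ca/rest/account/logout HTTP/1.1" 204 -
"""
FAILING_TOMCAT_LOG = """\
10.100.0.213 - - [19/Dec/2022:09:59:45 +0800] "GET /ca/rest/certs/1 HTTP/1.1" 200 9991
10.100.0.213 - - [19/Dec/2022:09:59:45 +0800] "GET /ca/rest/account/login HTTP/1.1" 401 669
10.100.0.213 - - [19/Dec/2022:10:00:01 +0800] "GET /ca/rest/certs/1 HTTP/1.1" 200 9991
10.100.0.213 - - [19/Dec/2022:10:00:01 +0800] "GET /ca/rest/account/login HTTP/1.1" 401 669
"""


@dataclass(frozen=True)
class Request:
    client: str
    user: str      # "-" in httpd logs; the authenticated realm user (ipara) in Tomcat's log
    ts: str
    method: str
    path: str
    status: int


def parse_line(line: str) -> Optional[Request]:
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    return Request(m["client"], m["user"], m["ts"], m["method"], m["path"], int(m["status"]))


def parse_log(lines: Iterable[str]) -> List[Request]:
    return [r for r in map(parse_line, lines) if r is not None]


def triage_login(requests: Iterable[Request]) -> List[Tuple[str, str, str]]:
    """One (timestamp, verdict, detail) per /ca/rest/account/login attempt."""
    findings = []
    for r in requests:
        if r.path != LOGIN_PATH:
            continue
        if r.status == 200:
            who = f" as {r.user}" if r.user != "-" else ""
            findings.append((r.ts, "ok", f"CA accepted the RA client certificate{who}"))
        elif r.status == 401:
            findings.append((r.ts, "auth-failed", "CA rejected the RA client certificate; "
                             "check the PKIRealm lines in /var/log/pki/pki-tomcat/ca/debug.$DATE.log"))
        else:
            findings.append((r.ts, "unexpected", f"HTTP {r.status} on login"))
    return findings


def missing_from_tomcat(httpd: Iterable[Request], tomcat: Iterable[Request]) -> Dict[str, int]:
    """/ca paths httpd proxied more often than Tomcat logged them.  A non-empty
    result points at the AJP connector / ipa-pki-proxy.conf, not at the RA cert."""
    proxied = Counter(r.path for r in httpd if r.path.startswith("/ca/"))
    served = Counter(r.path for r in tomcat)
    return dict(proxied - served)
```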

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-14 Thread junhou he via FreeIPA-users
Hi,

we disabled selinux
ls -lZ /var/lib/ipa/ra-agent.*
-rwxrwxrwx 1 root ipaapi ? 1704 Nov 16 10:33 /var/lib/ipa/ra-agent.key
-rwxrwxrwx 1 root ipaapi ? 1399 Nov 16 10:33 /var/lib/ipa/ra-agent.pem


[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-14 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

Did you check the permissions of the ra-agent certificate files?

# ls -lZ /var/lib/ipa/ra-agent.*
-r--r-----. 1 root ipaapi system_u:object_r:ipa_var_lib_t:s0 1704 May 31  2022 /var/lib/ipa/ra-agent.key
-r--r-----. 1 root ipaapi system_u:object_r:ipa_var_lib_t:s0 1395 May 31  2022 /var/lib/ipa/ra-agent.pem

The files must be readable by the IPA framework.

flo

On Wed, Dec 14, 2022 at 12:10 PM junhou he via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hi ,
> I checked again and it matches
> ldapsearch -x -o ldif-wrap=no -LLL -s base -h `hostname` -p 389 -b uid=ipara,ou=people,o=ipaca description usercertificate
> dn: uid=ipara,ou=people,o=ipaca
> description: 2;7;CN=Certificate Authority,O=WINGON.HK;CN=IPA RA,O=WINGON.HK
> usercertificate::
>  
> 3p9jXVZUgdFYcEo2WG0Mf/tES8ekccdYuEUqwK+ftqn1JytbLekVl/uIB79qS5+PIjTBtm8WiC0BWtaR4M/qQPJIwczfQNj3svhtuC/PeL6yWL7j20CkPvOldvIvcyJvRfmblkWWZbjy3xRRa1o1FwjMZbN+c/DA3Fp9HWUv97h6clXb1+n6ZRhthm3R+cD7uK5wGtMzcyM/c0GhonxdCYGuBNYmGuxMv6qGFvga2K18zVi9i4zVoFz27rllTaHWAEQvsI/BSwTKkEiLjNp9XmncKiz2SbMiC0f6i6hwpbk4rmNeM1Zwvo+TTpu7iVP57pz1zMaLXPLInkbjx1A1Wg==
>
> cat /var/lib/ipa/ra-agent.pem
> -----BEGIN CERTIFICATE-----
> MIID2zCCAkOgAwIBAgIBBzANBgkqhkiG9w0BAQsFADA0MRIwEAYDVQQKDAlXSU5H
> T04uSEsxHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAeFw0yMjExMTYw
> MjMzMDJaFw0yNDExMDUwMjMzMDJaMCUxEjAQBgNVBAoMCVdJTkdPTi5ISzEPMA0G
> A1UEAxMGSVBBIFJBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAweZk
> 70qnab7kJNH3Equt/OM5BgDA/8jMLovrMckOEuR0i7ESdbhYs7WXIRdz24Sfj21J
> oNiFznX6PNt5+lNGHeIGV59YWMeNp7+6fOzON3obtdSLCmu+B+8IDxjO0FKPGfje
> MFXnY5SgxylBPqZ7O80Toa6hr+NgFnloFzBZxZZYM20qmGlyPP1XE1eoNLlqKGEv
> 7dhyt+quAfos0OYwlsiQUe1x99Yh4ACtEXUiaDNgFbMrqSNmaB0VDwFjhki/LlSe
> uT8cf3qhasO/1uXqLVGfk1Rp6tLgpQM7Yme82xP+7mU9qb+2rmvwZEZ7IdhYtyPH
> R9/tcAd+gWVGNXB4QQIDAQABo4GGMIGDMB8GA1UdIwQYMBaAFJ8ZyajgiijLxO2B
> wLiNp41P71lBMDsGCCsGAQUFBwEBBC8wLTArBggrBgEFBQcwAYYfaHR0cDovL2lw
> YS1jYS53aW5nb24uaGsvY2Evb2NzcDAOBgNVHQ8BAf8EBAMCBLAwEwYDVR0lBAww
> CgYIKwYBBQUHAwIwDQYJKoZIhvcNAQELBQADggGBAHNXs5jedTldgECYHyiR1dLo
> g9MZt2LlL8CUwOV9CVV7Y6GYK7faEVqQ6asJaMt6lIbfP/5luDDP3I/IV9b0LiKN
> 8lkVCOcQ6h5gWPni5IEc5BKeCAcrF5Val+XhnEXraSyy0Ak5sxlMlKRN0Um8vvsk
> 2t11xYeB4edgqdU6lpr23p9jXVZUgdFYcEo2WG0Mf/tES8ekccdYuEUqwK+ftqn1
> JytbLekVl/uIB79qS5+PIjTBtm8WiC0BWtaR4M/qQPJIwczfQNj3svhtuC/PeL6y
> WL7j20CkPvOldvIvcyJvRfmblkWWZbjy3xRRa1o1FwjMZbN+c/DA3Fp9HWUv97h6
> clXb1+n6ZRhthm3R+cD7uK5wGtMzcyM/c0GhonxdCYGuBNYmGuxMv6qGFvga2K18
> zVi9i4zVoFz27rllTaHWAEQvsI/BSwTKkEiLjNp9XmncKiz2SbMiC0f6i6hwpbk4
> rmNeM1Zwvo+TTpu7iVP57pz1zMaLXPLInkbjx1A1Wg==
> -----END CERTIFICATE-----
>
> thanks,
> junhou
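The permission check above can be automated over `ls -lZ` output. The block below is an added example for this archive, not FreeIPA code: it parses each listing line and compares it with the state shown in the message (owner root, group ipaapi, mode 0440, SELinux type ipa_var_lib_t). The two listings embedded are the ones posted in this thread. Beyond the "can the framework read it" question, the 0777 ra-agent.key on the failing server is a credential exposure in its own right: the RA agent key is what the IPA framework authenticates to the CA with, so any local user who can read it can act as the RA agent against the CA, and anyone who can write it can swap the credential.

```python
"""Added example for this thread, not FreeIPA code: audit `ls -lZ` output for the
RA agent files against the expected root:ipaapi, mode 0440, type ipa_var_lib_t."""

EXPECTED = {"owner": "root", "group": "ipaapi", "setype": "ipa_var_lib_t"}

# The two listings posted in this thread: the failing server (no SELinux label,
# world-writable) and the expected state.
LISTING_BROKEN = """\
-rwxrwxrwx 1 root ipaapi ? 1704 Nov 16 10:33 /var/lib/ipa/ra-agent.key
-rwxrwxrwx 1 root ipaapi ? 1399 Nov 16 10:33 /var/lib/ipa/ra-agent.pem
"""
LISTING_GOOD = """\
-r--r-----. 1 root ipaapi system_u:object_r:ipa_var_lib_t:s0 1704 May 31  2022 /var/lib/ipa/ra-agent.key
-r--r-----. 1 root ipaapi system_u:object_r:ipa_var_lib_t:s0 1395 May 31  2022 /var/lib/ipa/ra-agent.pem
"""

def mode_bits(symbolic):
    """'-rwxr-x---' -> 0o750 (the rwx letters only; s/t bits are not needed here)."""
    bits = 0
    for ch in symbolic[1:10]:
        bits = (bits << 1) | (ch != "-")
    return bits

def parse_ls_lz(line):
    """One `ls -lZ` line -> dict; the context column is '?' when SELinux is off."""
    mode, _links, owner, group, ctx, _size, _mon, _day, _time, path = line.split(None, 9)
    setype = ctx.split(":")[2] if ctx.count(":") >= 3 else None
    return {"path": path, "owner": owner, "group": group, "mode": mode_bits(mode), "setype": setype}

def audit(listing):
    """{path: [problems]} for each line; an empty list means the file is as expected."""
    report = {}
    for line in listing.splitlines():
        f, problems = parse_ls_lz(line), []
        if (f["owner"], f["group"]) != (EXPECTED["owner"], EXPECTED["group"]):
            problems.append(f"owned by {f['owner']}:{f['group']}, expected root:ipaapi")
        if f["mode"] & 0o007:
            problems.append("accessible to every local user (mode %o): the RA credential is exposed" % f["mode"])
        if f["mode"] & 0o022:
            problems.append("writable by group or others (mode %o): the credential can be swapped" % f["mode"])
        if not f["mode"] & 0o040:
            problems.append("group ipaapi cannot read it, so the IPA framework cannot use it")
        if f["setype"] != EXPECTED["setype"]:
            problems.append(f"SELinux type {f['setype']!r}, expected ipa_var_lib_t")
        report[f["path"]] = problems
    return report
```

audit(LISTING_GOOD) reports nothing, while audit(LISTING_BROKEN) flags each file three times: world-accessible, writable by non-owners, and no ipa_var_lib_t label (the "?" context column is what `ls -lZ` prints when SELinux is disabled, as it was on the failing server).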


[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-14 Thread junhou he via FreeIPA-users
Hi ,
I checked again and it matches
ldapsearch -x -o ldif-wrap=no -LLL -s base -h `hostname` -p 389 -b uid=ipara,ou=people,o=ipaca description usercertificate
dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=Certificate Authority,O=WINGON.HK;CN=IPA RA,O=WINGON.HK
usercertificate::
 
3p9jXVZUgdFYcEo2WG0Mf/tES8ekccdYuEUqwK+ftqn1JytbLekVl/uIB79qS5+PIjTBtm8WiC0BWtaR4M/qQPJIwczfQNj3svhtuC/PeL6yWL7j20CkPvOldvIvcyJvRfmblkWWZbjy3xRRa1o1FwjMZbN+c/DA3Fp9HWUv97h6clXb1+n6ZRhthm3R+cD7uK5wGtMzcyM/c0GhonxdCYGuBNYmGuxMv6qGFvga2K18zVi9i4zVoFz27rllTaHWAEQvsI/BSwTKkEiLjNp9XmncKiz2SbMiC0f6i6hwpbk4rmNeM1Zwvo+TTpu7iVP57pz1zMaLXPLInkbjx1A1Wg==

cat /var/lib/ipa/ra-agent.pem
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

thanks,
junhou


[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-13 Thread Rob Crittenden via FreeIPA-users
junhou he via FreeIPA-users wrote:
> Hi ,
> 
> tail -f /var/log/httpd/error_log
> [Wed Dec 14 10:45:46.672850 2022] [wsgi:error] [pid 15502:tid 
> 140175850501888] [remote 10.100.0.213:47182]   File 
> "/usr/lib/python3.6/site-packages/ipaserver/plugins/ca.py", line 189, in 
> set_certificate_attrs
> [Wed Dec 14 10:45:46.672854 2022] [wsgi:error] [pid 15502:tid 
> 140175850501888] [remote 10.100.0.213:47182] with 
> api.Backend.ra_lightweight_ca as ca_api:
> [Wed Dec 14 10:45:46.672858 2022] [wsgi:error] [pid 15502:tid 
> 140175850501888] [remote 10.100.0.213:47182]   File 
> "/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", line 1211, in 
> __enter__
> [Wed Dec 14 10:45:46.672862 2022] [wsgi:error] [pid 15502:tid 
> 140175850501888] [remote 10.100.0.213:47182] raise 
> errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API'))
> [Wed Dec 14 10:45:46.672867 2022] [wsgi:error] [pid 15502:tid 
> 140175850501888] [remote 10.100.0.213:47182] 
> ipalib.errors.RemoteRetrieveError: Failed to authenticate to CA REST API
> [Wed Dec 14 10:45:46.672874 2022] [wsgi:error] [pid 15502:tid 
> 140175850501888] [remote 10.100.0.213:47182]
> [Wed Dec 14 10:45:46.673000 2022] [wsgi:error] [pid 15502:tid 
> 140175850501888] [remote 10.100.0.213:47182] ipa: INFO: [jsonserver_session] 
> ad...@wingon.hk: cert_show/1('1', version='2.245'): RemoteRetrieveError
> [Wed Dec 14 10:45:46.673047 2022] [wsgi:error] [pid 15502:tid 
> 140175850501888] [remote 10.100.0.213:47182] ipa: DEBUG: [jsonserver_session] 
> ad...@wingon.hk: cert_show/1('1', version='2.245'): RemoteRetrieveError 
> etime=569221770
> [Wed Dec 14 10:45:46.673819 2022] [wsgi:error] [pid 15502:tid 
> 140175850501888] [remote 10.100.0.213:47182] ipa: DEBUG: FINAL: Hits 0 Misses 
> 2 Size 2
> [Wed Dec 14 10:45:46.673911 2022] [wsgi:error] [pid 15502:tid 
> 140175850501888] [remote 10.100.0.213:47182] ipa: DEBUG: Destroyed connection 
> context.ldap2_140175871416696
> [Wed Dec 14 10:46:58.533496 2022] [:warn] [pid 15505:tid 140175805597440] 
> [client 10.100.0.213:45502] failed to set perms (3140) on file 
> (/run/ipa/ccaches/ad...@wingon.hk-sHvwu4)!, referer: 
> https://wocfreeipa.wingon.hk/ipa/xml
> [Wed Dec 14 10:46:58.534621 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: WSGI 
> wsgi_dispatch.__call__:
> [Wed Dec 14 10:46:58.534727 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: WSGI 
> jsonserver_session.__call__:
> [Wed Dec 14 10:46:58.545384 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: Created connection 
> context.ldap2_140175871412600
> [Wed Dec 14 10:46:58.545468 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: WSGI 
> jsonserver.__call__:
> [Wed Dec 14 10:46:58.545505 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: WSGI 
> WSGIExecutioner.__call__:
> [Wed Dec 14 10:46:58.551189 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: raw: cert_show('1', 
> version='2.245')
> [Wed Dec 14 10:46:58.551663 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: cert_show(1, 
> cacn='ipa', chain=False, all=False, raw=False, version='2.245', 
> no_members=False)
> [Wed Dec 14 10:46:58.552186 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: raw: 
> ca_is_enabled(version='2.245')
> [Wed Dec 14 10:46:58.552313 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: 
> ca_is_enabled(version='2.245')
> [Wed Dec 14 10:46:58.52 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: ra.get_certificate()
> [Wed Dec 14 10:46:58.556893 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: request GET 
> https://wocfreeipa.wingon.hk:443/ca/rest/certs/1
> [Wed Dec 14 10:46:58.556960 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: request body ''
> [Wed Dec 14 10:46:58.585446 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: response status 200
> [Wed Dec 14 10:46:58.587038 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] ipa: DEBUG: response headers 
> Date: Wed, 14 Dec 2022 02:46:58 GMT
> [Wed Dec 14 10:46:58.587058 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] Server: Apache/2.4.37 (rocky) 
> OpenSSL/1.1.1k mod_auth_gssapi/1.6.1 mod_nss/1.0.17 NSS/3.44 mod_wsgi/4.6.4 
> Python/3.6
> [Wed Dec 14 10:46:58.587064 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 10.100.0.213:45502] Content-Type: application/json
> [Wed Dec 14 10:46:58.587069 2022] [wsgi:error] [pid 15499:tid 
> 140175850501888] [remote 

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-13 Thread junhou he via FreeIPA-users
Hi ,

tail -f /var/log/httpd/error_log
[Wed Dec 14 10:45:46.672850 2022] [wsgi:error] [pid 15502:tid 140175850501888] 
[remote 10.100.0.213:47182]   File 
"/usr/lib/python3.6/site-packages/ipaserver/plugins/ca.py", line 189, in 
set_certificate_attrs
[Wed Dec 14 10:45:46.672854 2022] [wsgi:error] [pid 15502:tid 140175850501888] 
[remote 10.100.0.213:47182] with api.Backend.ra_lightweight_ca as ca_api:
[Wed Dec 14 10:45:46.672858 2022] [wsgi:error] [pid 15502:tid 140175850501888] 
[remote 10.100.0.213:47182]   File 
"/usr/lib/python3.6/site-packages/ipaserver/plugins/dogtag.py", line 1211, in 
__enter__
[Wed Dec 14 10:45:46.672862 2022] [wsgi:error] [pid 15502:tid 140175850501888] 
[remote 10.100.0.213:47182] raise 
errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API'))
[Wed Dec 14 10:45:46.672867 2022] [wsgi:error] [pid 15502:tid 140175850501888] 
[remote 10.100.0.213:47182] ipalib.errors.RemoteRetrieveError: Failed to 
authenticate to CA REST API
[Wed Dec 14 10:45:46.672874 2022] [wsgi:error] [pid 15502:tid 140175850501888] 
[remote 10.100.0.213:47182]
[Wed Dec 14 10:45:46.673000 2022] [wsgi:error] [pid 15502:tid 140175850501888] 
[remote 10.100.0.213:47182] ipa: INFO: [jsonserver_session] ad...@wingon.hk: 
cert_show/1('1', version='2.245'): RemoteRetrieveError
[Wed Dec 14 10:45:46.673047 2022] [wsgi:error] [pid 15502:tid 140175850501888] 
[remote 10.100.0.213:47182] ipa: DEBUG: [jsonserver_session] ad...@wingon.hk: 
cert_show/1('1', version='2.245'): RemoteRetrieveError etime=569221770
[Wed Dec 14 10:45:46.673819 2022] [wsgi:error] [pid 15502:tid 140175850501888] 
[remote 10.100.0.213:47182] ipa: DEBUG: FINAL: Hits 0 Misses 2 Size 2
[Wed Dec 14 10:45:46.673911 2022] [wsgi:error] [pid 15502:tid 140175850501888] 
[remote 10.100.0.213:47182] ipa: DEBUG: Destroyed connection 
context.ldap2_140175871416696
[Wed Dec 14 10:46:58.533496 2022] [:warn] [pid 15505:tid 140175805597440] 
[client 10.100.0.213:45502] failed to set perms (3140) on file 
(/run/ipa/ccaches/ad...@wingon.hk-sHvwu4)!, referer: 
https://wocfreeipa.wingon.hk/ipa/xml
[Wed Dec 14 10:46:58.534621 2022] [wsgi:error] [pid 15499:tid 140175850501888] 
[remote 10.100.0.213:45502] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Wed Dec 14 10:46:58.534727 2022] [wsgi:error] [pid 15499:tid 140175850501888] 
[remote 10.100.0.213:45502] ipa: DEBUG: WSGI jsonserver_session.__call__:
[Wed Dec 14 10:46:58.545384 2022] [wsgi:error] [pid 15499:tid 140175850501888] 
[remote 10.100.0.213:45502] ipa: DEBUG: Created connection 
context.ldap2_140175871412600
[Wed Dec 14 10:46:58.545468 2022] [wsgi:error] [pid 15499:tid 140175850501888] 
[remote 10.100.0.213:45502] ipa: DEBUG: WSGI jsonserver.__call__:
[Wed Dec 14 10:46:58.545505 2022] [wsgi:error] [pid 15499:tid 140175850501888] 
[remote 10.100.0.213:45502] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
[Wed Dec 14 10:46:58.551189 2022] [wsgi:error] [pid 15499:tid 140175850501888] 
[remote 10.100.0.213:45502] ipa: DEBUG: raw: cert_show('1', version='2.245')
[Wed Dec 14 10:46:58.551663 2022] [wsgi:error] [pid 15499:tid 140175850501888] 
[remote 10.100.0.213:45502] ipa: DEBUG: cert_show(1, cacn='ipa', chain=False, 
all=False, raw=False, version='2.245', no_members=False)
[Wed Dec 14 10:46:58.552186 2022] [wsgi:error] [pid 15499:tid 140175850501888] 
[remote 10.100.0.213:45502] ipa: DEBUG: raw: ca_is_enabled(version='2.245')
[Wed Dec 14 10:46:58.552313 2022] [wsgi:error] [pid 15499:tid 140175850501888] 
[remote 10.100.0.213:45502] ipa: DEBUG: ca_is_enabled(version='2.245')
[Wed Dec 14 10:46:58.52 2022] [wsgi:error] [pid 15499:tid 140175850501888] 
[remote 10.100.0.213:45502] ipa: DEBUG: ra.get_certificate()
[Wed Dec 14 10:46:58.556893 2022] [wsgi:error] [pid 15499:tid 140175850501888] 
[remote 10.100.0.213:45502] ipa: DEBUG: request GET 
https://wocfreeipa.wingon.hk:443/ca/rest/certs/1
[Wed Dec 14 10:46:58.556960 2022] [wsgi:error] [pid 15499:tid 140175850501888] 
[remote 10.100.0.213:45502] ipa: DEBUG: request body ''
[Wed Dec 14 10:46:58.585446 2022] [wsgi:error] [pid 15499:tid 140175850501888] 
[remote 10.100.0.213:45502] ipa: DEBUG: response status 200
[Wed Dec 14 10:46:58.587038 2022] [wsgi:error] [pid 15499:tid 140175850501888] 
[remote 10.100.0.213:45502] ipa: DEBUG: response headers Date: Wed, 14 Dec 2022 
02:46:58 GMT
[Wed Dec 14 10:46:58.587058 2022] [wsgi:error] [pid 15499:tid 140175850501888] 
[remote 10.100.0.213:45502] Server: Apache/2.4.37 (rocky) OpenSSL/1.1.1k 
mod_auth_gssapi/1.6.1 mod_nss/1.0.17 NSS/3.44 mod_wsgi/4.6.4 Python/3.6
[Wed Dec 14 10:46:58.587064 2022] [wsgi:error] [pid 15499:tid 140175850501888] 
[remote 10.100.0.213:45502] Content-Type: application/json
[Wed Dec 14 10:46:58.587069 2022] [wsgi:error] [pid 15499:tid 140175850501888] 
[remote 10.100.0.213:45502] Vary: Accept-Encoding
[Wed Dec 14 10:46:58.587073 2022] [wsgi:error] [pid 15499:tid 140175850501888] 
[remote 10.100.0.213:45502] Transfer-Encoding: chunked
[Wed Dec 14 10:46:58.587077 2022] [wsgi:error] 

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-13 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

On Tue, Dec 13, 2022 at 11:00 AM junhou he via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hi ,
> rpm -qa | grep pki
> krb5-pkinit-1.18.2-14.el8.x86_64
> pki-base-10.12.0-2.module+el8.6.0+788+76246f77.noarch
> pki-base-java-10.12.0-2.module+el8.6.0+788+76246f77.noarch
> pki-acme-10.12.0-2.module+el8.6.0+788+76246f77.noarch
> python3-pki-10.12.0-2.module+el8.6.0+788+76246f77.noarch
> pki-servlet-4.0-api-9.0.30-3.module+el8.5.0+697+f586bb30.noarch
> pki-tools-10.12.0-2.module+el8.6.0+788+76246f77.x86_64
> pki-servlet-engine-9.0.30-3.module+el8.5.0+697+f586bb30.noarch
>
^^ This is pre 9.0.31 so it looks like your server.xml is consistent
(contains requiredSecret).

IIRC in debug mode there are additional messages in httpd's error log. You
can do the following:
- create a file /etc/ipa/server.conf with the following content
[global]
debug=True

- restart ipa to take the config change into account:
ipactl restart

- launch the command that will create new logs
kinit admin
ipa cert-show 1

- check the content of /var/log/httpd/error_log

There is also a command that makes roughly the same call to PKI (run as
root):
curl -v --cert /var/lib/ipa/ra-agent.pem --key /var/lib/ipa/ra-agent.key -d 'op=displayBySerial=1' -k https://`hostname`:443/ca/agent/ca/displayBySerial

If there are issues during the handshake you should be able to see error
messages.

flo

> pki-ca-10.12.0-2.module+el8.6.0+788+76246f77.noarch
> pki-kra-10.12.0-2.module+el8.6.0+788+76246f77.noarch
> pki-server-10.12.0-2.module+el8.6.0+788+76246f77.noarch
> pki-symkey-10.12.0-2.module+el8.6.0+788+76246f77.x86_64
> [root@wocfreeipa ~]# rpm -qa | grep tomcat
> tomcatjss-7.7.1-1.module+el8.6.0+788+76246f77.noarch
> [root@wocfreeipa ~]#
> [root@wocfreeipa ~]#
> [root@wocfreeipa ~]# ipa --version
> VERSION: 4.9.8, API_VERSION: 2.245
>
> thanks,
> Junhou


[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-13 Thread junhou he via FreeIPA-users
Hi ,
rpm -qa | grep pki
krb5-pkinit-1.18.2-14.el8.x86_64
pki-base-10.12.0-2.module+el8.6.0+788+76246f77.noarch
pki-base-java-10.12.0-2.module+el8.6.0+788+76246f77.noarch
pki-acme-10.12.0-2.module+el8.6.0+788+76246f77.noarch
python3-pki-10.12.0-2.module+el8.6.0+788+76246f77.noarch
pki-servlet-4.0-api-9.0.30-3.module+el8.5.0+697+f586bb30.noarch
pki-tools-10.12.0-2.module+el8.6.0+788+76246f77.x86_64
pki-servlet-engine-9.0.30-3.module+el8.5.0+697+f586bb30.noarch
pki-ca-10.12.0-2.module+el8.6.0+788+76246f77.noarch
pki-kra-10.12.0-2.module+el8.6.0+788+76246f77.noarch
pki-server-10.12.0-2.module+el8.6.0+788+76246f77.noarch
pki-symkey-10.12.0-2.module+el8.6.0+788+76246f77.x86_64
[root@wocfreeipa ~]# rpm -qa | grep tomcat
tomcatjss-7.7.1-1.module+el8.6.0+788+76246f77.noarch
[root@wocfreeipa ~]#
[root@wocfreeipa ~]#
[root@wocfreeipa ~]# ipa --version
VERSION: 4.9.8, API_VERSION: 2.245

thanks,
Junhou


[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-13 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

which version of tomcat is installed?
rpm -q tomcat pki-servlet-engine

Pre 9.0.31.0, the server.xml file needs to define the secret for the
connector with "requiredSecret=". With 9.0.31.0 and above, the
server.xml file needs to define the secret with "secret=...".
flo

On Tue, Dec 13, 2022 at 6:25 AM junhou he via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hi,
>
> tail -f /var/log/httpd/error_log
> [Tue Dec 13 11:23:06.828435 2022] [:warn] [pid 12597:tid 140168279328512]
> [client 10.100.0.213:56124] failed to set perms (3140) on file
> (/run/ipa/ccaches/ad...@wingon.hk-PIt3U8)!, referer:
> https://wocfreeipa.wingon.hk/ipa/xml
> [Tue Dec 13 11:23:06.894172 2022] [wsgi:error] [pid 12224:tid
> 140169472526080] [remote 10.100.0.213:56124] ipa: INFO:
> [jsonserver_session] ad...@wingon.hk: cert_show/1('1', version='2.245'):
> RemoteRetrieveError
> [Tue Dec 13 11:28:14.692546 2022] [:warn] [pid 12229:tid 140169276016384]
> [client 10.100.0.213:48306] failed to set perms (3140) on file
> (/run/ipa/ccaches/ad...@wingon.hk-PIt3U8)!, referer:
> https://wocfreeipa.wingon.hk/ipa/xml
> [Tue Dec 13 11:28:14.759617 2022] [wsgi:error] [pid 12223:tid
> 140169472526080] [remote 10.100.0.213:48306] ipa: INFO:
> [jsonserver_session] ad...@wingon.hk: cert_show/1('1', version='2.245'):
> RemoteRetrieveError
> [Tue Dec 13 13:22:40.042488 2022] [:warn] [pid 12597:tid 140169393514240]
> [client 10.100.0.213:42292] failed to set perms (3140) on file
> (/run/ipa/ccaches/ad...@wingon.hk-PIt3U8)!, referer:
> https://wocfreeipa.wingon.hk/ipa/xml
> [Tue Dec 13 13:22:40.057179 2022] [wsgi:error] [pid 12225:tid
> 140169472526080] [remote 10.100.0.213:42292] ipa: INFO:
> [jsonserver_session] ad...@wingon.hk:
> schema(known_fingerprints=('3f71e6ba',), version='2.170'): SchemaUpToDate
> [Tue Dec 13 13:22:40.389463 2022] [:warn] [pid 12597:tid 140169385121536]
> [client 10.100.0.213:42308] failed to set perms (3140) on file
> (/run/ipa/ccaches/ad...@wingon.hk-PIt3U8)!, referer:
> https://wocfreeipa.wingon.hk/ipa/xml
> [Tue Dec 13 13:22:40.452860 2022] [wsgi:error] [pid 12223:tid
> 140169472526080] [remote 10.100.0.213:42308] ipa: INFO:
> [jsonserver_session] ad...@wingon.hk: cert_show/1('1', version='2.245'):
> RemoteRetrieveError
> [Tue Dec 13 13:23:07.808084 2022] [:warn] [pid 12597:tid 140168858162944]
> [client 10.100.0.213:45054] failed to set perms (3140) on file
> (/run/ipa/ccaches/ad...@wingon.hk-PIt3U8)!, referer:
> https://wocfreeipa.wingon.hk/ipa/xml
> [Tue Dec 13 13:23:07.870276 2022] [wsgi:error] [pid 12225:tid
> 140169472526080] [remote 10.100.0.213:45054] ipa: INFO:
> [jsonserver_session] ad...@wingon.hk: cert_show/1('1', version='2.245'):
> RemoteRetrieveError
> [Tue Dec 13 13:24:18.612677 2022] [:warn] [pid 12597:tid 140168338077440]
> [client 10.100.0.213:39580] failed to set perms (3140) on file
> (/run/ipa/ccaches/ad...@wingon.hk-PIt3U8)!, referer:
> https://wocfreeipa.wingon.hk/ipa/xml
> [Tue Dec 13 13:24:18.674701 2022] [wsgi:error] [pid 12224:tid
> 140169472526080] [remote 10.100.0.213:39580] ipa: INFO:
> [jsonserver_session] ad...@wingon.hk: cert_show/1('1', version='2.245'):
> RemoteRetrieveError
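The version-dependent attribute name described in the message above, and the follow-up observation that a pre-9.0.31 pki-servlet-engine should go with requiredSecret=, can be checked mechanically. The block below is an added example for this archive, not FreeIPA or Tomcat code. httpd reaches pki-tomcat over AJP and passes the shared secret as secret= on its ProxyPass/ProxyPassMatch lines (in FreeIPA that is /etc/httpd/conf.d/ipa-pki-proxy.conf; the path is not from this thread), and Tomcat refuses AJP requests whose secret does not match, so the two sides must agree on both the attribute name and the value. The server.xml fragment, the proxy fragment and the secret value are constructed for the example; the 9.0.31 cut-off is the one stated in the thread.

```python
"""Added example for this thread, not FreeIPA or Tomcat code: check that the AJP
secret in pki-tomcat's server.xml uses the attribute this Tomcat understands and
matches the secret= that httpd's ProxyPass lines send.  Snippets are constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed server.xml fragment in the pre-9.0.31 form (requiredSecret=).
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               address="localhost" requiredSecret="ExampleAjpSecret"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"/>
  </Service>
</Server>
"""
# Constructed httpd fragment in the style of FreeIPA's ipa-pki-proxy.conf.
PROXY_CONF = """\
ProxyRequests Off
ProxyPassMatch ^/ca/(ee|agent|admin|rest)/ ajp://localhost:8009 secret=ExampleAjpSecret
ProxyPassMatch ^/kra/(ee|agent|admin|rest)/ ajp://localhost:8009 secret=ExampleAjpSecret
"""

def secret_attribute_for(tomcat_version):
    """Name of the AJP connector's secret attribute: renamed in Tomcat 9.0.31."""
    parts = tuple(int(x) for x in tomcat_version.split(".")[:3])
    return "secret" if parts >= (9, 0, 31) else "requiredSecret"

def ajp_connectors(server_xml):
    """Attribute dicts of every AJP connector in server.xml."""
    return [c.attrib for c in ET.fromstring(server_xml).iter("Connector")
            if "ajp" in c.get("protocol", "").lower()]

def httpd_secrets(proxy_conf):
    """Distinct secret= values on ProxyPass/ProxyPassMatch lines that target ajp://."""
    pattern = r"^\s*ProxyPass(?:Match)?\s+\S+\s+ajp://\S+.*?\bsecret=(\S+)"
    return set(re.findall(pattern, proxy_conf, re.M))

def check_ajp_secret(server_xml, proxy_conf, tomcat_version):
    """Problems found; empty means httpd and pki-tomcat agree on the AJP secret."""
    wanted = secret_attribute_for(tomcat_version)
    other = "requiredSecret" if wanted == "secret" else "secret"
    connectors, secrets, problems = ajp_connectors(server_xml), httpd_secrets(proxy_conf), []
    if not connectors:
        return ["no AJP connector in server.xml"]
    if len(secrets) != 1:
        problems.append(f"httpd config carries {len(secrets)} distinct AJP secrets, expected exactly 1")
    for conn in connectors:
        port = conn.get("port", "?")
        if wanted not in conn:
            hint = f" (it has {other}= instead)" if other in conn else ""
            problems.append(f"AJP connector on port {port} lacks {wanted}= for Tomcat {tomcat_version}{hint}")
        elif secrets and conn[wanted] not in secrets:
            problems.append(f"AJP connector on port {port}: {wanted}= differs from httpd's secret=")
    return problems
```

With the 9.0.30 pki-servlet-engine from this thread, check_ajp_secret(SERVER_XML, PROXY_CONF, "9.0.30") returns no problems; the same server.xml checked against "9.0.31" is reported as lacking secret= and carrying requiredSecret= instead, which is the mismatch the message above asks the reporter to rule out.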


[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-12 Thread junhou he via FreeIPA-users
Hi,

tail -f /var/log/httpd/error_log
[Tue Dec 13 11:23:06.828435 2022] [:warn] [pid 12597:tid 140168279328512] 
[client 10.100.0.213:56124] failed to set perms (3140) on file 
(/run/ipa/ccaches/ad...@wingon.hk-PIt3U8)!, referer: 
https://wocfreeipa.wingon.hk/ipa/xml
[Tue Dec 13 11:23:06.894172 2022] [wsgi:error] [pid 12224:tid 140169472526080] 
[remote 10.100.0.213:56124] ipa: INFO: [jsonserver_session] ad...@wingon.hk: 
cert_show/1('1', version='2.245'): RemoteRetrieveError
[Tue Dec 13 11:28:14.692546 2022] [:warn] [pid 12229:tid 140169276016384] 
[client 10.100.0.213:48306] failed to set perms (3140) on file 
(/run/ipa/ccaches/ad...@wingon.hk-PIt3U8)!, referer: 
https://wocfreeipa.wingon.hk/ipa/xml
[Tue Dec 13 11:28:14.759617 2022] [wsgi:error] [pid 12223:tid 140169472526080] 
[remote 10.100.0.213:48306] ipa: INFO: [jsonserver_session] ad...@wingon.hk: 
cert_show/1('1', version='2.245'): RemoteRetrieveError
[Tue Dec 13 13:22:40.042488 2022] [:warn] [pid 12597:tid 140169393514240] 
[client 10.100.0.213:42292] failed to set perms (3140) on file 
(/run/ipa/ccaches/ad...@wingon.hk-PIt3U8)!, referer: 
https://wocfreeipa.wingon.hk/ipa/xml
[Tue Dec 13 13:22:40.057179 2022] [wsgi:error] [pid 12225:tid 140169472526080] 
[remote 10.100.0.213:42292] ipa: INFO: [jsonserver_session] ad...@wingon.hk: 
schema(known_fingerprints=('3f71e6ba',), version='2.170'): SchemaUpToDate
[Tue Dec 13 13:22:40.389463 2022] [:warn] [pid 12597:tid 140169385121536] 
[client 10.100.0.213:42308] failed to set perms (3140) on file 
(/run/ipa/ccaches/ad...@wingon.hk-PIt3U8)!, referer: 
https://wocfreeipa.wingon.hk/ipa/xml
[Tue Dec 13 13:22:40.452860 2022] [wsgi:error] [pid 12223:tid 140169472526080] 
[remote 10.100.0.213:42308] ipa: INFO: [jsonserver_session] ad...@wingon.hk: 
cert_show/1('1', version='2.245'): RemoteRetrieveError
[Tue Dec 13 13:23:07.808084 2022] [:warn] [pid 12597:tid 140168858162944] 
[client 10.100.0.213:45054] failed to set perms (3140) on file 
(/run/ipa/ccaches/ad...@wingon.hk-PIt3U8)!, referer: 
https://wocfreeipa.wingon.hk/ipa/xml
[Tue Dec 13 13:23:07.870276 2022] [wsgi:error] [pid 12225:tid 140169472526080] 
[remote 10.100.0.213:45054] ipa: INFO: [jsonserver_session] ad...@wingon.hk: 
cert_show/1('1', version='2.245'): RemoteRetrieveError
[Tue Dec 13 13:24:18.612677 2022] [:warn] [pid 12597:tid 140168338077440] 
[client 10.100.0.213:39580] failed to set perms (3140) on file 
(/run/ipa/ccaches/ad...@wingon.hk-PIt3U8)!, referer: 
https://wocfreeipa.wingon.hk/ipa/xml
[Tue Dec 13 13:24:18.674701 2022] [wsgi:error] [pid 12224:tid 140169472526080] 
[remote 10.100.0.213:39580] ipa: INFO: [jsonserver_session] ad...@wingon.hk: 
cert_show/1('1', version='2.245'): RemoteRetrieveError


[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-12 Thread Rob Crittenden via FreeIPA-users
junhou he via FreeIPA-users wrote:
> Hi ,
> I opened two windows, one to run ipa cert-show 1, one to observe the debug log
> [root@wocfreeipa ~]# ipa cert-show 1
> ipa: ERROR: Failed to authenticate to CA REST API
> [root@wocfreeipa ~]# ipa cert-show 1
> ipa: ERROR: Failed to authenticate to CA REST API
> [root@wocfreeipa ~]# ipa cert-show 1
> ipa: ERROR: Failed to authenticate to CA REST API

So it isn't hitting the CA at all. Check /var/log/httpd/error_log for
any details.

rob

> 
> [root@wocfreeipa ~]# tail -f /var/log/pki/pki-tomcat/ca/debug.2022-12-13.log
> 2022-12-13 11:13:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: 
> (certStatus=INVALID)
> 2022-12-13 11:13:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: 
> Updating valid certs to expired
> 2022-12-13 11:13:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching 
> ou=certificateRepository, ou=ca,o=ipaca
> 2022-12-13 11:13:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: 
> (certStatus=VALID)
> 2022-12-13 11:13:31 [CertStatusUpdateTask] INFO: DBVirtualList: dn: 
> cn=2,ou=certificateRepository,ou=ca,o=ipaca
> 2022-12-13 11:13:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: 
> Updating revoked certs to expired
> 2022-12-13 11:13:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching 
> ou=certificateRepository, ou=ca,o=ipaca
> 2022-12-13 11:13:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: 
> (certStatus=REVOKED)
> 2022-12-13 11:18:30 [CRLIssuingPoint-MasterCRL] INFO: LDAPSession: Modifying 
> LDAP entry cn=MasterCRL,ou=crlIssuingPoints,o=ipaca
> 2022-12-13 11:18:31 [Timer-0] INFO: SessionTimer: checking security domain 
> sessions
> 2022-12-13 11:22:35 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-8] INFO: Getting 
> certificate 0x1
> 2022-12-13 11:22:35 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-8] INFO: LDAPSession: 
> reading cn=1,ou=certificateRepository, ou=ca,o=ipaca
> 2022-12-13 11:23:06 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-9] INFO: Getting 
> certificate 0x1
> 2022-12-13 11:23:06 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-9] INFO: LDAPSession: 
> reading cn=1,ou=certificateRepository, ou=ca,o=ipaca
> 2022-12-13 11:23:30 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: 
> Updating serial number counter
> 2022-12-13 11:23:30 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: 
> Checking serial number ranges
> 2022-12-13 11:23:30 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: 
> Checking request ID ranges
> 2022-12-13 11:23:31 [Timer-0] INFO: SessionTimer: checking security domain 
> sessions
> 2022-12-13 11:23:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: 
> Updating cert status
> 2022-12-13 11:23:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: 
> Updating invalid certs to valid
> 2022-12-13 11:23:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching 
> ou=certificateRepository, ou=ca,o=ipaca
> 2022-12-13 11:23:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: 
> (certStatus=INVALID)
> 2022-12-13 11:23:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: 
> Updating valid certs to expired
> 2022-12-13 11:23:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching 
> ou=certificateRepository, ou=ca,o=ipaca
> 2022-12-13 11:23:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: 
> (certStatus=VALID)
> 2022-12-13 11:23:31 [CertStatusUpdateTask] INFO: DBVirtualList: dn: 
> cn=2,ou=certificateRepository,ou=ca,o=ipaca
> 2022-12-13 11:23:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: 
> Updating revoked certs to expired
> 2022-12-13 11:23:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching 
> ou=certificateRepository, ou=ca,o=ipaca
> 2022-12-13 11:23:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: 
> (certStatus=REVOKED)
> 
> 2022-12-13 11:28:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: Getting 
> certificate 0x1
> 2022-12-13 11:28:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: LDAPSession: 
> reading cn=1,ou=certificateRepository, ou=ca,o=ipaca
> 
> 
> 
[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-12 Thread junhou he via FreeIPA-users
Hi,
I opened two windows, one to run ipa cert-show 1, one to observe the debug log
[root@wocfreeipa ~]# ipa cert-show 1
ipa: ERROR: Failed to authenticate to CA REST API
[root@wocfreeipa ~]# ipa cert-show 1
ipa: ERROR: Failed to authenticate to CA REST API
[root@wocfreeipa ~]# ipa cert-show 1
ipa: ERROR: Failed to authenticate to CA REST API

[root@wocfreeipa ~]# tail -f /var/log/pki/pki-tomcat/ca/debug.2022-12-13.log
2022-12-13 11:13:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: 
(certStatus=INVALID)
2022-12-13 11:13:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating 
valid certs to expired
2022-12-13 11:13:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching 
ou=certificateRepository, ou=ca,o=ipaca
2022-12-13 11:13:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: 
(certStatus=VALID)
2022-12-13 11:13:31 [CertStatusUpdateTask] INFO: DBVirtualList: dn: 
cn=2,ou=certificateRepository,ou=ca,o=ipaca
2022-12-13 11:13:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating 
revoked certs to expired
2022-12-13 11:13:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching 
ou=certificateRepository, ou=ca,o=ipaca
2022-12-13 11:13:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: 
(certStatus=REVOKED)
2022-12-13 11:18:30 [CRLIssuingPoint-MasterCRL] INFO: LDAPSession: Modifying 
LDAP entry cn=MasterCRL,ou=crlIssuingPoints,o=ipaca
2022-12-13 11:18:31 [Timer-0] INFO: SessionTimer: checking security domain 
sessions
2022-12-13 11:22:35 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-8] INFO: Getting 
certificate 0x1
2022-12-13 11:22:35 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-8] INFO: LDAPSession: 
reading cn=1,ou=certificateRepository, ou=caca
2022-12-13 11:23:06 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-9] INFO: Getting 
certificate 0x1
2022-12-13 11:23:06 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-9] INFO: LDAPSession: 
reading cn=1,ou=certificateRepository, ou=caca
2022-12-13 11:23:30 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: 
Updating serial number counter
2022-12-13 11:23:30 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: 
Checking serial number ranges
2022-12-13 11:23:30 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: 
Checking request ID ranges
2022-12-13 11:23:31 [Timer-0] INFO: SessionTimer: checking security domain 
sessions
2022-12-13 11:23:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating 
cert status
2022-12-13 11:23:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating 
invalid certs to valid
2022-12-13 11:23:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching 
ou=certificateRepository, ou=ca,o=ipaca
2022-12-13 11:23:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: 
(certStatus=INVALID)
2022-12-13 11:23:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating 
valid certs to expired
2022-12-13 11:23:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching 
ou=certificateRepository, ou=ca,o=ipaca
2022-12-13 11:23:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: 
(certStatus=VALID)
2022-12-13 11:23:31 [CertStatusUpdateTask] INFO: DBVirtualList: dn: 
cn=2,ou=certificateRepository,ou=ca,o=ipaca
2022-12-13 11:23:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating 
revoked certs to expired
2022-12-13 11:23:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching 
ou=certificateRepository, ou=ca,o=ipaca
2022-12-13 11:23:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: 
(certStatus=REVOKED)

2022-12-13 11:28:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: Getting 
certificate 0x1
2022-12-13 11:28:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] INFO: LDAPSession: 
reading cn=1,ou=certificateRepository, ou=ca,o=ipaca




[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-12 Thread Rob Crittenden via FreeIPA-users
junhou he via FreeIPA-users wrote:

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-12 Thread junhou he via FreeIPA-users
Hi,
cat /etc/httpd/conf.d/ipa-pki-proxy.conf | grep secret
ProxyPassMatch ajp://localhost:8009 
secret=9YiPRrt1izX7zjQ2PLQwyIkLdEKMwArNdEEuyPHiHVCG
ProxyPassMatch ajp://localhost:8009 
secret=9YiPRrt1izX7zjQ2PLQwyIkLdEKMwArNdEEuyPHiHVCG
ProxyPassMatch ajp://localhost:8009 
secret=9YiPRrt1izX7zjQ2PLQwyIkLdEKMwArNdEEuyPHiHVCG
ProxyPassMatch ajp://localhost:8009 
secret=9YiPRrt1izX7zjQ2PLQwyIkLdEKMwArNdEEuyPHiHVCG

cat /etc/pki/pki-tomcat/server.xml | grep 8009




value is matched


[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-12 Thread junhou he via FreeIPA-users
Hi, 
"does it mean that they were replaced with externally-signed
server certificates using ipa-server-certinstall?"
Yes, I replaced them with externally-signed server certificates using certutil.
less /var/log/pki/pki-tomcat/ca/debug.2022-12-13.log
2022-12-13 08:18:31 [Timer-0] INFO: SessionTimer: checking security domain 
sessions
2022-12-13 08:23:30 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: 
Updating serial number counter
2022-12-13 08:23:30 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: 
Checking serial number ranges
2022-12-13 08:23:30 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: 
Checking request ID ranges
2022-12-13 08:23:31 [Timer-0] INFO: SessionTimer: checking security domain 
sessions
2022-12-13 08:23:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating 
cert status
2022-12-13 08:23:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating 
invalid certs to valid
2022-12-13 08:23:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching 
ou=certificateRepository, ou=ca,o=ipaca
2022-12-13 08:23:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: 
(certStatus=INVALID)
2022-12-13 08:23:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating 
valid certs to expired
2022-12-13 08:23:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching 
ou=certificateRepository, ou=ca,o=ipaca
2022-12-13 08:23:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: 
(certStatus=VALID)
2022-12-13 08:23:31 [CertStatusUpdateTask] INFO: DBVirtualList: dn: 
cn=2,ou=certificateRepository,ou=ca,o=ipaca
2022-12-13 08:23:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating 
revoked certs to expired
2022-12-13 08:23:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching 
ou=certificateRepository, ou=ca,o=ipaca
2022-12-13 08:23:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: 
(certStatus=REVOKED)
2022-12-13 08:28:31 [Timer-0] INFO: SessionTimer: checking security domain 
sessions
2022-12-13 08:33:30 [CRLIssuingPoint-MasterCRL] INFO: LDAPSession: Modifying 
LDAP entry cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca
2022-12-13 08:33:30 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: 
Updating serial number counter
2022-12-13 08:33:30 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: 
Checking serial number ranges
2022-12-13 08:33:30 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: 
Checking request ID ranges
2022-12-13 08:33:31 [Timer-0] INFO: SessionTimer: checking security domain 
sessions
2022-12-13 08:33:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating 
cert status
2022-12-13 08:33:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating 
invalid certs to valid
2022-12-13 08:33:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching 
ou=certificateRepository, ou=ca,o=ipaca
2022-12-13 08:33:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: 
(certStatus=INVALID)
2022-12-13 08:33:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating 
valid certs to expired
2022-12-13 08:33:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching 
ou=certificateRepository, ou=ca,o=ipaca
2022-12-13 08:33:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: 
(certStatus=VALID)
2022-12-13 08:33:31 [CertStatusUpdateTask] INFO: DBVirtualList: dn: 
cn=2,ou=certificateRepository,ou=ca,o=ipaca
2022-12-13 08:33:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating 
revoked certs to expired
2022-12-13 08:33:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching 
ou=certificateRepository, ou=ca,o=ipaca
2022-12-13 08:33:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: 
(certStatus=REVOKED)
2022-12-13 08:38:31 [Timer-0] INFO: SessionTimer: checking security domain 
sessions
2022-12-13 08:43:30 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: 
Updating serial number counter
2022-12-13 08:43:30 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: 
Checking serial number ranges
2022-12-13 08:43:30 [SerialNumberUpdateTask] INFO: SerialNumberUpdateTask: 
Checking request ID ranges
2022-12-13 08:43:31 [Timer-0] INFO: SessionTimer: checking security domain 
sessions
2022-12-13 08:43:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating 
cert status
2022-12-13 08:43:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating 
invalid certs to valid
2022-12-13 08:43:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching 
ou=certificateRepository, ou=ca,o=ipaca
2022-12-13 08:43:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: 
(certStatus=INVALID)
2022-12-13 08:43:31 [CertStatusUpdateTask] INFO: CertStatusUpdateTask: Updating 
valid certs to expired
2022-12-13 08:43:31 [CertStatusUpdateTask] INFO: DBVirtualList: Searching 
ou=certificateRepository, ou=ca,o=ipaca
2022-12-13 08:43:31 [CertStatusUpdateTask] INFO: DBVirtualList: filter: 
(certStatus=VALID)
2022-12-13 08:43:31 [CertStatusUpdateTask] INFO: DBVirtualList: dn: 
cn=2,ou=certificateRepository,ou=ca,o=ipaca
2022-12-13 08:43:31 

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-12 Thread Rob Crittenden via FreeIPA-users
Florence Blanc-Renaud via FreeIPA-users wrote:

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-12 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

On Mon, Dec 12, 2022 at 10:20 AM junhou he via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:


[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-12 Thread junhou he via FreeIPA-users
Hi,
getcert list
Number of certificates and requests being tracked: 7.
Request ID '20221116023302':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=WINGON.HK
subject: CN=IPA RA,O=WINGON.HK
issued: 2022-11-16 10:33:02 HKT
expires: 2024-11-05 10:33:02 HKT
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-clientAuth
profile: caSubsystemCert
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20221116023307':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin set
certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=WINGON.HK
subject: CN=CA Audit,O=WINGON.HK
issued: 2022-11-16 10:31:47 HKT
expires: 2024-11-05 10:31:47 HKT
key usage: digitalSignature,nonRepudiation
profile: caSignedLogCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221116023309':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin set
certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=WINGON.HK
subject: CN=OCSP Subsystem,O=WINGON.HK
issued: 2022-11-16 10:31:46 HKT
expires: 2024-11-05 10:31:46 HKT
eku: id-kp-OCSPSigning
profile: caOCSPCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221116023310':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB',pin set
certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=WINGON.HK
subject: CN=CA Subsystem,O=WINGON.HK
issued: 2022-11-16 10:31:46 HKT
expires: 2024-11-05 10:31:46 HKT
key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-clientAuth
profile: caSubsystemCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221116023311':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin set
certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=WINGON.HK
subject: CN=Certificate Authority,O=WINGON.HK
issued: 2022-11-16 10:31:44 HKT
expires: 2042-11-16 10:31:44 HKT
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
profile: caCACert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221116023312':
status: MONITORING
stuck: no
key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert 
cert-pki-ca',token='NSS Certificate DB',pin set
certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert 
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=WINGON.HK
subject: CN=wocfreeipa.wingon.hk,O=WINGON.HK
issued: 2022-11-16 10:31:46 HKT
expires: 2024-11-05 10:31:46 HKT
dns: wocfreeipa.wingon.hk
key usage: 

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-12 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,

On Mon, Dec 12, 2022 at 8:55 AM junhou he via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> ipactl status shows that the services are running normally
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
>
>  but ipa cert-show prompts an error:
> ipa: ERROR: Failed to authenticate to CA REST API
>
>
When a user executes the command "ipa cert-show ", the process
contacts httpd and then httpd needs to contact the Certificate Server. This
error usually happens when the authentication step between httpd and the
Certificate Server fails. Authentication is done using the certificate
ra-agent stored in /var/lib/ipa/ra-agent.{pem|key} for recent versions or
in the NSS database /etc/pki/pki-tomcat/alias/.
The authentication may fail for multiple reasons:
- the ra-agent cert is expired
- the SSL server cert used by the Certificate Server is expired
- the entry uid=ipara,ou=people,o=ipaca hasn't been updated

The validity of certificates can be checked using "*getcert list*": ensure
that all the certificates are displayed with "status: MONITORING" and have
a date "expires: xxx" that is not already past.
The content of the entry uid=ipara,ou=people,o=ipaca can be checked with:
*ldapsearch -x -o ldif-wrap=no -LLL -s base -h `hostname` -p 389 -b
uid=ipara,ou=people,o=ipaca description usercertificate*
dn: uid=ipara,ou=people,o=ipaca
description: 2;22;CN=Certificate Authority,O=IPA.TEST;CN=IPA RA,O=IPA.TEST
usercertificate:: MIID...JN4Q==

The field "description" must contain 2;<serial>;<issuer>;<subject>
corresponding to the ra certificate. Compare the values with the output of:
(if the cert is stored in /var/lib/ipa/ra-agent.pem)
*openssl x509 -nameopt RFC2253 -noout -subject -serial -issuer -in
/var/lib/ipa/ra-agent.pem *
subject=CN=IPA RA,O=IPA.TEST
serial=16   <<< here the serial is displayed in hex format, 0x16 = 22
issuer=CN=Certificate Authority,O=IPA.TEST
issuer=O = IPA.TEST, CN = Certificate Authority

or (if the cert is stored in /etc/pki/pki-tomcat/alias)
*certutil -L -d /etc/pki/pki-tomcat/alias -n ipaCert*

The field "userCertificate" must contain the same cert as the file
/var/lib/ipa/ra-agent.pem, minus the header and footer, or the same value
as returned by the command
*certutil -L -d /etc/pki/pki-tomcat/alias -n ipaCert -a*

If you see any inconsistency, please provide the output of the above
commands and we'll be able to guide you how to fix the issue.
HTH,
flo

> I can't find the relevant error in the ipa log file, does anyone know how
> to debug this problem?
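A way to automate the comparison Florence describes, added here as an example (it is not FreeIPA code and not from the thread): it parses the text that the ldapsearch and openssl commands above print, converts the hex serial from openssl into the decimal form stored in the description attribute, and checks the stored userCertificate against the PEM body of ra-agent.pem. The function names are mine, and the certificate bytes and LDIF below are constructed placeholders, not a real RA certificate.

```python
import base64
import re
import textwrap

# --- Constructed sample input (placeholders, not a real RA certificate) ---
FAKE_DER = b"constructed placeholder: not a real X.509 certificate"
FAKE_B64 = base64.b64encode(FAKE_DER).decode()

# Shape of /var/lib/ipa/ra-agent.pem around those bytes (64-column base64).
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(textwrap.wrap(FAKE_B64, 64))
              + "\n-----END CERTIFICATE-----\n")

# Output of: openssl x509 -nameopt RFC2253 -noout -subject -serial -issuer -in ra-agent.pem
# openssl prints the serial in hex (0x16 == 22). Without -nameopt RFC2253 the DN
# would come out as "O = IPA.TEST, CN = ..." and never match the LDAP string.
SAMPLE_OPENSSL = ("subject=CN=IPA RA,O=IPA.TEST\n"
                  "serial=16\n"
                  "issuer=CN=Certificate Authority,O=IPA.TEST\n")

# Output of: ldapsearch -x -o ldif-wrap=no -LLL -s base -b uid=ipara,ou=people,o=ipaca \
#            description usercertificate
SAMPLE_LDIF = ("dn: uid=ipara,ou=people,o=ipaca\n"
               "description: 2;22;CN=Certificate Authority,O=IPA.TEST;CN=IPA RA,O=IPA.TEST\n"
               f"usercertificate:: {FAKE_B64}\n")

# Same entry when it was never updated after an RA cert renewal: serial and
# stored certificate still belong to the previous certificate.
STALE_LDIF = ("dn: uid=ipara,ou=people,o=ipaca\n"
              "description: 2;21;CN=Certificate Authority,O=IPA.TEST;CN=IPA RA,O=IPA.TEST\n"
              "usercertificate:: "
              + base64.b64encode(b"previous placeholder certificate").decode() + "\n")


def parse_description(desc):
    """Split the '2;<serial>;<issuer>;<subject>' value of the description attribute."""
    parts = desc.split(";", 3)  # DNs contain ',' but no ';', so 3 splits suffice
    if len(parts) != 4 or parts[0] != "2":
        raise ValueError("unexpected description format: %r" % desc)
    return {"serial": int(parts[1]), "issuer": parts[2], "subject": parts[3]}


def parse_openssl_x509(text):
    """Read subject=, serial= (hex) and issuer= lines from openssl x509 output."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if not sep:
            continue
        key = key.strip()
        if key == "serial":
            out["serial"] = int(value.strip(), 16)  # hex from openssl, decimal in LDAP
        elif key in ("subject", "issuer"):
            out[key] = value.strip()
    missing = {"serial", "subject", "issuer"} - set(out)
    if missing:
        raise ValueError("openssl output lacks %s" % sorted(missing))
    return out


def pem_body(pem):
    """Base64 payload of the first CERTIFICATE block, header/footer and newlines dropped."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM input")
    return "".join(m.group(1).split())


def ldif_attribute(ldif, name, base64_valued=False):
    """First value of attribute `name` in LDIF text ('::' introduces a base64 value)."""
    marker = name.lower() + ("::" if base64_valued else ":")
    for line in ldif.splitlines():
        if line.lower().startswith(marker):
            return line[len(marker):].strip()
    return None


def ra_entry_mismatches(ldif, openssl_text, ra_agent_pem):
    """List every way uid=ipara disagrees with ra-agent.pem; an empty list means consistent."""
    problems = []
    desc = ldif_attribute(ldif, "description")
    if desc is None:
        return ["description attribute missing from uid=ipara entry"]
    entry = parse_description(desc)
    cert = parse_openssl_x509(openssl_text)
    for field in ("serial", "issuer", "subject"):
        if entry[field] != cert[field]:
            problems.append("%s: LDAP has %r, ra-agent.pem has %r"
                            % (field, entry[field], cert[field]))
    stored = ldif_attribute(ldif, "usercertificate", base64_valued=True)
    if stored is None:
        problems.append("usercertificate attribute missing from uid=ipara entry")
    elif base64.b64decode(stored) != base64.b64decode(pem_body(ra_agent_pem)):
        # Compare decoded DER so base64 line wrapping cannot cause a false alarm.
        problems.append("usercertificate differs from the certificate in ra-agent.pem")
    return problems


if __name__ == "__main__":
    for label, ldif in (("current entry", SAMPLE_LDIF), ("stale entry", STALE_LDIF)):
        print(label + ":", ra_entry_mismatches(ldif, SAMPLE_OPENSSL, SAMPLE_PEM) or "consistent")
```

On a real server, feed the functions the actual output of the two commands; a non-empty list is exactly the inconsistency Florence asks to be reported.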