[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2023-01-04 Thread Florence Blanc-Renaud via FreeIPA-users
On Wed, Jan 4, 2023 at 4:05 AM junhou he via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> Hi,
>
> when I use mod_ssl everything works fine, thanks a lot for your help!!!
>
Thanks for letting us know, I must say I'm relieved we finally found the root cause :)
flo
>
> thanks
>

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2023-01-03 Thread junhou he via FreeIPA-users
Hi, when I use mod_ssl everything works fine, thanks a lot for your help!!! thanks

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2023-01-03 Thread Florence Blanc-Renaud via FreeIPA-users
Sorry, hit send too soon.
On Tue, Jan 3, 2023 at 1:53 PM Florence Blanc-Renaud wrote:
> Hi,
>
> On Tue, Jan 3, 2023 at 9:20 AM junhou he via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
>> Hi,
>> I did not change anything in /etc/httpd/conf.d/ipa-pki-proxy.conf
>> #

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2023-01-03 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,
On Tue, Jan 3, 2023 at 9:20 AM junhou he via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> Hi,
> I did not change anything in /etc/httpd/conf.d/ipa-pki-proxy.conf
> # matches for REST API of CA, KRA, and PKI
>
> SSLOptions +StdEnvVars +ExportCertData +StrictRequire

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2023-01-03 Thread junhou he via FreeIPA-users
Hi,
I did not change anything in /etc/httpd/conf.d/ipa-pki-proxy.conf
# matches for REST API of CA, KRA, and PKI
SSLOptions +StdEnvVars +ExportCertData +StrictRequire +OptRenegotiate
SSLVerifyClient optional
ProxyPassMatch ajp://localhost:8009

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-22 Thread junhou he via FreeIPA-users
Hi,
[root@wocfreeipa ~]# date
Fri Dec 23 08:26:00 HKT 2022
[root@wocfreeipa ~]# ipa cert-show 1
ipa: ERROR: Failed to authenticate to CA REST API
[root@wocfreeipa ~]#journactl -f
Dec 23 08:26:03 wocfreeipa.wingon.hk server[26465]: FINE: Counting up[ajp-nio-0:0:0:0:0:0:0:1-8009-Acceptor] latch=4

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-22 Thread Rob Crittenden via FreeIPA-users
Florence Blanc-Renaud via FreeIPA-users wrote:
> Hi,
>
> the FINE logs should be visible in the journal.
Let me add that tail may not be the best way to collect the logs. 389-ds by default has a 30-second buffer, so depending on timing the associated searches may or may not be included in the

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-21 Thread junhou he via FreeIPA-users
Hi,
[root@wocfreeipa conf]# ipa cert-show 1
ipa: ERROR: Failed to authenticate to CA REST API
[root@wocfreeipa conf]# cat /var/lib/pki/pki-tomcat/conf/logging.properties | grep FINE
1catalina.org.apache.juli.FileHandler.level = FINE
2localhost.org.apache.juli.FileHandler.level = FINE

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-21 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, thanks for the logs. Definitely nothing reported here related to the login attempt. I would try to increase PKI's log level by editing /var/lib/pki/pki-tomcat/conf/logging.properties (use FINE everywhere, restart pki-tomcatd, run the ipa cert-show 1 command, revert to previous log level),

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-20 Thread junhou he via FreeIPA-users
Hi,
[20/Dec/2022:08:49:29.637099418 +0800] conn=2892 op=9 UNBIND
[20/Dec/2022:08:49:29.637145006 +0800] conn=2892 op=9 fd=124 closed error - U1
[20/Dec/2022:08:49:32.043506909 +0800] conn=27 op=3410 SRCH base="ou=sessions,ou=Security Domain,o=ipaca" scope=2

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-19 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,
On Tue, Dec 20, 2022 at 2:20 AM junhou he via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> Hi,
> tail -f /var/log/pki/pki-tomcat/ca/debug.2022-12-20.log
> 2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca
>

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-19 Thread junhou he via FreeIPA-users
Hi,
tail -f /var/log/pki/pki-tomcat/ca/debug.2022-12-20.log
2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: DBVirtualList: Searching ou=certificateRepository, ou=ca,o=ipaca
2022-12-20 08:44:38 [CertStatusUpdateTask] INFO: DBVirtualList: filter: (certStatus=INVALID)
2022-12-20 08:44:38

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-19 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,
On Mon, Dec 19, 2022 at 3:25 AM junhou he via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> Hi,
> tail -f /var/log/pki/pki-tomcat/localhost_access_log.2022-12-19.txt
> 10.100.0.213 - - [19/Dec/2022:09:59:45 +0800] "GET /ca/rest/certs/1 HTTP/1.1" 200 9991
> 10.100.0.213 -

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-18 Thread junhou he via FreeIPA-users
Hi,
tail -f /var/log/pki/pki-tomcat/localhost_access_log.2022-12-19.txt
10.100.0.213 - - [19/Dec/2022:09:59:45 +0800] "GET /ca/rest/certs/1 HTTP/1.1" 200 9991
10.100.0.213 - - [19/Dec/2022:09:59:45 +0800] "GET /ca/rest/account/login HTTP/1.1" 401 669
10.100.0.213 - - [19/Dec/2022:10:00:01 +0800]

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-16 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,
Let's restart from scratch this investigation. When you run "ipa cert-show 1", does it trigger any log in /var/log/httpd/access_log and /var/log/httpd/ssl_request_log?
On a working instance I have the following:
in access_log:
10.0.138.204 - - [16/Dec/2022:09:20:32 -0500] "GET

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-14 Thread junhou he via FreeIPA-users
Hi,
we disable selinux
ls -lZ /var/lib/ipa/ra-agent.*
-rwxrwxrwx 1 root ipaapi ? 1704 Nov 16 10:33 /var/lib/ipa/ra-agent.key
-rwxrwxrwx 1 root ipaapi ? 1399 Nov 16 10:33 /var/lib/ipa/ra-agent.pem

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-14 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,
Did you check the permissions of the ra-agent certificate files?
# ls -lZ /var/lib/ipa/ra-agent.*
-r--r-. 1 root ipaapi system_u:object_r:ipa_var_lib_t:s0 1704 May 31 2022 /var/lib/ipa/ra-agent.key
-r--r-. 1 root ipaapi system_u:object_r:ipa_var_lib_t:s0 1395 May 31 2022

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-14 Thread junhou he via FreeIPA-users
Hi,
I checked again and it matches
ldapsearch -x -o ldif-wrap=no -LLL -s base -h `hostname` -p 389 -b uid=ipara,ou=people,o=ipaca description usercertificate
dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=Certificate Authority,O=WINGON.HK;CN=IPA RA,O=WINGON.HK
usercertificate::

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-13 Thread Rob Crittenden via FreeIPA-users
junhou he via FreeIPA-users wrote:
> Hi,
>
> tail -f /var/log/httpd/error_log
> [Wed Dec 14 10:45:46.672850 2022] [wsgi:error] [pid 15502:tid 140175850501888] [remote 10.100.0.213:47182] File "/usr/lib/python3.6/site-packages/ipaserver/plugins/ca.py", line 189, in
>

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-13 Thread junhou he via FreeIPA-users
Hi,
tail -f /var/log/httpd/error_log
[Wed Dec 14 10:45:46.672850 2022] [wsgi:error] [pid 15502:tid 140175850501888] [remote 10.100.0.213:47182] File "/usr/lib/python3.6/site-packages/ipaserver/plugins/ca.py", line 189, in set_certificate_attrs
[Wed Dec 14 10:45:46.672854 2022] [wsgi:error]

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-13 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,
On Tue, Dec 13, 2022 at 11:00 AM junhou he via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> Hi,
> rpm -qa | grep pki
> krb5-pkinit-1.18.2-14.el8.x86_64
> pki-base-10.12.0-2.module+el8.6.0+788+76246f77.noarch
> pki-base-java-10.12.0-2.module+el8.6.0+788+76246f77.noarch
>

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-13 Thread junhou he via FreeIPA-users
Hi,
rpm -qa | grep pki
krb5-pkinit-1.18.2-14.el8.x86_64
pki-base-10.12.0-2.module+el8.6.0+788+76246f77.noarch
pki-base-java-10.12.0-2.module+el8.6.0+788+76246f77.noarch
pki-acme-10.12.0-2.module+el8.6.0+788+76246f77.noarch
python3-pki-10.12.0-2.module+el8.6.0+788+76246f77.noarch

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-13 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,
which version of tomcat is installed?
rpm -q tomcat pki-servlet-engine
Pre 9.0.31.0, the server.xml file needs to define the secret for the connector with "requiredSecret=". With 9.0.31.0 and above, the server.xml file needs to define the secret with "secret=...".
flo
On Tue, Dec 13,

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-12 Thread junhou he via FreeIPA-users
Hi,
tail -f /var/log/httpd/error_log
[Tue Dec 13 11:23:06.828435 2022] [:warn] [pid 12597:tid 140168279328512] [client 10.100.0.213:56124] failed to set perms (3140) on file (/run/ipa/ccaches/ad...@wingon.hk-PIt3U8)!, referer: https://wocfreeipa.wingon.hk/ipa/xml
[Tue Dec 13 11:23:06.894172

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-12 Thread Rob Crittenden via FreeIPA-users
junhou he via FreeIPA-users wrote:
> Hi,
> I opened two windows, one to run ipa cert-show 1, one to observe the debug log
> [root@wocfreeipa ~]# ipa cert-show 1
> ipa: ERROR: Failed to authenticate to CA REST API
> [root@wocfreeipa ~]# ipa cert-show 1
> ipa: ERROR: Failed to authenticate to CA

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-12 Thread junhou he via FreeIPA-users
Hi,
I opened two windows, one to run ipa cert-show 1, one to observe the debug log
[root@wocfreeipa ~]# ipa cert-show 1
ipa: ERROR: Failed to authenticate to CA REST API
[root@wocfreeipa ~]# ipa cert-show 1
ipa: ERROR: Failed to authenticate to CA REST API
[root@wocfreeipa ~]# ipa cert-show 1
ipa:

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-12 Thread Rob Crittenden via FreeIPA-users
junhou he via FreeIPA-users wrote:
> Hi,
> "does it mean that they were replaced with externally-signed server certificates using ipa-server-certinstall?"
> yes, I replaced with externally-signed server certificates using certutil
> less /var/log/pki/pki-tomcat/ca/debug.2022-12-13.log
>

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-12 Thread junhou he via FreeIPA-users
Hi,
cat /etc/httpd/conf.d/ipa-pki-proxy.conf | grep secret
ProxyPassMatch ajp://localhost:8009 secret=9YiPRrt1izX7zjQ2PLQwyIkLdEKMwArNdEEuyPHiHVCG
ProxyPassMatch ajp://localhost:8009 secret=9YiPRrt1izX7zjQ2PLQwyIkLdEKMwArNdEEuyPHiHVCG
ProxyPassMatch ajp://localhost:8009

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-12 Thread junhou he via FreeIPA-users
Hi,
"does it mean that they were replaced with externally-signed server certificates using ipa-server-certinstall?"
yes, I replaced with externally-signed server certificates using certutil
less /var/log/pki/pki-tomcat/ca/debug.2022-12-13.log
2022-12-13 08:18:31 [Timer-0] INFO: SessionTimer:

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-12 Thread Rob Crittenden via FreeIPA-users
Florence Blanc-Renaud via FreeIPA-users wrote:
> Hi,
>
> On Mon, Dec 12, 2022 at 10:20 AM junhou he via FreeIPA-users wrote:
>
> Hi,
> getcert list
> Number of certificates and requests being tracked: 7.
> Request ID

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-12 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,
On Mon, Dec 12, 2022 at 10:20 AM junhou he via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> Hi,
> getcert list
> Number of certificates and requests being tracked: 7.
> Request ID '20221116023302':
> status: MONITORING
> stuck: no
> key pair

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-12 Thread junhou he via FreeIPA-users
Hi,
getcert list
Number of certificates and requests being tracked: 7.
Request ID '20221116023302':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA:

[Freeipa-users] Re: ipa: ERROR: Failed to authenticate to CA REST API

2022-12-12 Thread Florence Blanc-Renaud via FreeIPA-users
Hi,
On Mon, Dec 12, 2022 at 8:55 AM junhou he via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> ipactl status shows that the services are running normally
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> httpd Service: