[Freeipa-users] Re: Vault: Cannot authenticate agent with certificate

2019-09-19 Thread Dmitry Perets via FreeIPA-users
Hi Peter,

Did you manage to resolve this issue back then?
Because I face exactly the same one, appreciate if you can give me some hints.

Thanks!

---
Regards,
Dmitry Perets
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org


[Freeipa-users] Re: Vault: Cannot authenticate agent with certificate

2018-11-11 Thread Fraser Tweedale via FreeIPA-users
On Fri, Nov 09, 2018 at 01:43:37PM +, Peter Oliver via FreeIPA-users wrote:
> On Thu, 8 Nov 2018, 22:29 Fraser Tweedale  
> >
> > > On Thu, 8 Nov 2018, 01:41 Fraser Tweedale  > >
> > > >
> > > > Please check the LDAP entry 'uid=pkidbuser,ou=people,o=ipaca'.
> > > > Do the 'userCertificate', 'description' and 'seeAlso' attributes
> > > > match the IPA RA certificate (/var/lib/ipa/ra-agent.pem)?
> > > >
> > > > If not, update the entry to match the certificate.
> > >
> > I'm sorry Peter, I told you the wrong user entry.  I should have
> > said uid=ipara, not uid=pkidbuser.
> 
> 
> I find that uid=ipara already has the expected description and certificate.
> 
OK, and you restored the uid=pkidbuser entry to its previous
contents?

Please convey the whole uid=ipara object, and the
/var/lib/ipa/ra-agent.pem certificate, for examination.

Thanks,
Fraser


[Freeipa-users] Re: Vault: Cannot authenticate agent with certificate

2018-11-09 Thread Peter Oliver via FreeIPA-users
On Thu, 8 Nov 2018, 22:29 Fraser Tweedale 
> > On Thu, 8 Nov 2018, 01:41 Fraser Tweedale  >
> > >
> > > Please check the LDAP entry 'uid=pkidbuser,ou=people,o=ipaca'.
> > > Do the 'userCertificate', 'description' and 'seeAlso' attributes
> > > match the IPA RA certificate (/var/lib/ipa/ra-agent.pem)?
> > >
> > > If not, update the entry to match the certificate.
> >
> I'm sorry Peter, I told you the wrong user entry.  I should have
> said uid=ipara, not uid=pkidbuser.


I find that uid=ipara already has the expected description and certificate.

-- 
Peter Oliver


[Freeipa-users] Re: Vault: Cannot authenticate agent with certificate

2018-11-08 Thread Fraser Tweedale via FreeIPA-users
On Thu, Nov 08, 2018 at 11:39:41AM +, Peter Oliver wrote:
> On Thu, 8 Nov 2018, 01:41 Fraser Tweedale  
> >
> > Please check the LDAP entry 'uid=pkidbuser,ou=people,o=ipaca'.
> > Do the 'userCertificate', 'description' and 'seeAlso' attributes
> > match the IPA RA certificate (/var/lib/ipa/ra-agent.pem)?
> >
> > If not, update the entry to match the certificate.
> >
> 
> Thanks.  Entry uid=pkidbuser,ou=people,o=ipaca contained the certificate
> for "CN=CA Subsystem", not "CN=IPA RA" as was found in
> /var/lib/ipa/ra-agent.pem.  However, changing it didn't change the errors I
> received when trying to use vault, and additionally caused pki-tomcatd to
> be unable to restart ("Error netscape.ldap.LDAPException: Authentication
> failed (49)").  It seems like it's more than this one thing that's out of
> place.
> 
I'm sorry Peter, I told you the wrong user entry.  I should have
said uid=ipara, not uid=pkidbuser.  I'm sorry for the mistake.
Please restore the uid=pkidbuser entry to its previous state, and
perform the steps I mentioned against the uid=ipara entry instead.
(Note that the ipara entry doesn't have or need the 'seeAlso'
attribute).

(I got confused because both of these entries need to be in sync
with a certificate.  The pkidbuser entry is used by Dogtag to
authenticate to the LDAP database).

Thanks,
Fraser

> -- 
> Peter Oliver
> 
> >


[Freeipa-users] Re: Vault: Cannot authenticate agent with certificate

2018-11-08 Thread Peter Oliver via FreeIPA-users
On Thu, 8 Nov 2018, 01:41 Fraser Tweedale 
> Please check the LDAP entry 'uid=pkidbuser,ou=people,o=ipaca'.
> Do the 'userCertificate', 'description' and 'seeAlso' attributes
> match the IPA RA certificate (/var/lib/ipa/ra-agent.pem)?
>
> If not, update the entry to match the certificate.
>

Thanks.  Entry uid=pkidbuser,ou=people,o=ipaca contained the certificate
for "CN=CA Subsystem", not "CN=IPA RA" as was found in
/var/lib/ipa/ra-agent.pem.  However, changing it didn't change the errors I
received when trying to use vault, and additionally caused pki-tomcatd to
be unable to restart ("Error netscape.ldap.LDAPException: Authentication
failed (49)").  It seems like it's more than this one thing that's out of
place.

-- 
Peter Oliver

>


[Freeipa-users] Re: Vault: Cannot authenticate agent with certificate

2018-11-07 Thread Fraser Tweedale via FreeIPA-users
On Wed, Nov 07, 2018 at 01:05:24PM -0500, Rob Crittenden via FreeIPA-users 
wrote:
> Peter Oliver via FreeIPA-users wrote:
> > [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: 
> > CertUserDBAuthentication: cannot map certificate to any userUser not found
> > [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: SignedAuditLogger: 
> > event AUTH
> > 
> > Any suggestions?  Has something gone wrong with the setup?
> > 
> 
> I'm not sure, cc'ing a dogtag developer.
> 
> rob
>
Hi Peter,

Please check the LDAP entry 'uid=pkidbuser,ou=people,o=ipaca'.
Do the 'userCertificate', 'description' and 'seeAlso' attributes
match the IPA RA certificate (/var/lib/ipa/ra-agent.pem)?

If not, update the entry to match the certificate.

Note that the second field of the 'description' attribute is the
serial number (decimal), and the first field is always '2'.

Cheers,
Fraser
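The check Fraser describes in this message (compare the Dogtag user entry's 'description' and 'userCertificate' with /var/lib/ipa/ra-agent.pem, where 'description' starts with '2' followed by the decimal serial), applied to the uid=ipara entry he names in his later correction, as an added example script that is not part of the thread and not FreeIPA's or Dogtag's own tooling. It assumes the full Dogtag 'description' layout "2;<serial decimal>;<issuer DN>;<subject DN>" (the thread only states the first two fields), RFC 2253 DN formatting, a Directory Manager bind for ldapsearch, and that openssl and ldapsearch are installed; the function and variable names are the example's own.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): verify that the Dogtag user entry for the
# IPA RA agent matches the RA agent certificate. Assumptions: description has the
# form "2;<serial decimal>;<issuer DN>;<subject DN>", DNs in RFC 2253 form, entry
# read with a Directory Manager bind. Run with "--check" to query a live server.
set -u

RA_CERT="${RA_CERT:-/var/lib/ipa/ra-agent.pem}"
ENTRY_DN="${ENTRY_DN:-uid=ipara,ou=people,o=ipaca}"

# Hex serial as printed by openssl -> decimal, which is what Dogtag stores.
# Serials longer than 15 hex digits would overflow shell arithmetic, so use bc.
hex_to_dec() {
    if [ "${#1}" -gt 15 ]; then
        printf 'ibase=16; %s\n' "$(printf '%s' "$1" | tr 'a-f' 'A-F')" | bc
    else
        printf '%d\n' "$((0x$1))"
    fi
}

# Expected description value from serial (hex), issuer DN and subject DN.
expected_description() {
    printf '2;%s;%s;%s\n' "$(hex_to_dec "$1")" "$2" "$3"
}

# One field (serial, issuer or subject) of a PEM certificate, RFC 2253 DNs.
cert_field() {  # $1 = field name, $2 = PEM path
    openssl x509 -in "$2" -noout -"$1" -nameopt RFC2253 | sed -n "s/^$1= *//p"
}

# First value of a plain attribute from unwrapped LDIF on stdin.
ldif_attr() {  # $1 = attribute name
    sed -n "s/^$1:\{1,2\} *//p" | head -n 1
}

# Base64 DER of userCertificate (with or without the ;binary option) from LDIF.
ldif_cert() {
    sed -n 's/^userCertificate\(;binary\)\{0,1\}:: *//p' | head -n 1
}

# 0 if the LDAP value equals the expected one, 1 otherwise; prints both on mismatch.
compare_description() {  # $1 = value from LDAP, $2 = expected value
    if [ "$1" = "$2" ]; then
        echo "description OK: $1"
        return 0
    fi
    echo "description MISMATCH"
    echo "  in LDAP:  $1"
    echo "  expected: $2"
    return 1
}

# Live check: derive the expected values from RA_CERT, read ENTRY_DN, compare both.
check_ra_entry() {
    local serial issuer subject expected ldif got_desc got_cert want_cert rc
    rc=0
    serial=$(cert_field serial "$RA_CERT")
    issuer=$(cert_field issuer "$RA_CERT")
    subject=$(cert_field subject "$RA_CERT")
    expected=$(expected_description "$serial" "$issuer" "$subject")
    # Directory Manager bind is an assumption; ldif-wrap=no keeps base64 on one line.
    ldif=$(ldapsearch -LLL -o ldif-wrap=no -D 'cn=Directory Manager' -W \
           -b "$ENTRY_DN" -s base description userCertificate)
    got_desc=$(printf '%s\n' "$ldif" | ldif_attr description)
    compare_description "$got_desc" "$expected" || rc=1
    got_cert=$(printf '%s\n' "$ldif" | ldif_cert)
    want_cert=$(openssl x509 -in "$RA_CERT" -outform DER | base64 | tr -d '\n')
    if [ "$got_cert" = "$want_cert" ]; then
        echo "userCertificate OK"
    else
        echo "userCertificate MISMATCH: $ENTRY_DN does not hold the cert in $RA_CERT"
        rc=1
    fi
    return "$rc"
}

case "${1:-}" in
    --check) check_ra_entry ;;
esac
```

A non-zero exit with a printed MISMATCH line is the signal to update the entry to match the certificate, as the thread advises; the two variables can be pointed at another certificate and entry pair, but the thread's correction is that the RA agent maps to uid=ipara, while uid=pkidbuser is the identity Dogtag itself uses to bind to LDAP, so the two must not be swapped.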


[Freeipa-users] Re: Vault: Cannot authenticate agent with certificate

2018-11-07 Thread Rob Crittenden via FreeIPA-users
Peter Oliver via FreeIPA-users wrote:
> I have a CentOS 7 server running ipa-server-4.5.4, recently installed.  I 
> find that operations related to the vault feature fail.  For example:
> 
>> ipa -v vault-add test --type=standard
> ipa: INFO: trying https://ipa-01.example.com/ipa/session/json
> ipa: INFO: [try 1]: Forwarding 'vault_add_internal/1' to json server 
> 'https://ipa-01.example.com/ipa/session/json'
> ipa: INFO: [try 1]: Forwarding 'vault_show/1' to json server 
> 'https://ipa-01.example.com/ipa/session/json'
> ipa: INFO: [try 1]: Forwarding 'vaultconfig_show/1' to json server 
> 'https://ipa-01.example.com/ipa/session/json'
> ipa: INFO: [try 1]: Forwarding 'vault_archive_internal/1' to json server 
> 'https://ipa-01.example.com/ipa/session/json'
> ipa: ERROR: an internal error has occurred
> 
> In /var/log/pki/pki-tomcat/kra/system I see the following message:
> 
> 0.ajp-bio-127.0.0.1-8009-exec-15 - [02/Nov/2018:14:54:37 GMT] [6] [3] Cannot 
> authenticate agent with certificate Serial 0x7 Subject DN CN=IPA 
> RA,O=IPA.EXAMPLE.COM. Error: User not found
> 
> In /var/log/pki/pki-tomcat/kra/debug I see the following messages:
> 
> [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: 
> SessionContextInterceptor: SystemCertResource.getTransportCert()
> [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: 
> SessionContextInterceptor: Not authenticated.
> [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: 
> AuthMethodInterceptor: SystemCertResource.getTransportCert()
> [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: 
> AuthMethodInterceptor: mapping: default
> [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: 
> AuthMethodInterceptor: required auth methods: [*]
> [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: 
> AuthMethodInterceptor: anonymous access allowed
> [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: ACLInterceptor: 
> SystemCertResource.getTransportCert()
> [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: 
> ACLInterceptor.filter: no authorization required
> [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: ACLInterceptor: No 
> ACL mapping; authz not required.
> [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: SignedAuditLogger: 
> event AUTHZ
> [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: 
> MessageFormatInterceptor: SystemCertResource.getTransportCert()
> [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: 
> MessageFormatInterceptor: content-type: application/json
> [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: 
> MessageFormatInterceptor: accept: [application/json]
> [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: 
> MessageFormatInterceptor: request format: application/json
> [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-16]: 
> MessageFormatInterceptor: response format: application/json
> [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: PKIRealm: 
> Authenticating certificate chain:
> [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: 
> PKIRealm.getAuditUserfromCert: certUID=CN=IPA RA, O=IPA.EXAMPLE.COM
> [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: PKIRealm:   CN=IPA 
> RA, O=IPA.EXAMPLE.COM
> [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuth: 
> started
> [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuth: 
> Retrieving client certificate
> [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: CertUserDBAuth: Got 
> client certificate
> [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: Authentication: 
> client certificate found
> [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: In 
> LdapBoundConnFactory::getConn()
> [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: masterConn is 
> connected: true
> [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: getConn: conn is 
> connected true
> [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: getConn: mNumConns 
> now 2
> [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: returnConn: mNumConns 
> now 3
> [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: 
> CertUserDBAuthentication: cannot map certificate to any userUser not found
> [02/Nov/2018:14:54:37][ajp-bio-127.0.0.1-8009-exec-15]: SignedAuditLogger: 
> event AUTH
> 
> Any suggestions?  Has something gone wrong with the setup?
> 

I'm not sure, cc'ing a dogtag developer.

rob