On Fri, Oct 15, 2021 at 02:04:42PM -0400, Rob Crittenden via FreeIPA-users wrote:
> Tomasz Torcz via FreeIPA-users wrote:
> > On Tue, Oct 12, 2021 at 02:33:01PM -0400, Rob Crittenden via FreeIPA-users
> > wrote:
> >> Tomasz Torcz via FreeIPA-users wrote:
> >>> On Sat, Oct 02, 2021 at 04:38:34PM +0200, Tomasz Torcz via FreeIPA-users
> >>> wrote:
> >>>> $ ipa-acme-manage enable
> >>>> Failed to authenticate to CA REST API
> >>>> The ipa-acme-manage command failed.
> >>>
> >>> No ideas how to proceed?
> >>> Most troubleshooting guides end at comparing certs on the filesystem and
> >>> in LDAP. What's the next step?
> >
>
> So this shows that the RA certificate is fine. It looks like a group
> permission issue within the CA that the RA is not allowed to perform
> ACME actions.
>
> Some things to check:
>
All below seem to be correct:

> - uid=acme-<IPA SERVER HOSTNAME>,ou=people,o=ipaca and
> uid=ipara,ou=People,o=ipaca are both uniqueMember attributes of
> cn=Enterprise ACME Administrators,ou=groups,o=ipaca

# base <cn=Enterprise ACME Administrators,ou=groups,o=ipaca> with scope
# subtree
# filter: (objectclass=*)
# requesting: uniqueMember
#

# Enterprise ACME Administrators, groups, ipaca
dn: cn=Enterprise ACME Administrators,ou=groups,o=ipaca
uniqueMember: uid=acme-kaitain.pipebreaker.pl,ou=people,o=ipaca
uniqueMember: uid=ipara,ou=people,o=ipaca
uniqueMember: uid=acme-okda.pipebreaker.pl,ou=people,o=ipaca

> - the entry id=acme-<IPA SERVER HOSTNAME>,ou=people,o=ipaca exists

There is no entry with id=, but there is one with uid= (I assume you
made a typo):

# acme-kaitain.pipebreaker.pl, people, ipaca
dn: uid=acme-kaitain.pipebreaker.pl,ou=people,o=ipaca
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
uid: acme-kaitain.pipebreaker.pl
cn: acme-kaitain.pipebreaker.pl
sn: acme-kaitain.pipebreaker.pl
usertype: agentType
userstate: 1
userPassword:: …

> - In cn=aclResources,o=ipaca there is the value:
> resourceACLS: certServer.ca.certs:execute:allow (execute)
> group="Enterprise ACME Administrators":ACME Agents may execute cert
> operations

$ ldapsrch -b cn=aclResources,o=ipaca resourceACLs | grep ACME
Enter LDAP Password:
resourceACLs: certServer.ca.certs:execute:allow (execute) group="Enterprise ACME Administrators":ACME Agents may execute cert operations

So everything looks to be in order. Maybe there is a way to increase
logging in com.netscape.cms.tomcat.AbstractPKIAuthenticator.doAuthenticate
PKIAuthenticator ?

-- 
Tomasz Torcz                 Once you've read the dictionary,
@ttorcz:pipebreaker.pl       every other book is just a remix.
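One way to run Rob's three checks mechanically over captured ldapsearch output rather than by eye, as an added example that is not from the thread; it assumes the LDIF has been saved to text and uses a constructed sample with a placeholder hostname (the parser skips the `#` comment lines ldapsearch prints, so plain output works):

```python
import re

ACME_GROUP = "cn=enterprise acme administrators,ou=groups,o=ipaca"
ACME_ACL = ('certServer.ca.certs:execute:allow (execute) group="Enterprise ACME '
            'Administrators":ACME Agents may execute cert operations')

def parse_ldif(text):
    """Map lower-cased DN -> {lower-cased attr: [values]}; skips '#' comments,
    unfolds leading-space continuation lines, keeps '::' base64 values encoded."""
    entries, cur = {}, None
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:  # "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line:                                   # blank line ends an entry
            if cur is not None:
                entries[cur["dn"][0].lower()] = cur
            cur = None
            continue
        attr, _, val = line.partition(":")
        attr, val = attr.strip().lower(), val.lstrip(":").strip()
        if attr == "dn":
            cur = {}
        if cur is not None:
            cur.setdefault(attr, []).append(val)
    return entries

def check_acme_prereqs(ldif_text, hostname):
    """Return {check: bool}; DN and attribute comparisons are case-insensitive."""
    e = parse_ldif(ldif_text)
    members = {m.lower() for m in e.get(ACME_GROUP, {}).get("uniquemember", [])}
    acme_dn = f"uid=acme-{hostname},ou=people,o=ipaca".lower()
    acls = e.get("cn=aclresources,o=ipaca", {}).get("resourceacls", [])
    return {"acme_user_in_group": acme_dn in members,
            "ipara_in_group": "uid=ipara,ou=people,o=ipaca" in members,
            "acme_user_exists": acme_dn in e,
            "acme_acl_present": ACME_ACL in acls}

# Constructed sample modelled on the thread's output; the hostname is a placeholder.
SAMPLE_LDIF = """\
dn: cn=Enterprise ACME Administrators,ou=groups,o=ipaca
uniqueMember: uid=acme-ipa.example.test,ou=people,o=ipaca
uniqueMember: uid=ipara,ou=People,o=ipaca

dn: uid=acme-ipa.example.test,ou=people,o=ipaca
usertype: agentType

dn: cn=aclResources,o=ipaca
resourceACLs: certServer.ca.certs:execute:allow (execute) group="Enterprise ACME
  Administrators":ACME Agents may execute cert operations
"""
```

A False in the returned dict points at which of the three items to look at; when all are True, as in the thread, the failure lies elsewhere than these entries.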
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
