On Wed, Oct 20, 2021 at 08:40:30PM -0500, Endi Dewata via FreeIPA-users wrote:
> Hi,
>
> I think error 401 means that the client cert could not be mapped
> to the user in DS.
>
> Could you check the uid=ipara,ou=people,o=ipaca to make sure
> that the userCertificate and the description attributes contain the
> right certificate?

That was the first thing I've checked. userCertificate:: (after base64 decoding) is the same as /var/lib/ipa/ra-agent.pem - the same description, fingerprint, etc.
openssl x509 -serial returns "69" for both, and LDAP contains:

description: 2;105;CN=Certificate Authority,O=PIPEBREAKER.PL;CN=IPA RA,O=PIPEBREAKER.PL

105 (dec) == 69 (hex), so this is correct, too.

> You can also try setting the log level to INFO or FINE to see the
> authentication process on the server side:
> https://github.com/dogtagpki/pki/wiki/Configuring-Server-Logging

This is something! There are new lines between starting certificate authentication and returning failure. First I thought there were libraries missing, but in the end all finish with "Loading class from parent":

FINE: Calling authenticate()
INFO: PKIAuthenticator: Authenticate with client certificate authentication
INFO: Authenticating certificate chain:
INFO: - CN=IPA RA,O=PIPEBREAKER.PL
INFO: - CN=Certificate Authority,O=PIPEBREAKER.PL
FINE: loadClass(org.mozilla.jss.netscape.security.util.Cert, false)
FINE: Searching local repositories
FINE: findClass(org.mozilla.jss.netscape.security.util.Cert)
FINE: --> Returning ClassNotFoundException
FINE: Delegating to parent classloader at end: java.net.URLClassLoader@5fcfe4b2
FINE: Loading class from parent
FINE: loadClass(netscape.ldap.LDAPSearchResults, false)
FINE: Searching local repositories
FINE: findClass(netscape.ldap.LDAPSearchResults)
FINE: --> Returning ClassNotFoundException
FINE: Delegating to parent classloader at end: java.net.URLClassLoader@5fcfe4b2
FINE: Loading class from parent
FINE: loadClass(netscape.ldap.LDAPEntry, false)
FINE: Searching local repositories
FINE: findClass(netscape.ldap.LDAPEntry)
FINE: --> Returning ClassNotFoundException
FINE: Delegating to parent classloader at end: java.net.URLClassLoader@5fcfe4b2
FINE: Loading class from parent
FINE: loadClass(com.netscape.cmscore.usrgrp.User, false)
FINE: Searching local repositories
FINE: findClass(com.netscape.cmscore.usrgrp.User)
FINE: Loading class from local repository
FINE: loadClass(netscape.ldap.LDAPAttribute, false)
FINE: Searching local repositories
FINE: findClass(netscape.ldap.LDAPAttribute)
FINE: --> Returning ClassNotFoundException
FINE: Delegating to parent classloader at end: java.net.URLClassLoader@5fcfe4b2
FINE: Loading class from parent
INFO: PKIAuthenticator: Result: false
FINE: Failed authenticate() test

Second invocation of "pki-acme-manage status" does not generate those class messages:

FINE: Calling hasUserDataPermission()
FINE: User data constraint already satisfied
FINE: Calling authenticate()
INFO: PKIAuthenticator: Authenticate with client certificate authentication
INFO: Authenticating certificate chain:
INFO: - CN=IPA RA,O=PIPEBREAKER.PL
INFO: - CN=Certificate Authority,O=PIPEBREAKER.PL
INFO: PKIAuthenticator: Result: false
FINE: Failed authenticate() test
FINE: JSSEngine: wrap(ssl_fd=org.mozilla.jss.nss.SSLFDProxy[1522605810@00079ea974550000])

--
Tomasz Torcz                 Once you've read the dictionary,
@ttorcz:pipebreaker.pl       every other book is just a remix.
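The comparison the reply above does by hand (serial in decimal versus hex, issuer and subject DN in the agent user's description attribute) as a small script. This is an added example, not code from this thread or from the pki project; it assumes the description value has the form 2;<serial decimal>;<issuer DN>;<subject DN> seen above, and that openssl was run with -nameopt RFC2253 so that its DNs are printed in LDAP order.

```python
"""Check a Dogtag agent user's LDAP `description` against its certificate.

Added example (not from the thread or the pki project). Inputs are the text
printed by  openssl x509 -noout -serial -issuer -subject -nameopt RFC2253
and the LDAP value, expected as  2;<serial decimal>;<issuer DN>;<subject DN>
"""
import re

# Constructed sample of the openssl output for the RA certificate discussed above.
OPENSSL_OUTPUT = """serial=69
issuer=CN=Certificate Authority,O=PIPEBREAKER.PL
subject=CN=IPA RA,O=PIPEBREAKER.PL
"""


def parse_openssl(text):
    """Return (serial as int, issuer DN, subject DN); openssl prints the serial in hex."""
    fields = dict(line.split("=", 1) for line in text.strip().splitlines())
    return int(fields["serial"], 16), fields["issuer"], fields["subject"]


def normalize_dn(dn):
    """Lower-case attribute types and drop whitespace around '=' and ','; values keep their case."""
    parts = []
    for rdn in re.split(r"\s*,\s*", dn.strip()):
        typ, _, val = rdn.partition("=")
        parts.append(f"{typ.strip().lower()}={val.strip()}")
    return ",".join(parts)


def check_description(description, openssl_text):
    """Return a list of mismatches; an empty list means LDAP and the PEM agree."""
    fields = description.split(";")
    if len(fields) != 4 or fields[0] != "2" or not fields[1].isdigit():
        return [f"unexpected description format: {description!r}"]
    serial, issuer, subject = parse_openssl(openssl_text)
    problems = []
    if int(fields[1]) != serial:  # a hex serial copied into LDAP is caught here
        problems.append(f"serial: LDAP has {fields[1]}, certificate has {serial} (0x{serial:x})")
    if normalize_dn(fields[2]) != normalize_dn(issuer):
        problems.append(f"issuer DN: LDAP has {fields[2]!r}, certificate has {issuer!r}")
    if normalize_dn(fields[3]) != normalize_dn(subject):
        problems.append(f"subject DN: LDAP has {fields[3]!r}, certificate has {subject!r}")
    return problems


if __name__ == "__main__":
    ldap_value = "2;105;CN=Certificate Authority,O=PIPEBREAKER.PL;CN=IPA RA,O=PIPEBREAKER.PL"
    for line in check_description(ldap_value, OPENSSL_OUTPUT) or ["description matches certificate"]:
        print(line)
```

When the description matches, the mapping data is not the cause of the 401, which is what the reply above concluded before turning to the server log.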
