Hi,

We have a problem connecting with CA REST API (403). Any ideas how to troubleshoot?

Setup: IPA 4.9.8 on CentOS Stream 8, two IPA CA servers. Only looking at the CA renewal master (ipa1.example.com).

# ipa cert-show 1
ipa: DEBUG: trying https://ipa1.example.com/ipa/session/json
ipa: ERROR: Certificate operation cannot be completed: Request failed with status 403: Non-2xx response from CA REST API: 403. (403)

# pki-healthcheck
Internal server error 403 Client Error: 403 for url: http://ipa1.example.com:80/ca/rest/securityDomain/domainInfo
[
  {
    "source": "pki.server.healthcheck.meta.csconfig",
    "check": "CADogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "58153e6c-98ed-4264-a622-e8f6e23d58ca",
    "when": "20220809080611Z",
    "duration": "0.164052",
    "kw": {
      "key": "ca_signing",
      "nickname": "caSigningCert cert-pki-ca",
      "directive": "ca.signing.cert",
      "configfile": "/var/lib/pki/pki-tomcat/ca/conf/CS.cfg",
      "msg": "Certificate 'caSigningCert cert-pki-ca' does not match the value of ca.signing.cert in /var/lib/pki/pki-tomcat/ca/conf/CS.cfg"
    }
  }
]

LDAP and IPA RA appear to have identical certificates and serial number:

# ldapsearch -LLL -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca userCertificate description
dn: uid=ipara,ou=people,o=ipaca
userCertificate:: MIID...Ovix8
description: 2;1878982672;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM

# openssl x509 -text -in /var/lib/ipa/ra-agent.pem
        Serial Number: 1878982672 (0x6fff0010)
        Validity
            Not Before: Aug 8 10:02:19 2022 GMT
            Not After : Jul 28 10:02:19 2024 GMT
-----BEGIN CERTIFICATE-----
MIID...Ovix8
-----END CERTIFICATE-----

PKI appear to have identical certificates in LDAP and /etc/pki/pki-tomcat/alias:

# certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' |grep Serial
        Serial Number: 1878982665 (0x6fff0009)

# ldapsearch -LLL -D 'cn=directory manager' -W -b uid=pkidbuser,ou=people,o=ipaca userCertificate description seeAlso
dn: uid=pkidbuser,ou=people,o=ipaca
userCertificate:: MIID...eluPug==
description: 2;1878982665;CN=Certificate Authority,O=EXAMPLE.COM;CN=CA Subsystem,O=EXAMPLE.COM
seeAlso: CN=CA Subsystem,O=EXAMPLE.COM

And, the certificate in CS.cfg appears to match the caSigningCert in LDAP:

/var/lib/pki/pki-tomcat/ca/conf/CS.cfg:
ca.signing.cert=MIID...yfc5a

# ldapsearch -LLL -D 'cn=directory manager' -W \
    -b 'cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com'
dn: cn=caSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com
userCertificate:: MIID...yfc5a

Additional details:

# ldapsearch -LLL -D 'cn=directory manager' -W -b ou=authorities,ou=ca,o=ipaca
dn: ou=authorities,ou=ca,o=ipaca
ou: authorities
objectClass: top
objectClass: organizationalUnit

dn: cn=58d7a049-ada3-4146-b39a-84aa1b6f4add,ou=authorities,ou=ca,o=ipaca
authoritySerial: 1878982673
description: Host authority
authorityDN: CN=Certificate Authority,O=EXAMPLE.COM
authorityEnabled: TRUE
authorityKeyNickname: caSigningCert cert-pki-ca
authorityID: 58d7a049-ada3-4146-b39a-84aa1b6f4add
cn: 58d7a049-ada3-4146-b39a-84aa1b6f4add
objectClass: authority
objectClass: top

# ldapsearch -LLL -D 'cn=directory manager' -W -b cn=ipa,cn=cas,cn=ca,dc=example,dc=com
dn: cn=ipa,cn=cas,cn=ca,dc=example,dc=com
cn: ipa
ipaCaId: 58d7a049-ada3-4146-b39a-84aa1b6f4add
ipaCaSubjectDN: CN=Certificate Authority,O=EXAMPLE.COM
objectClass: top
objectClass: ipaca
ipaCaIssuerDN: CN=Certificate Authority,O=EXAMPLE.COM
description: IPA CA

# certutil -L -d /etc/pki/pki-tomcat/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
EXAMPLE.COM IPA CA                                           CTu,Cu,Cu
EXAMPLE.COM IPA CA                                           CTu,Cu,Cu

# certutil -L -d /etc/pki/pki-tomcat/alias -a -n 'EXAMPLE.COM IPA CA'
3 certificates

# certutil -L -d /etc/pki/pki-tomcat/alias -a -n 'caSigningCert cert-pki-ca'
3 certificates (identical with above 3 certificates)

# pki ca-cert-show 1878982672
  Serial Number: 0x6fff0010
  Subject DN: CN=IPA RA,O=EXAMPLE.COM
  Issuer DN: CN=Certificate Authority,O=EXAMPLE.COM
  Status: VALID
  Not Valid Before: Mon Aug 08 12:02:19 CEST 2022
  Not Valid After: Sun Jul 28 12:02:19 CEST 2024

_______________________________________________
FreeIPA-users mailing list -- [email protected]
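The healthcheck message above reports that the certificate under the nickname 'caSigningCert cert-pki-ca' does not match ca.signing.cert in CS.cfg, while the NSS database holds three certificates under that nickname. The following is an added example (editor's code, not from the post, FreeIPA or Dogtag) that compares the CS.cfg value byte-for-byte with every certificate in a `certutil -L -d /etc/pki/pki-tomcat/alias -a -n 'caSigningCert cert-pki-ca'` dump and reports serial numbers via a minimal DER walk; it assumes you paste the CS.cfg text and that certutil output into it, and stub_pem() is a constructed stand-in for real certificates.

```python
import base64
import re

def _tlv(buf, pos):
    """Decode one DER tag/length header; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def cert_serial(der):
    """Serial number of a DER X.509 certificate (reads only the leading fields)."""
    _, pos, _ = _tlv(der, 0)           # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)         # tbsCertificate SEQUENCE
    tag, start, end = _tlv(der, pos)   # [0] version (optional) or serialNumber
    if tag == 0xA0:
        tag, start, end = _tlv(der, end)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(der[start:end], "big", signed=True)

def cs_cfg_cert(cs_cfg_text, key="ca.signing.cert"):
    """DER bytes of the base64 certificate stored under `key` in CS.cfg."""
    for line in cs_cfg_text.splitlines():
        if line.startswith(key + "="):
            return base64.b64decode(line.split("=", 1)[1].strip())
    raise KeyError(key)

def pem_certs(pem_text):
    """DER bytes of every certificate in a `certutil -L -a -n <nick>` dump."""
    pat = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    return [base64.b64decode("".join(b.split())) for b in re.findall(pat, pem_text, re.S)]

def check_signing_cert(cs_cfg_text, nss_pem_text):
    """Compare CS.cfg's ca.signing.cert with every cert under the signing nickname.
    Returns (serial_in_cfg, serials_in_nss, matching_serial_or_None)."""
    cfg_der = cs_cfg_cert(cs_cfg_text)
    nss = pem_certs(nss_pem_text)
    serials = [cert_serial(d) for d in nss]
    match = next((s for d, s in zip(nss, serials) if d == cfg_der), None)
    return cert_serial(cfg_der), serials, match

def stub_pem(serial):
    """CONSTRUCTED stand-in (not a real certificate): PEM wrapping a DER prefix that
    holds only version+serial (serial < 2**31), enough for cert_serial() offline."""
    inner = b"\xa0\x03\x02\x01\x02" + b"\x02\x04" + serial.to_bytes(4, "big")
    tbs = b"\x30" + bytes([len(inner)]) + inner
    der = b"\x30" + bytes([len(tbs)]) + tbs
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(der).decode()
```

A match of None means no certificate under the nickname equals the configured value, which is the condition the healthcheck flags; a non-None match tells you which serial the NSS database must resolve for the config to agree.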
