Bug 1779987
| Summary: | ipa-cert-fix. pki.ForbiddenException: Authentication method not allowed | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | amitkuma |
| Component: | ipa | Assignee: | Thomas Woerner <twoerner> |
| Status: | CLOSED DUPLICATE | QA Contact: | ipa-qe <ipa-qe> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 8.1 | CC: | ftweedal, pasik, rcritten, tscherf |
| Target Milestone: | rc | | |
| Target Release: | 8.0 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-04-23 10:01:00 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |

Description
amitkuma
2019-12-05 07:52:25 UTC
1. Made a few changes in /etc/ipa

```
# vim dnssec/softhsm2.conf
SoftHSM v2 configuration file
# File generated by IPA instalation
#directories.tokendir = /var/lib/ipa/dnssec/tokens <<<
objectstore.backend = file

# vim custodia/custodia.conf
[global]
host = master.ipa.test
basedn = dc=ipa,dc=test
realm = IPA.TEST
domain = ipa.test
xmlrpc_uri = https://master.ipa.test/ipa/xml
ldap_uri = ldapi://%2Fvar%2Frun%2Fslapd-IPA-TEST.socket
mode = production
enable_ra = False <<<<<<<
ra_plugin = dogtag
dogtag_version = 10

# mv html/ssbrowser.html html/ssbrowser.html-bak

# vim custodia/custodia.conf
[auth:simple]
handler = custodia.httpd.authenticators.SimpleCredsAuth
uid = 48
gid = 48
```

2. # ipa-cert-fix failed

3. Reverted all changes to original state.

```
# vim dnssec/softhsm2.conf
SoftHSM v2 configuration file
# File generated by IPA instalation
directories.tokendir = /var/lib/ipa/dnssec/tokens
objectstore.backend = file

# vim custodia/custodia.conf
[global]
host = master.ipa.test
basedn = dc=ipa,dc=test
realm = IPA.TEST
domain = ipa.test
xmlrpc_uri = https://master.ipa.test/ipa/xml
ldap_uri = ldapi://%2Fvar%2Frun%2Fslapd-IPA-TEST.socket
mode = production
enable_ra = true
ra_plugin = dogtag
dogtag_version = 10

# mv html/ssbrowser.html-bak html/ssbrowser.html

# vim custodia/custodia.conf
[auth:simple]
handler = custodia.httpd.authenticators.SimpleCredsAuth
uid = 49
gid = 49
```

```
# ipa-cert-fix -v
ipapython.admintool: DEBUG: Not logging to a file
ipalib.install.sysrestore: DEBUG: Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipalib.install.sysrestore: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipaserver.install.installutils: DEBUG: httpd is configured
ipaserver.install.installutils: DEBUG: kadmin is configured
ipaserver.install.installutils: DEBUG: dirsrv is configured
ipaserver.install.installutils: DEBUG: pki-tomcatd is configured
ipaserver.install.installutils: DEBUG: install is not configured
ipaserver.install.installutils: DEBUG: krb5kdc is configured
ipaserver.install.installutils: DEBUG: named is configured
ipaserver.install.installutils: DEBUG: filestore has files
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['pki-server', 'cert-fix', '--help']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=Usage: pki-server cert-fix [OPTIONS]
      --cert <Cert ID>            Fix specified system cert (default: all certs).
      --extra-cert <Serial>       Also renew cert with given serial number.
      --agent-uid <String>        UID of Dogtag agent user
      --ldapi-socket <Path>       Path to DS LDAPI socket
      --ldap-url <URL>            LDAP URL (mutually exclusive to --ldapi-socket)
  -i, --instance <instance ID>    Instance ID (default: pki-tomcat).
  -p, --port <port number>        Secure port number (default: 8443).
  -v, --verbose                   Run in verbose mode.
      --debug                     Run in debug mode.
      --help                      Show help message.
ipapython.ipautil: DEBUG: stderr=
ipalib.plugable: DEBUG: importing all plugin modules in ipaserver.plugins...
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.aci
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.automember
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.automount
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.baseldap
ipalib.plugable: DEBUG: ipaserver.plugins.baseldap is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.baseuser
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.batch
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ca
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.caacl
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.cert
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.certmap
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.certprofile
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.config
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.delegation
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dns
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dnsserver
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dogtag
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.domainlevel
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.group
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbac
ipalib.plugable: DEBUG: ipaserver.plugins.hbac is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacrule
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacsvc
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacsvcgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbactest
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.host
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hostgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.idrange
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.idviews
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.internal
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.join
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.krbtpolicy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ldap2
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.location
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.migration
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.misc
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.netgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otp
ipalib.plugable: DEBUG: ipaserver.plugins.otp is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otpconfig
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otptoken
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.passwd
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.permission
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ping
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.pkinit
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.privilege
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.pwpolicy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.rabase
ipalib.plugable: DEBUG: ipaserver.plugins.rabase is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.radiusproxy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.realmdomains
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.role
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.schema
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.selfservice
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.selinuxusermap
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.server
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.serverrole
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.serverroles
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.service
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.servicedelegation
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.session
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.stageuser
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudo
ipalib.plugable: DEBUG: ipaserver.plugins.sudo is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudocmd
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudocmdgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudorule
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.topology
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.trust
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.user
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.vault
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.virtual
ipalib.plugable: DEBUG: ipaserver.plugins.virtual is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.whoami
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.xmlserver
ipalib.backend: DEBUG: Created connection context.ldap2_140367237835296
ipalib.install.sysrestore: DEBUG: Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipalib.install.sysrestore: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipaserver.install.dsinstance: DEBUG: Trying to find certificate subject base in sysupgrade
ipalib.install.sysrestore: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
ipalib.install.sysrestore: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
ipaserver.install.dsinstance: DEBUG: Found certificate subject base in sysupgrade: O=IPA.TEST
ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldapi://%2Fvar%2Frun%2Fslapd-IPA-TEST.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fa9cad14be0>
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'Server-Cert cert-pki-ca', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
[certificate data omitted]
-----END CERTIFICATE-----
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'subsystemCert cert-pki-ca', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
[certificate data omitted]
-----END CERTIFICATE-----
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'ocspSigningCert cert-pki-ca', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
[certificate data omitted]
-----END CERTIFICATE-----
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'auditSigningCert cert-pki-ca', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
[certificate data omitted]
-----END CERTIFICATE-----
ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'transportCert cert-pki-kra', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: transportCert cert-pki-kra
: PR_FILE_NOT_FOUND_ERROR: File not found
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'storageCert cert-pki-kra', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: storageCert cert-pki-kra
: PR_FILE_NOT_FOUND_ERROR: File not found
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'auditSigningCert cert-pki-kra', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: auditSigningCert cert-pki-kra
: PR_FILE_NOT_FOUND_ERROR: File not found
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-IPA-TEST/', '-L', '-n', 'Server-Cert', '-a', '-f', '/etc/dirsrv/slapd-IPA-TEST/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
[certificate data omitted]
-----END CERTIFICATE-----
ipapython.ipautil: DEBUG: stderr=

WARNING

ipa-cert-fix is intended for recovery when expired certificates
prevent the normal operation of FreeIPA. It should ONLY be used
in such scenarios, and backup of the system, especially certificates
and keys, is STRONGLY RECOMMENDED.

The following certificates will be renewed:

Dogtag subsystem certificate:
  Subject: CN=CA Subsystem,O=IPA.TEST
  Serial: 4
  Expires: 2021-11-23 14:11:52

Dogtag ca_ocsp_signing certificate:
  Subject: CN=OCSP Subsystem,O=IPA.TEST
  Serial: 2
  Expires: 2021-11-23 14:11:52

Dogtag ca_audit_signing certificate:
  Subject: CN=CA Audit,O=IPA.TEST
  Serial: 5
  Expires: 2021-11-23 14:11:52

IPA IPA RA certificate:
  Subject: CN=IPA RA,O=IPA.TEST
  Serial: 7
  Expires: 2021-11-23 14:12:30

IPA Apache HTTPS certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial: 9
  Expires: 2021-12-04 14:14:02

IPA LDAP certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial: 8
  Expires: 2021-12-04 14:13:35

IPA KDC certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial: 10
  Expires: 2021-12-04 14:14:16

Enter "yes" to proceed: yes
Proceeding.
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['pki-server', 'cert-fix', '--ldapi-socket', '/var/run/slapd-IPA-TEST.socket', '--agent-uid', 'ipara', '--cert', 'subsystem', '--cert', 'ca_ocsp_signing', '--cert', 'ca_audit_signing', '--extra-cert', '7', '--extra-cert', '9', '--extra-cert', '8', '--extra-cert', '10']
ipapython.ipautil: DEBUG: Process finished, return code=1
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=INFO: Loading instance: pki-tomcat
INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
INFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf
INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat
INFO: Loading subsystem: ca
INFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
INFO: Fixing the following system certs: ['subsystem', 'ca_ocsp_signing', 'ca_audit_signing']
INFO: Renewing the following additional certs: ['7', '9', '8', '10']
INFO: Stopping the instance to proceed with system cert renewal
INFO: Configuring LDAP password authentication
INFO: Setting pkidbuser password via ldappasswd
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Selftests disabled for subsystems: ca
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Resetting password for uid=ipara,ou=people,o=ipaca
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Starting the instance
INFO: Sleeping for 10 seconds to allow server time to start...
INFO: Requesting new cert for subsystem
INFO: Getting subsystem cert info for ca from CS.cfg
INFO: Getting subsystem cert info for ca from NSS database
INFO: Trying to setup a secure connection to CA subsystem.
INFO: Secure connection with CA is established.
INFO: Placing cert creation request for serial: 4
INFO: Stopping the instance
INFO: Selftests enabled for subsystems: ca
INFO: Restoring previous LDAP configuration
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 423, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/cert.py", line 821, in review_request
    r = self.connection.get(url, headers=self.headers)
  File "/usr/lib/python3.6/site-packages/pki/client.py", line 46, in wrapper
    return func(self, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/client.py", line 165, in get
    r.raise_for_status()
  File "/usr/lib/python3.6/site-packages/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error: for url: https://master.ipa.test:8443/ca/rest/agent/certrequests/19

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/pki/server/pkiserver.py", line 38, in <module>
    cli.execute(sys.argv)
  File "/usr/lib/python3.6/site-packages/pki/server/cli/__init__.py", line 142, in execute
    super(PKIServerCLI, self).execute(args)
  File "/usr/lib/python3.6/site-packages/pki/cli/__init__.py", line 204, in execute
    module.execute(module_args)
  File "/usr/lib/python3.6/site-packages/pki/cli/__init__.py", line 204, in execute
    module.execute(module_args)
  File "/usr/lib/python3.6/site-packages/pki/server/cli/cert.py", line 1256, in execute
    username=agent_uid, password=agent_pass, secure_port=port)
  File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 1781, in cert_create
    PKIServer.renew_certificate(connection, new_cert_file, serial)
  File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 820, in renew_certificate
    ret = cert_client.enroll_cert(inputs=inputs, profile_id='caManualRenewal')
  File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 423, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/cert.py", line 1032, in enroll_cert
    self.approve_request(request_id)
  File "/usr/lib/python3.6/site-packages/pki/cert.py", line 852, in approve_request
    request_id, cert_review_response, 'approve')
  File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 423, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/cert.py", line 834, in _perform_action
    cert_review_response = self.review_request(request_id)
  File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 442, in handler
    raise pki_exception
pki.ForbiddenException: Authentication method not allowed.
ERROR: Authentication method not allowed.
ipapython.admintool: DEBUG:   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_cert_fix.py", line 129, in run
    replicate_dogtag_certs(subject_base, ca_subject_dn, certs)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_cert_fix.py", line 252, in replicate_dogtag_certs
    cert = x509.load_certificate_from_file(cert_path)
  File "/usr/lib/python3.6/site-packages/ipalib/x509.py", line 439, in load_certificate_from_file
    with open(filename, mode='rb') as f:
ipapython.admintool: DEBUG: The ipa-cert-fix command failed, exception: FileNotFoundError: [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/certs/subsystem.crt'
ipapython.admintool: ERROR: [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/certs/subsystem.crt'
ipapython.admintool: ERROR: The ipa-cert-fix command failed.
```

System: 10.0.153.111

*** This bug has been marked as a duplicate of bug 1779984 ***