Bug 1779987 - ipa-cert-fix. pki.ForbiddenException: Authentication method not allowed
Summary: ipa-cert-fix. pki.ForbiddenException: Authentication method not allowed
Keywords:
Status: CLOSED DUPLICATE of bug 1779984
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: ipa
Version: 8.1
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Thomas Woerner
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2019-12-05 07:52 UTC by amitkuma
Modified: 2020-04-23 10:01 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-23 10:01:00 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Description amitkuma 2019-12-05 07:52:25 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:


Additional info:

Comment 1 amitkuma 2019-12-05 07:59:47 UTC
1. Made a few changes in /etc/ipa

# vim dnssec/softhsm2.conf
 SoftHSM v2 configuration file 
# File generated by IPA instalation
#directories.tokendir = /var/lib/ipa/dnssec/tokens		<<<
objectstore.backend = file

# vim custodia/custodia.conf
[global]
host = master.ipa.test
basedn = dc=ipa,dc=test
realm = IPA.TEST
domain = ipa.test
xmlrpc_uri = https://master.ipa.test/ipa/xml
ldap_uri = ldapi://%2Fvar%2Frun%2Fslapd-IPA-TEST.socket
mode = production
enable_ra = False		<<<<<<<
ra_plugin = dogtag
dogtag_version = 10

# mv html/ssbrowser.html html/ssbrowser.html-bak

# vim custodia/custodia.conf
[auth:simple]
handler = custodia.httpd.authenticators.SimpleCredsAuth
uid = 48			
gid = 48			

2. # ipa-cert-fix
failed

3. Reverted all changes to original state.
# vim dnssec/softhsm2.conf
 SoftHSM v2 configuration file 
# File generated by IPA instalation
directories.tokendir = /var/lib/ipa/dnssec/tokens
objectstore.backend = file

# vim custodia/custodia.conf
[global]
host = master.ipa.test
basedn = dc=ipa,dc=test
realm = IPA.TEST
domain = ipa.test
xmlrpc_uri = https://master.ipa.test/ipa/xml
ldap_uri = ldapi://%2Fvar%2Frun%2Fslapd-IPA-TEST.socket
mode = production
enable_ra = true
ra_plugin = dogtag
dogtag_version = 10

# mv html/ssbrowser.html-bak html/ssbrowser.html

# vim custodia/custodia.conf
[auth:simple]
handler = custodia.httpd.authenticators.SimpleCredsAuth
uid = 49
gid = 49

# ipa-cert-fix -v
ipapython.admintool: DEBUG: Not logging to a file
ipalib.install.sysrestore: DEBUG: Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipalib.install.sysrestore: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipaserver.install.installutils: DEBUG: httpd is configured
ipaserver.install.installutils: DEBUG: kadmin is configured
ipaserver.install.installutils: DEBUG: dirsrv is configured
ipaserver.install.installutils: DEBUG: pki-tomcatd is configured
ipaserver.install.installutils: DEBUG: install is not configured
ipaserver.install.installutils: DEBUG: krb5kdc is configured
ipaserver.install.installutils: DEBUG: named is configured
ipaserver.install.installutils: DEBUG: filestore has files
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['pki-server', 'cert-fix', '--help']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=Usage: pki-server cert-fix [OPTIONS]

      --cert <Cert ID>            Fix specified system cert (default: all certs).
      --extra-cert <Serial>       Also renew cert with given serial number.
      --agent-uid <String>        UID of Dogtag agent user
      --ldapi-socket <Path>       Path to DS LDAPI socket
      --ldap-url <URL>            LDAP URL (mutually exclusive to --ldapi-socket)
  -i, --instance <instance ID>    Instance ID (default: pki-tomcat).
  -p, --port <port number>        Secure port number (default: 8443).
  -v, --verbose                   Run in verbose mode.
      --debug                     Run in debug mode.
      --help                      Show help message.


ipapython.ipautil: DEBUG: stderr=
ipalib.plugable: DEBUG: importing all plugin modules in ipaserver.plugins...
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.aci
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.automember
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.automount
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.baseldap
ipalib.plugable: DEBUG: ipaserver.plugins.baseldap is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.baseuser
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.batch
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ca
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.caacl
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.cert
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.certmap
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.certprofile
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.config
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.delegation
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dns
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dnsserver
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dogtag
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.domainlevel
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.group
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbac
ipalib.plugable: DEBUG: ipaserver.plugins.hbac is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacrule
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacsvc
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacsvcgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbactest
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.host
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hostgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.idrange
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.idviews
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.internal
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.join
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.krbtpolicy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ldap2
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.location
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.migration
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.misc
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.netgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otp
ipalib.plugable: DEBUG: ipaserver.plugins.otp is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otpconfig
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otptoken
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.passwd
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.permission
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ping
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.pkinit
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.privilege
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.pwpolicy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.rabase
ipalib.plugable: DEBUG: ipaserver.plugins.rabase is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.radiusproxy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.realmdomains
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.role
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.schema
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.selfservice
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.selinuxusermap
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.server
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.serverrole
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.serverroles
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.service
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.servicedelegation
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.session
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.stageuser
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudo
ipalib.plugable: DEBUG: ipaserver.plugins.sudo is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudocmd
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudocmdgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudorule
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.topology
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.trust
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.user
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.vault
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.virtual
ipalib.plugable: DEBUG: ipaserver.plugins.virtual is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.whoami
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.xmlserver
ipalib.backend: DEBUG: Created connection context.ldap2_140367237835296
ipalib.install.sysrestore: DEBUG: Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
ipalib.install.sysrestore: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
ipaserver.install.dsinstance: DEBUG: Trying to find certificate subject base in sysupgrade
ipalib.install.sysrestore: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
ipalib.install.sysrestore: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
ipaserver.install.dsinstance: DEBUG: Found certificate subject base in sysupgrade: O=IPA.TEST
ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldapi://%2Fvar%2Frun%2Fslapd-IPA-TEST.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7fa9cad14be0>
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'Server-Cert cert-pki-ca', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'subsystemCert cert-pki-ca', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'ocspSigningCert cert-pki-ca', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'auditSigningCert cert-pki-ca', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'transportCert cert-pki-kra', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: transportCert cert-pki-kra
: PR_FILE_NOT_FOUND_ERROR: File not found

ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'storageCert cert-pki-kra', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: storageCert cert-pki-kra
: PR_FILE_NOT_FOUND_ERROR: File not found

ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-n', 'auditSigningCert cert-pki-kra', '-a', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: auditSigningCert cert-pki-kra
: PR_FILE_NOT_FOUND_ERROR: File not found

ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-IPA-TEST/', '-L', '-n', 'Server-Cert', '-a', '-f', '/etc/dirsrv/slapd-IPA-TEST/pwdfile.txt']
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

ipapython.ipautil: DEBUG: stderr=

                          WARNING

ipa-cert-fix is intended for recovery when expired certificates
prevent the normal operation of FreeIPA.  It should ONLY be used
in such scenarios, and backup of the system, especially certificates
and keys, is STRONGLY RECOMMENDED.


The following certificates will be renewed: 

Dogtag subsystem certificate:
  Subject: CN=CA Subsystem,O=IPA.TEST
  Serial:  4
  Expires: 2021-11-23 14:11:52

Dogtag ca_ocsp_signing certificate:
  Subject: CN=OCSP Subsystem,O=IPA.TEST
  Serial:  2
  Expires: 2021-11-23 14:11:52

Dogtag ca_audit_signing certificate:
  Subject: CN=CA Audit,O=IPA.TEST
  Serial:  5
  Expires: 2021-11-23 14:11:52

IPA IPA RA certificate:
  Subject: CN=IPA RA,O=IPA.TEST
  Serial:  7
  Expires: 2021-11-23 14:12:30

IPA Apache HTTPS certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial:  9
  Expires: 2021-12-04 14:14:02

IPA LDAP certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial:  8
  Expires: 2021-12-04 14:13:35

IPA KDC certificate:
  Subject: CN=master.ipa.test,O=IPA.TEST
  Serial:  10
  Expires: 2021-12-04 14:14:16

Enter "yes" to proceed: yes
Proceeding.
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=['pki-server', 'cert-fix', '--ldapi-socket', '/var/run/slapd-IPA-TEST.socket', '--agent-uid', 'ipara', '--cert', 'subsystem', '--cert', 'ca_ocsp_signing', '--cert', 'ca_audit_signing', '--extra-cert', '7', '--extra-cert', '9', '--extra-cert', '8', '--extra-cert', '10']
ipapython.ipautil: DEBUG: Process finished, return code=1
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=INFO: Loading instance: pki-tomcat
INFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf
INFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf
INFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf
INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
INFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat
INFO: Loading subsystem: ca
INFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg
INFO: Fixing the following system certs: ['subsystem', 'ca_ocsp_signing', 'ca_audit_signing']
INFO: Renewing the following additional certs: ['7', '9', '8', '10']
INFO: Stopping the instance to proceed with system cert renewal
INFO: Configuring LDAP password authentication
INFO: Setting pkidbuser password via ldappasswd
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Selftests disabled for subsystems: ca
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Resetting password for uid=ipara,ou=people,o=ipaca
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Starting the instance
INFO: Sleeping for 10 seconds to allow server time to start...
INFO: Requesting new cert for subsystem
INFO: Getting subsystem cert info for ca from CS.cfg
INFO: Getting subsystem cert info for ca from NSS database
INFO: Trying to setup a secure connection to CA subsystem.
INFO: Secure connection with CA is established.
INFO: Placing cert creation request for serial: 4
INFO: Stopping the instance
INFO: Selftests enabled for subsystems: ca
INFO: Restoring previous LDAP configuration
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 423, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/cert.py", line 821, in review_request
    r = self.connection.get(url, headers=self.headers)
  File "/usr/lib/python3.6/site-packages/pki/client.py", line 46, in wrapper
    return func(self, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/client.py", line 165, in get
    r.raise_for_status()
  File "/usr/lib/python3.6/site-packages/requests/models.py", line 940, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 403 Client Error:  for url: https://master.ipa.test:8443/ca/rest/agent/certrequests/19

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/pki/server/pkiserver.py", line 38, in <module>
    cli.execute(sys.argv)
  File "/usr/lib/python3.6/site-packages/pki/server/cli/__init__.py", line 142, in execute
    super(PKIServerCLI, self).execute(args)
  File "/usr/lib/python3.6/site-packages/pki/cli/__init__.py", line 204, in execute
    module.execute(module_args)
  File "/usr/lib/python3.6/site-packages/pki/cli/__init__.py", line 204, in execute
    module.execute(module_args)
  File "/usr/lib/python3.6/site-packages/pki/server/cli/cert.py", line 1256, in execute
    username=agent_uid, password=agent_pass, secure_port=port)
  File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 1781, in cert_create
    PKIServer.renew_certificate(connection, new_cert_file, serial)
  File "/usr/lib/python3.6/site-packages/pki/server/__init__.py", line 820, in renew_certificate
    ret = cert_client.enroll_cert(inputs=inputs, profile_id='caManualRenewal')
  File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 423, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/cert.py", line 1032, in enroll_cert
    self.approve_request(request_id)
  File "/usr/lib/python3.6/site-packages/pki/cert.py", line 852, in approve_request
    request_id, cert_review_response, 'approve')
  File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 423, in handler
    return fn_call(inst, *args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pki/cert.py", line 834, in _perform_action
    cert_review_response = self.review_request(request_id)
  File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 442, in handler
    raise pki_exception
pki.ForbiddenException: Authentication method not allowed.
ERROR: Authentication method not allowed.

ipapython.admintool: DEBUG:   File "/usr/lib/python3.6/site-packages/ipapython/admintool.py", line 179, in execute
    return_value = self.run()
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_cert_fix.py", line 129, in run
    replicate_dogtag_certs(subject_base, ca_subject_dn, certs)
  File "/usr/lib/python3.6/site-packages/ipaserver/install/ipa_cert_fix.py", line 252, in replicate_dogtag_certs
    cert = x509.load_certificate_from_file(cert_path)
  File "/usr/lib/python3.6/site-packages/ipalib/x509.py", line 439, in load_certificate_from_file
    with open(filename, mode='rb') as f:

ipapython.admintool: DEBUG: The ipa-cert-fix command failed, exception: FileNotFoundError: [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/certs/subsystem.crt'
ipapython.admintool: ERROR: [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/certs/subsystem.crt'
ipapython.admintool: ERROR: The ipa-cert-fix command failed.


System: 10.0.153.111

Comment 2 Fraser Tweedale 2020-04-23 10:01:00 UTC

*** This bug has been marked as a duplicate of bug 1779984 ***

