Bug 1919282 - ACME cert enrollment failed with HTTP 500
Summary: ACME cert enrollment failed with HTTP 500
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pki-core
Version: 8.4
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 8.0
Assignee: Endi Sukma Dewata
QA Contact: PKI QE
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-01-22 14:07 UTC by Mohammad Rizwan
Modified: 2021-05-18 15:25 UTC (History)
CC: 6 users

Fixed In Version: pki-core-10.6-8040020210209003343.d4d99205
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-05-18 15:25:16 UTC
Type: Bug
Target Upstream Version:
Embargoed:


Attachments
letsencrypt.log (25.92 KB, text/plain)
2021-01-22 14:09 UTC, Mohammad Rizwan

Description Mohammad Rizwan 2021-01-22 14:07:17 UTC
Description of problem:
When requesting standalone certificate from ACME server, it gets error:
acme.errors.ClientError: <Response [500]>

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. Install IPA server and ipa client against it
2. enable acme on server $ ipa-acme-manage enable
3. register an account using certbot and request the ACME certificate for the client.

Actual results:
[root@client ~]# certbot  --server https://ipa-ca.testrelm.test/acme/directory certonly --domain `hostname` --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Requesting a certificate for client.testrelm.test
Performing the following challenges:
http-01 challenge for client.testrelm.test
Waiting for verification...
Cleaning up challenges
An unexpected error occurred:
acme.errors.ClientError: <Response [500]>
Please see the logfiles in /var/log/letsencrypt for more details.
 
 
[root@client ~]# tail -n 20 /var/log/letsencrypt/letsencrypt.log
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/local/lib/python3.6/site-packages/certbot/_internal/client.py", line 390, in obtain_certificate
    cert, chain = self.obtain_certificate_from_csr(csr, orderr)
  File "/usr/local/lib/python3.6/site-packages/certbot/_internal/client.py", line 292, in obtain_certificate_from_csr
    fetch_alternative_chains=get_alt_chains)
  File "/usr/local/lib/python3.6/site-packages/acme/client.py", line 925, in finalize_order
    return self.client.finalize_order(orderr, deadline, fetch_alternative_chains)
  File "/usr/local/lib/python3.6/site-packages/acme/client.py", line 752, in finalize_order
    self._post(orderr.body.finalize, wrapped_csr)
  File "/usr/local/lib/python3.6/site-packages/acme/client.py", line 97, in _post
    return self.net.post(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/acme/client.py", line 1201, in post
    return self._post_once(*args, **kwargs)
  File "/usr/local/lib/python3.6/site-packages/acme/client.py", line 1214, in _post_once
    response = self._check_response(response, content_type=content_type)
  File "/usr/local/lib/python3.6/site-packages/acme/client.py", line 1078, in _check_response
    raise errors.ClientError(response)
acme.errors.ClientError: <Response [500]>
2021-01-22 08:51:15,181:ERROR:certbot._internal.log:An unexpected error occurred:
2021-01-22 08:51:15,181:ERROR:certbot._internal.log:acme.errors.ClientError: <Response [500]>



Traceback from the ACME debug log on the server:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2021-01-22 08:51:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: HTTP request: POST /ca/rest/certrequests HTTP/1.1
2021-01-22 08:51:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO:   Accept: application/xml
2021-01-22 08:51:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO:   Content-Type: application/xml
2021-01-22 08:51:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO:   Content-Length: 2065
2021-01-22 08:51:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO:   Host: master.testrelm.test:8443
2021-01-22 08:51:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO:   Connection: Keep-Alive
2021-01-22 08:51:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO:   User-Agent: Apache-HttpClient/4.5.5 (Java/1.8.0_272)
2021-01-22 08:51:15 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: HTTP response: HTTP/1.1 401
2021-01-22 08:51:15 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO:   Content-Type: application/xml;charset=UTF-8
2021-01-22 08:51:15 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO:   Content-Length: 261
2021-01-22 08:51:15 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO:   Date: Fri, 22 Jan 2021 13:51:14 GMT
2021-01-22 08:51:15 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO:   Keep-Alive: timeout=300
2021-01-22 08:51:15 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO:   Connection: keep-alive
2021-01-22 08:51:15 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: com.netscape.certsrv.base.UnauthorizedException:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PKIException>
    <Attributes/>
    <ClassName>com.netscape.certsrv.base.UnauthorizedException</ClassName>
    <Code>401</Code>
    <Message>Authentication failed: SessionAuthentication: no auth token</Message>
</PKIException>


2021-01-22 08:51:15 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] SEVERE: Servlet.service() for servlet [ACME] in context with path [/acme] threw exception
org.jboss.resteasy.spi.UnhandledException: com.netscape.certsrv.base.UnauthorizedException: Authentication failed: SessionAuthentication: no auth token
        at org.jboss.resteasy.core.ExceptionHandler.handleApplicationException(ExceptionHandler.java:78)
        at org.jboss.resteasy.core.ExceptionHandler.handleException(ExceptionHandler.java:222)
        at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:179)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:422)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:213)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:228)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:741)
        at sun.reflect.GeneratedMethodAccessor38.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:170)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:225)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)

        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
        at sun.reflect.GeneratedMethodAccessor37.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:282)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:279)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:314)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:253)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:191)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:47)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:149)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:145)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:144)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:541)
        at com.netscape.cms.tomcat.ExternalAuthenticationValve.invoke(ExternalAuthenticationValve.java:82)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
        at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:678)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343)
        at org.apache.coyote.ajp.AjpProcessor.service(AjpProcessor.java:428)
        at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)

        at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1598)
        at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:748)
Caused by: com.netscape.certsrv.base.UnauthorizedException: Authentication failed: SessionAuthentication: no auth token
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at com.netscape.certsrv.client.PKIClient.handleErrorResponse(PKIClient.java:135)
        at com.netscape.certsrv.client.PKIClient.getEntity(PKIClient.java:143)
        at com.netscape.certsrv.ca.CACertClient.enrollRequest(CACertClient.java:111)
        at org.dogtagpki.acme.issuer.PKIIssuer.issueCertificate(PKIIssuer.java:136)
        at org.dogtagpki.acme.server.ACMEFinalizeOrderService.handlePOST(ACMEFinalizeOrderService.java:91)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:140)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:295)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:249)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:236)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:406)
        ... 54 more

2021-01-22 08:54:12 [pool-1-thread-1] INFO: Running ACME maintenance
2021-01-22 08:54:12 [pool-1-thread-1] INFO: LDAP: search ou=nonces,ou=acme,o=ipaca
2021-01-22 08:54:12 [pool-1-thread-1] INFO: LDAP: search ou=authorizations,ou=acme,o=ipaca
2021-01-22 08:54:12 [pool-1-thread-1] INFO: LDAP: search ou=orders,ou=acme,o=ipaca
2021-01-22 08:54:12 [pool-1-thread-1] INFO: LDAP: search ou=certificates,ou=acme,o=ipaca



Expected results:
ACME certificate issued by ACME server

Additional info:

[root@client ~]# cat >/etc/httpd/conf.d/acme.conf <<EOF
> LogLevel warn md:notice
> 
> MDCertificateAuthority https://ipa-ca.ipa.local/acme/directory
> MDCertificateAgreement accepted
> 
> MDomain f31-0.ipa.local
> 
> <VirtualHost *:443>
>     ServerName f31-0.ipa.local
> 
>     SSLEngine on
>     # no certificates specification
> </VirtualHost>
> EOF
[root@client ~]# vim /etc/httpd/conf.d/acme.conf
[root@client ~]# 
[root@client ~]# systemctl restart httpd
[root@client ~]# systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Fri 2021-01-22 08:43:05 EST; 6s ago
     Docs: man:httpd.service(8)
 Main PID: 19599 (httpd)
   Status: "Started, listening on: port 443, port 80"
    Tasks: 216 (limit: 4742)
   Memory: 30.8M
   CGroup: /system.slice/httpd.service
           ├─19599 /usr/sbin/httpd -DFOREGROUND
           ├─19601 /usr/sbin/httpd -DFOREGROUND
           ├─19602 /usr/sbin/httpd -DFOREGROUND
           ├─19603 /usr/sbin/httpd -DFOREGROUND
           └─19604 /usr/sbin/httpd -DFOREGROUND

Jan 22 08:43:05 client.testrelm.test systemd[1]: Starting The Apache HTTP Server...
Jan 22 08:43:05 client.testrelm.test systemd[1]: Started The Apache HTTP Server.
Jan 22 08:43:05 client.testrelm.test httpd[19599]: Server configured, listening on: port 443, port 80
[root@client ~]# 

[root@client ~]# tail /var/log/httpd/error_log 

[Fri Jan 22 08:43:20.730996 2021] [md:warn] [pid 19602:tid 140278698555136] (111)Connection refused: md[client.testrelm.test] while[Contacting ACME server for client.testrelm.test at https://ipa-ca.testrelm.test/acme/directory] detail[Unsuccessful in contacting ACME server at <https://ipa-ca.testrelm.test/acme/directory>. If this problem persists, please check your network connectivity from your Apache server to the ACME server. Also, older servers might have trouble verifying the certificates of the ACME server. You can check if you are able to contact it manually via the curl command. Sometimes, the ACME server might be down for maintenance, so failing to contact it is not an immediate problem. Apache will continue retrying this.]
[Fri Jan 22 08:43:20.731090 2021] [md:error] [pid 19602:tid 140278698555136] (111)Connection refused: md[client.testrelm.test] while[Contacting ACME server for client.testrelm.test at https://ipa-ca.testrelm.test/acme/directory] detail[Unsuccessful in contacting ACME server at <https://ipa-ca.testrelm.test/acme/directory>. If this problem persists, please check your network connectivity from your Apache server to the ACME server. Also, older servers might have trouble verifying the certificates of the ACME server. You can check if you are able to contact it manually via the curl command. Sometimes, the ACME server might be down for maintenance, so failing to contact it is not an immediate problem. Apache will continue retrying this.]
[Fri Jan 22 08:43:20.731108 2021] [md:error] [pid 19602:tid 140278698555136] (111)Connection refused: AH10056: processing client.testrelm.test: Unsuccessful in contacting ACME server at <https://ipa-ca.testrelm.test/acme/directory>. If this problem persists, please check your network connectivity from your Apache server to the ACME server. Also, older servers might have trouble verifying the certificates of the ACME server. You can check if you are able to contact it manually via the curl command. Sometimes, the ACME server might be down for maintenance, so failing to contact it is not an immediate problem. Apache will continue retrying this.



[root@client ~]# curl https://ipa-ca.testrelm.test/acme/directory
{"newNonce":"https://ipa-ca.testrelm.test/acme/new-nonce","newAccount":"https://ipa-ca.testrelm.test/acme/new-account","newOrder":"https://ipa-ca.testrelm.test/acme/new-order","revokeCert":"https://ipa-ca.testrelm.test/acme/revoke-cert","meta":{"termsOfService":"https://www.example.com/acme/tos.pdf","website":"https://www.example.com","caaIdentities":["example.com"],"externalAccountRequired":false}}


After setting 
[root@client ~]# setsebool httpd_can_network_connect 1


[root@client ~]# tail -f /var/log/httpd/error_log
[Fri Jan 22 09:04:09.137148 2021] [mpm_event:notice] [pid 20356:tid 139757908203840] AH00492: caught SIGWINCH, shutting down gracefully
[Fri Jan 22 09:04:27.232924 2021] [core:notice] [pid 20640:tid 140227249404224] SELinux policy enabled; httpd running as context system_u:system_r:httpd_t:s0
[Fri Jan 22 09:04:27.233827 2021] [suexec:notice] [pid 20640:tid 140227249404224] AH01232: suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
[Fri Jan 22 09:04:27.237096 2021] [ssl:warn] [pid 20640:tid 140227249404224] AH10085: Init: client.testrelm.test:443 will respond with '503 Service Unavailable' for now. There are no SSL certificates configured and no other module contributed any.
[Fri Jan 22 09:04:27.263481 2021] [md:notice] [pid 20640:tid 140227249404224] AH10064: md(client.testrelm.test): previous drive job showed 5 errors, purging STAGING area to reset.
[Fri Jan 22 09:04:27.264562 2021] [ssl:warn] [pid 20640:tid 140227249404224] AH10085: Init: client.testrelm.test:443 will respond with '503 Service Unavailable' for now. There are no SSL certificates configured and no other module contributed any.
[Fri Jan 22 09:04:27.264979 2021] [lbmethod_heartbeat:notice] [pid 20640:tid 140227249404224] AH02282: No slotmem from mod_heartmonitor
[Fri Jan 22 09:04:27.269187 2021] [mpm_event:notice] [pid 20640:tid 140227249404224] AH00489: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1g configured -- resuming normal operations
[Fri Jan 22 09:04:27.269235 2021] [core:notice] [pid 20640:tid 140227249404224] AH00094: Command line: '/usr/sbin/httpd -D FOREGROUND'
[Fri Jan 22 09:05:18.119708 2021] [md:warn] [pid 20643:tid 140226689185536] acme problem unknown: http status 500
[Fri Jan 22 09:05:18.121377 2021] [md:error] [pid 20643:tid 140226689185536] (20014)Internal error (specific information not available): AH10056: processing client.testrelm.test: unexpected http status: 500
[Fri Jan 22 09:05:23.464752 2021] [md:warn] [pid 20643:tid 140226689185536] acme problem unknown: http status 500
[Fri Jan 22 09:05:23.464978 2021] [md:error] [pid 20643:tid 140226689185536] (20014)Internal error (specific information not available): AH10056: processing client.testrelm.test: unexpected http status: 500
[Fri Jan 22 09:05:33.820761 2021] [md:warn] [pid 20643:tid 140226689185536] acme problem unknown: http status 500
[Fri Jan 22 09:05:33.821028 2021] [md:error] [pid 20643:tid 140226689185536] (20014)Internal error (specific information not available): AH10056: processing client.testrelm.test: unexpected http status: 500
[Fri Jan 22 09:05:54.177045 2021] [md:warn] [pid 20643:tid 140226689185536] acme problem unknown: http status 500
[Fri Jan 22 09:05:54.178009 2021] [md:error] [pid 20643:tid 140226689185536] (20014)Internal error (specific information not available): AH10056: processing client.testrelm.test: unexpected http status: 500
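
The description above shows certbot reporting a bare HTTP 500 while the server-side ACME debug log carries the real cause: a 401 UnauthorizedException from the CA ("SessionAuthentication: no auth token") that the ACME servlet let escape as a RESTEasy UnhandledException. The httpd error_log in the additional info shows a separate mod_md failure (connection refused until httpd_can_network_connect was set, then the same 500). The triage helper below is an added example, not code from this bug report, certbot, pki or mod_md; it parses both logs so an operator sees the wrapped CA error and can tell a reachability problem from a server-side one. The sample log text is constructed from the excerpts above (the long mod_md detail text is shortened), and the function and class names are my own.

```python
"""Triage helper for ACME enrollments that fail with a bare HTTP 500.

Added example (not part of the bug report, certbot, pki or mod_md).
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: server-side ACME debug log excerpt from the report.
ACME_DEBUG_LOG = """\
2021-01-22 08:51:14 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: HTTP request: POST /ca/rest/certrequests HTTP/1.1
2021-01-22 08:51:15 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: HTTP response: HTTP/1.1 401
2021-01-22 08:51:15 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] INFO: com.netscape.certsrv.base.UnauthorizedException:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<PKIException>
    <Attributes/>
    <ClassName>com.netscape.certsrv.base.UnauthorizedException</ClassName>
    <Code>401</Code>
    <Message>Authentication failed: SessionAuthentication: no auth token</Message>
</PKIException>

2021-01-22 08:51:15 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-6] SEVERE: Servlet.service() for servlet [ACME] in context with path [/acme] threw exception
org.jboss.resteasy.spi.UnhandledException: com.netscape.certsrv.base.UnauthorizedException: Authentication failed: SessionAuthentication: no auth token
"""

# Constructed sample: mod_md lines from the report, before and after
# "setsebool httpd_can_network_connect 1" (detail text shortened).
HTTPD_ERROR_LOG = """\
[Fri Jan 22 08:43:20.731090 2021] [md:error] [pid 19602:tid 140278698555136] (111)Connection refused: md[client.testrelm.test] while[Contacting ACME server for client.testrelm.test at https://ipa-ca.testrelm.test/acme/directory] detail[Unsuccessful in contacting ACME server.]
[Fri Jan 22 09:04:27.269187 2021] [mpm_event:notice] [pid 20640:tid 140227249404224] AH00489: Apache/2.4.37 (Red Hat Enterprise Linux) OpenSSL/1.1.1g configured -- resuming normal operations
[Fri Jan 22 09:05:18.119708 2021] [md:warn] [pid 20643:tid 140226689185536] acme problem unknown: http status 500
[Fri Jan 22 09:05:18.121377 2021] [md:error] [pid 20643:tid 140226689185536] (20014)Internal error (specific information not available): AH10056: processing client.testrelm.test: unexpected http status: 500
"""

PKI_XML_RE = re.compile(r"<\?xml[^>]*\?>\s*<PKIException>.*?</PKIException>", re.DOTALL)
BACKEND_REQ_RE = re.compile(r"HTTP request: (\w+) (\S+) HTTP/1\.1")
BACKEND_RESP_RE = re.compile(r"HTTP response: HTTP/1\.1 (\d{3})")
# The exception type named on the line right after the SEVERE servlet line.
UNHANDLED_RE = re.compile(r"SEVERE: Servlet\.service\(\) for servlet \[ACME\][^\n]*\n(\S+?): ")
MD_LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[md:(?P<level>warn|error)\] \[pid \d+:tid \d+\] (?P<msg>.*)$")
ERRNO_RE = re.compile(r"^\((?P<errno>\d+)\)(?P<text>[^:]+):")
STATUS_RE = re.compile(r"http status:? (\d{3})")


@dataclass
class BackendFailure:
    backend_method: Optional[str]
    backend_path: Optional[str]
    backend_status: Optional[int]
    exception_class: Optional[str]
    code: Optional[int]
    message: Optional[str]
    wrapped_as: Optional[str]  # exception the ACME servlet let escape, if any

    def explanation(self) -> str:
        if self.code is None:
            return "no PKIException found in the ACME debug log"
        if self.code == 401:
            why = f"the CA rejected the enrollment as unauthenticated ({self.message})"
        else:
            why = f"the CA returned {self.code}: {self.message}"
        if self.wrapped_as:
            why += (f"; the ACME servlet let {self.wrapped_as} escape instead of "
                    "returning an ACME problem document, so the client sees 500")
        return why


def parse_acme_debug_log(text: str) -> BackendFailure:
    """Extract the CA-side error hidden behind the ACME server's 500."""
    req = BACKEND_REQ_RE.search(text)
    resp = BACKEND_RESP_RE.search(text)
    exc_class = code = message = None
    xml_match = PKI_XML_RE.search(text)
    if xml_match:
        root = ET.fromstring(xml_match.group(0).encode("utf-8"))
        exc_class = root.findtext("ClassName")
        code_text = root.findtext("Code")
        code = int(code_text) if code_text else None
        message = root.findtext("Message")
    unhandled = UNHANDLED_RE.search(text)
    return BackendFailure(
        backend_method=req.group(1) if req else None,
        backend_path=req.group(2) if req else None,
        backend_status=int(resp.group(1)) if resp else None,
        exception_class=exc_class, code=code, message=message,
        wrapped_as=unhandled.group(1) if unhandled else None,
    )


def classify_md_errors(text: str) -> List[dict]:
    """Label each [md:error] line: unreachable directory vs. server-side error."""
    findings = []
    for line in text.splitlines():
        m = MD_LINE_RE.match(line)
        if not m or m.group("level") != "error":
            continue
        msg = m.group("msg")
        errno_m = ERRNO_RE.match(msg)
        status_m = STATUS_RE.search(msg)
        if errno_m and errno_m.group("errno") == "111":  # ECONNREFUSED
            kind, hint = "acme-directory-unreachable", (
                "httpd could not connect to the ACME directory: check the network "
                "path and the SELinux boolean httpd_can_network_connect")
        elif status_m and status_m.group(1).startswith("5"):
            kind, hint = "acme-server-error", (
                f"ACME server answered {status_m.group(1)}: inspect the PKI ACME "
                "debug log for the wrapped CA exception")
        else:
            kind, hint = "other", msg
        findings.append({"ts": m.group("ts"), "kind": kind, "hint": hint})
    return findings


if __name__ == "__main__":
    print(parse_acme_debug_log(ACME_DEBUG_LOG).explanation())
    for f in classify_md_errors(HTTPD_ERROR_LOG):
        print(f["ts"], f["kind"], "-", f["hint"])
```

The design point is that a 500 from an ACME endpoint is rarely the whole story: the ACME server here is a front end to the CA's REST API, and the interesting status is the one on the backend leg (POST /ca/rest/certrequests returning 401), which only the server-side debug log records.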

Comment 1 Mohammad Rizwan 2021-01-22 14:09:16 UTC
Created attachment 1749794
letsencrypt.log

version:
ipa-client-4.9.0-1.module+el8.4.0+9275+6e05eb02.x86_64
ipa-server-4.9.0-1.module+el8.4.0+9274+259c83ee.x86_64

Comment 2 Mohammad Rizwan 2021-01-22 14:20:14 UTC
version:
pki-acme-10.10.3-1.module+el8.4.0+9456+88377f87.noarch

Comment 3 Mohammad Rizwan 2021-01-22 14:24:48 UTC
Rob has raised a PR to test Endi's copr build here: https://github.com/freeipa/freeipa/pull/5464
This PR also replicates "acme.errors.ClientError: <Response [500]>" error.

Comment 4 Rob Crittenden 2021-01-22 14:29:08 UTC
Re-assigning to the PKI team for evaluation since the ACME service is raising a 500 to the request.

If this is indeed an unauthorized request it should return a 401 I think. I'm also unclear why the request is unauthorized as registration was successful.

The topology is a single IPA server and client.

Comment 5 Endi Sukma Dewata 2021-01-22 15:57:10 UTC
The error was coming from the CA. Could you provide the CA debug log
and the ACME's issuer.conf?

When was the last time ACME was tested to work in IPA (using the
@pki/master COPR repo instead of mine)?

Comment 6 Endi Sukma Dewata 2021-01-22 16:19:28 UTC
Just to clarify, my COPR repo contains the build for this PR:
https://github.com/dogtagpki/pki/pull/3435
which is meant to fix the load balancing issue between multiple
IPA servers.

If this problem is happening with a single IPA server using the
@pki/master repo, that would be a different issue.

Please also note that we now have a CI test that validates ACME
using certbot:
https://github.com/dogtagpki/pki/blob/master/.github/workflows/acme-tests.yml

Comment 7 Rob Crittenden 2021-01-22 17:34:57 UTC
This bug is against the current compose for RHEL 8.4. The upstream test seems to be failing in a similar way and was included only for reference.

Comment 8 Endi Sukma Dewata 2021-01-26 01:24:20 UTC
Apparently IPA is using acmeIPAServerCert profile (which is defined
in IPA) which requires profile auth, and the profile auth in ACME fails
due to a regression. ACME in PKI has been tested using acmeServerCert
profile which uses REST auth instead of profile auth so doesn't have
this problem.

The following PR should fix the regression and add a CI test for ACME
in IPA:
https://github.com/dogtagpki/pki/pull/3445

Please file a separate ticket for the load balancing issue. Thanks.

Comment 16 Mohammad Rizwan 2021-02-11 07:34:23 UTC
version:
pki-acme-10.10.4-1.module+el8.4.0+9861+7cddd5b6.noarch

using : http://download.devel.redhat.com/rhel-8/nightly/RHEL-8/RHEL-8.4.0-20210211.n.0/compose/AppStream/x86_64/os/


[root@client1 ~]# certbot --server https://ipa-ca.testrelm.test/acme/directory register -m myusuf --agree-tos
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: y
Account registered.
[root@client1 ~]# 
[root@client1 ~]# 
[root@client1 ~]# 
[root@client1 ~]# certbot --server https://ipa-ca.testrelm.test/acme/directory  certonly --domain `hostname` --standalone
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Requesting a certificate for client1.testrelm.test
Performing the following challenges:
http-01 challenge for client1.testrelm.test
Waiting for verification...
Cleaning up challenges
Subscribe to the EFF mailing list (email: myusuf).
We were unable to subscribe you the EFF mailing list because your e-mail address appears to be invalid. You can try again later by visiting https://act.eff.org.

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/client1.testrelm.test/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/client1.testrelm.test/privkey.pem
   Your certificate will expire on 2021-05-12. To obtain a new or
   tweaked version of this certificate in the future, simply run
   certbot again. To non-interactively renew *all* of your
   certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

[root@client1 ~]# 
[root@client1 ~]#  openssl x509 -text  -in /etc/letsencrypt/live/client1.testrelm.test/fullchain.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 11 (0xb)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = TESTRELM.TEST, CN = Certificate Authority
        Validity
            Not Before: Feb 11 07:30:16 2021 GMT
            Not After : May 12 06:30:16 2021 GMT
        Subject: CN = client1.testrelm.test
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:d6:8f:d0:03:3b:81:80:53:cd:ee:9b:b5:5d:38:
                    4a:8c:de:3d:eb:18:9f:0c:c9:2e:ea:3d:3d:1a:39:
                    b1:a3:df:0f:1f:37:d4:ab:a9:44:68:59:1a:70:bb:
                    e2:da:1f:a7:57:a2:f0:40:27:14:60:a9:eb:03:29:
                    68:64:02:c0:b8:a2:90:1d:06:0e:05:a9:b2:80:1e:
                    dd:b4:58:be:c7:a2:8c:aa:a6:c8:c6:e7:3c:92:38:
                    82:33:4d:4e:56:39:eb:eb:42:0e:a4:f3:c6:9c:0f:
                    d1:62:3f:9f:63:48:f4:aa:4e:73:62:51:0a:ae:2d:
                    e5:44:14:e8:08:18:9b:f6:05:e1:af:f6:a2:0c:a3:
                    4a:0c:a5:b7:95:7c:0d:27:6b:68:bc:92:05:06:ba:
                    4d:07:f9:37:d9:6c:ea:a2:45:d4:c5:5d:02:4b:b7:
                    e9:8f:fc:27:c3:ae:e1:6c:fd:03:99:cb:68:28:b0:
                    76:63:96:32:4a:fc:89:9e:bc:6a:98:24:d2:9b:08:
                    19:6e:a5:f2:2b:9e:0d:7c:4b:1c:6b:c4:b8:17:98:
                    4d:8d:7f:cd:c6:c5:8a:55:b1:4d:2a:c9:c5:29:92:
                    95:2a:43:58:37:66:5d:65:bf:9d:4e:f7:98:ae:a0:
                    32:6d:a9:10:7d:54:6e:8f:42:f5:5a:f1:18:f1:7b:
                    73:21
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Subject Key Identifier: 
                13:31:48:45:C2:7F:FE:D7:65:65:63:09:37:9C:85:5F:02:FA:3C:37
            X509v3 Authority Key Identifier: 
                keyid:04:B4:A0:1D:DF:56:E2:4F:4F:A9:B2:BE:2F:D5:19:0C:3E:FE:7D:84

            Authority Information Access: 
                OCSP - URI:http://ipa-ca.testrelm.test/ca/ocsp

            X509v3 Subject Alternative Name: 
                DNS:client1.testrelm.test
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://ipa-ca.testrelm.test/ipa/crl/MasterCRL.bin
                CRL Issuer:
                  DirName:O = ipaca, CN = Certificate Authority

    Signature Algorithm: sha256WithRSAEncryption
         70:03:23:56:41:38:77:83:37:10:7b:ba:00:49:f4:be:5c:00:
         32:79:d9:2c:44:a4:27:c5:da:07:63:e9:18:ce:b6:b6:19:55:
         41:6d:fc:9b:09:bb:dd:35:6f:9e:e3:89:2a:db:0e:3c:98:78:
         94:92:c2:46:ed:52:a0:12:79:00:d0:56:59:32:b1:06:ef:e6:
         d0:de:ef:82:7e:a1:50:90:b3:fc:3b:e4:17:9e:c4:c1:7f:48:
         fe:ce:5c:5f:2d:62:6e:98:13:ed:0e:00:4e:72:ef:cd:56:e9:
         74:c4:89:36:1f:0e:4e:76:7c:3c:71:07:44:a6:f6:07:9a:e7:
         7a:48:cb:52:49:51:b2:19:0f:be:2b:dd:4a:d0:2a:f1:5d:6c:
         ff:eb:82:1c:c0:ab:19:94:cc:0f:5f:db:aa:bd:29:2a:29:ba:
         bd:84:d9:32:89:08:f6:34:ef:08:9f:a4:4a:81:10:08:a8:fc:
         fb:9d:04:af:b4:70:94:d4:6f:ad:8f:60:91:21:d1:05:b2:ad:
         80:b1:77:24:5b:3d:7f:12:85:7f:d4:dd:57:38:2f:dd:bf:a7:
         31:33:6d:02:dc:b2:0c:ab:21:7a:50:6d:01:d7:92:97:b8:41:
         16:6f:ef:ed:ff:3b:1e:dd:bf:d0:69:b1:37:cb:da:d6:c1:be:
         89:3b:94:7a:61:28:f2:72:13:6c:09:3e:89:fe:a7:e0:5c:3a:
         fd:f2:a6:d8:7e:89:1b:88:77:14:dc:57:09:fd:24:bb:07:dc:
         6e:8e:af:43:1b:e5:e6:f7:eb:ff:39:77:5c:17:6e:4f:10:84:
         6d:15:dd:4a:89:05:55:dd:d4:01:4a:65:25:4a:16:51:e1:e7:
         4b:5b:4a:6c:43:be:e7:35:da:9f:70:5d:0f:e4:84:63:34:e3:
         ec:49:93:06:36:9f:27:37:65:e5:a7:44:60:13:9f:b3:fd:a4:
         45:8e:d6:66:88:2d:6c:33:39:78:0c:4b:dd:ee:a6:56:4c:82:
         6b:b7:cb:b3:ad:da
-----BEGIN CERTIFICATE-----
MIIEpTCCAw2gAwIBAgIBCzANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1URVNU
UkVMTS5URVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMjEw
MjExMDczMDE2WhcNMjEwNTEyMDYzMDE2WjAgMR4wHAYDVQQDDBVjbGllbnQxLnRl
c3RyZWxtLnRlc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDWj9AD
O4GAU83um7VdOEqM3j3rGJ8MyS7qPT0aObGj3w8fN9SrqURoWRpwu+LaH6dXovBA
JxRgqesDKWhkAsC4opAdBg4FqbKAHt20WL7HooyqpsjG5zySOIIzTU5WOevrQg6k
88acD9FiP59jSPSqTnNiUQquLeVEFOgIGJv2BeGv9qIMo0oMpbeVfA0na2i8kgUG
uk0H+TfZbOqiRdTFXQJLt+mP/CfDruFs/QOZy2gosHZjljJK/ImevGqYJNKbCBlu
pfIrng18SxxrxLgXmE2Nf83GxYpVsU0qycUpkpUqQ1g3Zl1lv51O95iuoDJtqRB9
VG6PQvVa8Rjxe3MhAgMBAAGjggFQMIIBTDAOBgNVHQ8BAf8EBAMCBaAwHQYDVR0l
BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMB0GA1UdDgQWBBQTMUhFwn/+12VlYwk3
nIVfAvo8NzAfBgNVHSMEGDAWgBQEtKAd31biT0+psr4v1RkMPv59hDA/BggrBgEF
BQcBAQQzMDEwLwYIKwYBBQUHMAGGI2h0dHA6Ly9pcGEtY2EudGVzdHJlbG0udGVz
dC9jYS9vY3NwMCAGA1UdEQQZMBeCFWNsaWVudDEudGVzdHJlbG0udGVzdDB4BgNV
HR8EcTBvMG2gNaAzhjFodHRwOi8vaXBhLWNhLnRlc3RyZWxtLnRlc3QvaXBhL2Ny
bC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTEeMBwGA1UEAwwV
Q2VydGlmaWNhdGUgQXV0aG9yaXR5MA0GCSqGSIb3DQEBCwUAA4IBgQBwAyNWQTh3
gzcQe7oASfS+XAAyedksRKQnxdoHY+kYzra2GVVBbfybCbvdNW+e44kq2w48mHiU
ksJG7VKgEnkA0FZZMrEG7+bQ3u+CfqFQkLP8O+QXnsTBf0j+zlxfLWJumBPtDgBO
cu/NVul0xIk2Hw5Odnw8cQdEpvYHmud6SMtSSVGyGQ++K91K0CrxXWz/64IcwKsZ
lMwPX9uqvSkqKbq9hNkyiQj2NO8In6RKgRAIqPz7nQSvtHCU1G+tj2CRIdEFsq2A
sXckWz1/EoV/1N1XOC/dv6cxM20C3LIMqyF6UG0B15KXuEEWb+/t/zse3b/QabE3
y9rWwb6JO5R6YSjychNsCT6J/qfgXDr98qbYfokbiHcU3FcJ/SS7B9xujq9DG+Xm
9+v/OXdcF25PEIRtFd1KiQVV3dQBSmUlShZR4edLW0psQ77nNdqfcF0P5IRjNOPs
SZMGNp8nN2Xlp0RgE5+z/aRFjtZmiC1sMzl4DEvd7qZWTIJrt8uzrdo=
-----END CERTIFICATE-----

Comment 18 errata-xmlrpc 2021-05-18 15:25:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: pki-core:10.6 and pki-deps:10.6 security, bug fix, and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:1775

