On Tue, Oct 01, 2019 at 07:14:17PM +1000, Fraser Tweedale via FreeIPA-users wrote:
On Tue, Oct 01, 2019 at 10:51:37AM +0300, Alexander Bokovoy via FreeIPA-users wrote:
On Tue, 01 Oct 2019, Dmitry Perets via FreeIPA-users wrote:
Hi,
Posting back here, in case someone gets this issue in the future...
The problem turned out to be that IPA put wrong CA cert subject in the LDAP entry under "uid=ipakra,ou=people,o=kra,o=ipaca". It looked like this:
dn: uid=ipakra,ou=people,o=kra,o=ipaca
description: 2;7;CN=Certificate Authority,O=<my_realm>;CN=IPA RA,O=<my_realm>
uid: ipakra
sn: IPA KRA User
usertype: undefined
userCertificate:: <here cert comes>
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
cn: IPA KRA User
So there are a couple of requirements that this entry must satisfy, such as:
- `userCertificate` must contain the cert from /var/lib/ipa/ra-agent.pem
- `description` must contain cert serial number (it's the second integer, usually 7)
- `description` must further contain the issuer of that cert and its subject (CN=IPA RA...)
So in our case, the problem was with the wrong issuer. `CN=Certificate Authority` is the default issuer subject, but in my environment I actually use a custom one:
$ openssl x509 -noout -issuer -subject -in /var/lib/ipa/ra-agent.pem
issuer= /CN=My CA/O=<my_realm>
subject= /O=<my_realm>/CN=IPA RA
It looks like the actual IPA RA subject is fixed in the code in ipaserver/install/krainstance.py:
class KRAInstance(DogtagInstance):
    ...
    def __create_kra_agent(self):
        ...
        # create ipakra user with RA agent certificate
        user_dn = DN(('uid', "ipakra"), ('ou', 'people'), self.basedn)
        entry = conn.make_entry(
            user_dn,
            objectClass=['top', 'person', 'organizationalPerson',
                         'inetOrgPerson', 'cmsuser'],
            uid=["ipakra"],
            sn=["IPA KRA User"],
            cn=["IPA KRA User"],
            usertype=["undefined"],
            userCertificate=[cert],
            description=['2;%s;%s;%s' % (
                cert.serial_number,
                DN(self.subject),
                DN(('CN', 'IPA RA'), self.subject_base))])
        conn.add_entry(entry)
I think it should be picked up from the cert. Time for a ticket?
Time for a ticket, yes. But the above code looks ok. The problem is 'self.subject' (the issuer DN) contains the wrong value. I'll follow the reproducer steps to see what's going on. I suspect KRAInstance instance is not initialised properly for some operation.
Ticket: https://pagure.io/freeipa/issue/8084
I will work on this in the next sprint (which starts in a couple of days).
Cheers, Fraser
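The three requirements Dmitry lists for the ipakra entry (serial, issuer DN and subject DN in `description`, all matching /var/lib/ipa/ra-agent.pem), as an added consistency check that is neither part of this thread nor FreeIPA's own code: it takes the LDIF `description` value and the `openssl x509` output lines as strings, uses constructed sample values with EXAMPLE.TEST in place of the real realm, and assumes DN values contain no escaped separators.

```python
# Consistency check for the "uid=ipakra" entry described in the thread: its
# "description" must read "2;<serial>;<issuer DN>;<subject DN>" and agree with
# /var/lib/ipa/ra-agent.pem. Added example, not FreeIPA's own code. Inputs are the
# LDIF description value and the lines printed by
# `openssl x509 -noout -serial -issuer -subject` (legacy slash DN format).
# Assumption: DN values contain no escaped ',' or '/' characters.

def parse_slash_dn(line):
    """'issuer= /CN=My CA/O=X' -> [('CN','My CA'), ('O','X')] in openssl (DER) order."""
    dn = line.partition("=")[2]                      # drop the "issuer="/"subject=" label
    return [tuple(p.split("=", 1)) for p in dn.strip().split("/") if p]

def parse_ldap_dn(dn):
    """'CN=IPA RA,O=X' -> [('CN','IPA RA'), ('O','X')] in RFC 4514 (LDAP entry) order."""
    return [tuple(p.strip().split("=", 1)) for p in dn.split(",")]

def parse_serial(line):
    """'serial=07' (openssl prints hex) -> 7, the integer form used in the entry."""
    return int(line.partition("=")[2].strip(), 16)

def normalize(rdns):
    """Comparison form: attribute types and values case-folded, whitespace trimmed."""
    return [(t.strip().lower(), v.strip().lower()) for t, v in rdns]

def parse_description(desc):
    """'2;7;<issuer>;<subject>' -> (7, issuer RDNs, subject RDNs)."""
    fields = desc.split(";")
    if len(fields) != 4 or fields[0] != "2":
        raise ValueError("unexpected description format: %r" % desc)
    return int(fields[1]), parse_ldap_dn(fields[2]), parse_ldap_dn(fields[3])

def check_ipakra_entry(desc, serial_line, issuer_line, subject_line):
    """Return [(field, entry value, certificate value)] per mismatch; [] if consistent."""
    ent_serial, ent_issuer, ent_subject = parse_description(desc)
    cert_serial = parse_serial(serial_line)
    problems = []
    if ent_serial != cert_serial:
        problems.append(("serial", ent_serial, cert_serial))
    for field, ent, line in (("issuer", ent_issuer, issuer_line),
                             ("subject", ent_subject, subject_line)):
        cert = list(reversed(parse_slash_dn(line)))  # DER order -> LDAP string order
        if normalize(ent) != normalize(cert):
            problems.append((field, ent, cert))
    return problems

# Constructed sample shaped like the thread's broken entry (realm replaced by EXAMPLE.TEST).
DESC_BROKEN = "2;7;CN=Certificate Authority,O=EXAMPLE.TEST;CN=IPA RA,O=EXAMPLE.TEST"
DESC_FIXED = "2;7;O=EXAMPLE.TEST,CN=My CA;CN=IPA RA,O=EXAMPLE.TEST"
SERIAL_LINE, ISSUER_LINE = "serial=07", "issuer= /CN=My CA/O=EXAMPLE.TEST"
SUBJECT_LINE = "subject= /O=EXAMPLE.TEST/CN=IPA RA"
```

Calling `check_ipakra_entry(DESC_BROKEN, SERIAL_LINE, ISSUER_LINE, SUBJECT_LINE)` reports only the issuer mismatch from the thread, while `DESC_FIXED` yields an empty list.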