[Freeipa-devel] [IMPORTANT] nss-3.28.1-1.2.fc25 from updates-testing breaks FreeIPA
Martin Babinsky
mbabinsk at redhat.com
Fri Jan 20 14:57:37 UTC 2017
On 01/20/2017 10:13 AM, Martin Babinsky wrote:
> On 01/20/2017 10:05 AM, Martin Babinsky wrote:
>> Hi list,
>>
>> I have noticed the following failures in our Travis CI during server
>> installation phase:
>>
>> https://paste.fedoraproject.org/531238/84902361/
>>
>> After inspecting ipaclient-install.log the following error can be
>> observed:
>> """
>> 2017-01-20T08:47:51Z DEBUG Verifying that master.ipa.test (realm
>> IPA.TEST) is an IPA server
>> 2017-01-20T08:47:51Z DEBUG Init LDAP connection to:
>> ldap://master.ipa.test:389
>> 2017-01-20T08:47:51Z DEBUG Error checking LDAP: Connect error: TLS error
>> -12286:Cannot communicate securely with peer: no common encryption
>> algorithm(s).
>> 2017-01-20T08:47:51Z WARNING Skip master.ipa.test: cannot verify if this
>> is an IPA server
>> 2017-01-20T08:47:51Z DEBUG Discovery result: UNKNOWN_ERROR; server=None,
>> domain=ipa.test, kdc=master.ipa.test, basedn=None
>> """
>>
>> Digging deeper into the issue reveals that it is caused by recent
>> addition of nss-3.28.1-1.2.fc25.x86_64 (since the installation works
>> fine using older 3.27.0-1.3.fc25 package). I was unable to find this
>> build in Bodhi so it seems that it was pushed to updates-testing
>> directly, probably as a security update.
>>
>> Should I open a bugzilla against NSS so that the maintainers know about
>> this issue? Or is it caused on FreeIPA side and we need to update our
>> codebase?
>>
>> Interestingly, a packaging bug[1] prevented me to downgrade to working
>> version, so after update we are left with unusable environment with no
>> easy way to revert to a working configuration. In the meanwhile I advise
>> you to disable updates-testing on F25 altogether until the issue is
>> resolved. I will also prepare and test a new Docker Image for Travis
>> that will (hopefully) restore CI to working state.
>>
>> [1] https://paste.fedoraproject.org/531240/49028321/
>>
>
> update: I have found the respective build in Bodhi[1] marked as
> unpushed, so we just have to wait until it is kicked out of
> updates-testing.
>
> [1] https://bodhi.fedoraproject.org/updates/FEDORA-2017-e42b513012
>
update: I have re-built the test runner image with disabled updates
testing. The Travis CI jobs should be green again if you restart them.
--
Martin^3 Babinsky
More information about the Freeipa-devel
mailing list