<div dir="ltr">Hi all,<div><br></div><div>Either I was to worn out last night, or another update has happened.</div><div>This morning the directory server did start after the update.</div><div>local dns zones however where not available again after the update </div><div>ipa-ldap-updater did not help to fix it.</div><div><br></div><div>The are again only 7 DNS aci objects are still in the ds.( same as before when it failed )</div><div>I also noticed that there are also quite a lot lower case dns aci objects.</div><div><br></div><div>Rob</div><div><br></div><div><br></div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">2014-11-07 10:25 GMT+01:00 Martin Basti <span dir="ltr"><<a href="mailto:mbasti@redhat.com" target="_blank">mbasti@redhat.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Changed subject.<br>
Rob CCed <br>
<br>
On 07/11/14 09:52, Martin Basti wrote:<br>
</div>
<blockquote type="cite">
Forward message back to list<br>
<div><br>
<br>
-------- Original Message --------
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<th align="RIGHT" nowrap valign="BASELINE">Subject:
</th>
<td>Re: [Freeipa-users] dns stops working after upgrade</td>
</tr>
<tr>
<th align="RIGHT" nowrap valign="BASELINE">Date:
</th>
<td>Thu, 6 Nov 2014 21:42:55 +0100</td>
</tr>
<tr>
<th align="RIGHT" nowrap valign="BASELINE">From:
</th>
<td>Rob Verduijn <a href="mailto:rob.verduijn@gmail.com" target="_blank"><rob.verduijn@gmail.com></a></td>
</tr>
<tr>
<th align="RIGHT" nowrap valign="BASELINE">To: </th>
<td>Martin Basti <a href="mailto:mbasti@redhat.com" target="_blank"><mbasti@redhat.com></a></td>
</tr>
</tbody>
</table>
<br>
<br>
<div dir="ltr">Hi again,
<div><br>
</div>
<div>I tried the update to 4.1.1</div>
<div>It didn't went well, actually it went worse than to 4.1.</div>
<div>Now the directory service went down and was no longer
able to start.</div>
<div><br>
</div>
<div>Some part of the logs is below.</div>
<div>Besides the warnings about a weak cipher there was not
much in the journalctl.</div>
<div><br>
</div>
<div>It's getting late overhere, I'll dig into the logs
tomorrow.</div>
<div><br>
</div>
<div>Rob</div>
<div><br>
</div>
<div>
<div>Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]:
Starting 389 Directory Server TJAKO-THUIS....</div>
<div>Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Started
389 Directory Server TJAKO-THUIS..</div>
<div>Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
rsa_rc4_128_md5 is weak. It is enabled since
allowWeakCipher is "on" (default setting for the backward
compatibility). We strongly recommend to set it to "off".
Please replace the value of allowWeakCipher with "off" in
the encryption config entry cn=encryption,cn=config and
restart the server.</div>
<div>Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
rsa_rc4_40_md5 is weak. It is enabled since
allowWeakCipher is "on" (default setting for the backward
compatibility). We strongly recommend to set it to "off".
Please replace the value of allowWeakCipher with "off" in
the encryption config entry cn=encryption,cn=config and
restart the server.</div>
<div>Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
rsa_rc2_40_md5 is weak. It is enabled since
allowWeakCipher is "on" (default setting for the backward
compatibility). We strongly recommend to set it to "off".
Please replace the value of allowWeakCipher with "off" in
the encryption config entry cn=encryption,cn=config and
restart the server.</div>
<div>Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
rsa_des_sha is weak. It is enabled since allowWeakCipher
is "on" (default setting for the backward compatibility).
We strongly recommend to set it to "off". Please replace
the value of allowWeakCipher with "off" in the encryption
config entry cn=encryption,cn=config and restart the
server.</div>
<div>Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
rsa_fips_des_sha is weak. It is enabled since
allowWeakCipher is "on" (default setting for the backward
compatibility). We strongly recommend to set it to "off".
Please replace the value of allowWeakCipher with "off" in
the encryption config entry cn=encryption,cn=config and
restart the server.</div>
<div>Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
rsa_3des_sha is weak. It is enabled since allowWeakCipher
is "on" (default setting for the backward compatibility).
We strongly recommend to set it to "off". Please replace
the value of allowWeakCipher with "off" in the encryption
config entry cn=encryption,cn=config and restart the
server.</div>
<div>Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
rsa_fips_3des_sha is weak. It is enabled since
allowWeakCipher is "on" (default setting for the backward
compatibility). We strongly recommend to set it to "off".
Please replace the value of allowWeakCipher with "off" in
the encryption config entry cn=encryption,cn=config and
restart the server.</div>
<div>Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite
fortezza is not available in NSS 3.17. Ignoring fortezza</div>
<div>Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite
fortezza_rc4_128_sha is not available in NSS 3.17.
Ignoring fortezza_rc4_128_sha</div>
<div>Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite
fortezza_null is not available in NSS 3.17. Ignoring
fortezza_null</div>
<div>Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
tls_rsa_export1024_with_rc4_56_sha is weak. It is enabled
since allowWeakCipher is "on" (default setting for the
backward compatibility). We strongly recommend to set it
to "off". Please replace the value of allowWeakCipher
with "off" in the encryption config entry
cn=encryption,cn=config and restart the server.</div>
<div>Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:59 +0100] - SSL alert: Cipher
tls_rsa_export1024_with_des_cbc_sha is weak. It is
enabled since allowWeakCipher is "on" (default setting for
the backward compatibility). We strongly recommend to set
it to "off". Please replace the value of allowWeakCipher
with "off" in the encryption config entry
cn=encryption,cn=config and restart the server.</div>
<div>Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:59 +0100] - SSL alert: Configured NSS
Ciphers</div>
<div>Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:59 +0100] - SSL alert:
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA: enabled, (WEAK CIPHER)</div>
<div>Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:59 +0100] - SSL alert:
TLS_RSA_WITH_3DES_EDE_CBC_SHA: enabled, (WEAK CIPHER)</div>
<div>Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:59 +0100] - SSL alert:
TLS_RSA_WITH_RC4_128_MD5: enabled, (WEAK CIPHER)</div>
<div>Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:59 +0100] - SSL alert:
SSL_RSA_FIPS_WITH_DES_CBC_SHA: enabled, (WEAK CIPHER)</div>
<div>Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:59 +0100] - SSL alert:
TLS_RSA_WITH_DES_CBC_SHA: enabled, (WEAK CIPHER)</div>
<div>Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:59 +0100] - SSL alert:
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA: enabled, (WEAK CIPHER)</div>
<div>Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:59 +0100] - SSL alert:
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA: enabled, (WEAK
CIPHER)</div>
<div>Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:59 +0100] - SSL alert:
TLS_RSA_EXPORT_WITH_RC4_40_MD5: enabled, (WEAK CIPHER)</div>
<div>Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:59 +0100] - SSL alert:
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: enabled, (WEAK CIPHER)</div>
<div>Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
[06/Nov/2014:21:34:59 +0100] SSL Initialization - SSL
version range: min: TLS1.0, max: TLS1.2</div>
<div>Nov 06 21:35:01 freeipa.tjako.thuis systemd[1]: <a href="mailto:dirsrv@TJAKO-THUIS.service" target="_blank">dirsrv@TJAKO-THUIS.service</a>:
main process exited, code=exited, status=1/FAILURE</div>
<div>Nov 06 21:35:01 freeipa.tjako.thuis systemd[1]: Unit <a href="mailto:dirsrv@TJAKO-THUIS.service" target="_blank">dirsrv@TJAKO-THUIS.service</a>
entered failed state.</div>
</div>
</div>
<div class="gmail_extra"><br>
</div>
</div>
<br>
<fieldset></fieldset>
<br><span class="HOEnZb"><font color="#888888">
</font></span></blockquote><span class="HOEnZb"><font color="#888888">
<br>
<br>
<pre cols="72">--
Martin Basti</pre>
</font></span></div>
</blockquote></div><br></div>