[Freeipa-users] DS failed after upgrade
Martin Basti
mbasti at redhat.com
Fri Nov 7 09:25:51 UTC 2014
Changed subject.
Rob CCed
On 07/11/14 09:52, Martin Basti wrote:
> Forward message back to list
>
>
> -------- Original Message --------
> Subject: Re: [Freeipa-users] dns stops working after upgrade
> Date: Thu, 6 Nov 2014 21:42:55 +0100
> From: Rob Verduijn <rob.verduijn at gmail.com>
> To: Martin Basti <mbasti at redhat.com>
>
>
>
> Hi again,
>
> I tried the update to 4.1.1
> It didn't go well, actually it went worse than to 4.1.
> Now the directory service went down and was no longer able to start.
>
> Some part of the logs is below.
> Besides the warnings about a weak cipher there was not much in the
> journalctl.
>
> It's getting late over here, I'll dig into the logs tomorrow.
>
> Rob
>
> Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Starting 389 Directory
> Server TJAKO-THUIS....
> Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Started 389 Directory
> Server TJAKO-THUIS..
> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_rc4_128_md5 is
> weak. It is enabled since allowWeakCipher is "on" (default setting for
> the backward compatibility). We strongly recommend to set it to "off".
> Please replace the value of allowWeakCipher with "off" in the
> encryption config entry cn=encryption,cn=config and restart the server.
> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_rc4_40_md5 is
> weak. It is enabled since allowWeakCipher is "on" (default setting for
> the backward compatibility). We strongly recommend to set it to "off".
> Please replace the value of allowWeakCipher with "off" in the
> encryption config entry cn=encryption,cn=config and restart the server.
> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_rc2_40_md5 is
> weak. It is enabled since allowWeakCipher is "on" (default setting for
> the backward compatibility). We strongly recommend to set it to "off".
> Please replace the value of allowWeakCipher with "off" in the
> encryption config entry cn=encryption,cn=config and restart the server.
> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_des_sha is weak.
> It is enabled since allowWeakCipher is "on" (default setting for the
> backward compatibility). We strongly recommend to set it to "off".
> Please replace the value of allowWeakCipher with "off" in the
> encryption config entry cn=encryption,cn=config and restart the server.
> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_fips_des_sha is
> weak. It is enabled since allowWeakCipher is "on" (default setting for
> the backward compatibility). We strongly recommend to set it to "off".
> Please replace the value of allowWeakCipher with "off" in the
> encryption config entry cn=encryption,cn=config and restart the server.
> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_3des_sha is weak.
> It is enabled since allowWeakCipher is "on" (default setting for the
> backward compatibility). We strongly recommend to set it to "off".
> Please replace the value of allowWeakCipher with "off" in the
> encryption config entry cn=encryption,cn=config and restart the server.
> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_fips_3des_sha is
> weak. It is enabled since allowWeakCipher is "on" (default setting for
> the backward compatibility). We strongly recommend to set it to "off".
> Please replace the value of allowWeakCipher with "off" in the
> encryption config entry cn=encryption,cn=config and restart the server.
> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite fortezza is not
> available in NSS 3.17. Ignoring fortezza
> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite
> fortezza_rc4_128_sha is not available in NSS 3.17. Ignoring
> fortezza_rc4_128_sha
> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite fortezza_null
> is not available in NSS 3.17. Ignoring fortezza_null
> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
> tls_rsa_export1024_with_rc4_56_sha is weak. It is enabled since
> allowWeakCipher is "on" (default setting for the backward
> compatibility). We strongly recommend to set it to "off". Please
> replace the value of allowWeakCipher with "off" in the encryption
> config entry cn=encryption,cn=config and restart the server.
> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
> [06/Nov/2014:21:34:59 +0100] - SSL alert: Cipher
> tls_rsa_export1024_with_des_cbc_sha is weak. It is enabled since
> allowWeakCipher is "on" (default setting for the backward
> compatibility). We strongly recommend to set it to "off". Please
> replace the value of allowWeakCipher with "off" in the encryption
> config entry cn=encryption,cn=config and restart the server.
> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
> [06/Nov/2014:21:34:59 +0100] - SSL alert: Configured NSS Ciphers
> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
> [06/Nov/2014:21:34:59 +0100] - SSL alert:
> SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA: enabled, (WEAK CIPHER)
> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
> [06/Nov/2014:21:34:59 +0100] - SSL alert:
> TLS_RSA_WITH_3DES_EDE_CBC_SHA: enabled, (WEAK CIPHER)
> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
> [06/Nov/2014:21:34:59 +0100] - SSL alert: TLS_RSA_WITH_RC4_128_MD5:
> enabled, (WEAK CIPHER)
> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
> [06/Nov/2014:21:34:59 +0100] - SSL alert:
> SSL_RSA_FIPS_WITH_DES_CBC_SHA: enabled, (WEAK CIPHER)
> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
> [06/Nov/2014:21:34:59 +0100] - SSL alert: TLS_RSA_WITH_DES_CBC_SHA:
> enabled, (WEAK CIPHER)
> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
> [06/Nov/2014:21:34:59 +0100] - SSL alert:
> TLS_RSA_EXPORT1024_WITH_RC4_56_SHA: enabled, (WEAK CIPHER)
> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
> [06/Nov/2014:21:34:59 +0100] - SSL alert:
> TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA: enabled, (WEAK CIPHER)
> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
> [06/Nov/2014:21:34:59 +0100] - SSL alert:
> TLS_RSA_EXPORT_WITH_RC4_40_MD5: enabled, (WEAK CIPHER)
> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
> [06/Nov/2014:21:34:59 +0100] - SSL alert:
> TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: enabled, (WEAK CIPHER)
> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
> [06/Nov/2014:21:34:59 +0100] SSL Initialization - SSL version range:
> min: TLS1.0, max: TLS1.2
> Nov 06 21:35:01 freeipa.tjako.thuis systemd[1]:
> dirsrv@TJAKO-THUIS.service: main process exited, code=exited,
> status=1/FAILURE
> Nov 06 21:35:01 freeipa.tjako.thuis systemd[1]: Unit
> dirsrv@TJAKO-THUIS.service entered failed state.
>
>
>
--
Martin Basti
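
An added example, not part of the original message and not FreeIPA or 389-ds tooling: a small Python sorter for a mail-quoted, line-wrapped journal excerpt like the one above. It rejoins the wrapped records and separates the ns-slapd TLS configuration warnings from the systemd record that reports the service exit. The bucket names, host name and instance name in the sample are constructed.

```python
import re

TS = re.compile(r"^[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} ")  # start of a journal record
PATTERNS = {
    "weak_by_name": re.compile(r"SSL alert: Cipher (\S+) is weak\. It is enabled since allowWeakCipher"),
    "enabled_weak": re.compile(r"SSL alert: (\S+): enabled, \(WEAK CIPHER\)"),
    "tls_range": re.compile(r"SSL version range: min: ([^,\s]+), max: (\S+)"),
    "unit_exit": re.compile(r"systemd\[\d+\]: (\S+): main process exited, code=\w+, status=(\S+)"),
}

def unwrap(text):
    """Strip '> ' mail quoting and rejoin wrapped lines into one record each."""
    records = []
    for raw in text.splitlines():
        line = re.sub(r"^>\s?", "", raw).strip()
        if TS.match(line):
            records.append(line)
        elif line and records:          # continuation of the previous record
            records[-1] += " " + line
    return records

def triage(text):
    """Bucket each record: TLS configuration warnings vs. the service exit."""
    found = {name: [] for name in PATTERNS}
    for rec in unwrap(text):
        for name, pat in PATTERNS.items():
            if m := pat.search(rec):
                found[name].append(m.group(1) if pat.groups == 1 else m.groups())
                break
    return found

# Constructed sample in the quoted, wrapped layout of the excerpt above.
SAMPLE = '''\
> Nov 06 21:34:58 ipa.example.test ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] -
> SSL alert: Cipher rsa_rc4_128_md5 is weak. It is enabled since allowWeakCipher
> is "on" (default setting for the backward compatibility).
> Nov 06 21:34:59 ipa.example.test ns-slapd[2244]:
> [06/Nov/2014:21:34:59 +0100] - SSL alert: TLS_RSA_WITH_RC4_128_MD5:
> enabled, (WEAK CIPHER)
> Nov 06 21:34:59 ipa.example.test ns-slapd[2244]:
> [06/Nov/2014:21:34:59 +0100] SSL Initialization - SSL version range:
> min: TLS1.0, max: TLS1.2
> Nov 06 21:35:01 ipa.example.test systemd[1]:
> dirsrv@EXAMPLE-TEST.service: main process exited, code=exited,
> status=1/FAILURE
'''

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Records that match none of the patterns are left out of the result, so the output lists only the cipher warnings, the negotiated TLS range and the unit exit status.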