[Freeipa-users] DS failed after upgrade

Martin Basti mbasti at redhat.com
Fri Nov 7 09:25:51 UTC 2014 

Changed subject.
Rob CCed

On 07/11/14 09:52, Martin Basti wrote:
> Forward message back to list
>
>
> -------- Original Message --------
> Subject: 	Re: [Freeipa-users] dns stops working after upgrade
> Date: 	Thu, 6 Nov 2014 21:42:55 +0100
> From: 	Rob Verduijn <rob.verduijn at gmail.com>
> To: 	Martin Basti <mbasti at redhat.com>
>
>
>
> Hi again,
>
> I tried the update to 4.1.1
> It didn't went well, actually it went worse than to 4.1.
> Now the directory service went down and was no longer able to start.
>
> Some part of the logs is below.
> Besides the warnings about a weak cipher there was not much in the 
> journalctl.
>
> It's getting late overhere, I'll dig into the logs tomorrow.
>
> Rob
>
> Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Starting 389 Directory 
> Server TJAKO-THUIS....
> Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Started 389 Directory 
> Server TJAKO-THUIS..
> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: 
> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_rc4_128_md5 is 
> weak. It is enabled since allowWeakCipher is "on" (default setting for 
> the backward compatibility). We strongly recommend to set it to "off". 
> Please replace the value of allowWeakCipher with "off" in the 
> encryption config entry cn=encryption,cn=config and restart the server.
> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: 
> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_rc4_40_md5 is 
> weak. It is enabled since allowWeakCipher is "on" (default setting for 
> the backward compatibility). We strongly recommend to set it to "off". 
> Please replace the value of allowWeakCipher with "off" in the 
> encryption config entry cn=encryption,cn=config and restart the server.
> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: 
> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_rc2_40_md5 is 
> weak. It is enabled since allowWeakCipher is "on" (default setting for 
> the backward compatibility). We strongly recommend to set it to "off". 
> Please replace the value of allowWeakCipher with "off" in the 
> encryption config entry cn=encryption,cn=config and restart the server.
> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: 
> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_des_sha is weak. 
> It is enabled since allowWeakCipher is "on" (default setting for the 
> backward compatibility). We strongly recommend to set it to "off".  
> Please replace the value of allowWeakCipher with "off" in the 
> encryption config entry cn=encryption,cn=config and restart the server.
> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: 
> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_fips_des_sha is 
> weak. It is enabled since allowWeakCipher is "on" (default setting for 
> the backward compatibility). We strongly recommend to set it to "off". 
> Please replace the value of allowWeakCipher with "off" in the 
> encryption config entry cn=encryption,cn=config and restart the server.
> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: 
> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_3des_sha is weak. 
> It is enabled since allowWeakCipher is "on" (default setting for the 
> backward compatibility). We strongly recommend to set it to "off".  
> Please replace the value of allowWeakCipher with "off" in the 
> encryption config entry cn=encryption,cn=config and restart the server.
> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: 
> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_fips_3des_sha is 
> weak. It is enabled since allowWeakCipher is "on" (default setting for 
> the backward compatibility). We strongly recommend to set it to "off". 
> Please replace the value of allowWeakCipher with "off" in the 
> encryption config entry cn=encryption,cn=config and restart the server.
> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: 
> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite fortezza is not 
> available in NSS 3.17.  Ignoring fortezza
> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: 
> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite 
> fortezza_rc4_128_sha is not available in NSS 3.17. Ignoring 
> fortezza_rc4_128_sha
> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: 
> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite fortezza_null 
> is not available in NSS 3.17.  Ignoring fortezza_null
> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: 
> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher 
> tls_rsa_export1024_with_rc4_56_sha is weak.  It is enabled since 
> allowWeakCipher is "on" (default setting for the backward 
> compatibility). We strongly recommend to set it to "off".  Please 
> replace the value of allowWeakCipher with "off" in the encryption 
> config entry cn=encryption,cn=config and restart the server.
> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: 
> [06/Nov/2014:21:34:59 +0100] - SSL alert: Cipher 
> tls_rsa_export1024_with_des_cbc_sha is weak.  It is enabled since 
> allowWeakCipher is "on" (default setting for the backward 
> compatibility). We strongly recommend to set it to "off".  Please 
> replace the value of allowWeakCipher with "off" in the encryption 
> config entry cn=encryption,cn=config and restart the server.
> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: 
> [06/Nov/2014:21:34:59 +0100] - SSL alert: Configured NSS Ciphers
> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: 
> [06/Nov/2014:21:34:59 +0100] - SSL alert: 
> SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA: enabled, (WEAK CIPHER)
> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: 
> [06/Nov/2014:21:34:59 +0100] - SSL alert: 
> TLS_RSA_WITH_3DES_EDE_CBC_SHA: enabled, (WEAK CIPHER)
> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: 
> [06/Nov/2014:21:34:59 +0100] - SSL alert: TLS_RSA_WITH_RC4_128_MD5: 
> enabled, (WEAK CIPHER)
> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: 
> [06/Nov/2014:21:34:59 +0100] - SSL alert: 
> SSL_RSA_FIPS_WITH_DES_CBC_SHA: enabled, (WEAK CIPHER)
> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: 
> [06/Nov/2014:21:34:59 +0100] - SSL alert: TLS_RSA_WITH_DES_CBC_SHA: 
> enabled, (WEAK CIPHER)
> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: 
> [06/Nov/2014:21:34:59 +0100] - SSL alert: 
> TLS_RSA_EXPORT1024_WITH_RC4_56_SHA: enabled, (WEAK CIPHER)
> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: 
> [06/Nov/2014:21:34:59 +0100] - SSL alert: 
> TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA: enabled, (WEAK CIPHER)
> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: 
> [06/Nov/2014:21:34:59 +0100] - SSL alert: 
> TLS_RSA_EXPORT_WITH_RC4_40_MD5: enabled, (WEAK CIPHER)
> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: 
> [06/Nov/2014:21:34:59 +0100] - SSL alert: 
> TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: enabled, (WEAK CIPHER)
> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: 
> [06/Nov/2014:21:34:59 +0100] SSL Initialization - SSL version range: 
> min: TLS1.0, max: TLS1.2
> Nov 06 21:35:01 freeipa.tjako.thuis systemd[1]: 
> dirsrv at TJAKO-THUIS.service: main process exited, code=exited, 
> status=1/FAILURE
> Nov 06 21:35:01 freeipa.tjako.thuis systemd[1]: Unit 
> dirsrv at TJAKO-THUIS.service entered failed state.
>
>
>


-- 
Martin Basti

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20141107/20fa4768/attachment.htm>

More information about the Freeipa-users mailing list