[Freeipa-users] DNS stops working after upgrade (was DS failed after upgrade)

Martin Basti mbasti at redhat.com
Fri Nov 7 12:56:25 UTC 2014


On 07/11/14 13:52, Rob Verduijn wrote:
> Hi all,
>
> Either I was too worn out last night, or another update has happened.
> This morning the directory server did start after the update.
> Local DNS zones, however, were not available again after the update.
> ipa-ldap-updater did not help to fix it.
>
> There are again only 7 DNS aci objects still in the ds (same as
> before when it failed).
> I also noticed that there are also quite a lot of lower case dns aci objects.
>
> Rob
>
>
Hi,

Do you have any errors in /var/log/ipaupgrade.log?
>
>
> 2014-11-07 10:25 GMT+01:00 Martin Basti <mbasti at redhat.com>:
>
>     Changed subject.
>     Rob CCed
>
>     On 07/11/14 09:52, Martin Basti wrote:
>>     Forward message back to list
>>
>>
>>     -------- Original Message --------
>>     Subject: Re: [Freeipa-users] dns stops working after upgrade
>>     Date: Thu, 6 Nov 2014 21:42:55 +0100
>>     From: Rob Verduijn <rob.verduijn at gmail.com>
>>     To: Martin Basti <mbasti at redhat.com>
>>
>>
>>
>>     Hi again,
>>
>>     I tried the update to 4.1.1
>>     It didn't go well, actually it went worse than to 4.1.
>>     Now the directory service went down and was no longer able to start.
>>
>>     Some part of the logs is below.
>>     Besides the warnings about a weak cipher there was not much in
>>     the journalctl.
>>
>>     It's getting late over here, I'll dig into the logs tomorrow.
>>
>>     Rob
>>
>>     Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Starting 389
>>     Directory Server TJAKO-THUIS....
>>     Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Started 389
>>     Directory Server TJAKO-THUIS..
>>     Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>     [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_rc4_128_md5
>>     is weak. It is enabled since allowWeakCipher is "on" (default
>>     setting for the backward compatibility). We strongly recommend to
>>     set it to "off".  Please replace the value of allowWeakCipher
>>     with "off" in the encryption config entry cn=encryption,cn=config
>>     and restart the server.
>>     Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>     [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_rc4_40_md5
>>     is weak. It is enabled since allowWeakCipher is "on" (default
>>     setting for the backward compatibility). We strongly recommend to
>>     set it to "off".  Please replace the value of allowWeakCipher
>>     with "off" in the encryption config entry cn=encryption,cn=config
>>     and restart the server.
>>     Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>     [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_rc2_40_md5
>>     is weak. It is enabled since allowWeakCipher is "on" (default
>>     setting for the backward compatibility). We strongly recommend to
>>     set it to "off".  Please replace the value of allowWeakCipher
>>     with "off" in the encryption config entry cn=encryption,cn=config
>>     and restart the server.
>>     Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>     [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_des_sha is
>>     weak. It is enabled since allowWeakCipher is "on" (default
>>     setting for the backward compatibility). We strongly recommend to
>>     set it to "off".  Please replace the value of allowWeakCipher
>>     with "off" in the encryption config entry cn=encryption,cn=config
>>     and restart the server.
>>     Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>     [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_fips_des_sha
>>     is weak. It is enabled since allowWeakCipher is "on" (default
>>     setting for the backward compatibility). We strongly recommend to
>>     set it to "off".  Please replace the value of allowWeakCipher
>>     with "off" in the encryption config entry cn=encryption,cn=config
>>     and restart the server.
>>     Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>     [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_3des_sha is
>>     weak. It is enabled since allowWeakCipher is "on" (default
>>     setting for the backward compatibility). We strongly recommend to
>>     set it to "off".  Please replace the value of allowWeakCipher
>>     with "off" in the encryption config entry cn=encryption,cn=config
>>     and restart the server.
>>     Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>     [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
>>     rsa_fips_3des_sha is weak. It is enabled since allowWeakCipher is
>>     "on" (default setting for the backward compatibility). We
>>     strongly recommend to set it to "off".  Please replace the value
>>     of allowWeakCipher with "off" in the encryption config entry
>>     cn=encryption,cn=config and restart the server.
>>     Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>     [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite fortezza
>>     is not available in NSS 3.17.  Ignoring fortezza
>>     Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>     [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite
>>     fortezza_rc4_128_sha is not available in NSS 3.17.  Ignoring
>>     fortezza_rc4_128_sha
>>     Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>     [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite
>>     fortezza_null is not available in NSS 3.17.  Ignoring fortezza_null
>>     Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>>     [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
>>     tls_rsa_export1024_with_rc4_56_sha is weak.  It is enabled since
>>     allowWeakCipher is "on" (default setting for the backward
>>     compatibility). We strongly recommend to set it to "off".  Please
>>     replace the value of allowWeakCipher with "off" in the encryption
>>     config entry cn=encryption,cn=config and restart the server.
>>     Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>     [06/Nov/2014:21:34:59 +0100] - SSL alert: Cipher
>>     tls_rsa_export1024_with_des_cbc_sha is weak.  It is enabled since
>>     allowWeakCipher is "on" (default setting for the backward
>>     compatibility). We strongly recommend to set it to "off".  Please
>>     replace the value of allowWeakCipher with "off" in the encryption
>>     config entry cn=encryption,cn=config and restart the server.
>>     Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>     [06/Nov/2014:21:34:59 +0100] - SSL alert: Configured NSS Ciphers
>>     Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>     [06/Nov/2014:21:34:59 +0100] - SSL alert:
>>     SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA: enabled, (WEAK CIPHER)
>>     Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>     [06/Nov/2014:21:34:59 +0100] - SSL alert:
>>     TLS_RSA_WITH_3DES_EDE_CBC_SHA: enabled, (WEAK CIPHER)
>>     Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>     [06/Nov/2014:21:34:59 +0100] - SSL alert:        
>>     TLS_RSA_WITH_RC4_128_MD5: enabled, (WEAK CIPHER)
>>     Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>     [06/Nov/2014:21:34:59 +0100] - SSL alert:
>>     SSL_RSA_FIPS_WITH_DES_CBC_SHA: enabled, (WEAK CIPHER)
>>     Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>     [06/Nov/2014:21:34:59 +0100] - SSL alert:        
>>     TLS_RSA_WITH_DES_CBC_SHA: enabled, (WEAK CIPHER)
>>     Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>     [06/Nov/2014:21:34:59 +0100] - SSL alert:
>>     TLS_RSA_EXPORT1024_WITH_RC4_56_SHA: enabled, (WEAK CIPHER)
>>     Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>     [06/Nov/2014:21:34:59 +0100] - SSL alert:
>>     TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA: enabled, (WEAK CIPHER)
>>     Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>     [06/Nov/2014:21:34:59 +0100] - SSL alert:
>>     TLS_RSA_EXPORT_WITH_RC4_40_MD5: enabled, (WEAK CIPHER)
>>     Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>     [06/Nov/2014:21:34:59 +0100] - SSL alert:
>>     TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: enabled, (WEAK CIPHER)
>>     Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>>     [06/Nov/2014:21:34:59 +0100] SSL Initialization - SSL version
>>     range: min: TLS1.0, max: TLS1.2
>>     Nov 06 21:35:01 freeipa.tjako.thuis systemd[1]:
>>     dirsrv@TJAKO-THUIS.service: main process exited,
>>     code=exited, status=1/FAILURE
>>     Nov 06 21:35:01 freeipa.tjako.thuis systemd[1]: Unit
>>     dirsrv@TJAKO-THUIS.service entered failed state.
>>
>>
>>
>
>
>     -- 
>     Martin Basti
>
>


-- 
Martin Basti
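
The journal excerpt quoted in this thread mixes TLS hardening warnings (ciphers enabled because allowWeakCipher is "on") with the single record that shows the unit failing. As an added example, not part of the original post and not FreeIPA or 389 DS code, this script rejoins mail-wrapped journal records and sorts them into those groups; the host name, instance name and sample lines are constructed.

```python
import re

# Constructed sample shaped like the quoted journal; host and instance are made up.
SAMPLE = """\
>>     Nov 06 21:34:58 ipa.example.test ns-slapd[2244]:
>>     [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_rc4_128_md5
>>     is weak. It is enabled since allowWeakCipher is "on" (default
>>     setting for the backward compatibility).
>>     Nov 06 21:34:58 ipa.example.test ns-slapd[2244]:
>>     [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite fortezza
>>     is not available in NSS 3.17.  Ignoring fortezza
>>     Nov 06 21:34:59 ipa.example.test ns-slapd[2244]:
>>     [06/Nov/2014:21:34:59 +0100] - SSL alert:
>>     TLS_RSA_WITH_RC4_128_MD5: enabled, (WEAK CIPHER)
>>     Nov 06 21:35:01 ipa.example.test systemd[1]: dirsrv@EXAMPLE-TEST.service:
>>     main process exited, code=exited, status=1/FAILURE
"""

# A journal record starts with "Mon DD HH:MM:SS host proc[pid]:".
RECORD_START = re.compile(r"^[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2} \S+ \S+\[\d+\]:")
WEAK_CONFIG = re.compile(r'Cipher (\S+) is weak\..*allowWeakCipher is "on"')
WEAK_ENABLED = re.compile(r"SSL alert: (\S+): enabled, \(WEAK CIPHER\)")
UNIT_FAILED = re.compile(r"(\S+\.service): main process exited, code=exited, status=(\S+)")

def unwrap(text):
    """Strip mail quote markers and rejoin records split by line wrapping."""
    records = []
    for raw in text.splitlines():
        line = raw.lstrip("> \t").rstrip()
        if not line:
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line  # continuation of the previous record
    return [re.sub(r"\s+", " ", r) for r in records]

def triage(text):
    """Separate TLS hardening findings from the event that stopped the unit."""
    out = {"weak_configured": [], "weak_enabled": [], "failures": []}
    for rec in unwrap(text):
        for key, rx in (("weak_configured", WEAK_CONFIG), ("weak_enabled", WEAK_ENABLED)):
            m = rx.search(rec)
            if m:
                out[key].append(m.group(1))
        m = UNIT_FAILED.search(rec)
        if m:
            out["failures"].append(m.groups())
    return out
```

Any name reported under `weak_configured` is addressed by the change the log message itself recommends: set allowWeakCipher to "off" in cn=encryption,cn=config and restart the server.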
