[Freeipa-users] DNS stops working after upgrade (was DS failed after upgrade)
Martin Basti
mbasti at redhat.com
Fri Nov 7 12:56:25 UTC 2014
On 07/11/14 13:52, Rob Verduijn wrote:
> Hi all,
>
> Either I was to worn out last night, or another update has happened.
> This morning the directory server did start after the update.
> local dns zones however where not available again after the update
> ipa-ldap-updater did not help to fix it.
>
> The are again only 7 DNS aci objects are still in the ds.( same as
> before when it failed )
> I also noticed that there are also quite a lot lower case dns aci objects.
>
> Rob
>
>
Hi,
do you have any errors in /var/log/ipaupgrade.log ?
>
>
> 2014-11-07 10:25 GMT+01:00 Martin Basti <mbasti at redhat.com
> <mailto:mbasti at redhat.com>>:
>
> Changed subject.
> Rob CCed
>
> On 07/11/14 09:52, Martin Basti wrote:
>> Forward message back to list
>>
>>
>> -------- Original Message --------
>> Subject: Re: [Freeipa-users] dns stops working after upgrade
>> Date: Thu, 6 Nov 2014 21:42:55 +0100
>> From: Rob Verduijn <rob.verduijn at gmail.com>
>> <mailto:rob.verduijn at gmail.com>
>> To: Martin Basti <mbasti at redhat.com> <mailto:mbasti at redhat.com>
>>
>>
>>
>> Hi again,
>>
>> I tried the update to 4.1.1
>> It didn't went well, actually it went worse than to 4.1.
>> Now the directory service went down and was no longer able to start.
>>
>> Some part of the logs is below.
>> Besides the warnings about a weak cipher there was not much in
>> the journalctl.
>>
>> It's getting late overhere, I'll dig into the logs tomorrow.
>>
>> Rob
>>
>> Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Starting 389
>> Directory Server TJAKO-THUIS....
>> Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Started 389
>> Directory Server TJAKO-THUIS..
>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_rc4_128_md5
>> is weak. It is enabled since allowWeakCipher is "on" (default
>> setting for the backward compatibility). We strongly recommend to
>> set it to "off". Please replace the value of allowWeakCipher
>> with "off" in the encryption config entry cn=encryption,cn=config
>> and restart the server.
>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_rc4_40_md5
>> is weak. It is enabled since allowWeakCipher is "on" (default
>> setting for the backward compatibility). We strongly recommend to
>> set it to "off". Please replace the value of allowWeakCipher
>> with "off" in the encryption config entry cn=encryption,cn=config
>> and restart the server.
>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_rc2_40_md5
>> is weak. It is enabled since allowWeakCipher is "on" (default
>> setting for the backward compatibility). We strongly recommend to
>> set it to "off". Please replace the value of allowWeakCipher
>> with "off" in the encryption config entry cn=encryption,cn=config
>> and restart the server.
>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_des_sha is
>> weak. It is enabled since allowWeakCipher is "on" (default
>> setting for the backward compatibility). We strongly recommend to
>> set it to "off". Please replace the value of allowWeakCipher
>> with "off" in the encryption config entry cn=encryption,cn=config
>> and restart the server.
>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_fips_des_sha
>> is weak. It is enabled since allowWeakCipher is "on" (default
>> setting for the backward compatibility). We strongly recommend to
>> set it to "off". Please replace the value of allowWeakCipher
>> with "off" in the encryption config entry cn=encryption,cn=config
>> and restart the server.
>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_3des_sha is
>> weak. It is enabled since allowWeakCipher is "on" (default
>> setting for the backward compatibility). We strongly recommend to
>> set it to "off". Please replace the value of allowWeakCipher
>> with "off" in the encryption config entry cn=encryption,cn=config
>> and restart the server.
>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
>> rsa_fips_3des_sha is weak. It is enabled since allowWeakCipher is
>> "on" (default setting for the backward compatibility). We
>> strongly recommend to set it to "off". Please replace the value
>> of allowWeakCipher with "off" in the encryption config entry
>> cn=encryption,cn=config and restart the server.
>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite fortezza
>> is not available in NSS 3.17. Ignoring fortezza
>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite
>> fortezza_rc4_128_sha is not available in NSS 3.17. Ignoring
>> fortezza_rc4_128_sha
>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite
>> fortezza_null is not available in NSS 3.17. Ignoring fortezza_null
>> Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]:
>> [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher
>> tls_rsa_export1024_with_rc4_56_sha is weak. It is enabled since
>> allowWeakCipher is "on" (default setting for the backward
>> compatibility). We strongly recommend to set it to "off". Please
>> replace the value of allowWeakCipher with "off" in the encryption
>> config entry cn=encryption,cn=config and restart the server.
>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>> [06/Nov/2014:21:34:59 +0100] - SSL alert: Cipher
>> tls_rsa_export1024_with_des_cbc_sha is weak. It is enabled since
>> allowWeakCipher is "on" (default setting for the backward
>> compatibility). We strongly recommend to set it to "off". Please
>> replace the value of allowWeakCipher with "off" in the encryption
>> config entry cn=encryption,cn=config and restart the server.
>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>> [06/Nov/2014:21:34:59 +0100] - SSL alert: Configured NSS Ciphers
>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>> [06/Nov/2014:21:34:59 +0100] - SSL alert:
>> SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA: enabled, (WEAK CIPHER)
>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>> [06/Nov/2014:21:34:59 +0100] - SSL alert:
>> TLS_RSA_WITH_3DES_EDE_CBC_SHA: enabled, (WEAK CIPHER)
>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>> [06/Nov/2014:21:34:59 +0100] - SSL alert:
>> TLS_RSA_WITH_RC4_128_MD5: enabled, (WEAK CIPHER)
>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>> [06/Nov/2014:21:34:59 +0100] - SSL alert:
>> SSL_RSA_FIPS_WITH_DES_CBC_SHA: enabled, (WEAK CIPHER)
>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>> [06/Nov/2014:21:34:59 +0100] - SSL alert:
>> TLS_RSA_WITH_DES_CBC_SHA: enabled, (WEAK CIPHER)
>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>> [06/Nov/2014:21:34:59 +0100] - SSL alert:
>> TLS_RSA_EXPORT1024_WITH_RC4_56_SHA: enabled, (WEAK CIPHER)
>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>> [06/Nov/2014:21:34:59 +0100] - SSL alert:
>> TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA: enabled, (WEAK CIPHER)
>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>> [06/Nov/2014:21:34:59 +0100] - SSL alert:
>> TLS_RSA_EXPORT_WITH_RC4_40_MD5: enabled, (WEAK CIPHER)
>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>> [06/Nov/2014:21:34:59 +0100] - SSL alert:
>> TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: enabled, (WEAK CIPHER)
>> Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]:
>> [06/Nov/2014:21:34:59 +0100] SSL Initialization - SSL version
>> range: min: TLS1.0, max: TLS1.2
>> Nov 06 21:35:01 freeipa.tjako.thuis systemd[1]:
>> dirsrv at TJAKO-THUIS.service <mailto:dirsrv at TJAKO-THUIS.service>:
>> main process exited, code=exited, status=1/FAILURE
>> Nov 06 21:35:01 freeipa.tjako.thuis systemd[1]: Unit
>> dirsrv at TJAKO-THUIS.service <mailto:dirsrv at TJAKO-THUIS.service>
>> entered failed state.
>>
>>
>>
>
>
> --
> Martin Basti
>
>
--
Martin Basti
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20141107/285d87b4/attachment.htm>
More information about the Freeipa-users
mailing list