[Freeipa-users] Centos 7 IPA server, Centos 6 Clients

Rob Crittenden rcritten at redhat.com
Tue Apr 5 22:36:19 UTC 2016


Jeremy Utley wrote:
> Hello all!
>
> Is there any known issues with registering a CentOS 6 client with a
> CentOS 7 FreeIPA server?  I just tried to register my first C6 client
> (fully updated) with our new FreeIPA infrastructure installed on C7, and
> I'm getting an NSS error:
>
> args=/usr/sbin/ipa-join -s ds02.domain.com -b dc=ipa,dc=domain,dc=com -d
> stdout=
> stderr=XML-RPC CALL:
>
> <?xml version="1.0" encoding="UTF-8"?>\r\n
> <methodCall>\r\n
> <methodName>join</methodName>\r\n
> <params>\r\n
> <param><value><array><data>\r\n
> <value><string>hostname.domain.com</string></value>\r\n
> </data></array></value></param>\r\n
> <param><value><struct>\r\n
> <member><name>nsosversion</name>\r\n
> <value><string>2.6.32-573.18.1.el6.x86_64</string></value></member>\r\n
> <member><name>nshardwareplatform</name>\r\n
> <value><string>x86_64</string></value></member>\r\n
> </struct></value></param>\r\n
> </params>\r\n
> </methodCall>\r\n
>
> * About to connect() to ds02.domain.com port 443 (#0)
> *   Trying 192.168.150.2... * Connected to ds02.domain.com (192.168.150.2) port 443 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> *   CAfile: /etc/ipa/ca.crt
>    CApath: none
> * NSS error -12190
> * Closing connection #0
> libcurl failed to execute the HTTP POST transaction.  SSL connect error
>
> Looking up that NSS error, it seems to indicate a SSL protocol error.
> Looking at my FreeIPA webserver configuration, I'm allowing TLSv1.0,
> TLSv1.1, TLSv1.2:

Right, it is SSL_ERROR_PROTOCOL_VERSION_ALERT. Can you show the 
NSSProtocols from /etc/httpd/conf.d/nss.conf on the server?

> The oddest part is that, from the client, I can use wget to connect to
> the IPA server, but can not use curl:
>
> [root@hostname ~]# wget --no-check-certificate https://ds02.domain.com
> --2016-04-05 17:42:50-- https://ds02.domain.com/
> Resolving ds02.domain.com... 192.168.150.2
> Connecting to ds02.domain.com|192.168.150.2|:443... connected.
> WARNING: cannot verify ds02.domain.com’s certificate, issued by
> “/O=IPA.DOMAIN.COM/CN=Certificate Authority”:
>    Self-signed certificate encountered.
> HTTP request sent, awaiting response... 301 Moved Permanently
> Location: https://ds02.domain.com/ipa/ui [following]
>
>
> [root@hostname ~]# curl -v -k https://ds02.domain.com/
> * About to connect() to ds02.domain.com port 443 (#0)
> *   Trying 192.168.150.2... connected
> * Connected to ds02.domain.com (192.168.150.2) port 443 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> * warning: ignoring value of ssl.verifyhost
> * NSS error -12190
> * Closing connection #0
> * SSL connect error
> curl: (35) SSL connect error

They are linked against different crypto providers (OpenSSL and NSS)

> However, the same curl command, run from another C7 host, works just
> fine.  Something incompatible in the NSS libraries maybe?

It might be helpful to look at the output of:

$ openssl s_client -host ds02.domain.com -port 443

To test all the protocols you can do a test with each: -tls1, -tls1_1 
and -tls1_2

rob
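A small diagnostic script for the check Rob suggests: probe each TLS version with openssl s_client and classify the result. This is an added example, not code from the thread or from FreeIPA; the host, port, function names and sample transcripts are constructed, and the protocol flags assume an OpenSSL 1.0.x s_client as shipped on CentOS 6/7.

```shell
#!/bin/sh
# Added example (not from the thread): probe which TLS versions a server
# accepts, as Rob suggests, and classify each openssl s_client result.
# Assumes an OpenSSL 1.0.x s_client (CentOS 6/7) with -tls1/-tls1_1/-tls1_2.
# Function names and sample transcripts below are constructed for illustration.

# Return 0 when the s_client transcript in $1 shows a negotiated cipher,
# 1 when the handshake failed (e.g. "alert protocol version", the OpenSSL
# view of what NSS reports as -12190 / SSL_ERROR_PROTOCOL_VERSION_ALERT).
classify_sclient_output() {
    case "$1" in
        *"Cipher is (NONE)"*) return 1 ;;
        *"Cipher is "*)       return 0 ;;
    esac
    return 1
}

# Try each protocol flag against host:port and print accepted/rejected.
# The "|| true" keeps a failed handshake from aborting under "set -e".
probe_tls_versions() {
    host="$1"
    port="${2:-443}"
    for flag in -tls1 -tls1_1 -tls1_2; do
        out=$(echo | openssl s_client -connect "$host:$port" "$flag" 2>&1 || true)
        if classify_sclient_output "$out"; then
            echo "$flag: accepted"
        else
            echo "$flag: rejected"
        fi
    done
}

# Constructed transcripts (trimmed) in the two shapes s_client produces.
SAMPLE_OK='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256'
SAMPLE_FAIL='SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version:s3_pkt.c:1257:SSL alert number 70
New, (NONE), Cipher is (NONE)'

# Offline self-check: return 0 if both constructed samples classify as expected.
self_check() {
    classify_sclient_output "$SAMPLE_OK" || return 1
    if classify_sclient_output "$SAMPLE_FAIL"; then return 1; fi
    return 0
}

# Usage: sh probe_tls.sh ds02.domain.com [443]; with no host, nothing is probed.
if [ -n "${1:-}" ]; then probe_tls_versions "$1" "${2:-443}"; fi
```

A version the CentOS 7 server rejects but the CentOS 6 client's NSS/curl insists on (or vice versa) shows up as "rejected" for that flag, which is the mismatch the NSSProtocol setting in nss.conf has to cover.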
