[Freeipa-users] Centos 7 IPA server, Centos 6 Clients

Martin Kosek mkosek at redhat.com
Wed Apr 6 10:18:40 UTC 2016


On 04/06/2016 12:23 AM, Jeremy Utley wrote:
> Hello all!
> 
> Are there any known issues with registering a CentOS 6 client with a CentOS 7 
> FreeIPA server?  I just tried to register my first C6 client (fully updated) 
> with our new FreeIPA infrastructure installed on C7, and I'm getting an NSS error:
> 
> args=/usr/sbin/ipa-join -s ds02.domain.com -b dc=ipa,dc=domain,dc=com -d
> stdout=
> stderr=XML-RPC CALL:
> 
> <?xml version="1.0" encoding="UTF-8"?>\r\n
> <methodCall>\r\n
> <methodName>join</methodName>\r\n
> <params>\r\n
> <param><value><array><data>\r\n
> <value><string>hostname.domain.com</string></value>\r\n
> </data></array></value></param>\r\n
> <param><value><struct>\r\n
> <member><name>nsosversion</name>\r\n
> <value><string>2.6.32-573.18.1.el6.x86_64</string></value></member>\r\n
> <member><name>nshardwareplatform</name>\r\n
> <value><string>x86_64</string></value></member>\r\n
> </struct></value></param>\r\n
> </params>\r\n
> </methodCall>\r\n
> 
> * About to connect() to ds02.domain.com port 443 (#0)
> *   Trying 192.168.150.2... * Connected to ds02.domain.com (192.168.150.2) port 443 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> *   CAfile: /etc/ipa/ca.crt
>    CApath: none
> * NSS error -12190
> * Closing connection #0
> libcurl failed to execute the HTTP POST transaction.  SSL connect error
> 
> Looking up that NSS error, it seems to indicate an SSL protocol error.  Looking 
> at my FreeIPA webserver configuration, I'm allowing TLSv1.0, TLSv1.1, TLSv1.2:
> 
> The oddest part is that, from the client, I can use wget to connect to the IPA 
> server, but cannot use curl:
> 
> [root@hostname ~]# wget --no-check-certificate https://ds02.domain.com
> --2016-04-05 17:42:50-- https://ds02.domain.com/
> Resolving ds02.domain.com... 192.168.150.2
> Connecting to ds02.domain.com|192.168.150.2|:443... connected.
> WARNING: cannot verify ds02.domain.com’s certificate, issued by “/O=IPA.DOMAIN.COM/CN=Certificate Authority”:
>    Self-signed certificate encountered.
> HTTP request sent, awaiting response... 301 Moved Permanently
> Location: https://ds02.domain.com/ipa/ui [following]
> 
> 
> [root@hostname ~]# curl -v -k https://ds02.domain.com/
> * About to connect() to ds02.domain.com port 443 (#0)
> *   Trying 192.168.150.2... connected
> * Connected to ds02.domain.com (192.168.150.2) port 443 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> * warning: ignoring value of ssl.verifyhost
> * NSS error -12190
> * Closing connection #0
> * SSL connect error
> curl: (35) SSL connect error
> 
> However, the same curl command, run from another C7 host, works just fine.  
> Something incompatible in the NSS libraries maybe?
> 
> Thanks for any help you can provide!
> 
> Jeremy

Any chance it is related to this thread:
https://www.redhat.com/archives/freeipa-users/2016-March/msg00305.html
and is resolved just with an nss update on the client side?



