<div dir="ltr"><div><div>Was able to trace down the problem. Since this system is within a PCI zone, I need high security, and followed instructions at <a href="https://access.redhat.com/articles/1467293">https://access.redhat.com/articles/1467293</a>, and disabled TLSv1.0. Evidently, the NSS libraries on C6 do not support TLS versions higher than 1.0, because once I put TLSv1.0 back into the config, it worked again. </div>Thanks for the help! </div>Jeremy </div><div class="gmail_extra"> <div class="gmail_quote">On Tue, Apr 5, 2016 at 5:36 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>> wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Jeremy Utley wrote: <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> Hello all! Is there any known issues with registering a CentOS 6 client with a CentOS 7 FreeIPA server? I just tried to register my first C6 client (fully updated) with our new FreeIPA infrastructure installed on C7, and I'm getting an NSS error: args=/usr/sbin/ipa-join -s <a href="http://ds02.domain.com" rel="noreferrer" target="_blank">ds02.domain.com</a> <<a href="http://ds02.domain.com" rel="noreferrer" target="_blank">http://ds02.domain.com</a>> -b dc=ipa,dc=domain,dc=com -d stdout= stderr=XML-RPC CALL: <?xml version="1.0" encoding="UTF-8"?>\r\n <methodCall>\r\n <methodName>join</methodName>\r\n <params>\r\n <param><value><array><data>\r\n <value><string><a href="http://hostname.domain.com" rel="noreferrer" target="_blank">hostname.domain.com</a> <<a href="http://hostname.domain.com" rel="noreferrer" target="_blank">http://hostname.domain.com</a>></string></value>\r\n </data></array></value></param>\r\n <param><value><struct>\r\n <member><name>nsosversion</name>\r\n <value><string>2.6.32-573.18.1.el6.x86_64</string></value></member>\r\n <member><name>nshardwareplatform</name>\r\n <value><string>x86_64</string></value></member>\r\n </struct></value></param>\r\n </params>\r\n </methodCall>\r\n * About to connect() to <a href="http://ds02.domain.com" rel="noreferrer" target="_blank">ds02.domain.com</a> <<a href="http://ds02.domain.com" rel="noreferrer" target="_blank">http://ds02.domain.com</a>> port 443 (#0) * Trying 192.168.150.2... * Connected to <a href="http://ds02.domain.com" rel="noreferrer" target="_blank">ds02.domain.com</a> <<a href="http://ds02.domain.com" rel="noreferrer" target="_blank">http://ds02.domain.com</a>> (192.168.150.2) port 443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * CAfile: /etc/ipa/ca.crt CApath: none * NSS error -12190 * Closing connection #0 libcurl failed to execute the HTTP POST transaction. SSL connect error Looking up that NSS error, it seems to indicate a SSL protocol error. Looking at my FreeIPA webserver configuration, I'm allowing TLSv1.0, TLSv1.1, TLSv1.2: </blockquote> Right, it is SSL_ERROR_PROTOCOL_VERSION_ALERT. Can you show the NSSProtocols from /etc/httpd/conf.d/nss.conf on the server? <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> The oddest part is that, from the client, I can use wget to connect to the IPA server, but can not use curl: [root@hostname ~]# wget --no-check-certificate <a href="https://ds02.domain.com" rel="noreferrer" target="_blank">https://ds02.domain.com</a> --2016-04-05 17:42:50-- <a href="https://ds02.domain.com/" rel="noreferrer" target="_blank">https://ds02.domain.com/</a> Resolving ds02.domain.com... 192.168.150.2 Connecting to <a href="http://ds02.domain.com" rel="noreferrer" target="_blank">ds02.domain.com</a> <<a href="http://ds02.domain.com" rel="noreferrer" target="_blank">http://ds02.domain.com</a>>|192.168.150.2|:443... connected. WARNING: cannot verify <a href="http://ds02.domain.com" rel="noreferrer" target="_blank">ds02.domain.com</a> <<a href="http://ds02.domain.com" rel="noreferrer" target="_blank">http://ds02.domain.com</a>>’s certificate, issued by “/O=<a href="http://IPA.DOMAIN.COM/CN=Certificate" rel="noreferrer" target="_blank">IPA.DOMAIN.COM/CN=Certificate</a> <<a href="http://IPA.DOMAIN.COM/CN=Certificate" rel="noreferrer" target="_blank">http://IPA.DOMAIN.COM/CN=Certificate</a>> Authority”: Self-signed certificate encountered. HTTP request sent, awaiting response... 301 Moved Permanently Location: <a href="https://ds02.domain.com/ipa/ui" rel="noreferrer" target="_blank">https://ds02.domain.com/ipa/ui</a> [following] [root@hostname ~]# curl -v -k <a href="https://ds02.domain.com/" rel="noreferrer" target="_blank">https://ds02.domain.com/</a> * About to connect() to <a href="http://ds02.domain.com" rel="noreferrer" target="_blank">ds02.domain.com</a> <<a href="http://ds02.domain.com" rel="noreferrer" target="_blank">http://ds02.domain.com</a>> port 443 (#0) * Trying 192.168.150.2... connected * Connected to <a href="http://ds02.domain.com" rel="noreferrer" target="_blank">ds02.domain.com</a> <<a href="http://ds02.domain.com" rel="noreferrer" target="_blank">http://ds02.domain.com</a>> (192.168.150.2) port 443 (#0) * Initializing NSS with certpath: sql:/etc/pki/nssdb * warning: ignoring value of ssl.verifyhost * NSS error -12190 * Closing connection #0 * SSL connect error curl: (35) SSL connect error </blockquote> They are linked against different crypto providers (OpenSSL and NSS) <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> However, the same curl command, run from another C7 host, works just fine. Something incompatible in the NSS libraries maybe? </blockquote> It might be helpful to look at the output of: $ openssl s_client -host <a href="http://ds02.domain.com" rel="noreferrer" target="_blank">ds02.domain.com</a> -port 443 To test all the protocols you can do a test with each: -tls1, -tls1_1 and -tls1_2 rob </blockquote></div> </div>