On Thu, Jun 17, 2021, at 7:15 AM, Bret Wortman via FreeIPA-users wrote:
> On Tue, Jun 15, 2021, at 5:47 AM, Bret Wortman via FreeIPA-users wrote:
> > On Mon, Jun 14, 2021, at 3:47 PM, Rob Crittenden wrote:
> > > Bret Wortman via FreeIPA-users wrote:
> > > > This appears to be the error, or at least it's the only "fatal" I could
> > > > find in the stream and it's near enough to the end of traffic that it
> > > > seems likely. I'm no expert on Wireshark so I'm hoping someone is
> > > > willing to take a peek and let me know if there's something obvious
> > > > here.
> > > >
> > > > https://gist.github.com/wortmanb/d3b1cb38e894d1fb0578ab05e459b178
> > > >
> > > >
> > >
> > > Are you sure you aren't seeing a connect error on the F21 Apache server?
> > > This looks to me like an untrusted CA or something like it.
> >
> > Not that I'm aware of. We haven't touched those servers in ages (hence
> > the F21). Where would we be most likely to see the connect error on the
> > server? I may have missed a log file.
>
> Bingo!
>
> 192.168.2.215 - - [17/Jun/2021:07:11:28 -0400] "GET /ca/rest/securityDomain/domainInfo HTTP/1.1" 200 190
> 192.168.2.215 - - [17/Jun/2021:07:11:28 -0400] "GET /ca/rest/account/login HTTP/1.1" 200 188
> 192.168.2.215 - - [17/Jun/2021:07:11:30 -0400] "GET /ca/rest/account/logout HTTP/1.1" 204 -
> [Thu Jun 17 07:11:41.806659 2021] [:error] [pid 921] SSL Library Error: -12286 No common encryption algorithm(s) with client
>
> I don't think we adjusted the SSL configs on either end...

So I took the cypher list from the new box and copied it to the other and added it to httpd/conf.d/nss.conf and then the two ends could talk again. We got as far as this now:

Done configuring certificate server (pki-tomcatd).
Applying LDAP updates
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/10]: stopping directory server
  [2/10]: saving configuration
  [3/10]: disabling listeners
  [4/10]: enabling DS global lock
  [5/10]: disabling Schema Compat
  [6/10]: starting directory server
  [7/10]: upgrading server
  [8/10]: stopping directory server
  [9/10]: restoring configuration
  [10/10]: starting directory server
Done.
Finalize replication settings
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipapython.admintool: ERROR Server is unwilling to perform: modification of attribute nsds5ReplicaReleaseTimeout is not allowed in replica entry
ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

Is there a simple workaround for this?

> > > Have you replaced any of your IPA certs on the F21 server? Signed the
> > > IPA CA with an external?
> >
> > I'll double-check today but not that I'm aware of.
> >
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > To unsubscribe send an email to
> > freeipa-users-le...@lists.fedorahosted.org
> > Fedora Code of Conduct:
> > https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> > Do not reply to spam on the list, report it:
> > https://pagure.io/fedora-infrastructure
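
The cipher mismatch described in the message above, as an added example that is not part of the original thread or of FreeIPA: it parses the `NSSCipherSuite` directive from two `nss.conf` texts and reports the overlap, so a copied list can be reviewed before it is left in place. It assumes both ends express their lists in mod_nss syntax; the sample directives are constructed and `WEAK_MARKERS` is an assumed local policy.

```python
import re

# Constructed NSSCipherSuite lines in mod_nss syntax (+name enables, -name
# disables). These are sample values, not the configs from the thread.
OLD_SERVER = "NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,-rsa_des_sha\n"
NEW_PEER = ("# NSSCipherSuite +rsa_rc4_128_sha\n"
            "NSSCipherSuite +rsa_aes_128_sha,+rsa_aes_256_sha,-rsa_rc4_128_sha,-rsa_3des_sha\n")

DIRECTIVE = re.compile(r"^[ \t]*NSSCipherSuite[ \t]+(\S.*)$", re.I | re.M)
WEAK_MARKERS = ("rc4", "des", "null", "md5", "export")  # assumption: local policy


def enabled_ciphers(conf_text):
    """Return the ciphers enabled by the last uncommented NSSCipherSuite line.

    Simplification: per-VirtualHost scoping is ignored.
    """
    lines = DIRECTIVE.findall(conf_text)
    if not lines:
        raise ValueError("no NSSCipherSuite directive found")
    enabled = set()
    for token in lines[-1].split(","):
        token = token.strip().lower()
        if token.startswith("+"):
            enabled.add(token[1:])
        elif token.startswith("-"):
            enabled.discard(token[1:])
        elif token:
            raise ValueError(f"token without +/- prefix: {token!r}")
    return enabled


def compare(server_conf, peer_conf):
    """Report which ciphers both ends enable and which only one end enables."""
    server, peer = enabled_ciphers(server_conf), enabled_ciphers(peer_conf)
    common = server & peer
    return {
        "common": sorted(common),
        "server_only": sorted(server - peer),
        "peer_only": sorted(peer - server),
        # Shared ciphers that match a weak marker deserve review before
        # the aligned list is left in place.
        "weak_common": sorted(c for c in common if any(m in c for m in WEAK_MARKERS)),
    }


if __name__ == "__main__":
    # No overlap: the condition NSS reports as error -12286.
    print(compare(OLD_SERVER, NEW_PEER))
```

An empty `common` list reproduces the "No common encryption algorithm(s)" condition; a non-empty `weak_common` after aligning the two lists means the handshake now succeeds only on ciphers the policy considers weak.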