Hello all!

Are there any known issues with registering a CentOS 6 client with a CentOS
7 FreeIPA server?  I just tried to register my first C6 client (fully
updated) with our new FreeIPA infrastructure installed on C7, and I'm
getting an NSS error:

args=/usr/sbin/ipa-join -s ds02.domain.com -b dc=ipa,dc=domain,dc=com -d
stdout=
stderr=XML-RPC CALL:

<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>hostname.domain.com</string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-573.18.1.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n

* About to connect() to ds02.domain.com port 443 (#0)
*   Trying 192.168.150.2... * Connected to ds02.domain.com (192.168.150.2)
port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/ipa/ca.crt
  CApath: none
* NSS error -12190
* Closing connection #0
libcurl failed to execute the HTTP POST transaction.  SSL connect error

Looking up that NSS error, it seems to indicate an SSL protocol error.
Looking at my FreeIPA webserver configuration, I'm allowing TLSv1.0,
TLSv1.1, TLSv1.2:

The oddest part is that, from the client, I can use wget to connect to the
IPA server, but cannot use curl:

[root@hostname ~]# wget --no-check-certificate https://ds02.domain.com
--2016-04-05 17:42:50--  https://ds02.domain.com/
Resolving ds02.domain.com... 192.168.150.2
Connecting to ds02.domain.com|192.168.150.2|:443... connected.
WARNING: cannot verify ds02.domain.com’s certificate, issued by “/O=
IPA.DOMAIN.COM/CN=Certificate Authority”:
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://ds02.domain.com/ipa/ui [following]


[root@hostname ~]# curl -v -k https://ds02.domain.com/
* About to connect() to ds02.domain.com port 443 (#0)
*   Trying 192.168.150.2... connected
* Connected to ds02.domain.com (192.168.150.2) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* NSS error -12190
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error

However, the same curl command, run from another C7 host, works just fine.
Something incompatible in the NSS libraries maybe?

Thanks for any help you can provide!

Jeremy
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
