Jeremy Utley wrote:
Hello all!

Is there any known issues with registering a CentOS 6 client with a
CentOS 7 FreeIPA server?  I just tried to register my first C6 client
(fully updated) with our new FreeIPA infrastructure installed on C7, and
I'm getting an NSS error:

args=/usr/sbin/ipa-join -s ds02.domain.com <http://ds02.domain.com> -b
dc=ipa,dc=domain,dc=com -d
stdout=
stderr=XML-RPC CALL:

<?xml version="1.0" encoding="UTF-8"?>\r\n
<methodCall>\r\n
<methodName>join</methodName>\r\n
<params>\r\n
<param><value><array><data>\r\n
<value><string>hostname.domain.com
<http://hostname.domain.com></string></value>\r\n
</data></array></value></param>\r\n
<param><value><struct>\r\n
<member><name>nsosversion</name>\r\n
<value><string>2.6.32-573.18.1.el6.x86_64</string></value></member>\r\n
<member><name>nshardwareplatform</name>\r\n
<value><string>x86_64</string></value></member>\r\n
</struct></value></param>\r\n
</params>\r\n
</methodCall>\r\n

* About to connect() to ds02.domain.com <http://ds02.domain.com> port
443 (#0)
*   Trying 192.168.150.2... * Connected to ds02.domain.com
<http://ds02.domain.com> (192.168.150.2) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/ipa/ca.crt
   CApath: none
* NSS error -12190
* Closing connection #0
libcurl failed to execute the HTTP POST transaction.  SSL connect error

Looking up that NSS error, it seems to indicate a SSL protocol error.
Looking at my FreeIPA webserver configuration, I'm allowing TLSv1.0,
TLSv1.1, TLSv1.2:

Right, it is SSL_ERROR_PROTOCOL_VERSION_ALERT. Can you show the NSSProtocols from /etc/httpd/conf.d/nss.conf on the server?

The oddest part is that, from the client, I can use wget to connect to
the IPA server, but can not use curl:

[root@hostname ~]# wget --no-check-certificate https://ds02.domain.com
--2016-04-05 17:42:50-- https://ds02.domain.com/
Resolving ds02.domain.com... 192.168.150.2
Connecting to ds02.domain.com
<http://ds02.domain.com>|192.168.150.2|:443... connected.
WARNING: cannot verify ds02.domain.com <http://ds02.domain.com>’s
certificate, issued by “/O=IPA.DOMAIN.COM/CN=Certificate
<http://IPA.DOMAIN.COM/CN=Certificate> Authority”:
   Self-signed certificate encountered.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://ds02.domain.com/ipa/ui [following]


[root@hostname ~]# curl -v -k https://ds02.domain.com/
* About to connect() to ds02.domain.com <http://ds02.domain.com> port
443 (#0)
*   Trying 192.168.150.2... connected
* Connected to ds02.domain.com <http://ds02.domain.com> (192.168.150.2)
port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* NSS error -12190
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error

They are linked against different crypto providers (OpenSSL and NSS)

However, the same curl command, run from another C7 host, works just
fine.  Something incompatible in the NSS libraries maybe?

It might be helpful to look at the output of:

$ openssl s_client -host ds02.domain.com -port 443

To test all the protocols you can do a test with each: -tls1, -tls1_1 and -tls1_2

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to