On 04/06/2016 12:23 AM, Jeremy Utley wrote:
> Hello all!
> 
> Is there any known issues with registering a CentOS 6 client with a CentOS 7 
> FreeIPA server?  I just tried to register my first C6 client (fully updated) 
> with our new FreeIPA infrastructure installed on C7, and I'm getting an NSS 
> error:
> 
> args=/usr/sbin/ipa-join -s ds02.domain.com <http://ds02.domain.com> -b 
> dc=ipa,dc=domain,dc=com -d
> stdout=
> stderr=XML-RPC CALL:
> 
> <?xml version="1.0" encoding="UTF-8"?>\r\n
> <methodCall>\r\n
> <methodName>join</methodName>\r\n
> <params>\r\n
> <param><value><array><data>\r\n
> <value><string>hostname.domain.com 
> <http://hostname.domain.com></string></value>\r\n
> </data></array></value></param>\r\n
> <param><value><struct>\r\n
> <member><name>nsosversion</name>\r\n
> <value><string>2.6.32-573.18.1.el6.x86_64</string></value></member>\r\n
> <member><name>nshardwareplatform</name>\r\n
> <value><string>x86_64</string></value></member>\r\n
> </struct></value></param>\r\n
> </params>\r\n
> </methodCall>\r\n
> 
> * About to connect() to ds02.domain.com <http://ds02.domain.com> port 443 (#0)
> *   Trying 192.168.150.2... * Connected to ds02.domain.com 
> <http://ds02.domain.com> (192.168.150.2) port 443 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> *   CAfile: /etc/ipa/ca.crt
>    CApath: none
> * NSS error -12190
> * Closing connection #0
> libcurl failed to execute the HTTP POST transaction.  SSL connect error
> 
> Looking up that NSS error, it seems to indicate a SSL protocol error.  
> Looking 
> at my FreeIPA webserver configuration, I'm allowing TLSv1.0, TLSv1.1, TLSv1.2:
> 
> The oddest part is that, from the client, I can use wget to connect to the 
> IPA 
> server, but can not use curl:
> 
> [root@hostname ~]# wget --no-check-certificate https://ds02.domain.com
> --2016-04-05 17:42:50-- https://ds02.domain.com/
> Resolving ds02.domain.com... 192.168.150.2
> Connecting to ds02.domain.com <http://ds02.domain.com>|192.168.150.2|:443... 
> connected.
> WARNING: cannot verify ds02.domain.com <http://ds02.domain.com>’s 
> certificate, 
> issued by “/O=IPA.DOMAIN.COM/CN=Certificate 
> <http://IPA.DOMAIN.COM/CN=Certificate> Authority”:
>    Self-signed certificate encountered.
> HTTP request sent, awaiting response... 301 Moved Permanently
> Location: https://ds02.domain.com/ipa/ui [following]
> 
> 
> [root@hostname ~]# curl -v -k https://ds02.domain.com/
> * About to connect() to ds02.domain.com <http://ds02.domain.com> port 443 (#0)
> *   Trying 192.168.150.2... connected
> * Connected to ds02.domain.com <http://ds02.domain.com> (192.168.150.2) port 
> 443 
> (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> * warning: ignoring value of ssl.verifyhost
> * NSS error -12190
> * Closing connection #0
> * SSL connect error
> curl: (35) SSL connect error
> 
> However, the same curl command, run from another C7 host, works just fine.  
> Something incompatible in the NSS libraries maybe?
> 
> Thanks for any help you can provide!
> 
> Jeremy

Any chance it is related to this thread:
https://www.redhat.com/archives/freeipa-users/2016-March/msg00305.html
and is resolved just with nss update on the client side?

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to