Was able to trace down the problem. Since this system is within a PCI zone, I need high security, and followed instructions at https://access.redhat.com/articles/1467293, and disabled TLSv1.0. Evidently, the NSS libraries on C6 do not support TLS versions higher than 1.0, because once I put TLSv1.0 back into the config, it worked again.
Thanks for the help!

Jeremy

On Tue, Apr 5, 2016 at 5:36 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Jeremy Utley wrote:
>
>> Hello all!
>>
>> Are there any known issues with registering a CentOS 6 client with a
>> CentOS 7 FreeIPA server? I just tried to register my first C6 client
>> (fully updated) with our new FreeIPA infrastructure installed on C7, and
>> I'm getting an NSS error:
>>
>> args=/usr/sbin/ipa-join -s ds02.domain.com -b
>> dc=ipa,dc=domain,dc=com -d
>> stdout=
>> stderr=XML-RPC CALL:
>>
>> <?xml version="1.0" encoding="UTF-8"?>\r\n
>> <methodCall>\r\n
>> <methodName>join</methodName>\r\n
>> <params>\r\n
>> <param><value><array><data>\r\n
>> <value><string>hostname.domain.com</string></value>\r\n
>> </data></array></value></param>\r\n
>> <param><value><struct>\r\n
>> <member><name>nsosversion</name>\r\n
>> <value><string>2.6.32-573.18.1.el6.x86_64</string></value></member>\r\n
>> <member><name>nshardwareplatform</name>\r\n
>> <value><string>x86_64</string></value></member>\r\n
>> </struct></value></param>\r\n
>> </params>\r\n
>> </methodCall>\r\n
>>
>> * About to connect() to ds02.domain.com port 443 (#0)
>> * Trying 192.168.150.2... * Connected to ds02.domain.com (192.168.150.2) port 443 (#0)
>> * Initializing NSS with certpath: sql:/etc/pki/nssdb
>> * CAfile: /etc/ipa/ca.crt
>> CApath: none
>> * NSS error -12190
>> * Closing connection #0
>> libcurl failed to execute the HTTP POST transaction. SSL connect error
>>
>> Looking up that NSS error, it seems to indicate a SSL protocol error.
>> Looking at my FreeIPA webserver configuration, I'm allowing TLSv1.0,
>> TLSv1.1, TLSv1.2:
>>
>
> Right, it is SSL_ERROR_PROTOCOL_VERSION_ALERT. Can you show the
> NSSProtocols from /etc/httpd/conf.d/nss.conf on the server?
>
>> The oddest part is that, from the client, I can use wget to connect to
>> the IPA server, but cannot use curl:
>>
>> [root@hostname ~]# wget --no-check-certificate https://ds02.domain.com
>> --2016-04-05 17:42:50-- https://ds02.domain.com/
>> Resolving ds02.domain.com... 192.168.150.2
>> Connecting to ds02.domain.com|192.168.150.2|:443... connected.
>> WARNING: cannot verify ds02.domain.com’s
>> certificate, issued by “/O=IPA.DOMAIN.COM/CN=Certificate Authority”:
>> Self-signed certificate encountered.
>> HTTP request sent, awaiting response... 301 Moved Permanently
>> Location: https://ds02.domain.com/ipa/ui [following]
>>
>>
>> [root@hostname ~]# curl -v -k https://ds02.domain.com/
>> * About to connect() to ds02.domain.com port 443 (#0)
>> * Trying 192.168.150.2... connected
>> * Connected to ds02.domain.com (192.168.150.2) port 443 (#0)
>> * Initializing NSS with certpath: sql:/etc/pki/nssdb
>> * warning: ignoring value of ssl.verifyhost
>> * NSS error -12190
>> * Closing connection #0
>> * SSL connect error
>> curl: (35) SSL connect error
>>
>
> They are linked against different crypto providers (OpenSSL and NSS)
>
>> However, the same curl command, run from another C7 host, works just
>> fine. Something incompatible in the NSS libraries maybe?
>>
>
> It might be helpful to look at the output of:
>
> $ openssl s_client -host ds02.domain.com -port 443
>
> To test all the protocols you can do a test with each: -tls1, -tls1_1 and
> -tls1_2
>
> rob
>
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project