Was able to trace down the problem.  Since this system is within a PCI
zone, I need high security, and followed instructions at
https://access.redhat.com/articles/1467293, and disabled TLSv1.0.
Evidently, the NSS libraries on C6 do not support TLS versions higher than
1.0, because once I put TLSv1.0 back into the config, it worked again.

Thanks for the help!

Jeremy

On Tue, Apr 5, 2016 at 5:36 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Jeremy Utley wrote:
>
>> Hello all!
>>
>> Are there any known issues with registering a CentOS 6 client with a
>> CentOS 7 FreeIPA server?  I just tried to register my first C6 client
>> (fully updated) with our new FreeIPA infrastructure installed on C7, and
>> I'm getting an NSS error:
>>
>> args=/usr/sbin/ipa-join -s ds02.domain.com -b dc=ipa,dc=domain,dc=com -d
>> stdout=
>> stderr=XML-RPC CALL:
>>
>> <?xml version="1.0" encoding="UTF-8"?>\r\n
>> <methodCall>\r\n
>> <methodName>join</methodName>\r\n
>> <params>\r\n
>> <param><value><array><data>\r\n
>> <value><string>hostname.domain.com</string></value>\r\n
>> </data></array></value></param>\r\n
>> <param><value><struct>\r\n
>> <member><name>nsosversion</name>\r\n
>> <value><string>2.6.32-573.18.1.el6.x86_64</string></value></member>\r\n
>> <member><name>nshardwareplatform</name>\r\n
>> <value><string>x86_64</string></value></member>\r\n
>> </struct></value></param>\r\n
>> </params>\r\n
>> </methodCall>\r\n
>>
>> * About to connect() to ds02.domain.com port 443 (#0)
>> *   Trying 192.168.150.2... * Connected to ds02.domain.com (192.168.150.2) port 443 (#0)
>> * Initializing NSS with certpath: sql:/etc/pki/nssdb
>> *   CAfile: /etc/ipa/ca.crt
>>    CApath: none
>> * NSS error -12190
>> * Closing connection #0
>> libcurl failed to execute the HTTP POST transaction.  SSL connect error
>>
>> Looking up that NSS error, it seems to indicate an SSL protocol error.
>> Looking at my FreeIPA webserver configuration, I'm allowing TLSv1.0,
>> TLSv1.1, TLSv1.2:
>>
>
> Right, it is SSL_ERROR_PROTOCOL_VERSION_ALERT. Can you show the
> NSSProtocols from /etc/httpd/conf.d/nss.conf on the server?
>
> The oddest part is that, from the client, I can use wget to connect to
>> the IPA server, but can not use curl:
>>
>> [root@hostname ~]# wget --no-check-certificate https://ds02.domain.com
>> --2016-04-05 17:42:50-- https://ds02.domain.com/
>> Resolving ds02.domain.com... 192.168.150.2
>> Connecting to ds02.domain.com|192.168.150.2|:443... connected.
>> WARNING: cannot verify ds02.domain.com’s certificate, issued by “/O=IPA.DOMAIN.COM/CN=Certificate Authority”:
>>    Self-signed certificate encountered.
>> HTTP request sent, awaiting response... 301 Moved Permanently
>> Location: https://ds02.domain.com/ipa/ui [following]
>>
>>
>> [root@hostname ~]# curl -v -k https://ds02.domain.com/
>> * About to connect() to ds02.domain.com port 443 (#0)
>> *   Trying 192.168.150.2... connected
>> * Connected to ds02.domain.com (192.168.150.2) port 443 (#0)
>> * Initializing NSS with certpath: sql:/etc/pki/nssdb
>> * warning: ignoring value of ssl.verifyhost
>> * NSS error -12190
>> * Closing connection #0
>> * SSL connect error
>> curl: (35) SSL connect error
>>
>
> They are linked against different crypto providers (OpenSSL and NSS)
>
> However, the same curl command, run from another C7 host, works just
>> fine.  Something incompatible in the NSS libraries maybe?
>>
>
> It might be helpful to look at the output of:
>
> $ openssl s_client -host ds02.domain.com -port 443
>
> To test all the protocols you can do a test with each: -tls1, -tls1_1 and
> -tls1_2
>
> rob
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
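The per-version sweep Rob suggests (openssl s_client with -tls1, -tls1_1 and -tls1_2), scripted so it can be run from each client platform before TLSv1.0 is removed from the server's NSSProtocol. This is an added example, not code from the thread or from the FreeIPA project; the host and port are command-line assumptions, and the two sample outputs embedded in the script are constructed to resemble what OpenSSL 1.0.x s_client prints for a negotiated session and for a rejected protocol version. One caveat the thread itself raises: openssl on the client and the NSS-backed curl that ipa-join uses are different crypto providers, so a version that openssl can negotiate is not proof that ipa-join can; run the sweep from the C6 host and then retry ipa-join there.

```shell
#!/bin/sh
# Added example (not from the thread): sweep the TLS versions a server
# accepts with "openssl s_client" and classify each handshake result.
# Usage: sh tls-sweep.sh HOST [PORT]   (HOST/PORT are assumptions)

# classify_handshake: reads s_client output on stdin and prints one of
#   ok <proto>          a session was negotiated using <proto>
#   refused             the server rejected the offered version (alert
#                       protocol version / handshake failure, or a
#                       session block with "Cipher : 0000")
#   client-unsupported  the local openssl cannot offer that version at all
#   unknown             anything else (TCP/DNS failure, ...)
classify_handshake() {
    out=$(cat)
    proto=$(printf '%s\n' "$out" \
        | sed -n 's/^ *Protocol *: *\([A-Za-z0-9.]*\).*/\1/p' | head -n 1)
    if printf '%s\n' "$out" | grep -Eq 'no protocols available|unknown option'; then
        echo client-unsupported
    elif printf '%s\n' "$out" \
        | grep -Eq 'alert protocol version|handshake failure|wrong version number|unsupported protocol|Cipher *: *0000'; then
        echo refused
    elif [ -n "$proto" ] && printf '%s\n' "$out" | grep -q 'Cipher *: *[A-Za-z0-9]'; then
        echo "ok $proto"
    else
        echo unknown
    fi
}

# probe_versions HOST [PORT]: offer each version in turn. stdin comes from
# /dev/null so the client hangs up right after the handshake, which is all
# we want to observe. -servername is harmless on a single-host server and
# required once the server has several TLS virtual hosts.
probe_versions() {
    host=$1
    port=${2:-443}
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        result=$(openssl s_client -connect "$host:$port" -servername "$host" "$flag" \
                 </dev/null 2>&1 | classify_handshake)
        printf '%-8s %s\n' "$flag" "$result"
    done
}

# Constructed sample output (modelled on OpenSSL 1.0.x s_client, not captured
# from the poster's server), used to check the classifier offline.
SAMPLE_TLS12_OK='CONNECTED(00000003)
depth=1 O = IPA.DOMAIN.COM, CN = Certificate Authority
verify return:1
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
---'

SAMPLE_TLS10_REFUSED='CONNECTED(00000003)
140364105033544:error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version:s3_pkt.c:1472:SSL alert number 70
140364105033544:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:656:
---
no peer certificate available
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
---'

# self_check: the classifier must read the constructed samples correctly.
self_check() {
    [ "$(printf '%s\n' "$SAMPLE_TLS12_OK" | classify_handshake)" = "ok TLSv1.2" ] &&
    [ "$(printf '%s\n' "$SAMPLE_TLS10_REFUSED" | classify_handshake)" = "refused" ]
}

if [ $# -gt 0 ]; then
    self_check || { echo "classifier self-check failed" >&2; exit 1; }
    probe_versions "$@"
fi
```

A server hardened the way the Red Hat article describes should report "refused" for -tls1 and "ok TLSv1.1" / "ok TLSv1.2" for the others; a client that reports "refused" for every version it can offer is in exactly the position the C6 host was in, and the fix is either to leave TLSv1.0 enabled on the server or to get the client talking a newer version before the server-side change goes in. "client-unsupported" means the local openssl build cannot offer that version, which says nothing about the server.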
