[Freeipa-users] Re: Ubuntu -> Fedora and tomcat SetAllPropertiesRule warnings
Gentle bump (whilst I remember to nudge this).

TL;DR Does anyone know the likely implications of error messages such as:
"Setting property 'enableOCSP' to 'false' did not find a matching property."
(then repeated for several other properties)

On 4 January 2018 at 14:52, David Harvey wrote:

> Point No.2 is now sorted. It was the old missing Subject Alternative Name
> extension in certificate problem (which I had only seen with https until
> now!).
> I would still love to know if I need to live in fear of the other errors
> though :)
>
> On 4 January 2018 at 12:25, David Harvey wrote:
>
>> Dear list,
>>
>> In trying to escape from the various issues facing the ubuntu freeipa, I
>> attempted to make the switch to Fedora 26 (same freeipa version 4.4.4).
>>
>> This seemed to go well (adding new replica first, and then replacing the
>> ubuntu based installs), but I notice on my fedora boxes several warnings in
>> /v/l/messages (pasted below). Firstly, are these harmful, and what might I
>> need to rectify!? I have a half baked theory that this might relate to some
>> of the aspects that were broken in ubuntu and carrying their breakage
>> across to the new platform!
>>
>> Secondly - could they relate to an issue I am seeing where one specific
>> LDAPS client application is failing to verify the ldap server cert (even
>> though other clients are quite happy talking to it) since the ipa server
>> reinstall?
>>
>> Advice appreciated, thank you in advance!
>>
>> David
>>
>> Jan 4 11:53:09 ipa3 server[1357]: WARNING: Problem with JAR file
>> [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead:
>> [false]
>> Jan 4 11:53:09 ipa3 ntpd[1200]: Soliciting pool server 45.79.111.114
>> Jan 4 11:53:10 ipa3 server[1357]: WARNING:
>> [SetAllPropertiesRule]{Server/Service/Connector}
>> Setting property 'enableOCSP' to 'false' did not find a matching property.
>> Jan 4 11:53:10 ipa3 server[1357]: WARNING:
>> [SetAllPropertiesRule]{Server/Service/Connector}
>> Setting property 'ocspResponderURL' to 'http://ipa3.thomac.net:9080/c
>> a/ocsp' did not find a matching property.
>> Jan 4 11:53:10 ipa3 server[1357]: WARNING:
>> [SetAllPropertiesRule]{Server/Service/Connector}
>> Setting property 'ocspResponderCertNickname' to 'ocspSigningCert
>> cert-pki-ca' did not find a matching property.
>> Jan 4 11:53:10 ipa3 server[1357]: WARNING:
>> [SetAllPropertiesRule]{Server/Service/Connector}
>> Setting property 'ocspCacheSize' to '1000' did not find a matching property.
>> Jan 4 11:53:10 ipa3 server[1357]: WARNING:
>> [SetAllPropertiesRule]{Server/Service/Connector}
>> Setting property 'ocspMinCacheEntryDuration' to '60' did not find a
>> matching property.
>> Jan 4 11:53:10 ipa3 server[1357]: WARNING:
>> [SetAllPropertiesRule]{Server/Service/Connector}
>> Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a
>> matching property.
>> Jan 4 11:53:10 ipa3 server[1357]: WARNING:
>> [SetAllPropertiesRule]{Server/Service/Connector}
>> Setting property 'ocspTimeout' to '10' did not find a matching property.
>> Jan 4 11:53:10 ipa3 server[1357]: WARNING:
>> [SetAllPropertiesRule]{Server/Service/Connector}
>> Setting property 'strictCiphers' to 'true' did not find a matching property.
>> Jan 4 11:53:10 ipa3 server[1357]: WARNING:
>> [SetAllPropertiesRule]{Server/Service/Connector}
>> Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did
>> not find a matching property.
>> Jan 4 11:53:10 ipa3 server[1357]: WARNING:
>> [SetAllPropertiesRule]{Server/Service/Connector}
>> Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_
>> RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_
>> RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-
>> SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching property.
>> Jan 4 11:53:10 ipa3 server[1357]: WARNING:
>> [SetAllPropertiesRule]{Server/Service/Connector}
>> Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_
>> SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_
>> 128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_
>> 3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_
>> EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZ
>> A_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_
>> WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_
>> EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_
>> CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a matching
>> property.
>> Jan 4 11:53:10 ipa3 server[1357]: WARNING:
>> [SetAllPropertiesRule]{Server/Service/Connector}
>> Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_
>> CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_
>> WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,
>> +TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_
>> AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+
[Freeipa-users] Re: Ubuntu -> Fedora and tomcat SetAllPropertiesRule warnings
Point No.2 is now sorted. It was the old missing Subject Alternative Name
extension in certificate problem (which I had only seen with https until
now!).
I would still love to know if I need to live in fear of the other errors
though :)

On 4 January 2018 at 12:25, David Harvey wrote:

> Dear list,
>
> In trying to escape from the various issues facing the ubuntu freeipa, I
> attempted to make the switch to Fedora 26 (same freeipa version 4.4.4).
>
> This seemed to go well (adding new replica first, and then replacing the
> ubuntu based installs), but I notice on my fedora boxes several warnings in
> /v/l/messages (pasted below). Firstly, are these harmful, and what might I
> need to rectify!? I have a half baked theory that this might relate to some
> of the aspects that were broken in ubuntu and carrying their breakage
> across to the new platform!
>
> Secondly - could they relate to an issue I am seeing where one specific
> LDAPS client application is failing to verify the ldap server cert (even
> though other clients are quite happy talking to it) since the ipa server
> reinstall?
>
> Advice appreciated, thank you in advance!
>
> David
>
> Jan 4 11:53:09 ipa3 server[1357]: WARNING: Problem with JAR file
> [/usr/share/pki/server/common/lib/symkey.jar], exists: [false], canRead:
> [false]
> Jan 4 11:53:09 ipa3 ntpd[1200]: Soliciting pool server 45.79.111.114
> Jan 4 11:53:10 ipa3 server[1357]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'enableOCSP' to 'false' did not find a matching property.
> Jan 4 11:53:10 ipa3 server[1357]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'ocspResponderURL' to 'http://ipa3.thomac.net:9080/
> ca/ocsp' did not find a matching property.
> Jan 4 11:53:10 ipa3 server[1357]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'ocspResponderCertNickname' to 'ocspSigningCert
> cert-pki-ca' did not find a matching property.
> Jan 4 11:53:10 ipa3 server[1357]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'ocspCacheSize' to '1000' did not find a matching property.
> Jan 4 11:53:10 ipa3 server[1357]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'ocspMinCacheEntryDuration' to '60' did not find a
> matching property.
> Jan 4 11:53:10 ipa3 server[1357]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'ocspMaxCacheEntryDuration' to '120' did not find a
> matching property.
> Jan 4 11:53:10 ipa3 server[1357]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'ocspTimeout' to '10' did not find a matching property.
> Jan 4 11:53:10 ipa3 server[1357]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'strictCiphers' to 'true' did not find a matching property.
> Jan 4 11:53:10 ipa3 server[1357]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not
> find a matching property.
> Jan 4 11:53:10 ipa3 server[1357]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_
> RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-
> SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_
> WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5' did not find a matching
> property.
> Jan 4 11:53:10 ipa3 server[1357]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'ssl3Ciphers' to '-SSL3_FORTEZZA_DMS_WITH_NULL_
> SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_
> RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_
> WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_
> RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_
> FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_
> RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-
> TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_
> AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA' did not find a
> matching property.
> Jan 4 11:53:10 ipa3 server[1357]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'tlsCiphers' to '-TLS_ECDH_ECDSA_WITH_AES_128_
> CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_
> RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_
> SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_
> WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_
> SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_
> CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_
> 3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-
> TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_
> AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_
> DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_
> SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_
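An added triage helper, not part of the original thread and not FreeIPA or Tomcat code: it pulls the SetAllPropertiesRule warnings out of a pasted log excerpt (mail-wrapped and ">"-quoted, as above) and lists which attributes were reported as unmatched on which element, grouped as OCSP, cipher or protocol settings. The sample input is constructed in the thread's log format; the function names and the grouping are this example's own assumptions.

```python
import re

# Constructed sample in the thread's log format, wrapped and ">"-quoted as in mail.
SAMPLE = """\
> Jan 4 11:53:10 ipa3 server[1357]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'enableOCSP' to 'false' did not find a matching property.
> Jan 4 11:53:10 ipa3 server[1357]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'sslOptions' to 'ssl2=false,ssl3=false,tls=true' did not
> find a matching property.
> Jan 4 11:53:10 ipa3 server[1357]: WARNING:
> [SetAllPropertiesRule]{Server/Service/Connector}
> Setting property 'ssl2Ciphers' to '-SSL2_RC4_128_WITH_MD5,-SSL2_
> DES_64_CBC_WITH_MD5' did not find a matching property.
"""

WARNING_RE = re.compile(
    r"\[SetAllPropertiesRule\]\{(?P<path>[^}]+)\} "
    r"Setting property '(?P<name>[^']+)' to '(?P<value>[^']*)' "
    r"did not find a matching property")

def unquote(text):
    """Drop mail quote markers and undo line wrapping (collapse whitespace)."""
    lines = [re.sub(r"^(?:>\s?)+", "", ln) for ln in text.splitlines()]
    return " ".join(" ".join(lines).split())

def group_of(name):
    # Coarse grouping by attribute name (this example's own convention).
    low = name.lower()
    if "ocsp" in low:
        return "ocsp"
    if low.endswith("ciphers"):
        return "ciphers"
    return "protocols" if low == "ssloptions" else "other"

def clean_value(name, value):
    # Cipher lists are comma-separated tokens; a space inside one is a wrap artifact.
    if group_of(name) == "ciphers":
        return ",".join("".join(tok.split()) for tok in value.split(","))
    return value

def unmatched_properties(text):
    """Map element path -> {attribute: (group, value)} for each warning found."""
    found = {}
    for m in WARNING_RE.finditer(unquote(text)):
        name, value = m.group("name"), m.group("value")
        found.setdefault(m.group("path"), {})[name] = (group_of(name), clean_value(name, value))
    return found
```
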