Client is running ipa-client-3.0.0-47.el6.centos.1.x86_64 on CentOS 6
Servers are running ipa-server-4.2.0-15.0.1.el7.centos.6.x86_64 on CentOS 7
When I try to join the CentOS 6 client to the CentOS 7 servers,
ipa-client-install is unable to access /ipa/xml, throwing the following error:
...
Connecting: [2001:630:1:177::98]:0
Failed to set TLS range to tls1.0, tls1.2
Could not connect socket to [2001:630:1:177::98]:443, error:
(SSL_ERROR_INVALID_VERSION_RANGE) SSL version range is not valid.
...
The full log follows, but I don't see anything interesting or unusual, other
than that HTTPS connections are established OK earlier in the installation process.
I could use a bit of help resolving this - full client debug follows. Both
systems are running nss 3.19.1 which *should* support TLS1.2, so I'm unsure
where to start fixing this.
Thanks,
Adam Bishop
gpg: 0x6609D460
jisc.ac.uk
---
Starting IPA discovery with domain=example.org, servers=None,
hostname=rms1.example.org
Search for LDAP SRV record in example.org
Search DNS for SRV record of _ldap._tcp.example.org.
DNS record found:
DNSResult::name:_ldap._tcp.example.org.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:atl-ipa-001.example.org.}
DNS record found:
DNSResult::name:_ldap._tcp.example.org.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:swi-ipa-001.example.org.}
[Kerberos realm search]
Search DNS for TXT record of _kerberos.example.org.
DNS record found:
DNSResult::name:_kerberos.example.org.,type:16,class:1,rdata={data:example.org}
Search DNS for SRV record of _kerberos._udp.example.org.
DNS record found:
DNSResult::name:_kerberos._udp.example.org.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:swi-ipa-001.example.org.}
DNS record found:
DNSResult::name:_kerberos._udp.example.org.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:atl-ipa-001.example.org.}
[LDAP server check]
Verifying that atl-ipa-001.example.org (realm example.org) is an IPA server
Init LDAP connection with: ldap://atl-ipa-001.example.org:389
Search LDAP server for IPA base DN
Check if naming context 'dc=example,dc=org' is for IPA
Naming context 'dc=example,dc=org' is a valid IPA context
Search for (objectClass=krbRealmContainer) in dc=example,dc=org (sub)
Found: cn=example.org,cn=kerberos,dc=example,dc=org
Discovery result: Success; server=atl-ipa-001.example.org, domain=example.org,
kdc=swi-ipa-001.example.org,atl-ipa-001.example.org, basedn=dc=example,dc=org
Validated servers: atl-ipa-001.example.org
will use discovered domain: example.org
Start searching for LDAP SRV record in "example.org" (Validating DNS Discovery)
and its sub-domains
Search DNS for SRV record of _ldap._tcp.example.org.
DNS record found:
DNSResult::name:_ldap._tcp.example.org.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:swi-ipa-001.example.org.}
DNS record found:
DNSResult::name:_ldap._tcp.example.org.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:atl-ipa-001.example.org.}
DNS validated, enabling discovery
will use discovered server: atl-ipa-001.example.org
Discovery was successful!
will use discovered realm: example.org
will use discovered basedn: dc=example,dc=org
Hostname: rms1.example.org
Hostname source: Machine's FQDN
Realm: example.org
Realm source: Discovered from LDAP DNS records in atl-ipa-001.example.org
DNS Domain: example.org
DNS Domain source: Discovered LDAP SRV records from example.org
IPA Server: atl-ipa-001.example.org
IPA Server source: Discovered from LDAP DNS records in atl-ipa-001.example.org
BaseDN: dc=example,dc=org
BaseDN source: From IPA server ldap://atl-ipa-001.example.org:389
Continue to configure the system with these values? [no]: yes
args=/usr/sbin/ipa-rmkeytab -k /etc/krb5.keytab -r example.org
stdout=
stderr=realm not found
User authorized to enroll computers: admin
will use principal provided as option: admin
Synchronizing time with KDC...
Search DNS for SRV record of _ntp._udp.example.org.
No DNS record found
args=/usr/sbin/ntpdate -U ntp -s -b -v atl-ipa-001.example.org
stdout=
stderr=
args=/usr/sbin/ntpdate -U ntp -s -b -v atl-ipa-001.example.org
stdout=
stderr=
args=/usr/sbin/ntpdate -U ntp -s -b -v atl-ipa-001.example.org
stdout=
stderr=
Unable to sync time with IPA NTP server, assuming the time is in sync. Please
check that 123 UDP port is opened.
Writing Kerberos configuration to /tmp/tmpX2eUdM:
#File modified by ipa-client-install
includedir /var/lib/sss/pubconf/krb5.include.d/
[libdefaults]
default_realm = example.org
dns_lookup_realm = false
dns_lookup_kdc = false
rdns = false
ticket_lifetime = 24h
forwardable = yes
udp_preference_limit = 0
[realms]
example.org = {
kdc = atl-ipa-001.example.org:88
master_kdc = atl-ipa-001.example.org:88
admin_server = atl-ipa-001.example.org:749
default_domain = example.org
pkinit_anchors = FILE:/etc/ipa/ca.crt
}
[domain_realm]
.example.org = example.org
example.org =
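For anyone working through a debug log like the one above, the following is an added example (written for this page, not ipa-client-install's own code) that parses the DNSResult discovery lines into SRV records, orders them the way RFC 2782 prescribes, and picks out the NSS version-range failure. It assumes the line layout visible in the log (owner name, RR type number, class, then a brace-delimited rdata list) and that type 33 is SRV; the sample log is constructed from lines in the post.

```python
import random
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines copied from the ipa-client-install debug log in the
# post (TLS failure plus discovery output), so the example runs offline.
SAMPLE_LOG = """\
Connecting: [2001:630:1:177::98]:0
Failed to set TLS range to tls1.0, tls1.2
Could not connect socket to [2001:630:1:177::98]:443, error:
(SSL_ERROR_INVALID_VERSION_RANGE) SSL version range is not valid.
DNS record found:
DNSResult::name:_ldap._tcp.example.org.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:atl-ipa-001.example.org.}
DNS record found:
DNSResult::name:_ldap._tcp.example.org.,type:33,class:1,rdata={priority:0,port:389,weight:100,server:swi-ipa-001.example.org.}
DNS record found:
DNSResult::name:_kerberos.example.org.,type:16,class:1,rdata={data:example.org}
DNS record found:
DNSResult::name:_kerberos._udp.example.org.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:swi-ipa-001.example.org.}
DNS record found:
DNSResult::name:_kerberos._udp.example.org.,type:33,class:1,rdata={priority:0,port:88,weight:100,server:atl-ipa-001.example.org.}
"""

# Assumed line shape, inferred from the log (not an official format):
# DNSResult::name:<owner>,type:<n>,class:<n>,rdata={k:v,k:v,...}
DNS_RESULT = re.compile(
    r"^DNSResult::name:(?P<name>[^,]+),type:(?P<rtype>\d+),class:\d+,"
    r"rdata=\{(?P<rdata>[^}]*)\}\s*$",
    re.MULTILINE,
)
TLS_RANGE = re.compile(r"^Failed to set TLS range to (?P<range>.+?)\s*$", re.MULTILINE)
SSL_ERROR = re.compile(r"\((?P<code>SSL_ERROR_[A-Z0-9_]+)\)")
SRV_TYPE = "33"  # DNS RR type number for SRV (TXT is 16)


@dataclass(frozen=True)
class SrvRecord:
    name: str      # owner name without trailing dot, e.g. _ldap._tcp.example.org
    priority: int
    weight: int
    port: int
    target: str    # target host without trailing dot


def parse_srv_records(log_text: str) -> List[SrvRecord]:
    """Extract SRV records from DNSResult lines. Other RR types are ignored and
    a target of "." (RFC 2782: service explicitly not offered) is dropped."""
    records: List[SrvRecord] = []
    for m in DNS_RESULT.finditer(log_text):
        if m.group("rtype") != SRV_TYPE:
            continue
        rdata = dict(item.split(":", 1) for item in m.group("rdata").split(","))
        if rdata["server"] == ".":
            continue
        records.append(SrvRecord(
            name=m.group("name").rstrip("."),
            priority=int(rdata["priority"]),
            weight=int(rdata["weight"]),
            port=int(rdata["port"]),
            target=rdata["server"].rstrip("."),
        ))
    return records


def order_srv(records: List[SrvRecord], rng: Optional[random.Random] = None) -> List[SrvRecord]:
    """RFC 2782 ordering: lowest priority first; within a priority, repeated
    weighted random draws. Zero-weight records sit first in the candidate
    list so they are only chosen when the draw is 0."""
    rng = rng if rng is not None else random.Random()
    ordered: List[SrvRecord] = []
    for priority in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == priority]
        pool.sort(key=lambda r: r.weight != 0)  # stable: zero weights to the front
        while pool:
            draw = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for chosen in pool:
                running += chosen.weight
                if running >= draw:
                    break
            ordered.append(chosen)
            pool.remove(chosen)
    return ordered


def discover(log_text: str, service: str, rng: Optional[random.Random] = None) -> List[str]:
    """Return "host:port" candidates for one SRV owner name, in the order to try them."""
    wanted = service.rstrip(".")
    matching = [r for r in parse_srv_records(log_text) if r.name == wanted]
    return [f"{r.target}:{r.port}" for r in order_srv(matching, rng)]


def tls_range_failure(log_text: str) -> Optional[Dict[str, str]]:
    """Report the requested TLS range and the SSL_ERROR_* code that followed it,
    or None when the log shows neither."""
    range_m = TLS_RANGE.search(log_text)
    err_m = SSL_ERROR.search(log_text)
    if not range_m and not err_m:
        return None
    return {
        "requested_range": range_m.group("range") if range_m else "",
        "error": err_m.group("code") if err_m else "",
    }


if __name__ == "__main__":
    print(discover(SAMPLE_LOG, "_ldap._tcp.example.org", random.Random(0)))
    print(discover(SAMPLE_LOG, "_kerberos._udp.example.org", random.Random(0)))
    print(tls_range_failure(SAMPLE_LOG))
```

Both LDAP SRV records in the post share priority 0 and weight 100, so the order in which a client tries atl-ipa-001 and swi-ipa-001 is a coin flip; passing a seeded `random.Random` makes that order reproducible when you want to compare two runs of the same log.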