Re: [Freeipa-users] Centos 7 IPA server, Centos 6 Clients

2016-04-06 Thread Jeremy Utley
Was able to trace down the problem.  Since this system is within a PCI
zone, I need high security, and followed instructions at
https://access.redhat.com/articles/1467293, and disabled TLSv1.0.
Evidently, the NSS libraries on C6 do not support TLS versions higher than
1.0, because once I put TLSv1.0 back into the config, it worked again.

Thanks for the help!

Jeremy

On Tue, Apr 5, 2016 at 5:36 PM, Rob Crittenden wrote:

> Jeremy Utley wrote:
>
>> Hello all!
>>
>> Are there any known issues with registering a CentOS 6 client with a
>> CentOS 7 FreeIPA server?  I just tried to register my first C6 client
>> (fully updated) with our new FreeIPA infrastructure installed on C7, and
>> I'm getting an NSS error:
>>
>> args=/usr/sbin/ipa-join -s ds02.domain.com -b dc=ipa,dc=domain,dc=com -d
>> stdout=
>> stderr=XML-RPC CALL:
>>
>> \r\n
>> \r\n
>> join\r\n
>> \r\n
>> \r\n
>> hostname.domain.com
>> \r\n
>> \r\n
>> \r\n
>> nsosversion\r\n
>> 2.6.32-573.18.1.el6.x86_64\r\n
>> nshardwareplatform\r\n
>> x86_64\r\n
>> \r\n
>> \r\n
>> \r\n
>>
>> * About to connect() to ds02.domain.com port 443 (#0)
>> *   Trying 192.168.150.2... * Connected to ds02.domain.com (192.168.150.2) port 443 (#0)
>> * Initializing NSS with certpath: sql:/etc/pki/nssdb
>> *   CAfile: /etc/ipa/ca.crt
>>    CApath: none
>> * NSS error -12190
>> * Closing connection #0
>> libcurl failed to execute the HTTP POST transaction.  SSL connect error
>>
>> Looking up that NSS error, it seems to indicate a SSL protocol error.
>> Looking at my FreeIPA webserver configuration, I'm allowing TLSv1.0,
>> TLSv1.1, TLSv1.2:
>>
>
> Right, it is SSL_ERROR_PROTOCOL_VERSION_ALERT. Can you show the
> NSSProtocols from /etc/httpd/conf.d/nss.conf on the server?
>
>> The oddest part is that, from the client, I can use wget to connect to
>> the IPA server, but can not use curl:
>>
>> [root@hostname ~]# wget --no-check-certificate https://ds02.domain.com
>> --2016-04-05 17:42:50-- https://ds02.domain.com/
>> Resolving ds02.domain.com... 192.168.150.2
>> Connecting to ds02.domain.com|192.168.150.2|:443... connected.
>> WARNING: cannot verify ds02.domain.com’s certificate, issued by “/O=IPA.DOMAIN.COM/CN=Certificate Authority”:
>>    Self-signed certificate encountered.
>> HTTP request sent, awaiting response... 301 Moved Permanently
>> Location: https://ds02.domain.com/ipa/ui [following]
>>
>>
>> [root@hostname ~]# curl -v -k https://ds02.domain.com/
>> * About to connect() to ds02.domain.com port 443 (#0)
>> *   Trying 192.168.150.2... connected
>> * Connected to ds02.domain.com (192.168.150.2) port 443 (#0)
>> * Initializing NSS with certpath: sql:/etc/pki/nssdb
>> * warning: ignoring value of ssl.verifyhost
>> * NSS error -12190
>> * Closing connection #0
>> * SSL connect error
>> curl: (35) SSL connect error
>>
>
> They are linked against different crypto providers (OpenSSL and NSS).
>
>> However, the same curl command, run from another C7 host, works just
>> fine.  Something incompatible in the NSS libraries maybe?
>>
>
> It might be helpful to look at the output of:
>
> $ openssl s_client -host ds02.domain.com -port 443
>
> To test all the protocols you can do a test with each: -tls1, -tls1_1 and
> -tls1_2
>
> rob
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] Centos 7 IPA server, Centos 6 Clients

2016-04-05 Thread Rob Crittenden

Jeremy Utley wrote:

> Hello all!
>
> Are there any known issues with registering a CentOS 6 client with a
> CentOS 7 FreeIPA server?  I just tried to register my first C6 client
> (fully updated) with our new FreeIPA infrastructure installed on C7, and
> I'm getting an NSS error:
>
> args=/usr/sbin/ipa-join -s ds02.domain.com -b dc=ipa,dc=domain,dc=com -d
> stdout=
> stderr=XML-RPC CALL:
>
> \r\n
> \r\n
> join\r\n
> \r\n
> \r\n
> hostname.domain.com
> \r\n
> \r\n
> \r\n
> nsosversion\r\n
> 2.6.32-573.18.1.el6.x86_64\r\n
> nshardwareplatform\r\n
> x86_64\r\n
> \r\n
> \r\n
> \r\n
>
> * About to connect() to ds02.domain.com port 443 (#0)
> *   Trying 192.168.150.2... * Connected to ds02.domain.com (192.168.150.2) port 443 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> *   CAfile: /etc/ipa/ca.crt
>    CApath: none
> * NSS error -12190
> * Closing connection #0
> libcurl failed to execute the HTTP POST transaction.  SSL connect error
>
> Looking up that NSS error, it seems to indicate a SSL protocol error.
> Looking at my FreeIPA webserver configuration, I'm allowing TLSv1.0,
> TLSv1.1, TLSv1.2:

Right, it is SSL_ERROR_PROTOCOL_VERSION_ALERT. Can you show the
NSSProtocols from /etc/httpd/conf.d/nss.conf on the server?

> The oddest part is that, from the client, I can use wget to connect to
> the IPA server, but can not use curl:
>
> [root@hostname ~]# wget --no-check-certificate https://ds02.domain.com
> --2016-04-05 17:42:50-- https://ds02.domain.com/
> Resolving ds02.domain.com... 192.168.150.2
> Connecting to ds02.domain.com|192.168.150.2|:443... connected.
> WARNING: cannot verify ds02.domain.com’s certificate, issued by “/O=IPA.DOMAIN.COM/CN=Certificate Authority”:
>   Self-signed certificate encountered.
> HTTP request sent, awaiting response... 301 Moved Permanently
> Location: https://ds02.domain.com/ipa/ui [following]
>
> [root@hostname ~]# curl -v -k https://ds02.domain.com/
> * About to connect() to ds02.domain.com port 443 (#0)
> *   Trying 192.168.150.2... connected
> * Connected to ds02.domain.com (192.168.150.2) port 443 (#0)
> * Initializing NSS with certpath: sql:/etc/pki/nssdb
> * warning: ignoring value of ssl.verifyhost
> * NSS error -12190
> * Closing connection #0
> * SSL connect error
> curl: (35) SSL connect error

They are linked against different crypto providers (OpenSSL and NSS).

> However, the same curl command, run from another C7 host, works just
> fine.  Something incompatible in the NSS libraries maybe?

It might be helpful to look at the output of:

$ openssl s_client -host ds02.domain.com -port 443

To test all the protocols you can do a test with each: -tls1, -tls1_1
and -tls1_2

rob

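As an added example that is not part of the thread (my own script, not Rob's or the FreeIPA project's): the per-version s_client check Rob suggests, looped over TLS 1.0, 1.1 and 1.2 with each handshake outcome classified, so an administrator can see exactly which versions a server still accepts before, or after, removing TLSv1.0 from NSSProtocols as Jeremy did. It assumes an openssl whose s_client understands -tls1, -tls1_1 and -tls1_2; ds02.domain.com and port 443 are the thread's values.

```shell
#!/bin/sh
# Added example, not from the thread: Rob's openssl s_client check run once per
# TLS version. Assumes s_client accepts -tls1, -tls1_1 and -tls1_2 (the RHEL/CentOS
# 6 and 7 builds do); a host that is "refused" for every version a client can
# offer is the NSS -12190 (SSL_ERROR_PROTOCOL_VERSION_ALERT) situation above.

# classify_handshake: reads the combined stdout+stderr of one s_client run and
# prints one word:
#   ok       a cipher was negotiated with the requested version
#   refused  that version was rejected (protocol_version / handshake_failure
#            alert from the peer, or OpenSSL itself reports it unsupported)
#   error    no handshake at all (connection refused, bad hostname, bad flag)
classify_handshake() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -Eq 'alert protocol version|alert handshake failure|unsupported protocol|wrong version number'; then
        echo refused
    elif printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
        # s_client still prints its session block after a failed handshake
        echo refused
    elif printf '%s\n' "$out" | grep -Eq 'Cipher is [A-Z0-9]'; then
        echo ok
    else
        echo error
    fi
}

# probe_tls HOST [PORT]: prints one line per version, e.g. "tls1 refused".
probe_tls() {
    host=$1
    port=${2:-443}
    for v in tls1 tls1_1 tls1_2; do
        # "Q" on stdin makes s_client close the session right after the handshake
        result=$(printf 'Q\n' | openssl s_client -connect "$host:$port" "-$v" 2>&1 \
                 | classify_handshake)
        echo "$v $result"
    done
}

# Stand-alone use: sh probe_tls.sh ds02.domain.com 443
if [ $# -gt 0 ]; then
    probe_tls "$@"
fi
```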


[Freeipa-users] Centos 7 IPA server, Centos 6 Clients

2016-04-05 Thread Jeremy Utley
Hello all!

Are there any known issues with registering a CentOS 6 client with a CentOS
7 FreeIPA server?  I just tried to register my first C6 client (fully
updated) with our new FreeIPA infrastructure installed on C7, and I'm
getting an NSS error:

args=/usr/sbin/ipa-join -s ds02.domain.com -b dc=ipa,dc=domain,dc=com -d
stdout=
stderr=XML-RPC CALL:

\r\n
\r\n
join\r\n
\r\n
\r\n
hostname.domain.com\r\n
\r\n
\r\n
nsosversion\r\n
2.6.32-573.18.1.el6.x86_64\r\n
nshardwareplatform\r\n
x86_64\r\n
\r\n
\r\n
\r\n

* About to connect() to ds02.domain.com port 443 (#0)
*   Trying 192.168.150.2... * Connected to ds02.domain.com (192.168.150.2)
port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/ipa/ca.crt
  CApath: none
* NSS error -12190
* Closing connection #0
libcurl failed to execute the HTTP POST transaction.  SSL connect error

Looking up that NSS error, it seems to indicate a SSL protocol error.
Looking at my FreeIPA webserver configuration, I'm allowing TLSv1.0,
TLSv1.1, TLSv1.2:

The oddest part is that, from the client, I can use wget to connect to the
IPA server, but can not use curl:

[root@hostname ~]# wget --no-check-certificate https://ds02.domain.com
--2016-04-05 17:42:50--  https://ds02.domain.com/
Resolving ds02.domain.com... 192.168.150.2
Connecting to ds02.domain.com|192.168.150.2|:443... connected.
WARNING: cannot verify ds02.domain.com’s certificate, issued by “/O=
IPA.DOMAIN.COM/CN=Certificate Authority”:
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://ds02.domain.com/ipa/ui [following]


[root@hostname ~]# curl -v -k https://ds02.domain.com/
* About to connect() to ds02.domain.com port 443 (#0)
*   Trying 192.168.150.2... connected
* Connected to ds02.domain.com (192.168.150.2) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* warning: ignoring value of ssl.verifyhost
* NSS error -12190
* Closing connection #0
* SSL connect error
curl: (35) SSL connect error

However, the same curl command, run from another C7 host, works just fine.
Something incompatible in the NSS libraries maybe?

Thanks for any help you can provide!

Jeremy