Re: [Freeipa-users] DS failed after upgrade
Hi all, Either I was to worn out last night, or another update has happened. This morning the directory server did start after the update. local dns zones however where not available again after the update ipa-ldap-updater did not help to fix it. The are again only 7 DNS aci objects are still in the ds.( same as before when it failed ) I also noticed that there are also quite a lot lower case dns aci objects. Rob 2014-11-07 10:25 GMT+01:00 Martin Basti : > Changed subject. > Rob CCed > > On 07/11/14 09:52, Martin Basti wrote: > > Forward message back to list > > > Original Message Subject: Re: [Freeipa-users] dns > stops working after upgrade Date: Thu, 6 Nov 2014 21:42:55 +0100 From: Rob > VerduijnTo: Martin > Basti > > Hi again, > > I tried the update to 4.1.1 > It didn't went well, actually it went worse than to 4.1. > Now the directory service went down and was no longer able to start. > > Some part of the logs is below. > Besides the warnings about a weak cipher there was not much in the > journalctl. > > It's getting late overhere, I'll dig into the logs tomorrow. > > Rob > > Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Starting 389 Directory > Server TJAKO-THUIS > Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Started 389 Directory > Server TJAKO-THUIS.. > Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 > +0100] - SSL alert: Cipher rsa_rc4_128_md5 is weak. It is enabled since > allowWeakCipher is "on" (default setting for the backward compatibility). > We strongly recommend to set it to "off". Please replace the value of > allowWeakCipher with "off" in the encryption config entry > cn=encryption,cn=config and restart the server. > Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 > +0100] - SSL alert: Cipher rsa_rc4_40_md5 is weak. It is enabled since > allowWeakCipher is "on" (default setting for the backward compatibility). > We strongly recommend to set it to "off". Please replace the value of > allowWeakCipher with "off" in the encryption config entry > cn=encryption,cn=config and restart the server. > Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 > +0100] - SSL alert: Cipher rsa_rc2_40_md5 is weak. It is enabled since > allowWeakCipher is "on" (default setting for the backward compatibility). > We strongly recommend to set it to "off". Please replace the value of > allowWeakCipher with "off" in the encryption config entry > cn=encryption,cn=config and restart the server. > Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 > +0100] - SSL alert: Cipher rsa_des_sha is weak. It is enabled since > allowWeakCipher is "on" (default setting for the backward compatibility). > We strongly recommend to set it to "off". Please replace the value of > allowWeakCipher with "off" in the encryption config entry > cn=encryption,cn=config and restart the server. > Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 > +0100] - SSL alert: Cipher rsa_fips_des_sha is weak. It is enabled since > allowWeakCipher is "on" (default setting for the backward compatibility). > We strongly recommend to set it to "off". Please replace the value of > allowWeakCipher with "off" in the encryption config entry > cn=encryption,cn=config and restart the server. > Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 > +0100] - SSL alert: Cipher rsa_3des_sha is weak. It is enabled since > allowWeakCipher is "on" (default setting for the backward compatibility). > We strongly recommend to set it to "off". Please replace the value of > allowWeakCipher with "off" in the encryption config entry > cn=encryption,cn=config and restart the server. > Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 > +0100] - SSL alert: Cipher rsa_fips_3des_sha is weak. It is enabled since > allowWeakCipher is "on" (default setting for the backward compatibility). > We strongly recommend to set it to "off". Please replace the value of > allowWeakCipher with "off" in the encryption config entry > cn=encryption,cn=config and restart the server. > Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 > +0100] - SSL alert: Cipher suite fortezza is not available in NSS 3.17. > Ignoring fortezza > Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 > +0100] - SSL alert: Cipher suite fortezza_rc4_128_sha is not available in > NSS 3.17. Ignoring fortezza_rc4_128_sha > Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 > +0100] - SSL alert: Cipher suite fortezza_null is not available in NSS > 3.17. Ignoring fortezza_null > Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 > +0100] - SSL alert: Cipher tls_rsa_export1024_with_rc4_56_sha is weak. It > is enabled since allowWeakCipher is "on" (default setting for the backward > compatibility). We strongly recom
Re: [Freeipa-users] DS failed after upgrade
Changed subject. Rob CCed On 07/11/14 09:52, Martin Basti wrote: Forward message back to list Original Message Subject:Re: [Freeipa-users] dns stops working after upgrade Date: Thu, 6 Nov 2014 21:42:55 +0100 From: Rob Verduijn To: Martin Basti Hi again, I tried the update to 4.1.1 It didn't went well, actually it went worse than to 4.1. Now the directory service went down and was no longer able to start. Some part of the logs is below. Besides the warnings about a weak cipher there was not much in the journalctl. It's getting late overhere, I'll dig into the logs tomorrow. Rob Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Starting 389 Directory Server TJAKO-THUIS Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Started 389 Directory Server TJAKO-THUIS.. Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_rc4_128_md5 is weak. It is enabled since allowWeakCipher is "on" (default setting for the backward compatibility). We strongly recommend to set it to "off". Please replace the value of allowWeakCipher with "off" in the encryption config entry cn=encryption,cn=config and restart the server. Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_rc4_40_md5 is weak. It is enabled since allowWeakCipher is "on" (default setting for the backward compatibility). We strongly recommend to set it to "off". Please replace the value of allowWeakCipher with "off" in the encryption config entry cn=encryption,cn=config and restart the server. Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_rc2_40_md5 is weak. It is enabled since allowWeakCipher is "on" (default setting for the backward compatibility). We strongly recommend to set it to "off". Please replace the value of allowWeakCipher with "off" in the encryption config entry cn=encryption,cn=config and restart the server. Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_des_sha is weak. It is enabled since allowWeakCipher is "on" (default setting for the backward compatibility). We strongly recommend to set it to "off". Please replace the value of allowWeakCipher with "off" in the encryption config entry cn=encryption,cn=config and restart the server. Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_fips_des_sha is weak. It is enabled since allowWeakCipher is "on" (default setting for the backward compatibility). We strongly recommend to set it to "off". Please replace the value of allowWeakCipher with "off" in the encryption config entry cn=encryption,cn=config and restart the server. Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_3des_sha is weak. It is enabled since allowWeakCipher is "on" (default setting for the backward compatibility). We strongly recommend to set it to "off". Please replace the value of allowWeakCipher with "off" in the encryption config entry cn=encryption,cn=config and restart the server. Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_fips_3des_sha is weak. It is enabled since allowWeakCipher is "on" (default setting for the backward compatibility). We strongly recommend to set it to "off". Please replace the value of allowWeakCipher with "off" in the encryption config entry cn=encryption,cn=config and restart the server. Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite fortezza is not available in NSS 3.17. Ignoring fortezza Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite fortezza_rc4_128_sha is not available in NSS 3.17. Ignoring fortezza_rc4_128_sha Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite fortezza_null is not available in NSS 3.17. Ignoring fortezza_null Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher tls_rsa_export1024_with_rc4_56_sha is weak. It is enabled since allowWeakCipher is "on" (default setting for the backward compatibility). We strongly recommend to set it to "off". Please replace the value of allowWeakCipher with "off" in the encryption config entry cn=encryption,cn=config and restart the server. Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: [06/Nov/2014:21:34:59 +0100] - SSL alert: Cipher tls_rsa_export1024_with_des_cbc_sha is weak. It is enabled since allowWeakCipher is "on" (default setting for the backward compatibility). We strongly recommend to set it to "off". Please replace the value of allowWeakCipher with "off" in the encryption config entry cn=encryption,cn=config and restart the
