Hello,
I'm trying to add a RHEL 8.1 client with the following spec:
OS: RHEL 8.1 (Ootpa)
IPA: ipa-client-4.8.0-10
SSSD: sssd-2.2.0-19.el8.x86_64
My IDM server has:
OS: RHEL 7.7 (Maipo)
IPA: ipa-server-4.6.5-11.el7_7.3
SSSD: sssd-1.16.4-21.el7_7.1
When I try to add the client using "ipa-client-install" I get the error:
This program will set up IPA client.
Version 4.8.0
Discovery was successful!
Do you want to configure chrony with NTP server or pool address? [no]:
Client hostname: client01.svc.domain.org
Realm: IPA.DOMAIN.ORG
DNS Domain: ipa.domain.org
IPA Server: icidmpdc1.ipa.domain.org
BaseDN: dc=ipa,dc=domain,dc=org
Continue to configure the system with these values? [no]: yes
Synchronizing time
Configuration of chrony was changed by installer.
Attempting to sync time with chronyc.
Time synchronization was successful.
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.DOMAIN.ORG
Issuer: CN=Certificate Authority,O=IPA.DOMAIN.ORG
Valid From: 2016-03-04 15:13:38
Valid Until: 2036-03-04 15:13:38
Joining realm failed: Unable to initialize STARTTLS session
Failed to bind to server!
Retrying with pre-4.0 keytab retrieval method...
Unable to initialize STARTTLS session
Failed to bind to server!
Failed to get keytab
child exited with 9
Installation failed. Rolling back changes.
Disabling client Kerberos and LDAP configurations
Restoring client configuration files
nslcd daemon is not installed, skip configuration
Client uninstall complete.
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
The entire debug log is attached. It fails doing the "join". It doesn't happen when I add a RHEL 7.x client, and I think it was also working with RHEL 8.0. Can anyone please let me know why it is not working?
Thanks & Regards.
On 1/9/20 4:07 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:
Hi,
can you paste the content of /var/log/dirsrv/slapd-<DOMAIN>/errors (on the master) that is related to SSL:
- INFO - Security Initialization - SSL info: Enabling default cipher set.
- INFO - Security Initialization - SSL info: Configured NSS Ciphers
- INFO - Security Initialization - SSL info: TLS_AES_128_GCM_SHA256: enabled
[... list of all ciphers]
- INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
- INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.3
The full list of ciphers and the SSL range may help understand the issue.
flo
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Hello,
The list of ciphers seems OK (it is the one shown in the debug logs: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled"), and also the SSL version range is from TLS1.0 to TLS1.3. I have also added lines with 'ERR' or 'WARN':
[10/Jan/2020:08:53:57.993429356 +0100] - ERR - oc_check_allowed_sv - Entry "cn=encryption,cn=config" -- attribute "CACertExtractFile" not allowed
[10/Jan/2020:08:53:57.999532781 +0100] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
[10/Jan/2020:08:53:58.005282229 +0100] - INFO - slapd_extract_cert - SERVER CERT NAME: Server-Cert
[10/Jan/2020:08:53:58.013492586 +0100] - INFO - Security Initialization - SSL info: Enabling default cipher set.
[10/Jan/2020:08:53:58.021112518 +0100] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
[10/Jan/2020:08:53:58.023818570 +0100] - INFO - Security Initialization - SSL info: TLS_AES_128_GCM_SHA256: enabled
[10/Jan/2020:08:53:58.025012562 +0100] - INFO - Security Initialization - SSL info: TLS_CHACHA20_POLY1305_SHA256: enabled
[10/Jan/2020:08:53:58.026865854 +0100] - INFO - Security Initialization - SSL info: TLS_AES_256_GCM_SHA384: enabled
[10/Jan/2020:08:53:58.027909825 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
[10/Jan/2020:08:53:58.028910559 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[10/Jan/2020:08:53:58.030192210 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[10/Jan/2020:08:53:58.032707645 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[10/Jan/2020:08:53:58.038511038 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[10/Jan/2020:08:53:58.042101912 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[10/Jan/2020:08:53:58.047331242 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[10/Jan/2020:08:53:58.053222255 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[10/Jan/2020:08:53:58.059417443 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[10/Jan/2020:08:53:58.065215952 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[10/Jan/2020:08:53:58.066816630 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[10/Jan/2020:08:53:58.070814501 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[10/Jan/2020:08:53:58.076808934 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[10/Jan/2020:08:53:58.082326398 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[10/Jan/2020:08:53:58.085812594 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[10/Jan/2020:08:53:58.088603987 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[10/Jan/2020:08:53:58.095429780 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[10/Jan/2020:08:53:58.097605520 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[10/Jan/2020:08:53:58.099003065 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[10/Jan/2020:08:53:58.101106312 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
[10/Jan/2020:08:53:58.102701393 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[10/Jan/2020:08:53:58.105723970 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[10/Jan/2020:08:53:58.107107490 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[10/Jan/2020:08:53:58.110522147 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[10/Jan/2020:08:53:58.113200222 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[10/Jan/2020:08:53:58.126201090 +0100] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.3
...
[10/Jan/2020:08:54:02.128378609 +0100] - WARN - default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
...
[10/Jan/2020:08:54:02.268900495 +0100] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
[10/Jan/2020:08:54:02.283005210 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.284850029 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.291534216 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.296575693 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.300672868 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.306498604 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.312925397 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.316251285 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.318903023 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.324020591 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.327893713 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.334512981 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.338954980 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.341830396 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.343118609 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.346506279 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.359003489 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.361548258 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.449783407 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[10/Jan/2020:08:54:02.489813637 +0100] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
[10/Jan/2020:08:54:02.498610374 +0100] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
[10/Jan/2020:08:54:02.502099316 +0100] - INFO - slapd_daemon - Listening on /var/run/slapd-IPA-DOMAIN-ORG.socket for LDAPI requests
[10/Jan/2020:08:54:02.506101255 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/server2.ipa.domain.org@IPA.DOMAIN.ORG] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[10/Jan/2020:08:54:02.560926332 +0100] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[10/Jan/2020:08:54:11.584790390 +0100] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=ipa,dc=domain,dc=org
[10/Jan/2020:08:54:11.592447129 +0100] - ERR - schema-compat-plugin - Finished plugin initialization.
On the client side, it seems it is also available:
[root@client01 ~]# openssl ciphers -v | grep ECDHE-RSA-AES256-GCM
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
Thanks & Regards.
-----Original Message-----
From: Florence Blanc-Renaud flo@redhat.com
Sent: Thursday, January 09, 2020 21:06
To: FreeIPA users list freeipa-users@lists.fedorahosted.org
Cc: SOLER SANGUESA Miguel solerm@unicc.org
Subject: Re: [Freeipa-users] Problem adding a RHEL 8.1 client
Hello again,
I have tried to create a connection with the cipher that is used on the client install and I get this:
[root@client01 ~]# openssl s_client -connect server2.ipa.domain.org:636 -cipher ECDHE-RSA-AES256-GCM-SHA384
CONNECTED(00000003)
depth=1 O = IPA.DOMAIN.ORG, CN = Certificate Authority
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 O = IPA.DOMAIN.ORG, CN = Certificate Authority
verify return:1
depth=0 O = IPA.DOMAIN.ORG, CN = server2.ipa.domain.org
verify return:1
---
Certificate chain
 0 s:O = IPA.DOMAIN.ORG, CN = server2.ipa.domain.org
   i:O = IPA.DOMAIN.ORG, CN = Certificate Authority
 1 s:O = IPA.DOMAIN.ORG, CN = Certificate Authority
   i:O = IPA.DOMAIN.ORG, CN = Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEtTCCA52gAwIBAgIED/8BuzANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1J
....
3Z4Moyqlg+wT
-----END CERTIFICATE-----
subject=O = IPA.DOMAIN.ORG, CN = server2.ipa.domain.org
issuer=O = IPA.DOMAIN.ORG, CN = Certificate Authority
---
Acceptable client certificate CA names
O = IPA.DOMAIN.ORG, CN = Certificate Authority
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2734 bytes and written 365 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256   <------- Changes the cipher, but it is also enabled on the server side.
Server public key is 2048 bit
Secure Renegotiation IS NOT supported   <------------- ????
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 19 (self signed certificate in certificate chain)
---
Executing the same command on RHEL 7, I don't get the err=19 (self-signed certificate complaint); also the "Shared Requested Signature Algorithms" list is longer and the "Server Temp Key" is different:
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA1
Server Temp Key: ECDH, P-256, 256 bits
Thanks & Regards.
-----Original Message-----
From: SOLER SANGUESA Miguel
Sent: Friday, January 10, 2020 10:26
To: Florence Blanc-Renaud flo@redhat.com; FreeIPA users list freeipa-users@lists.fedorahosted.org
Subject: RE: [Freeipa-users] Problem adding a RHEL 8.1 client
It seems that I have found the problem. It is TLSv1.3; I have tried to connect with TLSv1.2 and the connection was OK:
[root@client01 ~]# openssl s_client -connect server2.ipa.unicc.org:636 -tls1_2
...
Client Certificate Types: RSA sign, ECDSA sign, DSA sign
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA1
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2694 bytes and written 339 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: B1CA329B2A6E4B33F8850112EDCE76273A47C407526C4CC6497FAF05322031C2
    Session-ID-ctx:
    Master-Key: 0443C4A385C5445DB9B17CA6C6C463B686EBA71D60C451276970AE0892C574E19B899FCB653840E1DA7C0B0E1458FF65
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1578655322
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: no
---
Do you know why it is not working with TLSv1.3 and how I can fix it? I still have no luck with adding the server to IDM. I have followed the workaround described here: https://bugzilla.redhat.com/show_bug.cgi?id=1685470
Now if I test the connection with:
openssl s_client -connect server2.ipa.unicc.org:636
it connects using TLSv1.2, but the join to IDM is still not working.
Thanks & Regards.
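The installer output in this thread fails with "Unable to initialize STARTTLS session", i.e. the join upgrades a plain LDAP connection on port 389 with the StartTLS extended operation, whereas the s_client checks in this message go to the LDAPS port 636. The script below is an added example (not code from this thread, FreeIPA or 389-ds) that performs the StartTLS exchange itself and then completes the TLS handshake under a chosen version ceiling, so TLS 1.2 and TLS 1.3 can be compared on the same path the installer uses. The host name server2.ipa.domain.org and the CA file path /etc/ipa/ca.crt are assumptions; the response bytes in the SAMPLE_* constants are constructed, not captured from a real server.

```python
"""Probe an LDAP server's StartTLS path with a chosen TLS version ceiling.

Added example, not code from this thread, FreeIPA or 389-ds. It speaks the LDAP
StartTLS extended operation (RFC 4511) on port 389, then negotiates TLS with a
caller-chosen maximum version and reports what was negotiated. The host name and
CA path used in main() are assumptions; SAMPLE_* bytes are constructed.
"""
import socket
import ssl
from typing import Optional, Tuple

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # StartTLS extended-operation OID (RFC 4511 4.14)

# Constructed sample ExtendedResponse messages (BER), not captured from any server:
#   success: messageID 1, resultCode 0, empty matchedDN and errorMessage
SAMPLE_STARTTLS_OK = bytes.fromhex("300c02010178070a010004000400")
#   failure: messageID 2, resultCode 1 (operationsError), errorMessage "no TLS"
SAMPLE_STARTTLS_FAIL = bytes.fromhex("3012020102780d0a0101040004066e6f20544c53")


def build_starttls_request(message_id: int = 1) -> bytes:
    """BER-encode LDAPMessage { messageID, ExtendedRequest { requestName = StartTLS } }."""
    if not 0 <= message_id <= 127:
        raise ValueError("this example only encodes single-byte message ids")
    request_name = b"\x80" + bytes([len(STARTTLS_OID)]) + STARTTLS_OID   # [0] requestName
    ext_req = b"\x77" + bytes([len(request_name)]) + request_name        # [APPLICATION 23]
    body = b"\x02\x01" + bytes([message_id]) + ext_req                   # INTEGER messageID
    return b"\x30" + bytes([len(body)]) + body                           # SEQUENCE


def parse_extended_response(data: bytes) -> Tuple[int, int, str]:
    """Return (messageID, resultCode, errorMessage) from a short-form BER ExtendedResponse."""
    if len(data) < 2 or data[0] != 0x30 or data[1] & 0x80:
        raise ValueError("expected an LDAPMessage SEQUENCE with a short-form length")
    body = data[2:2 + data[1]]
    if body[:2] != b"\x02\x01" or body[3] != 0x78:      # 1-byte INTEGER id, [APPLICATION 24]
        raise ValueError("not a single-byte-id ExtendedResponse")
    resp = body[5:5 + body[4]]
    if resp[0] != 0x0A:                                  # ENUMERATED resultCode
        raise ValueError("missing resultCode")
    result_code = resp[2]
    pos = 2 + resp[1]                                    # skip resultCode
    pos += 2 + resp[pos + 1]                             # skip matchedDN OCTET STRING
    error_message = resp[pos + 2:pos + 2 + resp[pos + 1]].decode("utf-8", "replace")
    return body[2], result_code, error_message


def make_context(max_version: str, cafile: Optional[str]) -> ssl.SSLContext:
    """Client context that verifies the server against cafile and caps the protocol.

    max_version is an ssl.TLSVersion member name such as "TLSv1_2" or "TLSv1_3".
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion[max_version]
    return ctx


def starttls_probe(host: str, port: int, max_version: str,
                   cafile: Optional[str], timeout: float = 5.0) -> dict:
    """Connect in clear, request StartTLS, then complete the TLS handshake."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        _, code, err = parse_extended_response(sock.recv(4096))
        if code != 0:
            return {"starttls_result": code, "error": err}
        tls = make_context(max_version, cafile).wrap_socket(sock, server_hostname=host)
        with tls:
            return {"starttls_result": 0, "protocol": tls.version(), "cipher": tls.cipher()[0]}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "server2.ipa.domain.org"   # assumed, from the thread
    cafile = sys.argv[2] if len(sys.argv) > 2 else "/etc/ipa/ca.crt"       # assumed CA file location
    for ceiling in ("TLSv1_2", "TLSv1_3"):
        try:
            print(ceiling, starttls_probe(host, 389, ceiling, cafile))
        except (OSError, ValueError) as exc:     # ssl.SSLError is an OSError subclass
            print(ceiling, "failed:", exc)
```

Because the CA file is passed in, a failure is reported as a TLS-level error rather than the "self signed certificate in certificate chain" verify code 19 that s_client prints when it is run without -CAfile; that code only says the private IPA CA was not supplied to s_client and is not by itself a cause of the join failure. OpenSSL 1.1.1's s_client can exercise the same path interactively with -starttls ldap -connect host:389 together with -tls1_2 or -tls1_3.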
-----Original Message----- From: SOLER SANGUESA Miguel Sent: Friday, January 10, 2020 10:46 To: Florence Blanc-Renaud flo@redhat.com; FreeIPA users list freeipa-users@lists.fedorahosted.org Subject: RE: [Freeipa-users] Problem adding a RHEL 8.1 client
Hello again,
I have tried to create a connection with the cipher that is used on the client install and I get this:
[root@client01 ~]# openssl s_client -connect server2.ipa.domain.org:636 -cipher ECDHE-RSA-AES256-GCM-SHA384
CONNECTED(00000003)
depth=1 O = IPA.DOMAIN.ORG, CN = Certificate Authority
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 O = IPA.DOMAIN.ORG, CN = Certificate Authority
verify return:1
depth=0 O = IPA.DOMAIN.ORG, CN = server2.ipa.domain.org
verify return:1
---
Certificate chain
 0 s:O = IPA.DOMAIN.ORG, CN = server2.ipa.domain.org
   i:O = IPA.DOMAIN.ORG, CN = Certificate Authority
 1 s:O = IPA.DOMAIN.ORG, CN = Certificate Authority
   i:O = IPA.DOMAIN.ORG, CN = Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIEtTCCA52gAwIBAgIED/8BuzANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1J
....
3Z4Moyqlg+wT
-----END CERTIFICATE-----
subject=O = IPA.DOMAIN.ORG, CN = server2.ipa.domain.org
issuer=O = IPA.DOMAIN.ORG, CN = Certificate Authority
---
Acceptable client certificate CA names
O = IPA.DOMAIN.ORG, CN = Certificate Authority
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2734 bytes and written 365 bytes
Verification error: self signed certificate in certificate chain
---
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256    <------- Changes the cipher, but it is also enabled on server side.
Server public key is 2048 bit
Secure Renegotiation IS NOT supported    <------------- ????
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 19 (self signed certificate in certificate chain)
---
Executing the same command on RHEL 7, I don't get the err=19 (self signed certificate complaint); also the "Shared Requested Signature Algorithms" are more and the "Server Temp Key" is different:
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA1
Server Temp Key: ECDH, P-256, 256 bits
Thanks & Regards.
-----Original Message----- From: SOLER SANGUESA Miguel Sent: Friday, January 10, 2020 10:26 To: Florence Blanc-Renaud flo@redhat.com; FreeIPA users list freeipa-users@lists.fedorahosted.org Subject: RE: [Freeipa-users] Problem adding a RHEL 8.1 client
Hello,
The list of ciphers seems OK (it is the one shown in the debug logs: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled"), and also the SSL version range is from TLS1.0 to TLS1.3. I have also added lines with 'ERR' or 'WARN':
[10/Jan/2020:08:53:57.993429356 +0100] - ERR - oc_check_allowed_sv - Entry "cn=encryption,cn=config" -- attribute "CACertExtractFile" not allowed
[10/Jan/2020:08:53:57.999532781 +0100] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
[10/Jan/2020:08:53:58.005282229 +0100] - INFO - slapd_extract_cert - SERVER CERT NAME: Server-Cert
[10/Jan/2020:08:53:58.013492586 +0100] - INFO - Security Initialization - SSL info: Enabling default cipher set.
[10/Jan/2020:08:53:58.021112518 +0100] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
[10/Jan/2020:08:53:58.023818570 +0100] - INFO - Security Initialization - SSL info: TLS_AES_128_GCM_SHA256: enabled
[10/Jan/2020:08:53:58.025012562 +0100] - INFO - Security Initialization - SSL info: TLS_CHACHA20_POLY1305_SHA256: enabled
[10/Jan/2020:08:53:58.026865854 +0100] - INFO - Security Initialization - SSL info: TLS_AES_256_GCM_SHA384: enabled
[10/Jan/2020:08:53:58.027909825 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
[10/Jan/2020:08:53:58.028910559 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[10/Jan/2020:08:53:58.030192210 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[10/Jan/2020:08:53:58.032707645 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[10/Jan/2020:08:53:58.038511038 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[10/Jan/2020:08:53:58.042101912 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[10/Jan/2020:08:53:58.047331242 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[10/Jan/2020:08:53:58.053222255 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[10/Jan/2020:08:53:58.059417443 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[10/Jan/2020:08:53:58.065215952 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[10/Jan/2020:08:53:58.066816630 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[10/Jan/2020:08:53:58.070814501 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[10/Jan/2020:08:53:58.076808934 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[10/Jan/2020:08:53:58.082326398 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[10/Jan/2020:08:53:58.085812594 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[10/Jan/2020:08:53:58.088603987 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[10/Jan/2020:08:53:58.095429780 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[10/Jan/2020:08:53:58.097605520 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[10/Jan/2020:08:53:58.099003065 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[10/Jan/2020:08:53:58.101106312 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
[10/Jan/2020:08:53:58.102701393 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[10/Jan/2020:08:53:58.105723970 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[10/Jan/2020:08:53:58.107107490 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[10/Jan/2020:08:53:58.110522147 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[10/Jan/2020:08:53:58.113200222 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[10/Jan/2020:08:53:58.126201090 +0100] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.3
...
[10/Jan/2020:08:54:02.128378609 +0100] - WARN - default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
...
[10/Jan/2020:08:54:02.268900495 +0100] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
[10/Jan/2020:08:54:02.283005210 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.284850029 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.291534216 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.296575693 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.300672868 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.306498604 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.312925397 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.316251285 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.318903023 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.324020591 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.327893713 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.334512981 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.338954980 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.341830396 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.343118609 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.346506279 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.359003489 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.361548258 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.449783407 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[10/Jan/2020:08:54:02.489813637 +0100] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
[10/Jan/2020:08:54:02.498610374 +0100] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
[10/Jan/2020:08:54:02.502099316 +0100] - INFO - slapd_daemon - Listening on /var/run/slapd-IPA-DOMAIN-ORG.socket for LDAPI requests
[10/Jan/2020:08:54:02.506101255 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/server2.ipa.domain.org@IPA.DOMAIN.ORG] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[10/Jan/2020:08:54:02.560926332 +0100] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[10/Jan/2020:08:54:11.584790390 +0100] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=ipa,dc=domain,dc=org
[10/Jan/2020:08:54:11.592447129 +0100] - ERR - schema-compat-plugin - Finished plugin initialization.
On the client side, it seems it is also available:
[root@client01 ~]# openssl ciphers -v | grep ECDHE-RSA-AES256-GCM
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
Thanks & Regards.
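Florence's request for the SSL-related lines of the dirsrv errors log and the startup excerpt pasted in this message both turn on the same two facts that 389-ds records at startup: the configured SSL version range and the list of enabled cipher suites. The following is an added example (not code from this thread, 389-ds or FreeIPA) that parses those "Security Initialization" lines and answers the questions raised here: whether the server will negotiate TLS 1.3 at all, whether the suite the client picked (given in OpenSSL spelling, as s_client and "openssl ciphers" print it) is enabled in NSS spelling, and which enabled suites still use static RSA key exchange or CBC mode. SAMPLE_LOG is constructed from lines quoted in this thread, and the OpenSSL-to-IANA name table is a hand-maintained subset.

```python
"""Summarise the TLS configuration a 389-ds instance logs at startup.

Added example, not code from this thread, 389-ds or FreeIPA. It reads the
"Security Initialization" lines from /var/log/dirsrv/slapd-<DOMAIN>/errors and
reports the protocol range, whether a given suite is enabled, and which enabled
suites are legacy. SAMPLE_LOG is constructed from lines quoted in the thread.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of the startup lines quoted in the thread.
SAMPLE_LOG = """\
[10/Jan/2020:08:53:58.013492586 +0100] - INFO - Security Initialization - SSL info: Enabling default cipher set.
[10/Jan/2020:08:53:58.021112518 +0100] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
[10/Jan/2020:08:53:58.023818570 +0100] - INFO - Security Initialization - SSL info: TLS_AES_128_GCM_SHA256: enabled
[10/Jan/2020:08:53:58.027909825 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
[10/Jan/2020:08:53:58.042101912 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[10/Jan/2020:08:53:58.110522147 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[10/Jan/2020:08:53:58.126201090 +0100] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.3
[10/Jan/2020:08:54:02.506101255 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/server2.ipa.domain.org@IPA.DOMAIN.ORG] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
"""

CIPHER_RE = re.compile(r"SSL info: (TLS_[A-Z0-9_]+): (enabled|disabled)")
RANGE_RE = re.compile(r"Configured SSL version range: min: (\S+), max: (\S+)")

# IANA names of the TLS 1.3 suites; every other suite in the log is a TLS <= 1.2 suite.
TLS13_SUITES = {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256"}

# Hand-maintained subset mapping OpenSSL suite names to the IANA names 389-ds (NSS) logs.
OPENSSL_TO_IANA = {
    "ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "AES128-SHA": "TLS_RSA_WITH_AES_128_CBC_SHA",
}


def parse_ssl_init(log_text: str) -> Tuple[Optional[Tuple[str, str]], Dict[str, bool]]:
    """Return (version_range, {iana_suite: enabled}) for the most recent startup in log_text."""
    ciphers: Dict[str, bool] = {}
    version_range: Optional[Tuple[str, str]] = None
    for line in log_text.splitlines():
        if "Enabling default cipher set" in line:
            ciphers, version_range = {}, None        # a new startup supersedes the previous one
        m = CIPHER_RE.search(line)
        if m:
            ciphers[m.group(1)] = m.group(2) == "enabled"
            continue
        m = RANGE_RE.search(line)
        if m:
            version_range = (m.group(1), m.group(2))
    return version_range, ciphers


def cipher_enabled(ciphers: Dict[str, bool], suite: str) -> Optional[bool]:
    """True/False for a suite named in OpenSSL or IANA form; None if the log never lists it."""
    return ciphers.get(OPENSSL_TO_IANA.get(suite, suite))


def accepts_tls13(version_range: Optional[Tuple[str, str]], ciphers: Dict[str, bool]) -> bool:
    """A TLS 1.3 handshake needs max TLS1.3 in the range and at least one 1.3 suite enabled."""
    if version_range is None or version_range[1] != "TLS1.3":
        return False
    return any(ciphers.get(s, False) for s in TLS13_SUITES)


def legacy_suites(ciphers: Dict[str, bool]) -> List[str]:
    """Enabled suites with static RSA key exchange or CBC mode, worth reviewing alongside a TLS1.0 minimum."""
    return sorted(name for name, on in ciphers.items()
                  if on and (name.startswith("TLS_RSA_WITH_") or "_CBC_" in name))


def main(path: str) -> None:
    with open(path, encoding="utf-8", errors="replace") as fh:
        version_range, ciphers = parse_ssl_init(fh.read())
    print("version range:", version_range)
    print("TLS 1.3 negotiable:", accepts_tls13(version_range, ciphers))
    print("client's suite enabled:", cipher_enabled(ciphers, "ECDHE-RSA-AES256-GCM-SHA384"))
    print("static-RSA or CBC suites enabled:", legacy_suites(ciphers))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        main(sys.argv[1])            # e.g. /var/log/dirsrv/slapd-<DOMAIN>/errors on the master
    else:
        rng, enabled = parse_ssl_init(SAMPLE_LOG)
        print(rng, accepts_tls13(rng, enabled), legacy_suites(enabled))
```

Run against the real errors file on the master to get the same summary for the full list; a suite that returns None from cipher_enabled simply never appears in the log, which is a different finding from one logged as disabled.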
Hi,
can you try to run the following on the client:
$ update-crypto-policies --set LEGACY
then retry the client install?
(This is a workaround described in https://access.redhat.com/articles/3642912. RHEL8 enables less ciphersuites and protocols)
flo
On 1/10/20 12:49 PM, SOLER SANGUESA Miguel wrote:
Seems that I have found the problem. It is TLSv1.3, I have tried to connect with TLSv1.2 and connection was OK: [root@client01 ~]# openssl s_client -connect server2.ipa.unicc.org:636 -tls1_2 ... Client Certificate Types: RSA sign, ECDSA sign, DSA sign Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA1 Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA1 Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: X25519, 253 bits
SSL handshake has read 2694 bytes and written 339 bytes Verification error: self signed certificate in certificate chain
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384 Server public key is 2048 bit Secure Renegotiation IS supported Compression: NONE Expansion: NONE No ALPN negotiated SSL-Session: Protocol : TLSv1.2 Cipher : ECDHE-RSA-AES256-GCM-SHA384 Session-ID: B1CA329B2A6E4B33F8850112EDCE76273A47C407526C4CC6497FAF05322031C2 Session-ID-ctx: Master-Key: 0443C4A385C5445DB9B17CA6C6C463B686EBA71D60C451276970AE0892C574E19B899FCB653840E1DA7C0B0E1458FF65 PSK identity: None PSK identity hint: None SRP username: None Start Time: 1578655322 Timeout : 7200 (sec) Verify return code: 19 (self signed certificate in certificate chain) Extended master secret: no
Do you know why it is not working with TLSv1.3 and how can I fix it? I have still no luck with adding the server to IDM. I have followed the workaround described here: https://bugzilla.redhat.com/show_bug.cgi?id=1685470
now if I test the connection with: openssl s_client -connect server2.ipa.unicc.org:636
It connects using TLSv1.2, but it still not working the join to IDM.
Thanks & Regards.
-----Original Message----- From: SOLER SANGUESA Miguel Sent: Friday, January 10, 2020 10:46 To: Florence Blanc-Renaud flo@redhat.com; FreeIPA users list freeipa-users@lists.fedorahosted.org Subject: RE: [Freeipa-users] Problem adding a RHEL 8.1 client
Hello again,
I have tried to create a connection with the cipher is used on the client install and I get this: [root@client01 ~]# openssl s_client -connect server2.ipa.domain.org:636 -cipher ECDHE-RSA-AES256-GCM-SHA384 CONNECTED(00000003) depth=1 O = IPA.DOMAIN.ORG, CN = Certificate Authority verify error:num=19:self signed certificate in certificate chain verify return:1 depth=1 O = IPA.DOMAIN.ORG, CN = Certificate Authority verify return:1 depth=0 O = IPA.DOMAIN.ORG, CN = server2.ipa.domain.org verify return:1
Certificate chain 0 s:O = IPA.DOMAIN.ORG, CN = server2.ipa.domain.org i:O = IPA.DOMAIN.ORG, CN = Certificate Authority 1 s:O = IPA.DOMAIN.ORG, CN = Certificate Authority i:O = IPA.DOMAIN.ORG, CN = Certificate Authority
Server certificate -----BEGIN CERTIFICATE----- MIIEtTCCA52gAwIBAgIED/8BuzANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1J .... 3Z4Moyqlg+wT -----END CERTIFICATE----- subject=O = IPA.DOMAIN.ORG, CN = server2.ipa.domain.org
issuer=O = IPA.DOMAIN.ORG, CN = Certificate Authority
Acceptable client certificate CA names O = IPA.DOMAIN.ORG, CN = Certificate Authority Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA1 Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512 Peer signing digest: SHA256 Peer signature type: RSA-PSS Server Temp Key: X25519, 253 bits
SSL handshake has read 2734 bytes and written 365 bytes Verification error: self signed certificate in certificate chain
New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256 <------- Changes the cipher, but it is also enbled on server side. Server public key is 2048 bit Secure Renegotiation IS NOT supported <------------- ???? Compression: NONE Expansion: NONE No ALPN negotiated Early data was not sent Verify return code: 19 (self signed certificate in certificate chain)
Executing the same command on a RHEL 7 I don't have the err=19 (self signed certificate complain), also the " Shared Requested Signature Algorithms" are more and " Server Temp Key" different: Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA1 Server Temp Key: ECDH, P-256, 256 bits
Thanks & Regards.
-----Original Message----- From: SOLER SANGUESA Miguel Sent: Friday, January 10, 2020 10:26 To: Florence Blanc-Renaud flo@redhat.com; FreeIPA users list freeipa-users@lists.fedorahosted.org Subject: RE: [Freeipa-users] Problem adding a RHEL 8.1 client
Hello,
The list of ciphers seems OK (it is the one showed on the debug logs: " TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled"), and also the SSL version range is from TLS1.0 to TLS1.3. I have also added lines with 'ERR' or 'WARN': [10/Jan/2020:08:53:57.993429356 +0100] - ERR - oc_check_allowed_sv - Entry "cn=encryption,cn=config" -- attribute "CACertExtractFile" not allowed [10/Jan/2020:08:53:57.999532781 +0100] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password. [10/Jan/2020:08:53:58.005282229 +0100] - INFO - slapd_extract_cert - SERVER CERT NAME: Server-Cert [10/Jan/2020:08:53:58.013492586 +0100] - INFO - Security Initialization - SSL info: Enabling default cipher set. [10/Jan/2020:08:53:58.021112518 +0100] - INFO - Security Initialization - SSL info: Configured NSS Ciphers [10/Jan/2020:08:53:58.023818570 +0100] - INFO - Security Initialization - SSL info: TLS_AES_128_GCM_SHA256: enabled [10/Jan/2020:08:53:58.025012562 +0100] - INFO - Security Initialization - SSL info: TLS_CHACHA20_POLY1305_SHA256: enabled [10/Jan/2020:08:53:58.026865854 +0100] - INFO - Security Initialization - SSL info: TLS_AES_256_GCM_SHA384: enabled [10/Jan/2020:08:53:58.027909825 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled [10/Jan/2020:08:53:58.028910559 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled [10/Jan/2020:08:53:58.030192210 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled [10/Jan/2020:08:53:58.032707645 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled [10/Jan/2020:08:53:58.038511038 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled [10/Jan/2020:08:53:58.042101912 +0100] - INFO - Security Initialization - SSL info: 
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled [10/Jan/2020:08:53:58.047331242 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled [10/Jan/2020:08:53:58.053222255 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled [10/Jan/2020:08:53:58.059417443 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled [10/Jan/2020:08:53:58.065215952 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled [10/Jan/2020:08:53:58.066816630 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled [10/Jan/2020:08:53:58.070814501 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled [10/Jan/2020:08:53:58.076808934 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled [10/Jan/2020:08:53:58.082326398 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled [10/Jan/2020:08:53:58.085812594 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled [10/Jan/2020:08:53:58.088603987 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled [10/Jan/2020:08:53:58.095429780 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled [10/Jan/2020:08:53:58.097605520 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled [10/Jan/2020:08:53:58.099003065 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled [10/Jan/2020:08:53:58.101106312 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_GCM_SHA384: enabled [10/Jan/2020:08:53:58.102701393 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA: enabled 
[10/Jan/2020:08:53:58.105723970 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[10/Jan/2020:08:53:58.107107490 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[10/Jan/2020:08:53:58.110522147 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[10/Jan/2020:08:53:58.113200222 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[10/Jan/2020:08:53:58.126201090 +0100] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.3
...
[10/Jan/2020:08:54:02.128378609 +0100] - WARN - default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
...
[10/Jan/2020:08:54:02.268900495 +0100] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
[10/Jan/2020:08:54:02.283005210 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.284850029 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.291534216 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.296575693 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.300672868 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.306498604 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.312925397 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.316251285 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.318903023 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.324020591 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.327893713 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.334512981 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.338954980 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.341830396 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.343118609 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.346506279 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.359003489 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.361548258 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.449783407 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[10/Jan/2020:08:54:02.489813637 +0100] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
[10/Jan/2020:08:54:02.498610374 +0100] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
[10/Jan/2020:08:54:02.502099316 +0100] - INFO - slapd_daemon - Listening on /var/run/slapd-IPA-DOMAIN-ORG.socket for LDAPI requests
[10/Jan/2020:08:54:02.506101255 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/server2.ipa.domain.org@IPA.DOMAIN.ORG] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[10/Jan/2020:08:54:02.560926332 +0100] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[10/Jan/2020:08:54:11.584790390 +0100] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=ipa,dc=domain,dc=org
[10/Jan/2020:08:54:11.592447129 +0100] - ERR - schema-compat-plugin - Finished plugin initialization.
On the client side, it seems it is also available:
[root@client01 ~]# openssl ciphers -v | grep ECDHE-RSA-AES256-GCM
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
Thanks & Regards.
-----Original Message-----
From: Florence Blanc-Renaud flo@redhat.com
Sent: Thursday, January 09, 2020 21:06
To: FreeIPA users list freeipa-users@lists.fedorahosted.org
Cc: SOLER SANGUESA Miguel solerm@unicc.org
Subject: Re: [Freeipa-users] Problem adding a RHEL 8.1 client
On 1/9/20 4:07 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:
Hello,
I'm trying to add a RHEL 8.1 client with the following spec:
OS: RHEL 8.1 (Ootpa)
IPA: ipa-client-4.8.0-10
SSSD: sssd-2.2.0-19.el8.x86_64
My IDM server has:
OS: RHEL 7.7 (Maipo)
IPA: ipa-server-4.6.5-11.el7_7.3
SSSD: sssd-1.16.4-21.el7_7.1
When I try to add the client using "ipa-client-install" I get the error:
This program will set up IPA client.
Version 4.8.0
Discovery was successful!
Do you want to configure chrony with NTP server or pool address? [no]:
Client hostname: client01.svc.domain.org
Realm: IPA.DOMAIN.ORG
DNS Domain: ipa.domain.org
IPA Server: icidmpdc1.ipa.domain.org
BaseDN: dc=ipa,dc=domain,dc=org
Continue to configure the system with these values? [no]: yes
Synchronizing time
Configuration of chrony was changed by installer.
Attempting to sync time with chronyc.
Time synchronization was successful.
Successfully retrieved CA cert
Subject: CN=Certificate Authority,O=IPA.DOMAIN.ORG
Issuer: CN=Certificate Authority,O=IPA.DOMAIN.ORG
Valid From: 2016-03-04 15:13:38
Valid Until: 2036-03-04 15:13:38
Joining realm failed: Unable to initialize STARTTLS session
Failed to bind to server!
Retrying with pre-4.0 keytab retrieval method...
Unable to initialize STARTTLS session
Failed to bind to server!
Failed to get keytab
child exited with 9
Installation failed. Rolling back changes.
Disabling client Kerberos and LDAP configurations
Restoring client configuration files
nslcd daemon is not installed, skip configuration
Client uninstall complete.
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
The entire debug log is attached. It fails doing the "join". It doesn't happen when I add a client with RHEL 7.X, and I think it was also working with RHEL 8.0.
Can anyone please let me know why it is not working?
Hi,
can you paste the content of /var/log/dirsrv/slapd-<DOMAIN>/errors (on the master) that is related to SSL:
- INFO - Security Initialization - SSL info: Enabling default cipher set.
- INFO - Security Initialization - SSL info: Configured NSS Ciphers
- INFO - Security Initialization - SSL info: TLS_AES_128_GCM_SHA256: enabled
[... list of all ciphers]
- INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
- INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.3
The full list of ciphers and the SSL range may help understand the issue.
flo
Thanks & Regards.
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Hello,
I already tested that and I have the same error.
Thanks & Regards.
-----Original Message-----
From: Florence Blanc-Renaud flo@redhat.com
Sent: Friday, January 10, 2020 13:06
To: SOLER SANGUESA Miguel solerm@unicc.org; FreeIPA users list freeipa-users@lists.fedorahosted.org
Subject: Re: [Freeipa-users] Problem adding a RHEL 8.1 client
Hi,
can you try to run the following on the client:
$ update-crypto-policies --set LEGACY
then retry the client install?
(This is a workaround described in https://access.red.... RHEL8 enables fewer ciphersuites and protocols)
flo
On 1/10/20 12:49 PM, SOLER SANGUESA Miguel wrote:
It seems that I have found the problem. It is TLSv1.3; I have tried to connect with TLSv1.2 and the connection was OK:
[root@client01 ~]# openssl s_client -connect server2.ipa.unicc.org:636 -tls1_2
...
Client Certificate Types: RSA sign, ECDSA sign, DSA sign
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA1
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits

SSL handshake has read 2694 bytes and written 339 bytes
Verification error: self signed certificate in certificate chain

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: B1CA329B2A6E4B33F8850112EDCE76273A47C407526C4CC6497FAF05322031C2
    Session-ID-ctx:
    Master-Key: 0443C4A385C5445DB9B17CA6C6C463B686EBA71D60C451276970AE0892C574E19B899FCB653840E1DA7C0B0E1458FF65
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1578655322
    Timeout   : 7200 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
    Extended master secret: no
Do you know why it is not working with TLSv1.3 and how I can fix it? I still have no luck adding the server to IDM. I have followed the workaround described here: https://bugzilla.redhat.com/show_bug.cgi?id=1685470
Now if I test the connection with:
openssl s_client -connect server2.ipa.unicc.org:636
it connects using TLSv1.2, but the join to IDM is still not working.
Thanks & Regards.
-----Original Message-----
From: SOLER SANGUESA Miguel
Sent: Friday, January 10, 2020 10:46
To: Florence Blanc-Renaud flo@redhat.com; FreeIPA users list freeipa-users@lists.fedorahosted.org
Subject: RE: [Freeipa-users] Problem adding a RHEL 8.1 client
Hello again,
I have tried to create a connection with the cipher that is used on the client install and I get this:
[root@client01 ~]# openssl s_client -connect server2.ipa.domain.org:636 -cipher ECDHE-RSA-AES256-GCM-SHA384
CONNECTED(00000003)
depth=1 O = IPA.DOMAIN.ORG, CN = Certificate Authority
verify error:num=19:self signed certificate in certificate chain
verify return:1
depth=1 O = IPA.DOMAIN.ORG, CN = Certificate Authority
verify return:1
depth=0 O = IPA.DOMAIN.ORG, CN = server2.ipa.domain.org
verify return:1

Certificate chain
 0 s:O = IPA.DOMAIN.ORG, CN = server2.ipa.domain.org
   i:O = IPA.DOMAIN.ORG, CN = Certificate Authority
 1 s:O = IPA.DOMAIN.ORG, CN = Certificate Authority
   i:O = IPA.DOMAIN.ORG, CN = Certificate Authority

Server certificate
-----BEGIN CERTIFICATE-----
MIIEtTCCA52gAwIBAgIED/8BuzANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1J
....
3Z4Moyqlg+wT
-----END CERTIFICATE-----
subject=O = IPA.DOMAIN.ORG, CN = server2.ipa.domain.org

issuer=O = IPA.DOMAIN.ORG, CN = Certificate Authority

Acceptable client certificate CA names
O = IPA.DOMAIN.ORG, CN = Certificate Authority
Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA1
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA-PSS
Server Temp Key: X25519, 253 bits

SSL handshake has read 2734 bytes and written 365 bytes
Verification error: self signed certificate in certificate chain

New, TLSv1.3, Cipher is TLS_AES_128_GCM_SHA256   <------- Changes the cipher, but it is also enabled on the server side.
Server public key is 2048 bit
Secure Renegotiation IS NOT supported   <------------- ????
Compression: NONE
Expansion: NONE
No ALPN negotiated
Early data was not sent
Verify return code: 19 (self signed certificate in certificate chain)

Executing the same command on RHEL 7 I don't get the err=19 (self signed certificate complaint); also the "Shared Requested Signature Algorithms" are more and the "Server Temp Key" is different:
Shared Requested Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:ECDSA+SHA1:RSA+SHA256:RSA+SHA384:RSA+SHA512:RSA+SHA1:DSA+SHA256:DSA+SHA384:DSA+SHA512:DSA+SHA1
Server Temp Key: ECDH, P-256, 256 bits
Thanks & Regards.
-----Original Message-----
From: SOLER SANGUESA Miguel
Sent: Friday, January 10, 2020 10:26
To: Florence Blanc-Renaud flo@redhat.com; FreeIPA users list freeipa-users@lists.fedorahosted.org
Subject: RE: [Freeipa-users] Problem adding a RHEL 8.1 client
Hello,
The list of ciphers seems OK (it is the one shown in the debug logs: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled"), and also the SSL version range is from TLS1.0 to TLS1.3. I have also added lines with 'ERR' or 'WARN':
[10/Jan/2020:08:53:57.993429356 +0100] - ERR - oc_check_allowed_sv - Entry "cn=encryption,cn=config" -- attribute "CACertExtractFile" not allowed
[10/Jan/2020:08:53:57.999532781 +0100] - WARN - Security Initialization - SSL alert: Sending pin request to SVRCore. You may need to run systemd-tty-ask-password-agent to provide the password.
[10/Jan/2020:08:53:58.005282229 +0100] - INFO - slapd_extract_cert - SERVER CERT NAME: Server-Cert
[10/Jan/2020:08:53:58.013492586 +0100] - INFO - Security Initialization - SSL info: Enabling default cipher set.
[10/Jan/2020:08:53:58.021112518 +0100] - INFO - Security Initialization - SSL info: Configured NSS Ciphers
[10/Jan/2020:08:53:58.023818570 +0100] - INFO - Security Initialization - SSL info: TLS_AES_128_GCM_SHA256: enabled
[10/Jan/2020:08:53:58.025012562 +0100] - INFO - Security Initialization - SSL info: TLS_CHACHA20_POLY1305_SHA256: enabled
[10/Jan/2020:08:53:58.026865854 +0100] - INFO - Security Initialization - SSL info: TLS_AES_256_GCM_SHA384: enabled
[10/Jan/2020:08:53:58.027909825 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384: enabled
[10/Jan/2020:08:53:58.028910559 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA: enabled
[10/Jan/2020:08:53:58.030192210 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256: enabled
[10/Jan/2020:08:53:58.032707645 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[10/Jan/2020:08:53:58.038511038 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA: enabled
[10/Jan/2020:08:53:58.042101912 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[10/Jan/2020:08:53:58.047331242 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA: enabled
[10/Jan/2020:08:53:58.053222255 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[10/Jan/2020:08:53:58.059417443 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[10/Jan/2020:08:53:58.065215952 +0100] - INFO - Security Initialization - SSL info: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA: enabled
[10/Jan/2020:08:53:58.066816630 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384: enabled
[10/Jan/2020:08:53:58.070814501 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA: enabled
[10/Jan/2020:08:53:58.076808934 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_DSS_WITH_AES_256_CBC_SHA: enabled
[10/Jan/2020:08:53:58.082326398 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256: enabled
[10/Jan/2020:08:53:58.085812594 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256: enabled
[10/Jan/2020:08:53:58.088603987 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256: enabled
[10/Jan/2020:08:53:58.095429780 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA: enabled
[10/Jan/2020:08:53:58.097605520 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_DSS_WITH_AES_128_CBC_SHA: enabled
[10/Jan/2020:08:53:58.099003065 +0100] - INFO - Security Initialization - SSL info: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256: enabled
[10/Jan/2020:08:53:58.101106312 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_GCM_SHA384: enabled
[10/Jan/2020:08:53:58.102701393 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA: enabled
[10/Jan/2020:08:53:58.105723970 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_256_CBC_SHA256: enabled
[10/Jan/2020:08:53:58.107107490 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_GCM_SHA256: enabled
[10/Jan/2020:08:53:58.110522147 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA: enabled
[10/Jan/2020:08:53:58.113200222 +0100] - INFO - Security Initialization - SSL info: TLS_RSA_WITH_AES_128_CBC_SHA256: enabled
[10/Jan/2020:08:53:58.126201090 +0100] - INFO - Security Initialization - slapd_ssl_init2 - Configured SSL version range: min: TLS1.0, max: TLS1.3
...
[10/Jan/2020:08:54:02.128378609 +0100] - WARN - default_mr_indexer_create - Plugin [caseIgnoreIA5Match] does not handle caseExactIA5Match
...
[10/Jan/2020:08:54:02.268900495 +0100] - ERR - schema-compat-plugin - scheduled schema-compat-plugin tree scan in about 5 seconds after the server startup!
[10/Jan/2020:08:54:02.283005210 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=ng,cn=compat,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.284850029 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target ou=sudoers,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.291534216 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=users,cn=compat,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.296575693 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.300672868 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.306498604 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.312925397 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.316251285 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.318903023 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.324020591 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.327893713 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.334512981 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.338954980 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.341830396 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=vaults,cn=kra,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.343118609 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=computers,cn=compat,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.346506279 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=groups,cn=compat,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.359003489 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.361548258 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=casigningcert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=ipa,dc=domain,dc=org does not exist
[10/Jan/2020:08:54:02.449783407 +0100] - WARN - NSACLPlugin - acl_parse - The ACL target cn=automember rebuild membership,cn=tasks,cn=config does not exist
[10/Jan/2020:08:54:02.489813637 +0100] - INFO - slapd_daemon - slapd started. Listening on All Interfaces port 389 for LDAP requests
[10/Jan/2020:08:54:02.498610374 +0100] - INFO - slapd_daemon - Listening on All Interfaces port 636 for LDAPS requests
[10/Jan/2020:08:54:02.502099316 +0100] - INFO - slapd_daemon - Listening on /var/run/slapd-IPA-DOMAIN-ORG.socket for LDAPI requests
[10/Jan/2020:08:54:02.506101255 +0100] - ERR - set_krb5_creds - Could not get initial credentials for principal [ldap/server2.ipa.domain.org@IPA.DOMAIN.ORG] in keytab [FILE:/etc/dirsrv/ds.keytab]: -1765328324 (Generic error (see e-text))
[10/Jan/2020:08:54:02.560926332 +0100] - ERR - schema-compat-plugin - schema-compat-plugin tree scan will start in about 5 seconds!
[10/Jan/2020:08:54:11.584790390 +0100] - ERR - schema-compat-plugin - warning: no entries set up under cn=computers, cn=compat,dc=ipa,dc=domain,dc=org
[10/Jan/2020:08:54:11.592447129 +0100] - ERR - schema-compat-plugin - Finished plugin initialization.
On the client side, it seems it is also available:
[root@client01 ~]# openssl ciphers -v | grep ECDHE-RSA-AES256-GCM
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
Thanks & Regards.
On 10/01/2020 12.49, SOLER SANGUESA Miguel via FreeIPA-users wrote:
Seems that I have found the problem. It is TLSv1.3, I have tried to connect with TLSv1.2 and connection was OK:
Hi,
is the IPA server on RHEL 7.7 in FIPS mode or is it a standard installation? There have been known issues with FIPS mode, NSS (crypto library used by 389-DS), and TLS 1.3 in the past.
I'm going to create a reproducer setup and try to come up with a workaround now.
Christian
Hello Christian,
It is a standard installation.
[root@server2 ~]# cat /proc/sys/crypto/fips_enabled
0
Thanks & Regards.
-- Christian Heimes Principal Software Engineer, Identity Management and Platform Security
Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Laurie Krebs, Michael O'Neill, Thomas Savage
On 1/10/20 2:55 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:
Hello Christian,
It is a standard installation.
[root@server2 ~]# cat /proc/sys/crypto/fips_enabled
0
Can you also check the following:
- which version of openldap is installed on the client: rpm -qa openldap
- does the LDAP server certificate contain SAN extensions: on the master, certutil -L -d /etc/dirsrv/slapd-<DOMAIN> -n Server-Cert
flo
[root@client01 ~]# rpm -qa openldap
openldap-2.4.46-10.el8.x86_64

[root@server2 ~]# certutil -L -d /etc/dirsrv/slapd-IPA-DOMAIN-ORG -n Server-Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 268370363 (0xfff01bb)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=IPA.DOMAIN.ORG"
        Validity:
            Not Before: Fri Feb 16 21:18:08 2018
            Not After : Mon Feb 17 21:18:08 2020
        Subject: "CN=server2.ipa.domain.org,O=IPA.DOMAIN.ORG"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    d7:d3:51:8e:a0:99:a3:9f:30:d2:49:98:a8:ef:41:21:
                    7c:ab:98:87:59:85:6d:15:fd:09:43:63:f9:e7:98:bc:
                    ...
                    66:63:cd:58:ca:a4:93:99:33:68:08:7b:76:07:a6:9b
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                74:...:63:
                c1:37:5b:e9

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location:
                URI: "http://ipa-ca.ipa.domain.org/ca/ocsp"

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Non-Repudiation
                    Key Encipherment
                    Data Encipherment

            Name: Extended Key Usage
                TLS Web Server Authentication Certificate
                TLS Web Client Authentication Certificate

            Name: CRL Distribution Points
            Distribution point:
                URI: "http://ipa-ca.ipa.domain.org/ipa/crl/MasterCRL.bin"
                CRL issuer:
                    Directory Name: "CN=Certificate Authority,O=ipaca"

            Name: Certificate Subject Key ID
            Data:
                b4:...:60:
                71:ef:da:b7

            Name: Certificate Subject Alt Name
            Other Name: "ldap/server2.ipa.domain.org@IPA.DOMAIN.ORG"
            OID: Microsoft NT Principal Name
            Other Name:
                Sequence {
                    [0]: {
                        1b:0d:4....:52:47
                    }
                    [1]: {
                        Sequence {
                            [0]: {
                                1 (0x1)
                            }
                            [1]: {
                                Sequence {
                                    1b:04:...:70
                                    1b:17:....32:2e:69:70:61:
                                    2e:75:.....6f:72:67
                                }
                            }
                        }
                    }
                }
            OID: OID.1.3.6.1.5.2.2

    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        84:51:79:32:49:f3:46:89:c0:56:0b:d0:5a:dd:d0:4e:
        ...
        88:15:49:b0:fd:4b:cd:dd:9e:0c:a3:2a:a5:83:ec:13
    Fingerprint (SHA-256):
        F5:72:8D:E8:A8:8A:....6:A2:B8:4B:FF:E2
    Fingerprint (SHA1):
        A6:32:14:.....46:4A:97:A0:67:A3

    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User
Thanks & Regards.
On 1/10/20 4:08 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:
[root@client01 ~]# rpm -qa openldap
openldap-2.4.46-10.el8.x86_64
[root@server2 ~]# certutil -L -d /etc/dirsrv/slapd-IPA-DOMAIN-ORG -n Server-Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 268370363 (0xfff01bb)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=IPA.DOMAIN.ORG"
        Validity:
            Not Before: Fri Feb 16 21:18:08 2018
            Not After : Mon Feb 17 21:18:08 2020
        Subject: "CN=server2.ipa.domain.org,O=IPA.DOMAIN.ORG"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    d7:d3:51:8e:a0:99:a3:9f:30:d2:49:98:a8:ef:41:21:
                    7c:ab:98:87:59:85:6d:15:fd:09:43:63:f9:e7:98:bc:
                    ...
                    66:63:cd:58:ca:a4:93:99:33:68:08:7b:76:07:a6:9b
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                74:...:63:
                c1:37:5b:e9

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location:
                URI: "http://ipa-ca.ipa.domain.org/ca/ocsp"

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Non-Repudiation
                    Key Encipherment
                    Data Encipherment

            Name: Extended Key Usage
                TLS Web Server Authentication Certificate
                TLS Web Client Authentication Certificate

            Name: CRL Distribution Points
            Distribution point:
                URI: "http://ipa-ca.ipa.domain.org/ipa/crl/MasterCRL.bin"
                CRL issuer:
                    Directory Name: "CN=Certificate Authority,O=ipaca"

            Name: Certificate Subject Key ID
            Data:
                b4:...:60:
                71:ef:da:b7

            Name: Certificate Subject Alt Name
            Other Name: "ldap/server2.ipa.domain.org@IPA.DOMAIN.ORG"
                OID: Microsoft NT Principal Name
Bingo, I think we found the issue. Please see https://bugzilla.redhat.com/show_bug.cgi?id=1781799#c11.
You can try to replace your LDAP server cert with a certificate containing the hostname in the Subject Alt Name extension. On the server:
(backup the /etc/dirsrv/slapd NSS database first)
getcert list -d /etc/dirsrv/slapd-<DOMAIN>
Note the tracking id
getcert resubmit -i <id> -D `hostname`
This will renew the server cert with a new cert having the additional SAN extension containing the hostname.
After that, retry the client install, crossing my fingers but this should succeed.
flo
            Other Name:
                Sequence {
                    [0]: {
                        1b:0d:4....:52:47
                    }
                    [1]: {
                        Sequence {
                            [0]: {
                                1 (0x1)
                            }
                            [1]: {
                                Sequence {
                                    1b:04:...:70
                                    1b:17:....32:2e:69:70:61:
                                    2e:75:.....6f:72:67
                                }
                            }
                        }
                    }
                }
                OID: OID.1.3.6.1.5.2.2

    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        84:51:79:32:49:f3:46:89:c0:56:0b:d0:5a:dd:d0:4e:
        ...
        88:15:49:b0:fd:4b:cd:dd:9e:0c:a3:2a:a5:83:ec:13
    Fingerprint (SHA-256):
        F5:72:8D:E8:A8:8A:....6:A2:B8:4B:FF:E2
    Fingerprint (SHA1):
        A6:32:14:.....46:4A:97:A0:67:A3

    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User
Thanks & Regards.

-----Original Message-----
From: Florence Blanc-Renaud flo@redhat.com
Sent: Friday, January 10, 2020 15:56
To: FreeIPA users list freeipa-users@lists.fedorahosted.org; Christian Heimes cheimes@redhat.com
Cc: SOLER SANGUESA Miguel solerm@unicc.org
Subject: Re: [Freeipa-users] Re: Problem adding a RHEL 8.1 client
On 1/10/20 2:55 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:
Hello Christian,
It is a standard installation.
[root@server2 ~]# cat /proc/sys/crypto/fips_enabled
0
Can you also check the following:
- which version of openldap is installed on the client:
rpm -qa openldap
- does the LDAP server certificate contain SAN extensions: on the master
certutil -L -d /etc/dirsrv/slapd-<DOMAIN> -n Server-Cert
flo
Thanks & Regards.
-----Original Message-----
From: Christian Heimes cheimes@redhat.com
Sent: Friday, January 10, 2020 13:13
To: FreeIPA users list freeipa-users@lists.fedorahosted.org; Florence Blanc-Renaud flo@redhat.com
Cc: SOLER SANGUESA Miguel solerm@unicc.org
Subject: Re: [Freeipa-users] Re: Problem adding a RHEL 8.1 client
On 10/01/2020 12.49, SOLER SANGUESA Miguel via FreeIPA-users wrote:
Seems that I have found the problem. It is TLSv1.3, I have tried to connect with TLSv1.2 and connection was OK:
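As an added example (not code from this thread or from FreeIPA/OpenLDAP), here is the hostname check a strict TLS client applies to a server certificate, run against two certificates constructed from the certutil dump above: the one before Flo's fix (hostname only in the CN, SAN holding otherName entries) and the one after `getcert resubmit -D` (a dNSName SAN added). The live-fetch helper, LDAPS on port 636 and the /etc/ipa/ca.crt path are assumptions for use outside the offline check.

```python
"""Strict hostname verification versus legacy CN fallback, applied to the
LDAP server certificate discussed in the thread (added example)."""
import socket
import ssl

# Constructed from the certutil output: CN carries the hostname, the SAN only
# carries otherName entries (MS UPN and Kerberos principal), no dNSName.
# ssl.getpeercert() reports otherName SAN entries as '<unsupported>'.
CERT_BEFORE = {
    "subject": ((("commonName", "server2.ipa.domain.org"),),),
    "subjectAltName": (("othername", "<unsupported>"), ("othername", "<unsupported>")),
}
# Constructed: the same cert after renewal with a dNSName SAN for the host.
CERT_AFTER = {
    "subject": ((("commonName", "server2.ipa.domain.org"),),),
    "subjectAltName": (("othername", "<unsupported>"), ("DNS", "server2.ipa.domain.org")),
}

def dns_match(pattern, hostname):
    """Case-insensitive label match; '*' only as the whole leftmost label."""
    p, h = pattern.lower().split("."), hostname.lower().split(".")
    if len(p) != len(h) or not all(p) or not all(h):
        return False
    return p[1:] == h[1:] if p[0] == "*" else p == h

def verify_ldap_hostname(cert, hostname, allow_cn_fallback=False):
    """Return (ok, reason). Strict clients only consult dNSName SAN entries;
    a SAN with otherName entries alone offers nothing to match, which is the
    condition the hostname SAN added by Flo's fix removes. The CN is used
    only when the caller explicitly allows the legacy fallback."""
    dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if dns_names:
        if any(dns_match(n, hostname) for n in dns_names):
            return True, "matched dNSName SAN"
        return False, "no dNSName SAN matches %s" % hostname
    if not allow_cn_fallback:
        return False, "SAN has no dNSName entries; CN not consulted"
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(dns_match(c, hostname) for c in cns):
        return True, "matched CN (legacy fallback)"
    return False, "CN does not match %s" % hostname

def fetch_ldaps_cert(host, port=636, cafile="/etc/ipa/ca.crt"):
    """Assumed helper: fetch the live cert over LDAPS in getpeercert() form so
    it can be fed to verify_ldap_hostname(); hostname checking is left to us."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```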
Hello,
You are right! It worked.
Thank you very much.
Thanks & Regards.
-----Original Message-----
From: Florence Blanc-Renaud flo@redhat.com
Sent: Friday, January 10, 2020 16:33
To: FreeIPA users list freeipa-users@lists.fedorahosted.org; Christian Heimes cheimes@redhat.com
Cc: SOLER SANGUESA Miguel solerm@unicc.org
Subject: Re: [Freeipa-users] Re: Problem adding a RHEL 8.1 client