[root@client01 ~]# rpm -qa openldap
openldap-2.4.46-10.el8.x86_64

[root@server2 ~]# certutil -L -d /etc/dirsrv/slapd-IPA-DOMAIN-ORG -n Server-Cert
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 268370363 (0xfff01bb)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=IPA.DOMAIN.ORG"
        Validity:
            Not Before: Fri Feb 16 21:18:08 2018
            Not After : Mon Feb 17 21:18:08 2020
        Subject: "CN=server2.ipa.domain.org,O=IPA.DOMAIN.ORG"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    d7:d3:51:8e:a0:99:a3:9f:30:d2:49:98:a8:ef:41:21:
                    7c:ab:98:87:59:85:6d:15:fd:09:43:63:f9:e7:98:bc:
                    ...
                    66:63:cd:58:ca:a4:93:99:33:68:08:7b:76:07:a6:9b
                Exponent: 65537 (0x10001)
        Signed Extensions:
            Name: Certificate Authority Key Identifier
            Key ID:
                74:...:63:
                c1:37:5b:e9

            Name: Authority Information Access
            Method: PKIX Online Certificate Status Protocol
            Location:
                URI: "http://ipa-ca.ipa.domain.org/ca/ocsp"

            Name: Certificate Key Usage
            Critical: True
            Usages: Digital Signature
                    Non-Repudiation
                    Key Encipherment
                    Data Encipherment

            Name: Extended Key Usage
                TLS Web Server Authentication Certificate
                TLS Web Client Authentication Certificate

            Name: CRL Distribution Points
            Distribution point:
                URI: "http://ipa-ca.ipa.domain.org/ipa/crl/MasterCRL.bin"
                CRL issuer:
                    Directory Name: "CN=Certificate Authority,O=ipaca"

            Name: Certificate Subject Key ID
            Data:
                b4:...:60:
                71:ef:da:b7

            Name: Certificate Subject Alt Name
            Other Name: "ldap/server2.ipa.domain....@ipa.domain.org"
            OID: Microsoft NT Principal Name
            Other Name:
                Sequence {
                    [0]: {
                        1b:0d:4....:52:47
                    }
                    [1]: {
                        Sequence {
                            [0]: {
                                1 (0x1)
                            }
                            [1]: {
                                Sequence {
                                    1b:04:...:70
                                    1b:17:....32:2e:69:70:61:
                                    2e:75:.....6f:72:67
                                }
                            }
                        }
                    }
                }
            OID: OID.1.3.6.1.5.2.2

    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
    Signature:
        84:51:79:32:49:f3:46:89:c0:56:0b:d0:5a:dd:d0:4e:
        ...
        88:15:49:b0:fd:4b:cd:dd:9e:0c:a3:2a:a5:83:ec:13
    Fingerprint (SHA-256):
        F5:72:8D:E8:A8:8A:....6:A2:B8:4B:FF:E2
    Fingerprint (SHA1):
        A6:32:14:.....46:4A:97:A0:67:A3

    Mozilla-CA-Policy: false (attribute missing)
    Certificate Trust Flags:
        SSL Flags:
            User
        Email Flags:
            User
        Object Signing Flags:
            User

Thanks & Regards.

-----Original Message-----
From: Florence Blanc-Renaud <f...@redhat.com>
Sent: Friday, January 10, 2020 15:56
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>; Christian Heimes <chei...@redhat.com>
Cc: SOLER SANGUESA Miguel <sol...@unicc.org>
Subject: Re: [Freeipa-users] Re: Problem adding a RHEL 8.1 client

On 1/10/20 2:55 PM, SOLER SANGUESA Miguel via FreeIPA-users wrote:
> Hello Christian,
>
> It is a standard installation.
>
> [root@server2 ~]# cat /proc/sys/crypto/fips_enabled
> 0
>
Can you also check the following:
- which version of openldap is installed on the client: rpm -qa openldap
- does the LDAP server certificate contain SAN extensions: on the master
  certutil -L -d /etc/dirsrv/slap-<DOMAIN> -n Server-Cert

flo

> Thanks & Regards.
>
> -----Original Message-----
> From: Christian Heimes <chei...@redhat.com>
> Sent: Friday, January 10, 2020 13:13
> To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>; Florence Blanc-Renaud <f...@redhat.com>
> Cc: SOLER SANGUESA Miguel <sol...@unicc.org>
> Subject: Re: [Freeipa-users] Re: Problem adding a RHEL 8.1 client
>
> On 10/01/2020 12.49, SOLER SANGUESA Miguel via FreeIPA-users wrote:
>> Seems that I have found the problem. It is TLSv1.3, I have tried to connect
>> with TLSv1.2 and connection was OK:
>
> Hi,
>
> is the IPA server on RHEL 7.7 in FIPS mode or is it a standard installation?
> There have been known issues with FIPS mode, NSS (crypto library used by
> 389-DS), and TLS 1.3 in the past.
>
> I'm going to create a reproducer setup and try to come up with a workaround
> now.
>
> Christian
>
> --
> Christian Heimes
> Principal Software Engineer, Identity Management and Platform Security
>
> Red Hat GmbH, http://www.de.redhat.com/, Registered seat: Grasbrunn,
> Commercial register: Amtsgericht Muenchen, HRB 153243,
> Managing Directors: Charles Cachera, Laurie Krebs, Michael O'Neill, Thomas Savage

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
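Florence's second check in the thread (does the LDAP server certificate carry SAN extensions, and which kind) can be automated against the text that `certutil -L -d /etc/dirsrv/slapd-<INSTANCE> -n Server-Cert` prints. This is an added example, not code from the thread or from FreeIPA/389-DS; the SAMPLE listing is constructed with example.test names and trimmed fields, and the finding about a missing DNS name is a client-side hostname-verification concern, not a claim about the cause of the TLS 1.3 failure discussed above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in certutil's layout (trimmed); like the thread's listing,
# its SAN holds only otherName entries and no DNS name.
SAMPLE = """\
    Data:
        Subject: "CN=ldap1.example.test,O=EXAMPLE.TEST"
            Not After : Mon Feb 17 21:18:08 2020
        Signed Extensions:
            Name: CRL Distribution Points
            Distribution point:
                URI: "http://ca.example.test/ipa/crl/MasterCRL.bin"

            Name: Certificate Subject Alt Name
            Other Name: "ldap/ldap1.example.test@EXAMPLE.TEST"
            OID: Microsoft NT Principal Name
            OID: OID.1.3.6.1.5.2.2
    Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
"""
SAN_TYPES = ("DNS name", "IP Address", "RFC822 Name", "URI", "Other Name")


def parse_certutil(text):
    """Subject CN, expiry and SAN entries [(type, value)] from certutil -L text."""
    cn = re.search(r'Subject: "CN=([^,"]+)', text).group(1)
    not_after = re.search(r"Not After\s*:\s*(.+)", text).group(1).strip()
    san, in_san = [], False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Name: "):  # every "Name:" line opens a new extension block
            in_san = s == "Name: Certificate Subject Alt Name"
        elif in_san:  # so URI: lines under CRL DP / AIA never count as SAN entries
            for t in SAN_TYPES:
                if s.startswith(t + ":"):  # structured otherName bodies are not decoded
                    san.append((t, s[len(t) + 1:].strip().strip('"')))
    return {"cn": cn, "san": san,
            "not_after": datetime.strptime(not_after, "%a %b %d %H:%M:%S %Y")}


def check_server_cert(text, hostname, now):
    """Findings a hostname-verifying LDAP client would trip over, as strings."""
    cert, findings = parse_certutil(text), []
    if not cert["san"]:
        findings.append("no Subject Alt Name extension")
    elif not any(t == "DNS name" and v.lower() == hostname.lower() for t, v in cert["san"]):
        findings.append("SAN has no DNS name for %s (only: %s)" % (
            hostname, ", ".join(sorted({t for t, _ in cert["san"]}))))
    days_left = (cert["not_after"] - now).days
    if days_left < 30:  # the thread's cert was five weeks from expiry when posted
        findings.append("expires in %d days" % max(days_left, 0))
    return findings
```

On a real server, pipe the certutil output into parse_certutil instead of SAMPLE and pass the name the clients connect to as hostname.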