On Thu, Jun 17, 2021, at 9:54 AM, Bret Wortman via FreeIPA-users wrote:
> On Thu, Jun 17, 2021, at 7:15 AM, Bret Wortman via FreeIPA-users wrote:
> > On Tue, Jun 15, 2021, at 5:47 AM, Bret Wortman via FreeIPA-users wrote:
> > > On Mon, Jun 14, 2021, at 3:47 PM, Rob Crittenden wrote:
> > > > Bret Wortman via FreeIPA-users wrote:
> > > > > This appears to be the error, or at least it's the only "fatal" I could find in the stream and it's near enough to the end of traffic that it seems likely. I'm no expert on Wireshark so I'm hoping someone is willing to take a peek and let me know if there's something obvious here.
> > > > >
> > > > > https://gist.github.com/wortmanb/d3b1cb38e894d1fb0578ab05e459b178
> > > > >
> > > >
> > > > Are you sure you aren't seeing a connect error on the F21 Apache server? This looks to me like an untrusted CA or something like it.
> > >
> > > Not that I'm aware of. We haven't touched those servers in ages (hence the F21). Where would we be most likely to see the connect error on the server? I may have missed a log file.
> >
> > Bingo!
> >
> > 192.168.2.215 - - [17/Jun/2021:07:11:28 -0400] "GET /ca/rest/securityDomain/domainInfo HTTP/1.1" 200 190
> > 192.168.2.215 - - [17/Jun/2021:07:11:28 -0400] "GET /ca/rest/account/login HTTP/1.1" 200 188
> > 192.168.2.215 - - [17/Jun/2021:07:11:30 -0400] "GET /ca/rest/account/logout HTTP/1.1" 204 -
> > [Thu Jun 17 07:11:41.806659 2021] [:error] [pid 921] SSL Library Error: -12286 No common encryption algorithm(s) with client
> >
> > I don't think we adjusted the SSL configs on either end...
>
> So I took the cipher list from the new box and copied it to the other and added it to httpd/conf.d/nss.conf, and then the two ends could talk again. We got as far as this now:
>
> Done configuring certificate server (pki-tomcatd).
> Applying LDAP updates
> Upgrading IPA:. Estimated time: 1 minute 30 seconds
>   [1/10]: stopping directory server
>   [2/10]: saving configuration
>   [3/10]: disabling listeners
>   [4/10]: enabling DS global lock
>   [5/10]: disabling Schema Compat
>   [6/10]: starting directory server
>   [7/10]: upgrading server
>   [8/10]: stopping directory server
>   [9/10]: restoring configuration
>   [10/10]: starting directory server
> Done.
> Finalize replication settings
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipapython.admintool: ERROR Server is unwilling to perform: modification of attribute nsds5ReplicaReleaseTimeout is not allowed in replica entry
> ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>
> Is there a simple workaround for this?
>
In my Googling for an answer I found some earlier threads that might never have been resolved, but Florence asked some early questions that I thought I'd answer right now:

On ipa1 (original F21 server):

# rpm -qa | grep 389
389-ds-base-libs-1.3.3.13-1.fc21.x86_64
389-ds-base-1.3.3.13-1.fc21.x86_64
# ldapsearch -Y GSSAPI -h ipa1 -b cn=schema -s base -o ldif-wrap=no -LLL attributetypes | grep -i nsds5replicareleasetimeout
SASL/GSSAPI authentication started
SASL username: ad...@our.net
SASL SSF: 56
SASL data security layer installed.
attributetypes: ( 2.16.840.1.113730.3.1.2333 NAME 'nsds5ReplicaReleaseTimeout' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )

On ipa2c7 (new C7 server we're trying to add as a replica):

# rpm -qa | grep 389
389-ds-base-libs-1.3.10.2-10.el7_9.x86_64
389-ds-base-1.3.10.2-10.el7_9.x86_64
# ldapsearch -Y GSSAPI -h ipa1 -b cn=schema -s base -o ldif-wrap=no -LLL attributetypes | grep -i nsds5replicareleasetimeout
SASL/GSSAPI authentication started
SASL username: host/ipa2c7.wedgeofli...@our.net
SASL SSF: 256
SASL data security layer installed.
attributetypes: ( 2.16.840.1.113730.3.1.2333 NAME 'nsds5ReplicaReleaseTimeout' DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )

> > > > Have you replaced any of your IPA certs on the F21 server? Signed the IPA CA with an external?
> > >
> > > I'll double-check today but not that I'm aware of.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
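The "-12286 No common encryption algorithm(s) with client" line in the F21 server's error_log above is the NSS way of saying the two nss.conf cipher lists have an empty intersection. The script below is an added example (not code from this thread or from the FreeIPA project) that reproduces the check offline: it parses the NSSCipherSuite directive from two constructed nss.conf fragments, computes the ciphers both sides enable, and reports the same failure the thread hit, then applies the thread's fix (copying the new box's list onto the old one) and re-checks. Assumptions: the two config fragments are made up for illustration, mod_nss cipher tokens follow the '+name' enable / '-name' disable convention, a cipher never mentioned counts as disabled, and when a file has several NSSCipherSuite directives the last one wins. NSSProtocol overlap is a separate precondition and is not modelled.

```python
"""Check two mod_nss NSSCipherSuite lists for a common cipher.

Added example for the "-12286 No common encryption algorithm(s) with client"
failure; not code from the mailing-list thread or the FreeIPA project.
Assumptions (not confirmed by the thread): the sample nss.conf fragments are
constructed, NSSCipherSuite takes comma-separated '+name' / '-name' tokens,
an unmentioned cipher is disabled, and the last directive in a file wins.
"""
import re

# Constructed sample: an old server (think the F21 box) whose nss.conf was
# written when only legacy RSA suites were on offer.
OLD_SERVER_NSS_CONF = """\
NSSEngine on
NSSProtocol TLSv1.0,TLSv1.1
NSSCipherSuite +rsa_rc4_128_md5,+rsa_rc4_128_sha,+rsa_3des_sha,+rsa_aes_128_sha,+rsa_aes_256_sha
"""

# Constructed sample: a newer box that switches the legacy suites off and
# only offers AES-GCM suites.
NEW_SERVER_NSS_CONF = """\
NSSEngine on
NSSProtocol TLSv1.2
NSSCipherSuite -rsa_rc4_128_md5,-rsa_rc4_128_sha,-rsa_3des_sha,+ecdhe_rsa_aes_128_gcm_sha_256,+ecdhe_rsa_aes_256_gcm_sha_384,+rsa_aes_128_gcm_sha_256,+rsa_aes_256_gcm_sha_384
"""

# The exact wording mod_nss logged in the thread.
NO_COMMON_CIPHER_ERROR = "SSL Library Error: -12286 No common encryption algorithm(s) with client"

_DIRECTIVE_RE = re.compile(r"^\s*NSSCipherSuite\s+(\S+)", re.MULTILINE | re.IGNORECASE)


def parse_nss_cipher_suite(conf_text):
    """Return the set of cipher names a conf fragment leaves enabled."""
    values = _DIRECTIVE_RE.findall(conf_text)
    if not values:
        raise ValueError("no NSSCipherSuite directive found")
    enabled = set()
    for token in values[-1].split(","):  # last directive wins (assumed)
        token = token.strip()
        if not token:
            continue
        flag, name = token[0], token[1:].lower()
        if not name or flag not in "+-":
            raise ValueError("cipher token must be +name or -name: %r" % token)
        if flag == "+":
            enabled.add(name)
        else:
            enabled.discard(name)  # '-' on an unlisted cipher is a no-op
    return enabled


def common_ciphers(conf_a, conf_b):
    """Ciphers both sides accept; an empty set means the handshake fails."""
    return parse_nss_cipher_suite(conf_a) & parse_nss_cipher_suite(conf_b)


def diagnose(server_conf, client_conf):
    """One-line verdict, phrased the way the server's error_log would be."""
    common = common_ciphers(server_conf, client_conf)
    if common:
        return "ok: %d common cipher(s): %s" % (len(common), ", ".join(sorted(common)))
    return "handshake fails; expect '%s' in error_log" % NO_COMMON_CIPHER_ERROR


def render_cipher_suite(enabled):
    """Turn an enabled set back into an NSSCipherSuite value (all '+')."""
    return ",".join("+" + name for name in sorted(enabled))


def fix_old_server(old_conf, new_conf):
    """Append the new box's list to the old conf, as the thread's fix did.

    Because the last directive wins, this replaces the legacy list outright
    rather than keeping RC4/3DES alongside the new suites.
    """
    new_list = render_cipher_suite(parse_nss_cipher_suite(new_conf))
    return old_conf + "NSSCipherSuite " + new_list + "\n"


if __name__ == "__main__":
    print(diagnose(OLD_SERVER_NSS_CONF, NEW_SERVER_NSS_CONF))
    fixed = fix_old_server(OLD_SERVER_NSS_CONF, NEW_SERVER_NSS_CONF)
    print(diagnose(fixed, NEW_SERVER_NSS_CONF))
```

Run as-is it prints the failure verdict for the two constructed fragments and "ok: 4 common cipher(s): ..." once the new list has been appended to the old configuration. To use it on real hosts, read each side's httpd/conf.d/nss.conf into the two strings; if the intersection is empty, update the old server's list (as in the thread) rather than re-enabling legacy suites on the new one, and check NSSProtocol on both sides separately, since a protocol-version mismatch also prevents a handshake and is not covered by this cipher check.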