[Freeipa-users] Fwd: Re: dns stops working after upgrade

[Martin Basti]

Forward message back to list

-------- Original Message --------
Subject:        Re: [Freeipa-users] dns stops working after upgrade
Date:   Thu, 6 Nov 2014 21:42:55 +0100
From:   Rob Verduijn <rob.verdu...@gmail.com>
To:     Martin Basti <mba...@redhat.com>



Hi again,

I tried the update to 4.1.1
It didn't went well, actually it went worse than to 4.1.
Now the directory service went down and was no longer able to start.

Some part of the logs is below.
Besides the warnings about a weak cipher there was not much in the 
journalctl.

It's getting late overhere, I'll dig into the logs tomorrow.

Rob

Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Starting 389 Directory 
Server TJAKO-THUIS....
Nov 06 21:34:58 freeipa.tjako.thuis systemd[1]: Started 389 Directory 
Server TJAKO-THUIS..
Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: 
[06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_rc4_128_md5 is 
weak. It is enabled since allowWeakCipher is "on" (default setting for 
the backward compatibility). We strongly recommend to set it to "off".  
Please replace the value of allowWeakCipher with "off" in the encryption 
config entry cn=encryption,cn=config and restart the server.
Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: 
[06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_rc4_40_md5 is weak. 
It is enabled since allowWeakCipher is "on" (default setting for the 
backward compatibility). We strongly recommend to set it to "off".  
Please replace the value of allowWeakCipher with "off" in the encryption 
config entry cn=encryption,cn=config and restart the server.
Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: 
[06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_rc2_40_md5 is weak. 
It is enabled since allowWeakCipher is "on" (default setting for the 
backward compatibility). We strongly recommend to set it to "off".  
Please replace the value of allowWeakCipher with "off" in the encryption 
config entry cn=encryption,cn=config and restart the server.
Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: 
[06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_des_sha is weak. It 
is enabled since allowWeakCipher is "on" (default setting for the 
backward compatibility). We strongly recommend to set it to "off".  
Please replace the value of allowWeakCipher with "off" in the encryption 
config entry cn=encryption,cn=config and restart the server.
Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: 
[06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_fips_des_sha is 
weak. It is enabled since allowWeakCipher is "on" (default setting for 
the backward compatibility). We strongly recommend to set it to "off". 
Please replace the value of allowWeakCipher with "off" in the encryption 
config entry cn=encryption,cn=config and restart the server.
Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: 
[06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_3des_sha is weak. 
It is enabled since allowWeakCipher is "on" (default setting for the 
backward compatibility). We strongly recommend to set it to "off".  
Please replace the value of allowWeakCipher with "off" in the encryption 
config entry cn=encryption,cn=config and restart the server.
Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: 
[06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher rsa_fips_3des_sha is 
weak. It is enabled since allowWeakCipher is "on" (default setting for 
the backward compatibility). We strongly recommend to set it to "off". 
Please replace the value of allowWeakCipher with "off" in the encryption 
config entry cn=encryption,cn=config and restart the server.
Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: 
[06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite fortezza is not 
available in NSS 3.17.  Ignoring fortezza
Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: 
[06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite 
fortezza_rc4_128_sha is not available in NSS 3.17.  Ignoring 
fortezza_rc4_128_sha
Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: 
[06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher suite fortezza_null is 
not available in NSS 3.17.  Ignoring fortezza_null
Nov 06 21:34:58 freeipa.tjako.thuis ns-slapd[2244]: 
[06/Nov/2014:21:34:58 +0100] - SSL alert: Cipher 
tls_rsa_export1024_with_rc4_56_sha is weak.  It is enabled since 
allowWeakCipher is "on" (default setting for the backward 
compatibility). We strongly recommend to set it to "off".  Please 
replace the value of allowWeakCipher with "off" in the encryption config 
entry cn=encryption,cn=config and restart the server.
Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: 
[06/Nov/2014:21:34:59 +0100] - SSL alert: Cipher 
tls_rsa_export1024_with_des_cbc_sha is weak.  It is enabled since 
allowWeakCipher is "on" (default setting for the backward 
compatibility). We strongly recommend to set it to "off".  Please 
replace the value of allowWeakCipher with "off" in the encryption config 
entry cn=encryption,cn=config and restart the server.
Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: 
[06/Nov/2014:21:34:59 +0100] - SSL alert: Configured NSS Ciphers
Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: 
[06/Nov/2014:21:34:59 +0100] - SSL alert: 
SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA: enabled, (WEAK CIPHER)
Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: 
[06/Nov/2014:21:34:59 +0100] - SSL alert: TLS_RSA_WITH_3DES_EDE_CBC_SHA: 
enabled, (WEAK CIPHER)
Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: 
[06/Nov/2014:21:34:59 +0100] - SSL alert: TLS_RSA_WITH_RC4_128_MD5: 
enabled, (WEAK CIPHER)
Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: 
[06/Nov/2014:21:34:59 +0100] - SSL alert: SSL_RSA_FIPS_WITH_DES_CBC_SHA: 
enabled, (WEAK CIPHER)
Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: 
[06/Nov/2014:21:34:59 +0100] - SSL alert: TLS_RSA_WITH_DES_CBC_SHA: 
enabled, (WEAK CIPHER)
Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: 
[06/Nov/2014:21:34:59 +0100] - SSL alert: 
TLS_RSA_EXPORT1024_WITH_RC4_56_SHA: enabled, (WEAK CIPHER)
Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: 
[06/Nov/2014:21:34:59 +0100] - SSL alert: 
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA: enabled, (WEAK CIPHER)
Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: 
[06/Nov/2014:21:34:59 +0100] - SSL alert: 
TLS_RSA_EXPORT_WITH_RC4_40_MD5: enabled, (WEAK CIPHER)
Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: 
[06/Nov/2014:21:34:59 +0100] - SSL alert: 
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5: enabled, (WEAK CIPHER)
Nov 06 21:34:59 freeipa.tjako.thuis ns-slapd[2244]: 
[06/Nov/2014:21:34:59 +0100] SSL Initialization - SSL version range: 
min: TLS1.0, max: TLS1.2
Nov 06 21:35:01 freeipa.tjako.thuis systemd[1]: 
dirsrv@TJAKO-THUIS.service: main process exited, code=exited, 
status=1/FAILURE
Nov 06 21:35:01 freeipa.tjako.thuis systemd[1]: Unit 
dirsrv@TJAKO-THUIS.service entered failed state.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project