Bret Wortman via FreeIPA-users wrote:
On Thu, Jun 17, 2021, at 9:54 AM, Bret Wortman via FreeIPA-users wrote:
> On Thu, Jun 17, 2021, at 7:15 AM, Bret Wortman via FreeIPA-users wrote:
>> On Tue, Jun 15, 2021, at 5:47 AM, Bret Wortman via FreeIPA-users wrote:
>>> On Mon, Jun 14, 2021, at 3:47 PM, Rob Crittenden wrote:
>>>> Bret Wortman via FreeIPA-users wrote:
>>>>> This appears to be the error, or at least it's the only
>>>>> "fatal" I could find in the stream and it's near enough to the end of
>>>>> traffic that it seems likely. I'm no expert on Wireshark so I'm hoping someone is
>>>>> willing to take a peek and let me know if there's something obvious here.
>>>>>
>>>>> https://gist.github.com/wortmanb/d3b1cb38e894d1fb0578ab05e459b178
>>>>>
>>>>
>>>> Are you sure you aren't seeing a connect error on the F21 Apache
>>>> server?
>>>> This looks to me like an untrusted CA or something like it.
>>>
>>> Not that I'm aware of. We haven't touched those servers in ages (hence
>>> the F21). Where would we be most likely to see the connect error on the
>>> server? I may have missed a log file.
>>
>> Bingo!
>>
>> 192.168.2.215 - - [17/Jun/2021:07:11:28 -0400] "GET
>> /ca/rest/securityDomain/domainInfo HTTP/1.1" 200 190
>> 192.168.2.215 - - [17/Jun/2021:07:11:28 -0400] "GET
>> /ca/rest/account/login HTTP/1.1" 200 188
>> 192.168.2.215 - - [17/Jun/2021:07:11:30 -0400] "GET
>> /ca/rest/account/logout HTTP/1.1" 204 -
>> [Thu Jun 17 07:11:41.806659 2021] [:error] [pid 921] SSL Library Error:
>> -12286 No common encryption algorithm(s) with client
>>
>> I don't think we adjusted the SSL configs on either end...
>
> So I took the cypher list from the new box and copied it to the other
> and added it to httpd/conf.d/nss.conf and then the two ends could talk
> again. We got as far as this now:
>
> Done configuring certificate server (pki-tomcatd).
> Applying LDAP updates
> Upgrading IPA:. Estimated time: 1 minute 30 seconds
> [1/10]: stopping directory server
> [2/10]: saving configuration
> [3/10]: disabling listeners
> [4/10]: enabling DS global lock
> [5/10]: disabling Schema Compat
> [6/10]: starting directory server
> [7/10]: upgrading server
> [8/10]: stopping directory server
> [9/10]: restoring configuration
> [10/10]: starting directory server
> Done.
> Finalize replication settings
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipapython.admintool: ERROR Server is unwilling to perform:
> modification of attribute nsds5ReplicaReleaseTimeout is not allowed in
> replica entry
> ipapython.admintool: ERROR The ipa-replica-install command failed.
> See /var/log/ipareplica-install.log for more information
>
> Is there a simple workaround for this?
I think it will involve editing code on the C7 server.
/usr/lib/python2.7/site-packages/ipaserver/install/replication.py
REPLICA_CREATION_SETTINGS and REPLICA_FINAL_SETTINGS.
Remove the nsds5ReplicaReleaseTimeout from both then try the install again.
When (hopefully) the install is successful, restore the code, either by
manually adding it back in or re-installing the python2-ipaserver
package (preferred as it will verify correctly with rpm).
If you want to read about the reasoning of the change see
https://pagure.io/freeipa/issue/7617 and the associated PR.
rob
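A small helper for the workaround Rob describes above, added here as an example; it is not from the thread and not part of FreeIPA. It removes only the nsds5ReplicaReleaseTimeout entries that sit inside the two named dicts in replication.py, leaves every other line alone, and keeps a backup so the original can be put back after the install. The dict names and the file path are the ones Rob gives; the file body in SAMPLE is a constructed stand-in, since the real contents are whatever the installed python2-ipaserver ships.

```python
# Added example (not from the thread or from FreeIPA): strip the
# nsds5ReplicaReleaseTimeout entries from REPLICA_CREATION_SETTINGS and
# REPLICA_FINAL_SETTINGS in replication.py, touching nothing else, and
# keep a backup so the original can be restored after the install.
import re
import shutil
import sys

# Path and dict names as given in the thread.
REPLICATION_PY = "/usr/lib/python2.7/site-packages/ipaserver/install/replication.py"
TARGET_DICTS = ("REPLICA_CREATION_SETTINGS", "REPLICA_FINAL_SETTINGS")
ATTR = "nsds5ReplicaReleaseTimeout"

# Constructed stand-in for the module (values are made up); only the dict
# names come from the thread. The OTHER dict exists to show that the
# attribute is left alone outside the two target dicts.
SAMPLE = """\
# constructed stand-in for ipaserver/install/replication.py
REPLICA_CREATION_SETTINGS = {
    'nsds5ReplicaReleaseTimeout': ['20'],
    'nsds5ReplicaBackoffMax': ['3'],
}

REPLICA_FINAL_SETTINGS = {
    'nsds5ReplicaReleaseTimeout': ['60'],
    'nsds5ReplicaBackoffMax': ['300'],
}

OTHER = {
    'nsds5ReplicaReleaseTimeout': ['unrelated, must stay'],
}
"""


def strip_attribute(source, attr=ATTR, dicts=TARGET_DICTS):
    """Return (new_source, removed_count).

    A line is dropped only if it mentions `attr` and lies between the
    'NAME = {' opener of one of `dicts` and that dict's closing '}'.
    A dict written on a single line is not entered, so it is left as-is.
    """
    out = []
    removed = 0
    in_target = False
    for line in source.splitlines(True):
        stripped = line.strip()
        if not in_target:
            opens = any(re.match(name + r"\s*=\s*\{", stripped) for name in dicts)
            # only enter multi-line dict bodies; a one-liner closes on this line
            in_target = opens and "}" not in stripped
            out.append(line)
            continue
        if stripped.startswith("}"):
            in_target = False          # end of the target dict body
            out.append(line)
            continue
        if attr.lower() in stripped.lower():
            removed += 1               # drop the entry, keep everything else
            continue
        out.append(line)
    return "".join(out), removed


def patch_file(path=REPLICATION_PY, backup_suffix=".orig"):
    """Back up `path` and rewrite it with the attribute removed.

    Returns the number of entries removed; if nothing matched the file is
    not touched at all (no backup, no rewrite).
    """
    with open(path) as fh:
        original = fh.read()
    patched, removed = strip_attribute(original)
    if removed == 0:
        return 0
    shutil.copy2(path, path + backup_suffix)
    with open(path, "w") as fh:
        fh.write(patched)
    return removed


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else REPLICATION_PY
    print("removed %d entries from %s" % (patch_file(target), target))
```

Run it as root on the C7 server before retrying ipa-replica-install, then put the file back (move the .orig copy over it, or reinstall python2-ipaserver as Rob prefers) and confirm with `rpm -V python2-ipaserver` that the package contents match what rpm expects.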
>
In my Googling for an answer I found some earlier threads that might never have been
resolved, but Florence asked some early questions that I thought I'd answer right
now:
On ipa1 (original F21 server):
# rpm -qa | grep 389
389-ds-base-libs-1.3.3.13-1.fc21.x86_64
389-ds-base-1.3.3.13-1.fc21.x86_64
# ldapsearch -Y GSSAPI -h ipa1 -b cn=schema -s base -o ldif-wrap=no -LLL attributetypes |
grep -i nsds5replicareleasetimeout
SASL/GSSAPI authentication started
SASL username: admin(a)OUR.NET
SASL SSF: 56
SASL data security layer installed.
attributetypes: ( 2.16.840.1.113730.3.1.2333 NAME 'nsds5ReplicaReleaseTimeout'
DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
On ipa2c7 (new C7 server we're trying to add as a replica):
# rpm -qa | grep 389
389-ds-base-libs-1.3.10.2-10.el7_9.x86_64
389-ds-base-1.3.10.2-10.el7_9.x86_64
# ldapsearch -Y GSSAPI -h ipa1 -b cn=schema -s base -o ldif-wrap=no -LLL attributetypes |
grep -i nsds5replicareleasetimeout
SASL/GSSAPI authentication started
SASL username: host/ipa2c7.wedgeofli.me(a)OUR.NET
SASL SSF: 256
SASL data security layer installed.
attributetypes: ( 2.16.840.1.113730.3.1.2333 NAME 'nsds5ReplicaReleaseTimeout'
DESC 'Netscape defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
SINGLE-VALUE X-ORIGIN ( 'Netscape Directory Server' 'user defined' ) )
>>
>>>> Have you replaced any of your IPA certs on the F21 server? Signed the
>>>> IPA CA with an external?
>>>
>>> I'll double-check today but not that I'm aware of.
>>> _______________________________________________
>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
>>> To unsubscribe send an email to
>>> freeipa-users-leave(a)lists.fedorahosted.org
>>> Fedora Code of Conduct:
>>>
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> List Archives:
>>>
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>>> Do not reply to spam on the list, report it:
>>>
https://pagure.io/fedora-infrastructure
>>>