FreeIPA ReadTheDocs site
by Alexander Bokovoy
Hi,
Thanks to Christian Heimes' work, we now have auto-generated FreeIPA
documentation at https://freeipa.readthedocs.io/en/latest/. It currently
only includes in-tree design documents and the FreeIPA workshop, but more is to
come as older design pages and HOWTOs get converted to the upstream git
tree.
If anyone wants to help with the conversion, please don't hesitate to
contact me or Christian.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
Can't SSH to client after migrate
by Faraz Younus
Hello Team,
I migrated a FreeIPA client running version 3.0 to a new FreeIPA server,
version 4.6. The host is successfully enrolled on the new IPA server, but I
cannot ssh into the client machine.
ssh faraz.younus@client.example.com
faraz.younus@client.example.com's password:
Permission denied, please try again.
Is this a version issue that prevents me from logging in via ssh?
Looking forward to your reply.
Thanks
Faraz
Samba file server authentication issues
by Michael Deffenbaugh
Hey all,
I'm having issues setting up a Samba file server using IPA as
an authentication source on my network. I followed the guide based on
the mailing list chatter
<https://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA>.
No success.
When I try to authenticate using kerberos (or password), I get an access
denied error on the client when running "smbclient -k -L
fs01.svr.ipa.domain":
session setup failed: NT_STATUS_ACCESS_DENIED
And it tries to revert to local user lookup on the server:
[2020/03/20 02:47:32.669898, 3]
../auth/kerberos/gssapi_pac.c:123(gssapi_obtain_pac_blob)
gssapi_obtain_pac_blob: obtaining PAC via GSSAPI gss_get_name_attribute
failed: The operation or option is not available or unsupported: No such
file or directory
[2020/03/20 02:47:32.670131, 3]
../auth/gensec/gensec_util.c:55(gensec_generate_session_info_pac)
gensec_generate_session_info_pac: Unable to find PAC for mddeff@<IPA.DOMAIN>,
resorting to local user lookup
------ Server Config -----
[global]
workgroup = SVR
realm = SVR.IPA.DOMAIN
dedicated keytab file = /etc/samba/samba.keytab
kerberos method = dedicated keytab
use kerberos keytab = true
log file = /var/log/samba/log.%m
log level = 3
security = ads
----------
Client:
Fedora 30
File Server:
CentOS 7.7, Samba 4.9.1, ipa-client 4.6.5
selinux is enabled.
Any thoughts? Thanks in advance!
Regards,
Mike
Web UI is slow and unresponsive
by Boyd Ako
So, I have a server set up with just three users and fewer than 10 systems attached to it. But, for some reason, when I try to log in via the web UI it normally just hangs at the "Authenticating..." point. Sometimes, if I'm lucky, I actually get into the interface. However, anything that I click on has the "working..." wheel of death, and if it does load the data for the page it takes forever.
Environment:
- "At home", not a production environment.
- Home router is set to use internal BIND DNS server and the IPA server for DNS
- IPA server is set to use the BIND DNS server for forwarding
- BIND DNS server's primary function is Blackhole DNS forwarding server
- IPA server is set to be an internal self-signed CA/RA
Things I've tried:
1) reboot the server Result: No Change.
2) Tried using Chrome, Firefox, Safari, and Opera with cache clearing. Result: No Change
3) Tried logging in via User Name and password. Result: No change
4) Tried logging in via PKCS#11 soft-token. Result: No change
5) login to the IPA server, start kerberos session, and run `ipa user-find`. Result: command hangs
6) login to the IPA client, start kerberos session, and run `ipa user-find`. Result: command hangs
When monitoring `journalctl -xf` while doing so, the only things I see are entries like the following:
Mar 20 17:25:33 ipa.neverland.ddns.me named-pkcs11[2857]: resolver priming query complete
Mar 20 17:25:43 ipa.neverland.ddns.me named-pkcs11[2857]: resolver priming query complete
Mar 20 17:25:52 ipa.neverland.ddns.me named-pkcs11[2857]: resolver priming query complete
Mar 20 17:25:54 ipa.neverland.ddns.me ns-slapd[2810]: GSSAPI server step 1
Mar 20 17:25:54 ipa.neverland.ddns.me ns-slapd[2810]: GSSAPI server step 2
Mar 20 17:25:54 ipa.neverland.ddns.me ns-slapd[2810]: GSSAPI server step 3
Mar 20 17:25:57 ipa.neverland.ddns.me named-pkcs11[2857]: resolver priming query complete
Mar 20 17:25:59 ipa.neverland.ddns.me named-pkcs11[2857]: resolver priming query complete
Mar 20 17:26:05 ipa.neverland.ddns.me named-pkcs11[2857]: resolver priming query complete
Mar 20 17:26:25 ipa.neverland.ddns.me named-pkcs11[2857]: resolver priming query complete
Mar 20 17:26:27 ipa.neverland.ddns.me named-pkcs11[2857]: resolver priming query complete
Mar 20 17:26:28 ipa.neverland.ddns.me named-pkcs11[2857]: resolver priming query complete
7) Tried to understand the log output of `journalctl -xf` when I do `systemctl restart ipa`, which can be found at https://pastebin.com/7sMAp7Zh
8) Tried using curl with kerberos to access Web API. Result: No change. Note: This and all other web-based access sometimes errors out with a vague "Internal Error" message.
Re: freeIPA in a complex multi-subnet, multi-domain, multi-identity provider lab environment
by Todd Grayson
Thanks Rob, Thanks Angus,
I am aware of how to point the client to the specific IPA server; what I'm struggling more with is FreeIPA in an environment where it's not using DNS for domain and realm resolution for Kerberos, which does work today.
I should have limited my question to the following:
Is it possible to use ipaClient but manage static mappings in the krb5.conf [realm] and [domain realm] sections and run with dns_lookup_kdc=false and dns_lookup_realm=false (including the krb5.conf on the IPA server itself so it's aware of all)? The question from Angus makes me believe that having dns_lookup* = false is an unsupported context in an IPA environment.
Thanks for your feedback.
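To make the static-mapping question concrete, here is an added example (not from the thread and not FreeIPA or MIT krb5 code) that reads a constructed krb5.conf with dns_lookup_realm = false and dns_lookup_kdc = false and resolves hosts to a realm purely from [domain_realm], following the lookup order documented for that section: exact host name first, then each parent domain, with a ".domain" entry taking precedence over a bare "domain" entry. All realm, host and KDC names are placeholders.

```python
import re

# Constructed krb5.conf (placeholder names): static mappings, DNS lookups off.
KRB5_CONF = """
[libdefaults]
  default_realm = LAB.EXAMPLE
  dns_lookup_realm = false
  dns_lookup_kdc = false
[realms]
  LAB.EXAMPLE = {
    kdc = ipa1.lab.example
    kdc = ipa2.lab.example
  }
[domain_realm]
  .lab.example = LAB.EXAMPLE
  lab.example = LAB.EXAMPLE
  legacy-host.corp.example = LAB.EXAMPLE
  .corp.example = CORP.EXAMPLE
"""

def parse_krb5_conf(text):
    """Minimal {section: {key: [values]}} reader; realm blocks become nested dicts."""
    sections, section, realm = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section = sections.setdefault(m.group(1), {})
            continue
        if line.endswith("{"):                  # start of a realm block
            realm = line.split("=")[0].strip()
            section[realm] = {}
            continue
        if line == "}":
            realm = None
            continue
        key, _, value = line.partition("=")
        target = section[realm] if realm else section
        target.setdefault(key.strip(), []).append(value.strip())
    return sections

def host_realm(conf, hostname):
    """Realm for a host from [domain_realm] alone: exact host first, then each
    parent domain, where '.domain' beats a bare 'domain' entry.  None means no
    static mapping; with dns_lookup_realm = false there is no DNS fallback."""
    mapping = conf.get("domain_realm", {})
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host][0]
    labels = host.split(".")
    for i in range(1, len(labels)):
        domain = ".".join(labels[i:])
        for key in ("." + domain, domain):
            if key in mapping:
                return mapping[key][0]
    return None

def kdcs_for(conf, realm):
    """KDCs a client with dns_lookup_kdc = false will contact for a realm."""
    return conf.get("realms", {}).get(realm, {}).get("kdc", [])

CONF = parse_krb5_conf(KRB5_CONF)
```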
Ansible and Kerberos
by Kimmo Rantala
Hi,
I searched the interwebs but didn't find a definite answer.
We are enrolling clients with ansible like this:
shell: ipa-client-install -U {{ ipa_extra_params }} --domain={{ ipa_domain }} --principal={{ ipa_admin_user }} --password={{ ipa_admin_password }} --mkhomedir --force-join --hostname={{ instance_hostname.stdout }}.{{ ipa_domain }}
This works fine.
After enrolling we want to edit the attributes of the newly enrolled host. We do that like this:
shell: echo {{ ipa_admin_password }} | kinit enroller@{{ ipa_domain|upper }} && ipa host-mod --setattr=userclass="{{ host_user_class }}" {{ instance_hostname.stdout }}.{{ ipa_domain }}
This also works fine but we don't love the fact that we echo the password to kinit. I know that there is the keytab route but that would require moving the keytab file to the host first. While this is not in any way impossible, we would like to "see all the cards".
What would be the best practice(tm) for this?
Ubuntu client: Kerberos works, authentication does not
by Nicholas DeMarco
Hello, I've worked through many issues learning and implementing FreeIPA in
my realm. Thanks to many for the helpful direction.
One Ubuntu client is not behaving. It joined successfully, but will not
authenticate. Kerberos works:
# kinit ndemarco
# klist
Ticket cache: KEYRING:persistent:0:0
Default principal: ndemarco@PCHEM.PRO
Valid starting Expires Service principal
03/07/2020 12:20:20 03/08/2020 13:20:17 krbtgt/PCHEM.PRO@PCHEM.PRO
However, I cannot log in as the same user. The password is not recognized.
No local user with the same name:
# getent passwd | grep ndemarco
None of the SSSD logs show anything interesting.
I'm a learner. Please give me a hint++ on where to look next.
Sincerely,
Nick
external users trust AD in the foreman
by Natxo Asenjo
hi,
according to the satellite documentation (
https://access.redhat.com/documentation/en-us/red_hat_satellite/6.4/html/...)
this should work, but it's a bit unclear as to how.
Let's see, we have a cross realm trust between an AD (2016) and RHEL 7.7. I
have an external group mapped in IdM to an AD group, I can login using ssh
with my AD user to the host running the foreman which is member of IdM (not
satellite, I know, but we require some functionality in the foreman not
available in satellite). So far so good.
But what exactly do I need to do now? According to the manual:
https://access.redhat.com/documentation/en-us/red_hat_satellite/6.4/html/...
13.3.6. Configuring the IdM Server to Use Cross-Forest Trust
On the IdM server, configure the server to use cross-forest trust.
*Procedure*
1. Enable HBAC:
   1. Create an external group and add the AD group to it.
   2. Add the new external group to a POSIX group.
   3. Use the POSIX group in a HBAC rule.
2. Configure sssd to transfer additional attributes of AD users.
   - Add the AD user attributes to the *nss* and *domain* sections in
     /etc/sssd/sssd.conf.
     For example:
     [nss]
     user_attributes=+mail, +sn, +givenname
     [domain/EXAMPLE]
     ldap_user_extra_attrs=mail, sn, givenname
So I have the external group mapped to a POSIX group, and I can log in with my
AD user, so that takes care of 1.a), 1.b) and 1.c).
Point 2 means I need to modify sssd.conf in the foreman host, I think.
And then?
--
Groeten,
natxo
A fix for stuck certificates with the "NEWLY_ADDED_NEED_KEYINFO_READ_PIN" status
by Sam Morris
I noticed that a certificate request on a CentOS 8 server (running ipa-
server 4.8.0-13.module_el8.1.0+265+e1e65be4) got stuck:
Request ID '20200123083218':
status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
stuck: yes
key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
CA: IPA
issuer: CN=Certificate Authority,O=IPA.EXAMPLE.COM
subject: CN=ipa2.ipa.example.com,O=IPA.EXAMPLE.COM
expires: 2021-12-19 18:32:27 UTC
dns: ipa2.ipa.example.com
principal name: HTTP/ipa2.ipa.example.com@IPA.EXAMPLE.COM
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
I was able to fix this with the following command:
# ipa-getcert start-tracking -i 20200123083218 -p /var/lib/ipa/passwds/ipa2.ipa.example.com-443-RSA
Hopefully someone else will find that useful.
(Thanks to Rob for his advice in [0]; the command I used modified the
existing request without having to delete and re-create it from
scratch.)
[0] https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A
892B 1855 D20B 4202 5CDA 27B9
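As an added example (not part of the post and not FreeIPA or certmonger code), a small checker that parses `ipa-getcert list` output, flags requests that are stuck or parked in a NEWLY_ADDED_NEED_* state, and prints the start-tracking command the post used. The sample output is constructed: the first request copies the stuck entry from the post, the second is a healthy request that already carries a PIN file, with the PIN file path taken from the post's command.

```python
import re

# Constructed `ipa-getcert list` output: request 1 mirrors the stuck entry
# from the post, request 2 is a healthy one that already has a pinfile.
GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20200123083218':
        status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
        stuck: yes
        key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
        certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
        CA: IPA
        subject: CN=ipa2.ipa.example.com,O=IPA.EXAMPLE.COM
        expires: 2021-12-19 18:32:27 UTC
        post-save command: /usr/libexec/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20200123083300':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/ipa2.ipa.example.com-443-RSA'
        certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
        subject: CN=ipa2.ipa.example.com,O=IPA.EXAMPLE.COM
        track: yes
        auto-renew: yes
"""

def parse_getcert_list(text):
    """Turn `ipa-getcert list` output into one {field: value} dict per request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def pinfile_of(req):
    """PIN file recorded in the key pair storage line, or None if there is none."""
    m = re.search(r"pinfile='([^']*)'", req.get("key pair storage", ""))
    return m.group(1) if m else None

def needs_attention(req):
    """Stuck, or waiting in a NEWLY_ADDED_NEED_* state for key/PIN information."""
    return req.get("stuck") == "yes" or req.get("status", "").startswith("NEWLY_ADDED_NEED")

def fix_command(req, pinfile):
    """The repair from the post: re-point the existing request at its PIN file
    instead of deleting and re-creating it."""
    return f"ipa-getcert start-tracking -i {req['id']} -p {pinfile}"

def audit(text):
    """[(request id, status, pinfile or None)] for every request needing attention."""
    return [(r["id"], r["status"], pinfile_of(r))
            for r in parse_getcert_list(text) if needs_attention(r)]

if __name__ == "__main__":
    for rid, status, pin in audit(GETCERT_LIST):
        print(f"{rid}: {status}; pinfile={pin or 'none'}")
```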
Vault API failure on CentOS 8 unless TLSv1.3 is disabled
by Sam Morris
I noticed that one of my FreeIPA servers is missing the Vault tab in
the web UI.
I've got a workaround but it seems a bit fishy and I wondered if
someone else could suggest a better fix.
The server in question is the only one that runs CentOS 8 (ipa-server
4.8.0-13.module_el8.1.0+265+e1e65be4). My other servers are running
CentOS 7 and work fine.
The command 'ipa vaultconfig-show' fails when run against the bad
server with:
[admin@client ~]$ ipa -vv vaultconfig-show
[...]
ipa: INFO: Request: {
"id": 0,
"method": "vaultconfig_show/1",
"params": [
[],
{
"version": "2.233"
}
]
}
ipa: INFO: Response: {
"error": {
"code": 903,
"data": {},
"message": "an internal error has occurred",
"name": "InternalError"
},
"id": 0,
"principal": "admin@IPA.EXAMPLE.COM",
"result": null,
"version": "4.8.0"
}
ipa: ERROR: an internal error has occurred
The corresponding httpd logs on the server (192.0.2.1 is my client, the
server is [2001:db8::1]) contain:
==> /var/log/httpd/access_log <==
192.0.2.1 - admin@IPA.EXAMPLE.COM [18/Mar/2020:08:31:50 +0000] "POST /ipa/json HTTP/1.1" 200 210
==> /var/log/httpd/error_log <==
[Wed Mar 18 08:31:51.760354 2020] [:warn] [pid 22279:tid 139671875061504] [client 192.0.2.1:62546] failed to set perms (3140) on file (/run/ipa/ccaches/admin@IPA.EXAMPLE.COM)!, referer: https://ipa2.ipa.example.com/ipa/xml
[Wed Mar 18 08:31:51.807084 2020] [wsgi:error] [pid 22274:tid 139672253028096] [remote 192.0.2.1:62546] ipa: INFO: [jsonserver_session] admin@IPA.EXAMPLE.COM: ping(): SUCCESS
==> /var/log/httpd/access_log <==
192.0.2.1 - admin@IPA.EXAMPLE.COM [18/Mar/2020:08:31:51 +0000] "POST /ipa/session/json HTTP/1.1" 200 276
==> /var/log/httpd/error_log <==
[Wed Mar 18 08:31:51.917275 2020] [:warn] [pid 22279:tid 139671891846912] [client 192.0.2.1:62546] failed to set perms (3140) on file (/run/ipa/ccaches/admin@IPA.EXAMPLE.COM)!, referer: https://ipa2.ipa.example.com/ipa/xml
==> /var/log/httpd/access_log <==
2001:db8::1 - - [18/Mar/2020:08:31:52 +0000] "GET /pki/rest/info HTTP/1.1" 404 211
==> /var/log/httpd/error_log <==
[Wed Mar 18 08:31:52.582003 2020] [ssl:error] [pid 23219:tid 139671598266112] [client 2001:db8::1:44620] AH: verify client post handshake
[Wed Mar 18 08:31:52.582101 2020] [ssl:error] [pid 23219:tid 139671598266112] [client 2001:db8::1:44620] AH10158: cannot perform post-handshake authentication
[Wed Mar 18 08:31:52.582207 2020] [ssl:error] [pid 23219:tid 139671598266112] SSL Library Error: error:14268117:SSL routines:SSL_verify_client_post_handshake:extension not received
==> /var/log/httpd/access_log <==
2001:db8::1 - - [18/Mar/2020:08:31:52 +0000] "GET /kra/rest/config/cert/transport HTTP/1.1" 403 298
==> /var/log/httpd/error_log <==
[Wed Mar 18 08:31:52.586053 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] ipa: ERROR: non-public: HTTPError: 403 Client Error: Forbidden for url: https://ipa2.ipa.example.com:443/kra/rest/config/cert/transport
[Wed Mar 18 08:31:52.586100 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] Traceback (most recent call last):
[Wed Mar 18 08:31:52.586106 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 429, in handler
[Wed Mar 18 08:31:52.586112 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] json = exc_val.response.json()
[Wed Mar 18 08:31:52.586116 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] File "/usr/lib/python3.6/site-packages/requests/models.py", line 897, in json
[Wed Mar 18 08:31:52.586121 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] return complexjson.loads(self.text, **kwargs)
[Wed Mar 18 08:31:52.586127 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] File "/usr/lib64/python3.6/json/__init__.py", line 354, in loads
[Wed Mar 18 08:31:52.586133 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] return _default_decoder.decode(s)
[Wed Mar 18 08:31:52.586137 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] File "/usr/lib64/python3.6/json/decoder.py", line 339, in decode
[Wed Mar 18 08:31:52.586142 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] obj, end = self.raw_decode(s, idx=_w(s, 0).end())
[Wed Mar 18 08:31:52.586146 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] File "/usr/lib64/python3.6/json/decoder.py", line 357, in raw_decode
[Wed Mar 18 08:31:52.586151 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] raise JSONDecodeError("Expecting value", s, err.value) from None
[Wed Mar 18 08:31:52.586156 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] json.decoder.JSONDecodeError: Expecting value: line 1 column 1 (char 0)
[Wed Mar 18 08:31:52.586160 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]
[Wed Mar 18 08:31:52.586165 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] During handling of the above exception, another exception occurred:
[Wed Mar 18 08:31:52.586169 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]
[Wed Mar 18 08:31:52.586174 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] Traceback (most recent call last):
[Wed Mar 18 08:31:52.586179 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] File "/usr/lib/python3.6/site-packages/ipaserver/rpcserver.py", line 368, in wsgi_execute
[Wed Mar 18 08:31:52.586184 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] result = command(*args, **options)
[Wed Mar 18 08:31:52.586189 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 450, in __call__
[Wed Mar 18 08:31:52.586194 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] return self.__do_call(*args, **options)
[Wed Mar 18 08:31:52.586199 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 478, in __do_call
[Wed Mar 18 08:31:52.586204 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] ret = self.run(*args, **options)
[Wed Mar 18 08:31:52.586209 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] File "/usr/lib/python3.6/site-packages/ipalib/frontend.py", line 800, in run
[Wed Mar 18 08:31:52.586214 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] return self.execute(*args, **options)
[Wed Mar 18 08:31:52.586252 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] File "/usr/lib/python3.6/site-packages/ipaserver/plugins/vault.py", line 1003, in execute
[Wed Mar 18 08:31:52.586258 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] transport_cert = kra_client.system_certs.get_transport_cert()
[Wed Mar 18 08:31:52.586263 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 434, in handler
[Wed Mar 18 08:31:52.586267 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] six.reraise(exc_type, exc_val, exc_tb)
[Wed Mar 18 08:31:52.586272 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] File "/usr/lib/python3.6/site-packages/six.py", line 693, in reraise
[Wed Mar 18 08:31:52.586277 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] raise value
[Wed Mar 18 08:31:52.586281 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] File "/usr/lib/python3.6/site-packages/pki/__init__.py", line 423, in handler
[Wed Mar 18 08:31:52.586286 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] return fn_call(inst, *args, **kwargs)
[Wed Mar 18 08:31:52.586290 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] File "/usr/lib/python3.6/site-packages/pki/systemcert.py", line 54, in get_transport_cert
[Wed Mar 18 08:31:52.586295 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] response = self.connection.get(url, self.headers)
[Wed Mar 18 08:31:52.586300 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] File "/usr/lib/python3.6/site-packages/pki/client.py", line 46, in wrapper
[Wed Mar 18 08:31:52.586305 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] return func(self, *args, **kwargs)
[Wed Mar 18 08:31:52.586309 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] File "/usr/lib/python3.6/site-packages/pki/client.py", line 165, in get
[Wed Mar 18 08:31:52.586314 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] r.raise_for_status()
[Wed Mar 18 08:31:52.586319 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] File "/usr/lib/python3.6/site-packages/requests/models.py", line 940, in raise_for_status
[Wed Mar 18 08:31:52.586324 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] raise HTTPError(http_error_msg, response=self)
[Wed Mar 18 08:31:52.586330 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] requests.exceptions.HTTPError: 403 Client Error: Forbidden for url: https://ipa2.ipa.example.com:443/kra/rest/config/cert/transport
[Wed Mar 18 08:31:52.586340 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546]
[Wed Mar 18 08:31:52.586647 2020] [wsgi:error] [pid 22275:tid 139672253028096] [remote 192.0.2.1:62546] ipa: INFO: [jsonserver_session] admin@IPA.EXAMPLE.COM: vaultconfig_show/1(version='2.235'): InternalError
==> /var/log/httpd/access_log <==
192.0.2.1 - admin@IPA.EXAMPLE.COM [18/Mar/2020:08:31:51 +0000] "POST /ipa/session/json HTTP/1.1" 200 173
It looks like the ipa api server requests
/kra/rest/config/cert/transport, which httpd normally proxies through
to tomcat; but there's something about the request that causes mod_ssl
to reject it ("cannot perform post-handshake authentication").
Unauthenticated requests to that URL work fine:
# curl -s https://ipa2.ipa.example.com/kra/rest/config/cert/transport | head -n1
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><CertData xmlns:ns2="http://www.w3.org/2005/Atom" id="0xb"><Encoded>-----BEGIN CERTIFICATE-----
If I reconfigure httpd with "SSLProtocol +TLSv1.2 -TLSv1.3" then the
problem goes away. As far as I know, the default in RHEL 8 is to _not_
include an SSLProtocol line so that the system-wide crypto-policies(5)
will be used. Hence this feels like the wrong solution to me.
Interestingly, "SSLProtocol -TLSv1.3" causes httpd to fail to start
with "AH02231: No SSL protocols available [hint: SSLProtocol]"... even
though (testing with sslyze), no SSLProtocol directive leaves only
TLSv1.2 and TLSv1.3 enabled...
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A
892B 1855 D20B 4202 5CDA 27B9
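The different outcomes of the two SSLProtocol variants in the post follow from how mod_ssl evaluates the directive: the protocol set starts empty, a bare name replaces it, "+name" adds to it and "-name" removes from it, so a lone "-TLSv1.3" removes from nothing and leaves httpd with no protocol at all. This added example (not from the post and not httpd code) models that evaluation for the directives mentioned; the system crypto policy, which narrows the built-in default further on CentOS 8, is deliberately left out.

```python
# mod_ssl evaluates SSLProtocol left to right starting from an empty set:
# a bare name replaces the set, '+name' adds, '-name' removes, and 'all'
# stands for every version the httpd/OpenSSL build supports (TLSv1.3 is
# only there with OpenSSL 1.1.1+, which CentOS 8 ships).
KNOWN = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
BUILTIN_DEFAULT = "all -SSLv3"    # httpd 2.4 default when the directive is absent
NO_PROTOCOLS = "AH02231: No SSL protocols available [hint: SSLProtocol]"

def parse_ssl_protocol(directive):
    """Return the set of protocol names enabled by an SSLProtocol value."""
    enabled = set()
    for word in directive.split():
        op, name = (word[0], word[1:]) if word[0] in "+-" else ("=", word)
        if name.lower() == "all":
            names = set(KNOWN)
        else:
            names = {k for k in KNOWN if k.lower() == name.lower()}
            if not names:
                raise ValueError(f"unknown protocol {name!r}")
        if op == "=":        # bare name: replace whatever was collected so far
            enabled = names
        elif op == "+":
            enabled |= names
        else:                # '-' on an empty set is what bit the post
            enabled -= names
    return enabled

def startup_verdict(directive=None):
    """What httpd would end up with for a directive (None = no directive).
    The system crypto policy is not modelled; with no directive it is what
    narrows the built-in default down to TLSv1.2/TLSv1.3 on CentOS 8."""
    text = directive if directive is not None else BUILTIN_DEFAULT
    enabled = parse_ssl_protocol(text)
    if not enabled:
        return NO_PROTOCOLS
    return "SSLProtocol " + " ".join(sorted(enabled, key=KNOWN.index))

if __name__ == "__main__":
    for d in (None, "-TLSv1.3", "+TLSv1.2 -TLSv1.3", "all -TLSv1.3"):
        print(f"{d!r:>22} -> {startup_verdict(d)}")
```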