tls-compatibility

Today we were trying to join RHEL 6 clients to our new IPA server. Most of the servers registered successfully, but a few RHEL 6 systems failed to join.

We ran ipa-client-install with the -d option for debugging and got the output below.

2017-05-24T09:39:46Z DEBUG stderr=libcurl failed to execute the HTTP POST transaction. SSL connect error

2017-05-24T09:39:46Z ERROR Joining realm failed: libcurl failed to execute the HTTP POST transaction. SSL connect error

2017-05-24T09:39:46Z ERROR Installation failed. Rolling back changes.
2017-05-24T09:39:46Z ERROR IPA client is not configured on this system.

The error we ended up with is:
ERROR Joining realm failed: libcurl failed to execute the HTTP POST transaction.  SSL connect error

Since the client connects to the IPA server over HTTPS (Apache), we checked the Apache error log as well.
SSL Library Error: -12279 Client is using unsupported SSL versio

Debugging
Matching the two errors made it clear that the client was using an SSL/TLS version that the IPA server did not support. We ran the curl command from the client, and it did not go through.
 curl https://ipa.example.com/

 

Solution
The solution to the issue was to update libcurl and nss on the client system. The IPA server was using TLSv1.2, and we needed to update those packages so that libcurl would initiate the HTTPS request with the --tlsv1.2 option as default.

yum update -y curl libcurl nss

Once we updated, curl went through and the client was able to register with the IPA server without any issues.
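
The triage above can be scripted so the next failing client is diagnosed in one step. This is an added example, not part of the original post: the function names are made up here, the log signatures are the two quoted above, and the log paths and hostname are passed in by the caller.

```shell
#!/bin/sh
# Added example: triage a failed ipa-client-install join for a TLS version mismatch.
# Function names are hypothetical; log signatures are the ones quoted in this post.

# Map a curl exit status to a likely cause. curl exit codes: 35 = SSL connect
# error, 60 = server certificate not trusted, 6/7/28 = DNS, connect, timeout.
classify_curl_rc() {
    case "$1" in
        0)      echo "ok" ;;
        35)     echo "tls-handshake-failed" ;;
        60)     echo "cert-untrusted" ;;   # certificate was received: not a version problem
        6|7|28) echo "network" ;;
        *)      echo "other" ;;
    esac
}

# Succeeds if the ipa-client-install debug log shows the libcurl TLS failure.
client_log_has_tls_error() {
    grep -q 'libcurl failed to execute the HTTP POST transaction.*SSL connect error' "$1"
}

# Succeeds if the Apache error log shows NSS error -12279 (unsupported version).
server_log_has_version_error() {
    grep -q 'SSL Library Error: -12279' "$1"
}

# Combine both logs into one verdict. Usage: triage CLIENT_LOG SERVER_LOG
triage() {
    if client_log_has_tls_error "$1" && server_log_has_version_error "$2"; then
        echo "tls-version-mismatch: update curl libcurl nss on the client"
    elif client_log_has_tls_error "$1"; then
        echo "tls-failure: check the server log for the NSS error code"
    else
        echo "no-tls-signature"
    fi
}

# One argument: live probe of that host from the client, plus package versions.
# Two arguments: offline triage of a client log and a server log.
case $# in
    1) rc=0
       curl -sS -o /dev/null "https://$1/" || rc=$?
       echo "curl exit $rc: $(classify_curl_rc "$rc")"
       rpm -q curl libcurl nss ;;
    2) triage "$1" "$2" ;;
esac
```

Run it with the IPA hostname on the client for the live probe, or with the client install log and a copy of the server's Apache error log for the offline verdict.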
