Hi,

On Tue, Aug 1, 2023 at 7:50 AM Harald Dunkel via FreeIPA-users <[email protected]> wrote:

> Hi folks,
>
> our security scanner complains about weak ciphers in Rocky 8
> (httpd and ssh). Security policy is set to "DEFAULT". If I set
> it to "FUTURE", then httpd is not started anymore (breaking
> ipa.service) due to some short keys. From the httpd error
> log:
>

IdM doesn't support running with FUTURE crypto policy, please see the note at the end of this section:
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/installing_identity_management/preparing-the-system-for-ipa-server-installation_installing-identity-management#system-requirements-in-ipa_preparing-the-system-for-ipa-server-installation

flo

> [Tue Aug 01 07:15:37.847520 2023] [suexec:notice] [pid 13991:tid
> 140196092746048] AH01232: suEXEC mechanism enabled (wrapper:
> /usr/sbin/suexec)
> [Tue Aug 01 07:15:37.849785 2023] [ssl:emerg] [pid 13991:tid
> 140196092746048] AH02562: Failed to configure certificate
> ipaca8.example.com:443:0 (with chain), check /var/lib/ipa/certs/httpd.crt
> [Tue Aug 01 07:15:37.849826 2023] [ssl:emerg] [pid 13991:tid
> 140196092746048] SSL Library Error: error:140AB18F:SSL
> routines:SSL_CTX_use_certificate:ee key too small
> AH00016: Configuration Failed
>
> The httpd key and cert was generated by FreeIPA just a few
> weeks ago, so I wonder how to proceed in this case? Upgrade
> to Rocky 9 to get better defaults?
>
>
> Regards
>
> Harri
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
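Added example, not part of the original messages and not FreeIPA code: a pre-flight check that compares a certificate's RSA key size with a crypto policy's minimum before the policy is switched, which is the condition behind the "ee key too small" error quoted above. The function names are hypothetical, and the minimums (DEFAULT 2048, FUTURE 3072) are assumed from crypto-policies(7) on RHEL 8; confirm them on your system.

```sh
#!/bin/sh
# Added example. Assumed RSA minimums (crypto-policies(7), RHEL 8):
# DEFAULT 2048 bits, FUTURE 3072 bits.

# Print the minimum RSA key size for a policy name; fail on unknown names.
policy_min_rsa_bits() {
    case "$1" in
        DEFAULT) echo 2048 ;;
        FUTURE)  echo 3072 ;;
        *)       return 1 ;;
    esac
}

# Read `openssl x509 -noout -text` output on stdin and judge it against POLICY ($1).
# Prints "ok BITS" (status 0), "too-small BITS<MIN" (1), "not-rsa" (2),
# or "unknown-policy" / "no-key-size" (3).
check_cert_text() {
    min=$(policy_min_rsa_bits "$1") || { echo "unknown-policy"; return 3; }
    text=$(cat)
    case "$text" in
        *"Public Key Algorithm: rsaEncryption"*) ;;
        *) echo "not-rsa"; return 2 ;;   # EC and other key types have other limits
    esac
    # OpenSSL 1.1.1 prints "RSA Public-Key: (N bit)", OpenSSL 3 "Public-Key: (N bit)".
    bits=$(printf '%s\n' "$text" |
        sed -n 's/^ *\(RSA \)\{0,1\}Public-Key: (\([0-9][0-9]*\) bit).*/\2/p' |
        head -n 1)
    [ -n "$bits" ] || { echo "no-key-size"; return 3; }
    if [ "$bits" -ge "$min" ]; then echo "ok $bits"; return 0; fi
    echo "too-small $bits<$min"; return 1
}

# Check a PEM certificate file ($2) against a policy ($1); needs the openssl CLI.
# Example: check_cert_file FUTURE /var/lib/ipa/certs/httpd.crt
# The active policy is shown by: update-crypto-policies --show
check_cert_file() {
    openssl x509 -in "$2" -noout -text | check_cert_text "$1"
}

# Constructed sample: the relevant lines of `openssl x509 -text` for a 2048-bit RSA cert.
SAMPLE_2048='        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)'
```

Piping SAMPLE_2048 into `check_cert_text FUTURE` reports the key as too small, while the same input passes against DEFAULT.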
