Sean Hogan wrote:
> Hi Jakub,
>
> I ended up re-enrolling the box and it is behaving as expected except I
> am not getting a host cert. Robert indicated auto host cert no longer
> avail with rhel 7 but using the --request-cert option on enroll to get
> a host cert if I wanted one. I did so and get this in the install log
>
>
> *2016-11-16T22:00:53Z DEBUG Starting external process*
> *2016-11-16T22:00:53Z DEBUG args='/bin/systemctl' 'is-active'
> 'certmonger.service'*
> *2016-11-16T22:00:53Z DEBUG Process finished, return code=0*
> *2016-11-16T22:00:53Z DEBUG stdout=active*
>
> *2016-11-16T22:00:53Z DEBUG stderr=*
> *2016-11-16T22:00:53Z ERROR certmonger request for host certificate failed*

Did you cut off the reason reported for the request failing?

> Maybe this is an issue with RHEL 7(4.x) client hitting a RHEL 6 (3.x)
> IPA server?

You could look in the server logs for details.

> As for crypto on RHEL 6 IPA I have (if this is what you are looking for).
> However this is modified version as it took me a while to get this list
> to pass tenable scans by modding the dse files.
> [root@ipa1 ~]# nmap --script ssl-enum-ciphers -p 636 `hostname`

These are the TLS settings for LDAP, not the Kerberos encryption types
supported. You instead want to run:

$ ldapsearch -x -D 'cn=directory manager' -W -s base -b cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com krbSupportedEncSaltTypes

rob
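An added example, not part of the original thread: one way to read the output of the ldapsearch command above and flag enctype:salt pairs whose encryption type is DES, 3DES or RC4, which RFC 6649 and RFC 8429 deprecate for Kerberos. The sample LDIF is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: flag deprecated Kerberos enctypes in krbSupportedEncSaltTypes.

# Constructed sample of what the ldapsearch above might return (LDIF).
sample_ldif() {
cat <<'EOF'
dn: cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com
krbSupportedEncSaltTypes: aes256-cts:normal
krbSupportedEncSaltTypes: aes256-cts:special
krbSupportedEncSaltTypes: aes128-cts:normal
krbSupportedEncSaltTypes: des3-hmac-sha1:normal
krbSupportedEncSaltTypes: arcfour-hmac:normal
krbSupportedEncSaltTypes: des-cbc-crc:v4
EOF
}

# classify_enctypes (hypothetical helper): reads LDIF on stdin and prints
# "<ok|weak> <enctype:salt>" for every krbSupportedEncSaltTypes value.
classify_enctypes() {
  awk '{
    i = index($0, ":")
    if (i == 0) next                     # not an "attr: value" line
    if (tolower(substr($0, 1, i - 1)) != "krbsupportedencsalttypes") next
    val = substr($0, i + 1)
    sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
    split(val, part, ":")                # part[1] = enctype, part[2] = salt
    split(tolower(part[1]), fam, "-")    # fam[1] = cipher family
    status = "ok"
    if (fam[1] == "des" || fam[1] == "des3" || fam[1] == "arcfour" || fam[1] == "rc4")
      status = "weak"
    print status, val
  }'
}

# weak_enctypes: only the values that need attention, one per line.
weak_enctypes() {
  classify_enctypes | awk '$1 == "weak" { print $2 }'
}

# Live use (prompts for the Directory Manager password, as in the thread):
#   ldapsearch -x -D 'cn=directory manager' -W -s base \
#     -b cn=EXAMPLE.COM,cn=kerberos,dc=example,dc=com krbSupportedEncSaltTypes | classify_enctypes
sample_ldif | classify_enctypes
```

The attribute name is matched case-insensitively because LDAP attribute names are not case-sensitive; base64-encoded (`attr::`) values are not decoded.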
