Hide Forgot
This bug is created as a clone of upstream ticket: https://fedorahosted.org/pki/ticket/1644 Case being a site has customized its cipher lists (sslRangeCiphers) in server.xml throughout all CS instances. new cipher list being a lot more stringent. When installing new cs instance, the default ciphers does not overlap with the already-installed servers, including the Security Domain CA, hence making it not able to connect. Workaround is to loosen the ciphers on the SD CA and possibly others required during installation; however, that is not ideal, as it requires making changes and restarting the affected servers and changing them back later. It would make better sense to allow admin to customize the cipher list of the to-be-installed instance before the actual installation.
fixed by edewata: This can be done without adding new parameters: http://pki.fedoraproject.org/wiki/Custom_Installation#Customizing_TLS_cipher_list
[root@auto-hv-02-guest05 ~]# rpm -qi pki-ca Name : pki-ca Version : 10.3.3 Release : 8.el7 Architecture: noarch Install Date: Sun 04 Sep 2016 05:27:32 PM EDT Group : System Environment/Daemons Size : 2430595 License : GPLv2 Signature : (none) Source RPM : pki-core-10.3.3-8.el7.src.rpm Build Date : Tue 30 Aug 2016 03:23:27 PM EDT Build Host : ppc-015.build.eng.bos.redhat.com Relocations : (not relocatable) Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> Vendor : Red Hat, Inc. URL : http://pki.fedoraproject.org/ Summary : Certificate System - Certificate Authority Followed http://pki.fedoraproject.org/wiki/Custom_Installation#Customizing_TLS_cipher_list to customize cipher list before CA configuration.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2396.html