Günther J. Niederwimmer via FreeIPA-users wrote:
On Friday, 3 January 2020, 17:23:46 CET, Rob Crittenden via FreeIPA-users wrote:
> Günther J. Niederwimmer via FreeIPA-users wrote:
>
>> On Friday, 3 January 2020, 16:27:38 CET, Rob Crittenden via FreeIPA-users wrote:
>>
>>> Günther J. Niederwimmer via FreeIPA-users wrote:
>>>
>>>> Hello,
>>>>
>>>> On Thursday, 2 January 2020, 21:37:31 CET, Rob Crittenden via FreeIPA-users wrote:
>>>>
>>>>> Günther J. Niederwimmer via FreeIPA-users wrote:
>>>>>
>>>>>> On Thursday, 2 January 2020, 19:46:47 CET, Rob Crittenden via FreeIPA-users wrote:
>>>>>>
>>>>>>> Günther J. Niederwimmer via FreeIPA-users wrote:
>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> this is a new installed Server CentOS 7.7
>>>>>>>>
>>>>>>>> but it is not possible to configure this for IPA replica
>>>>>>>> I have this Error
>>>>>>>>
>>>>>>>> ipapython.admintool: ERROR [0:0:6]+[128:32:0] not in asn1Spec:
>>>>>>>> GeneralName(componentType=NamedTypes(NamedType('rfc822Name',
>>>>>>>> IA5String(tagSet=TagSet((), Tag(tagClass=128, tagFormat=0,
>>>>>>>> tagId=1)))),
>>>>>>>> NamedType('dNSName', IA5String(tagSet=TagSet((), Tag(tagClass=128,
>>>>>>>> tagFormat=0, tagId=2)))), NamedType('directoryName',
>>>>>>>> Name(componentType=NamedTypes(NamedType('', RDNSequence())),
>>>>>>>> tagSet=TagSet((), Tag(tagClass=128, tagFormat=0, tagId=4)))),
>>>>>>>> NamedType('uniformResourceIdentifier', IA5String(tagSet=TagSet((),
>>>>>>>> Tag(tagClass=128, tagFormat=0, tagId=6)))), NamedType('iPAddress',
>>>>>>>> OctetString(tagSet=TagSet((), Tag(tagClass=128, tagFormat=0,
>>>>>>>> tagId=7)))),
>>>>>>>> NamedType('registeredID', ObjectIdentifier('<no value>'))))
>>>>>>>> ipapython.admintool: ERROR The ipa-replica-install command failed.
>>>>>>>> See /var/log/ipareplica-install.log for more information
>>>>>>>>
>>>>>>>> I install before ipa-client-install, this is working but afterward
>>>>>>>> for the replica I have this problem?
>>>>>>>>
>>>>>>>> firewall Ports are open.
>>>>>>>>
>>>>>>>
>>>>>>> More context from the log would help.
>>>>>>
>>>>>> I send it to you Rob
>>>>>>
>>>>>>> And can you confirm what version of python-pyasn1 is installed, and
>>>>>>> that you don't have a pip-version installed.
>>>>>>
>>>>>> this version is installed
>>>>>> Paket python2-pyasn1-0.1.9-7.el7.noarch
>>>>>>
>>>>>> normal installation
>>>>>
>>>>> It is blowing up trying to fetch the subject-alt names out of the Apache
>>>>> cert on the original master (ipa.xxx.xxx). You didn't happen to replace
>>>>> the Apache cert on ipa.xxx.xxx did you?
>>>>
>>>> NO, this is a "normal" Installation without changing anything?
>>>>
>>>> I make no experiments with certificates?
>>>>
>>>> the only thing I remember
>>>> I have set in host
>>>>
>>>> xxx.xxx.xxx.xxx ipa.example.com
>>>> 2000:yy:yy:yy:yy ipa.example.com
>>>> xxx.xxx.xxx.xxx ipa.example.com.lan
>>>>
>>>>> Can you provide the PEM for that cert?
>>>>>
>>>>> On ipa.xxx.xxx:
>>>>> # certutil -L -d /etc/httpd/alias -n Server-Cert -a
>>>>
>>>> I have a normal certificate
>>>> -----BEGIN CERTIFICATE-----
>>>> ................................
>>>> ................
>>>> .........
>>>> -----END CERTIFICATE-----
>>>>
>>>
>>> It could be useful for us to see the contents of the cert to see if we
>>> can duplicate the failure.
>>
>> OK is on the way ;)
>>
>
> Can you provide the output of:
>
> python -c 'from urllib3.contrib import pyopenssl'

there is NO output on master or replica
Thanks for the Help.

So that's the problem.

See if you have python[2]-ndg[-_]httpsclient installed.

I don't believe that RHEL ships this package, maybe it is available in
CentOS. You could try removing the package and trying the install again.

rob