Hello,
this is a newly installed CentOS 7.7 server,
but it is not possible to configure it as an IPA replica. I have this error:
ipapython.admintool: ERROR [0:0:6]+[128:32:0] not in asn1Spec: GeneralName(componentType=NamedTypes(NamedType('rfc822Name', IA5String(tagSet=TagSet((), Tag(tagClass=128, tagFormat=0, tagId=1)))), NamedType('dNSName', IA5String(tagSet=TagSet((), Tag(tagClass=128, tagFormat=0, tagId=2)))), NamedType('directoryName', Name(componentType=NamedTypes(NamedType('', RDNSequence())), tagSet=TagSet((), Tag(tagClass=128, tagFormat=0, tagId=4)))), NamedType('uniformResourceIdentifier', IA5String(tagSet=TagSet((), Tag(tagClass=128, tagFormat=0, tagId=6)))), NamedType('iPAddress', OctetString(tagSet=TagSet((), Tag(tagClass=128, tagFormat=0, tagId=7)))), NamedType('registeredID', ObjectIdentifier('<no value>'))))
ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
I installed ipa-client-install before, this is working, but afterward for the replica I have this problem?
The firewall ports are open.
Günther J. Niederwimmer via FreeIPA-users wrote:
> Hello,
> this is a newly installed CentOS 7.7 server,
> but it is not possible to configure it as an IPA replica. I have this error:
> ipapython.admintool: ERROR [0:0:6]+[128:32:0] not in asn1Spec: GeneralName(componentType=NamedTypes(NamedType('rfc822Name', IA5String(tagSet=TagSet((), Tag(tagClass=128, tagFormat=0, tagId=1)))), NamedType('dNSName', IA5String(tagSet=TagSet((), Tag(tagClass=128, tagFormat=0, tagId=2)))), NamedType('directoryName', Name(componentType=NamedTypes(NamedType('', RDNSequence())), tagSet=TagSet((), Tag(tagClass=128, tagFormat=0, tagId=4)))), NamedType('uniformResourceIdentifier', IA5String(tagSet=TagSet((), Tag(tagClass=128, tagFormat=0, tagId=6)))), NamedType('iPAddress', OctetString(tagSet=TagSet((), Tag(tagClass=128, tagFormat=0, tagId=7)))), NamedType('registeredID', ObjectIdentifier('<no value>'))))
> ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
> I installed ipa-client-install before, this is working, but afterward for the replica I have this problem?
> The firewall ports are open.
More context from the log would help.
And can you confirm what version of python-pyasn1 is installed, and that you don't have a pip-version installed.
rob
On Thursday, 2 January 2020, 19:46:47 CET, Rob Crittenden via FreeIPA-users wrote:
> More context from the log would help.
I send it to you Rob
> And can you confirm what version of python-pyasn1 is installed, and that you don't have a pip-version installed.
this version is installed Paket python2-pyasn1-0.1.9-7.el7.noarch
normal installation
Günther J. Niederwimmer via FreeIPA-users wrote:
> > More context from the log would help.
> I send it to you Rob
> > And can you confirm what version of python-pyasn1 is installed, and that you don't have a pip-version installed.
> this version is installed Paket python2-pyasn1-0.1.9-7.el7.noarch
> normal installation
It is blowing up trying to fetch the subject-alt names out of the Apache cert on the original master (ipa.xxx.xxx). You didn't happen to replace the Apache cert on ipa.xxx.xxx did you?
Can you provide the PEM for that cert?
On ipa.xxx.xxx:
# certutil -L -d /etc/httpd/alias -n Server-Cert -a
rob
Hello,
On Thursday, 2 January 2020, 21:37:31 CET, Rob Crittenden via FreeIPA-users wrote:
> It is blowing up trying to fetch the subject-alt names out of the Apache cert on the original master (ipa.xxx.xxx). You didn't happen to replace the Apache cert on ipa.xxx.xxx did you?
No, this is a "normal" installation without changing anything?
I make no experiments with certificates?
The only thing I remember I have set in host:
xxx.xxx.xxx.xxx ipa.example.com
2000:yy:yy:yy:yy ipa.example.com
xxx.xxx.xxx.xxx ipa.example.com.lan
> Can you provide the PEM for that cert?
> On ipa.xxx.xxx:
> # certutil -L -d /etc/httpd/alias -n Server-Cert -a
I have a normal certificate -----BEGIN CERTIFICATE----- ................................ ................ ......... -----END CERTIFICATE-----
Günther J. Niederwimmer via FreeIPA-users wrote:
> > Can you provide the PEM for that cert?
> > On ipa.xxx.xxx:
> > # certutil -L -d /etc/httpd/alias -n Server-Cert -a
> I have a normal certificate -----BEGIN CERTIFICATE----- ................................ ................ ......... -----END CERTIFICATE-----
It could be useful for us to see the contents of the cert to see if we can duplicate the failure.
rob
On Friday, 3 January 2020, 16:27:38 CET, Rob Crittenden via FreeIPA-users wrote:
> It could be useful for us to see the contents of the cert to see if we can duplicate the failure.
OK is on the way ;)
Günther J. Niederwimmer via FreeIPA-users wrote:
> > It could be useful for us to see the contents of the cert to see if we can duplicate the failure.
> OK is on the way ;)
Can you provide the output of:
python -c 'from urllib3.contrib import pyopenssl'
rob
On Friday, 3 January 2020, 17:23:46 CET, Rob Crittenden via FreeIPA-users wrote:
> Can you provide the output of:
> python -c 'from urllib3.contrib import pyopenssl'
there is NO output on master or replica
Thanks for the Help.
Günther J. Niederwimmer via FreeIPA-users wrote:
> > Can you provide the output of:
> > python -c 'from urllib3.contrib import pyopenssl'
> there is NO output on master or replica
> Thanks for the Help.
So that's the problem.
See if you have python[2]-ndg[-_]httpsclient installed.
I don't believe that RHEL ships this package, maybe it is available in CentOS. You could try removing the package and trying the install again.
rob
On Friday, 3 January 2020, 17:58:00 CET, Rob Crittenden via FreeIPA-users wrote:
> So that's the problem.
> See if you have python[2]-ndg[-_]httpsclient installed.
> I don't believe that RHEL ships this package, maybe it is available in CentOS. You could try removing the package and trying the install again.
Yes, I found a package from epel??
python-ndg_httpsclient.noarch 0.3.2-1.el7 @epel
Why this is installed I can't say, I installed only fail2ban from epel?
New information from erasing this package: it is from the certbot installation?
Now I test the installation again!
Thanks for the help for the moment ;-)
Hello,
OK, now the replica installation is working :-) Thanks to Rob Crittenden for help.
But the question now is: is certbot not compatible with IPA?
Or can I install certbot afterward with no problems?
Then this is a problem with the time, the browsers don't like private certificates less ..............
Thanks again Rob,
Günther J. Niederwimmer via FreeIPA-users wrote:
> Hello,
> OK, now the replica installation is working :-) Thanks to Rob Crittenden for help.
> But the question now is: is certbot not compatible with IPA?
> Or can I install certbot afterward with no problems?
> Then this is a problem with the time, the browsers don't like private certificates less ..............
The ndg-httpsclient package breaks python-requests cert validation (of IPA-issued certs) so it could cause problems with IPA communication with the CA, for example. It isn't something we test with. So if you re-install it there could be other issues.
But if you're using LE then I'm not sure why you need the IPA CA at all.
Trusting the IPA CA should be automatic for clients that are IPA clients. CA distribution and trust is a challenge in any private PKI environment.
rob
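
[Added example, not part of any message in this thread and not FreeIPA or ndg-httpsclient code.] The error line from the opening message already says which subject-alt-name entry the decoder could not handle: the sketch below parses it, decodes the rejected tag set, and compares the GeneralName alternatives printed in the spec with the RFC 5280 list. The function name `explain_asn1spec_error` and the lookup tables are written for this example; `ERROR_LINE` is copied from the first message.

```python
from __future__ import print_function
import re

# RFC 5280 GeneralName CHOICE: context tag number -> alternative.
GENERAL_NAME_TAGS = {
    0: "otherName", 1: "rfc822Name", 2: "dNSName", 3: "x400Address",
    4: "directoryName", 5: "ediPartyName", 6: "uniformResourceIdentifier",
    7: "iPAddress", 8: "registeredID",
}
# BER tag class and form bits, in the decimal form pyasn1 prints.
TAG_CLASS = {0: "universal", 64: "application", 128: "context", 192: "private"}
CONSTRUCTED = 32

# First error line from the thread's opening message.
ERROR_LINE = (
    "ipapython.admintool: ERROR [0:0:6]+[128:32:0] not in asn1Spec: "
    "GeneralName(componentType=NamedTypes("
    "NamedType('rfc822Name', IA5String(tagSet=TagSet((), "
    "Tag(tagClass=128, tagFormat=0, tagId=1)))), "
    "NamedType('dNSName', IA5String(tagSet=TagSet((), "
    "Tag(tagClass=128, tagFormat=0, tagId=2)))), "
    "NamedType('directoryName', Name(componentType=NamedTypes("
    "NamedType('', RDNSequence())), tagSet=TagSet((), "
    "Tag(tagClass=128, tagFormat=0, tagId=4)))), "
    "NamedType('uniformResourceIdentifier', IA5String(tagSet=TagSet((), "
    "Tag(tagClass=128, tagFormat=0, tagId=6)))), "
    "NamedType('iPAddress', OctetString(tagSet=TagSet((), "
    "Tag(tagClass=128, tagFormat=0, tagId=7)))), "
    "NamedType('registeredID', ObjectIdentifier('<no value>'))))"
)

TAG_RE = re.compile(r"\[(\d+):(\d+):(\d+)\]")
NAMED_TYPE_RE = re.compile(r"NamedType\('(\w+)'")


def explain_asn1spec_error(line):
    """Decode a pyasn1 '<tags> not in asn1Spec: GeneralName(...)' message."""
    head, sep, spec = line.partition(" not in asn1Spec: ")
    if not sep or not spec.startswith("GeneralName("):
        raise ValueError("not a GeneralName asn1Spec error")

    # Tags the decoder saw in the certificate, e.g. [128:32:0].
    tags = []
    for cls, form, num in TAG_RE.findall(head):
        tags.append({
            "class": TAG_CLASS.get(int(cls), "unknown"),
            "constructed": int(form) == CONSTRUCTED,
            "number": int(num),
        })

    # Alternatives the decoding spec offers (nested, unnamed types skipped).
    known = set(GENERAL_NAME_TAGS.values())
    offered = [n for n in NAMED_TYPE_RE.findall(spec) if n in known]

    # A context-class tag selects a GeneralName alternative by its number.
    rejected = [GENERAL_NAME_TAGS.get(t["number"], "unassigned")
                for t in tags if t["class"] == "context"]
    missing = [GENERAL_NAME_TAGS[n] for n in sorted(GENERAL_NAME_TAGS)
               if GENERAL_NAME_TAGS[n] not in offered]
    return {"tags": tags, "offered": offered,
            "rejected": rejected, "missing": missing}


if __name__ == "__main__":
    result = explain_asn1spec_error(ERROR_LINE)
    print("rejected alternative(s):", ", ".join(result["rejected"]))
    print("alternatives in the spec:", ", ".join(result["offered"]))
    print("absent from the spec:", ", ".join(result["missing"]))
```

For the line above it reports otherName as the rejected alternative, and otherName, x400Address and ediPartyName as absent from the spec, so a certificate whose subjectAltName carries an otherName entry cannot be decoded against that spec.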
On Friday, 3 January 2020, 16:27:38 CET, Rob Crittenden via FreeIPA-users wrote:
> It could be useful for us to see the contents of the cert to see if we can duplicate the failure.
Can the install log from the master be helpful?
before I must reinstall the master ?
I have setup before I do this, for test on my site the same? this was working!
New Install centos 7.7 master and new install centos 7.7 replica all is working :-(
freeipa-users@lists.fedorahosted.org