None via FreeIPA-users wrote:
Further update: I'm pretty sure I found out the problem.
Basically, my old server is running pyasn1==0.2.3 and the new one has
pyasn1==0.3.1. Per the pyasn1 documentation, they made a breaking change
to __init__ and a few other functions in 0.3.1, so I guess FreeIPA 4.3.1
isn't compatible with these changes.
I've got a ticket open at
https://pagure.io/freeipa/issue/7079 about this.
Nice catch.
0.3.1 was just released a few days ago and I haven't had a chance to try
packaging it for Fedora yet much less do any compatibility testing.
Given the API changes I'll need to coordinate the update with the other
module users, including freeIPA.
In the meantime it might be a good idea for packagers to specifically
require 0.2.3 for now.
rob
- greg
On 2017-08-01 08:15, greg(a)greg-gilbert.com wrote:
> Slight update: I tried precreating /etc/ipa/ca.crt, and when running
> the install, I get the same Python error I did before:
>
>   File "/usr/sbin/ipa-client-install", line 3099, in <module>
>     sys.exit(main())
>   File "/usr/sbin/ipa-client-install", line 3080, in main
>     rval = install(options, env, fstore, statestore)
>   File "/usr/sbin/ipa-client-install", line 2727, in install
>     api.finalize()
>   File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 656, in finalize
>     self.__do_if_not_done('load_plugins')
>   File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 370, in __do_if_not_done
>     getattr(self, name)()
>   File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 534, in load_plugins
>     self.import_plugins(module)
>   File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 572, in import_plugins
>     module = importlib.import_module(name)
>   File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
>     __import__(name)
>   File "/usr/lib/python2.7/dist-packages/ipalib/plugins/cert.py", line 29, in <module>
>     from ipalib import pkcs10
>   File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 79, in <module>
>     class _PrincipalName(univ.Sequence):
>   File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 84, in _PrincipalName
>     namedtype.NamedType('name-string',
>         univ.SequenceOf(char.GeneralString()).subtype(
> TypeError: __init__() takes exactly 1 argument (2 given)
>
>
> On 2017-08-01 07:07, greg(a)greg-gilbert.com wrote:
>
> Hey,
>
> I checked the logs and found this:
>
> conn=3295 op=3 SRCH base="cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=services,dc=example" scope=2 filter="(&(objectClass=ipaCertificate)(objectClass=pkiCA))" attrs="ipaKeyExtUsage cn ipaCertSubject ipaPublicKey cacertificate;binary ipaKeyTrust ipaCertIssuerSerial"
> conn=3295 op=3 RESULT err=0 tag=101 nentries=1 etime=0
>
> So that looks like it's finding an entry, I guess.
>
> All of the lines have err=0 except these:
>
> conn=3295 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> conn=3295 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> conn=3295 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> conn=3295 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
>
> The server is running FreeIPA 4.4:
>
> $ ipa --version
> VERSION: 4.4.0, API_VERSION: 2.213
> $ ipa-client-install --version
> 4.4.0
>
> - greg
>
> On 2017-08-01 05:13, Florence Blanc-Renaud wrote:
>
> On 08/01/2017 03:26 AM, None via FreeIPA-users wrote:
>
> I'm really at a loss on this one.
>
> I have a bunch of old server images (from 2 months ago)
> that can run ipa-client-install just fine. When I created
> a new image, though, I get this error (from the install logs):
>
> DEBUG flushing ldap://ipa.services.example:389 from SchemaCache
> DEBUG retrieving schema for SchemaCache url=ldap://ipa.services.example:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7ff6a4e67560>
> DEBUG get_ca_certs_from_ldap() error: 'ipa.services.example' doesn't have a certificate.
> DEBUG 'ipa.services.example' doesn't have a certificate.
> ERROR In unattended mode without a One Time Password (OTP) or without --ca-cert-file
> You must specify --force to retrieve the CA cert using HTTP
> ERROR Cannot obtain CA certificate
> HTTP certificate download requires --force
> ERROR Installation failed. Rolling back changes.
> ERROR IPA client is not configured on this system.
>
> For comparison, the old images work as expected:
>
> DEBUG flushing ldap://ipa.services.example:389 from SchemaCache
> DEBUG retrieving schema for SchemaCache url=ldap://ipa.services.example:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f2a0cb6e128>
> INFO Successfully retrieved CA cert
> Subject: CN=Certificate Authority,O=IPA.SERVICES.example
> Issuer: CN=Certificate Authority,O=IPA.SERVICES.example
> Valid From: Wed Apr 05 21:11:13 2017 UTC
> Valid Until: Sun Apr 05 21:11:13 2037 UTC
>
> It's literally the same build script, so nothing there has
> changed. The old images still work even now, so I don't
> think it's a DNS issue. I tried running
> update-ca-certificates, but that did nothing. I tried
> restarting the FreeIPA server, nothing changed.
>
> If I try --forceing the install, this happens:
>
> Enrolled in IPA realm IPA.SERVICES.EXAMPLE
> Created /etc/ipa/default.conf
> Traceback (most recent call last):
>   File "/usr/sbin/ipa-client-install", line 3099, in <module>
>     sys.exit(main())
>   File "/usr/sbin/ipa-client-install", line 3080, in main
>     rval = install(options, env, fstore, statestore)
>   File "/usr/sbin/ipa-client-install", line 2727, in install
>     api.finalize()
>   File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 656, in finalize
>     self.__do_if_not_done('load_plugins')
>   File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 370, in __do_if_not_done
>     getattr(self, name)()
>   File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 534, in load_plugins
>     self.import_plugins(module)
>   File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 572, in import_plugins
>     module = importlib.import_module(name)
>   File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
>     __import__(name)
>   File "/usr/lib/python2.7/dist-packages/ipalib/plugins/cert.py", line 29, in <module>
>     from ipalib import pkcs10
>   File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 79, in <module>
>     class _PrincipalName(univ.Sequence):
>   File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 84, in _PrincipalName
>     namedtype.NamedType('name-string',
>         univ.SequenceOf(char.GeneralString()).subtype(
> TypeError: __init__() takes exactly 1 argument (2 given)
>
> Really not sure what's going on here; does anyone have
> advice on how to fix this? Thanks!
>
>
>
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
>
> Hi,
>
> during client installation, the installer tries to retrieve
> the CA certificate:
> - either from the provided --ca-cert-file
> - or from an existing /etc/ipa/ca.crt
> - or (when principal and password are supplied) via ldap
> - or (when the above failed) via http only if --force is supplied
>
> The ldap method looks for a certificate in
> cn=certificates,cn=ipa,cn=etc,$BASEDN or
> cn=CAcert,cn=ipa,cn=etc,$BASEDN.
>
> You can check if the CA certificate can be found by the
> installer. Do you see matching logs in the directory server
> access log (/var/log/dirsrv/slapd-xx/access), like the following:
>
> [27/Jul/2017:09:48:14.923015575 +0200] conn=2 op=16 SRCH base="cn=certificates,cn=ipa,cn=etc,dc=dom-ipa,dc=com" scope=2 filter="(&(objectClass=ipaCertificate)(objectClass=pkiCA))" attrs="ipaKeyExtUsage cn ipaCertSubject ipaPublicKey cacertificate;binary ipaKeyTrust ipaCertIssuerSerial"
> [27/Jul/2017:09:48:14.923834321 +0200] conn=2 op=16 RESULT err=0 tag=101 nentries=1 etime=1
>
> If yes, check the return code (err=x) and the number of found
> entries (nentries=x).
>
> When you run the installer with --force, the tool manages to
> retrieve the cert using http but fails later. Which version of
> IPA are you using?
>
> Flo.