I'm really at a loss on this one. 

I have a bunch of old server images (from 2 months ago) that can run
ipa-client-install just fine. When I created a new image, though, I get
this error (from the install logs): 

DEBUG flushing ldap://ipa.services.example:389 from SchemaCache
DEBUG retrieving schema for SchemaCache url=ldap://ipa.services.example:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7ff6a4e67560>
DEBUG get_ca_certs_from_ldap() error: 'ipa.services.example' doesn't have a certificate.
DEBUG 'ipa.services.example' doesn't have a certificate.
ERROR In unattended mode without a One Time Password (OTP) or without --ca-cert-file
You must specify --force to retrieve the CA cert using HTTP
ERROR Cannot obtain CA certificate
HTTP certificate download requires --force
ERROR Installation failed. Rolling back changes.
ERROR IPA client is not configured on this system. 

For comparison, the old images work as expected:

DEBUG flushing ldap://ipa.services.example:389 from SchemaCache
DEBUG retrieving schema for SchemaCache url=ldap://ipa.services.example:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f2a0cb6e128>
INFO Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=IPA.SERVICES.example
    Issuer:      CN=Certificate Authority,O=IPA.SERVICES.example
    Valid From:  Wed Apr 05 21:11:13 2017 UTC
    Valid Until: Sun Apr 05 21:11:13 2037 UTC 

It's literally the same build script, so nothing there has changed. The
old images still work even now, so I don't think it's a DNS issue. I
tried running update-ca-certificates, but that did nothing. I tried
restarting the FreeIPA server, nothing changed. 

If I try --forceing the install, this happens: 

Enrolled in IPA realm IPA.SERVICES.EXAMPLE
Created /etc/ipa/default.conf
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 3099, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 3080, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2727, in install
    api.finalize()
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 656, in finalize
    self.__do_if_not_done('load_plugins')
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 370, in __do_if_not_done
    getattr(self, name)()
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 534, in load_plugins
    self.import_plugins(module)
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 572, in import_plugins
    module = importlib.import_module(name)
  File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "/usr/lib/python2.7/dist-packages/ipalib/plugins/cert.py", line 29, in <module>
    from ipalib import pkcs10
  File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 79, in <module>
    class _PrincipalName(univ.Sequence):
  File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 84, in _PrincipalName
    namedtype.NamedType('name-string', univ.SequenceOf(char.GeneralString()).subtype(
TypeError: __init__() takes exactly 1 argument (2 given)

Really not sure what's going on here; does anyone have advice on how to
fix this? Thanks!
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
