Hey, 

I checked the logs and found this: 

conn=3295 op=3 SRCH
base="cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=services,dc=example"
scope=2 filter="(&(objectClass=ipaCertificate)(objectClass=pkiCA))"
attrs="ipaKeyExtUsage cn ipaCertSubject ipaPublicKey
cacertificate;binary ipaKeyTrust ipaCertIssuerSerial"
conn=3295 op=3 RESULT err=0 tag=101 nentries=1 etime=0 

So that looks like it's finding an entry, I guess. 

All of the lines have err=0 except these: 

conn=3295 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in
progress
conn=3295 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
conn=3295 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in
progress
conn=3295 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI 

The server is running FreeIPA 4.4: 

$ ipa --version
VERSION: 4.4.0, API_VERSION: 2.213
$ ipa-client-install --version
4.4.0 

- greg 

On 2017-08-01 05:13, Florence Blanc-Renaud wrote:

> On 08/01/2017 03:26 AM, None via FreeIPA-users wrote: 
> 
>> I'm really at a loss on this one.
>> 
>> I have a bunch of old server images (from 2 months ago) that can run 
>> ipa-client-install just fine. When I created a new image, though, I get this 
>> error (from the install logs):
>> 
>> DEBUG flushing ldap://ipa.services.example:389 from SchemaCache
>> DEBUG retrieving schema for SchemaCache url=ldap://ipa.services.example:389 
>> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7ff6a4e67560>
>> DEBUG get_ca_certs_from_ldap() error: 'ipa.services.example' doesn't have a 
>> certificate.
>> DEBUG 'ipa.services.example' doesn't have a certificate.
>> ERROR In unattended mode without a One Time Password (OTP) or without 
>> --ca-cert-file
>> You must specify --force to retrieve the CA cert using HTTP
>> ERROR Cannot obtain CA certificate
>> HTTP certificate download requires --force
>> ERROR Installation failed. Rolling back changes.
>> ERROR IPA client is not configured on this system.
>> 
>> For comparison, the old images work as expected:
>> 
>> DEBUG flushing ldap://ipa.services.example:389 from SchemaCache
>> DEBUG retrieving schema for SchemaCache url=ldap://ipa.services.example:389 
>> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f2a0cb6e128>
>> INFO Successfully retrieved CA cert
>> Subject:     CN=Certificate Authority,O=IPA.SERVICES.example
>> Issuer:      CN=Certificate Authority,O=IPA.SERVICES.example
>> Valid From:  Wed Apr 05 21:11:13 2017 UTC
>> Valid Until: Sun Apr 05 21:11:13 2037 UTC
>> 
>> It's literally the same build script, so nothing there has changed. The old 
>> images still work even now, so I don't think it's a DNS issue. I tried 
>> running update-ca-certificates, but that did nothing. I tried restarting the 
>> FreeIPA server, nothing changed.
>> 
>> If I try --forceing the install, this happens:
>> 
>> Enrolled in IPA realm IPA.SERVICES.EXAMPLE
>> Created /etc/ipa/default.conf
>> Traceback (most recent call last):
>> File "/usr/sbin/ipa-client-install", line 3099, in <module>
>> sys.exit(main())
>> File "/usr/sbin/ipa-client-install", line 3080, in main
>> rval = install(options, env, fstore, statestore)
>> File "/usr/sbin/ipa-client-install", line 2727, in install
>> api.finalize()
>> File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 656, in 
>> finalize
>> self.__do_if_not_done('load_plugins')
>> File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 370, in 
>> __do_if_not_done
>> getattr(self, name)()
>> File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 534, in 
>> load_plugins
>> self.import_plugins(module)
>> File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 572, in 
>> import_plugins
>> module = importlib.import_module(name)
>> File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
>> __import__(name)
>> File "/usr/lib/python2.7/dist-packages/ipalib/plugins/cert.py", line 29, in 
>> <module>
>> from ipalib import pkcs10
>> File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 79, in 
>> <module>
>> class _PrincipalName(univ.Sequence):
>> File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 84, in 
>> _PrincipalName
>> namedtype.NamedType('name-string', 
>> univ.SequenceOf(char.GeneralString()).subtype(
>> TypeError: __init__() takes exactly 1 argument (2 given)
>> 
>> Really not sure what's going on here; does anyone have advice on how to fix 
>> this? Thanks!
>> 
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Hi,
> 
> during client installation, the installer tries to retrieve the CA 
> certificate:
> - either from the provided --ca-cert-file
> - or from an existing /etc/ipa/ca.crt
> - or (when principal and password are supplied) via ldap
> - or (when the above failed) via http only if --force is supplied
> 
> The ldap method looks for a certificate in 
> cn=certificates,cn=ipa,cn=etc,$BASEDN or cn=CAcert,cn=ipa,cn=etc,$BASEDN.
> 
> You can check if the CA certificate can be found by the installer. Do you see 
> matching logs in the directory server access log 
> (/var/log/dirsrv/slapd-xx/access), like the following:
> 
> [27/Jul/2017:09:48:14.923015575 +0200] conn=2 op=16 SRCH 
> base="cn=certificates,cn=ipa,cn=etc,dc=dom-ipa,dc=com" scope=2 
> filter="(&(objectClass=ipaCertificate)(objectClass=pkiCA))" 
> attrs="ipaKeyExtUsage cn ipaCertSubject ipaPublicKey cacertificate;binary 
> ipaKeyTrust ipaCertIssuerSerial"
> [27/Jul/2017:09:48:14.923834321 +0200] conn=2 op=16 RESULT err=0 tag=101 
> nentries=1 etime=1
> 
> If yes, check the return code (err=x) and the number of found entries 
> (nentries=x).
> 
> When you run the installer with --force, the tool manages to retrieve the 
> cert using http but fails later. Which version of IPA are you using?
> 
> Flo.