Further update: I'm pretty sure I found out the problem. 

Basically, my old server is running pyasn1==0.2.3 and the new one has
pyasn1==0.3.1. Per the pyasn1 documentation, they made a breaking change
to __init__ and a few other functions in 0.3.1, so I guess FreeIPA 4.3.1
isn't compatible with these changes. 

I've got a ticket open at https://pagure.io/freeipa/issue/7079 about
this. 

- greg 

On 2017-08-01 08:15, g...@greg-gilbert.com wrote:

> Slight update: I tried precreating /etc/ipa/ca.crt, and when running the 
> install, I get the same Python error I did before: 
> 
> File "/usr/sbin/ipa-client-install", line 3099, in <module>
> sys.exit(main())
> File "/usr/sbin/ipa-client-install", line 3080, in main
> rval = install(options, env, fstore, statestore)
> File "/usr/sbin/ipa-client-install", line 2727, in install
> api.finalize()
> File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 656, in finalize
> self.__do_if_not_done('load_plugins')
> File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 370, in __do_if_not_done
> getattr(self, name)()
> File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 534, in load_plugins
> self.import_plugins(module)
> File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 572, in import_plugins
> module = importlib.import_module(name)
> File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
> __import__(name)
> File "/usr/lib/python2.7/dist-packages/ipalib/plugins/cert.py", line 29, in <module>
> from ipalib import pkcs10
> File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 79, in <module>
> class _PrincipalName(univ.Sequence):
> File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 84, in _PrincipalName
> namedtype.NamedType('name-string', univ.SequenceOf(char.GeneralString()).subtype(
> TypeError: __init__() takes exactly 1 argument (2 given)
> 
> On 2017-08-01 07:07, g...@greg-gilbert.com wrote: 
> 
> Hey, 
> 
> I checked the logs and found this: 
> 
> conn=3295 op=3 SRCH base="cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=services,dc=example" scope=2 filter="(&(objectClass=ipaCertificate)(objectClass=pkiCA))" attrs="ipaKeyExtUsage cn ipaCertSubject ipaPublicKey cacertificate;binary ipaKeyTrust ipaCertIssuerSerial"
> conn=3295 op=3 RESULT err=0 tag=101 nentries=1 etime=0
> 
> So that looks like it's finding an entry, I guess. 
> 
> All of the lines have err=0 except these: 
> 
> conn=3295 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> conn=3295 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
> conn=3295 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
> conn=3295 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI 
> 
> The server is running FreeIPA 4.4: 
> 
> $ ipa --version
> VERSION: 4.4.0, API_VERSION: 2.213
> $ ipa-client-install --version
> 4.4.0 
> 
> - greg 
> 
> On 2017-08-01 05:13, Florence Blanc-Renaud wrote: 
> On 08/01/2017 03:26 AM, None via FreeIPA-users wrote:
> 
> I'm really at a loss on this one.
> 
> I have a bunch of old server images (from 2 months ago) that can run 
> ipa-client-install just fine. When I created a new image, though, I get this 
> error (from the install logs):
> 
> DEBUG flushing ldap://ipa.services.example:389 from SchemaCache
> DEBUG retrieving schema for SchemaCache url=ldap://ipa.services.example:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7ff6a4e67560>
> DEBUG get_ca_certs_from_ldap() error: 'ipa.services.example' doesn't have a certificate.
> DEBUG 'ipa.services.example' doesn't have a certificate.
> ERROR In unattended mode without a One Time Password (OTP) or without --ca-cert-file
> You must specify --force to retrieve the CA cert using HTTP
> ERROR Cannot obtain CA certificate
> HTTP certificate download requires --force
> ERROR Installation failed. Rolling back changes.
> ERROR IPA client is not configured on this system.
> 
> For comparison, the old images work as expected:
> 
> DEBUG flushing ldap://ipa.services.example:389 from SchemaCache
> DEBUG retrieving schema for SchemaCache url=ldap://ipa.services.example:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f2a0cb6e128>
> INFO Successfully retrieved CA cert
> Subject:     CN=Certificate Authority,O=IPA.SERVICES.example
> Issuer:      CN=Certificate Authority,O=IPA.SERVICES.example
> Valid From:  Wed Apr 05 21:11:13 2017 UTC
> Valid Until: Sun Apr 05 21:11:13 2037 UTC
> 
> It's literally the same build script, so nothing there has changed. The old 
> images still work even now, so I don't think it's a DNS issue. I tried 
> running update-ca-certificates, but that did nothing. I tried restarting the 
> FreeIPA server, nothing changed.
> 
> If I try --forceing the install, this happens:
> 
> Enrolled in IPA realm IPA.SERVICES.EXAMPLE
> Created /etc/ipa/default.conf
> Traceback (most recent call last):
> File "/usr/sbin/ipa-client-install", line 3099, in <module>
> sys.exit(main())
> File "/usr/sbin/ipa-client-install", line 3080, in main
> rval = install(options, env, fstore, statestore)
> File "/usr/sbin/ipa-client-install", line 2727, in install
> api.finalize()
> File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 656, in finalize
> self.__do_if_not_done('load_plugins')
> File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 370, in __do_if_not_done
> getattr(self, name)()
> File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 534, in load_plugins
> self.import_plugins(module)
> File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 572, in import_plugins
> module = importlib.import_module(name)
> File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
> __import__(name)
> File "/usr/lib/python2.7/dist-packages/ipalib/plugins/cert.py", line 29, in <module>
> from ipalib import pkcs10
> File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 79, in <module>
> class _PrincipalName(univ.Sequence):
> File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 84, in _PrincipalName
> namedtype.NamedType('name-string', univ.SequenceOf(char.GeneralString()).subtype(
> TypeError: __init__() takes exactly 1 argument (2 given)
> 
> Really not sure what's going on here; does anyone have advice on how to fix 
> this? Thanks!
> 
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> 
> Hi,
> 
> during client installation, the installer tries to retrieve the CA 
> certificate:
> - either from the provided --ca-cert-file
> - or from an existing /etc/ipa/ca.crt
> - or (when principal and password are supplied) via ldap
> - or (when the above failed) via http only if --force is supplied
> 
> The ldap method looks for a certificate in 
> cn=certificates,cn=ipa,cn=etc,$BASEDN or cn=CAcert,cn=ipa,cn=etc,$BASEDN.
> 
> You can check if the CA certificate can be found by the installer. Do you see 
> matching logs in the directory server access log 
> (/var/log/dirsrv/slapd-xx/access), like the following:
> 
> [27/Jul/2017:09:48:14.923015575 +0200] conn=2 op=16 SRCH base="cn=certificates,cn=ipa,cn=etc,dc=dom-ipa,dc=com" scope=2 filter="(&(objectClass=ipaCertificate)(objectClass=pkiCA))" attrs="ipaKeyExtUsage cn ipaCertSubject ipaPublicKey cacertificate;binary ipaKeyTrust ipaCertIssuerSerial"
> [27/Jul/2017:09:48:14.923834321 +0200] conn=2 op=16 RESULT err=0 tag=101 nentries=1 etime=1
> 
> If yes, check the return code (err=x) and the number of found entries 
> (nentries=x).
> 
> When you run the installer with --force, the tool manages to retrieve the 
> cert using http but fails later. Which version of IPA are you using?
> 
> Flo.
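The access-log check Flo describes, as an added Python example (not part of this thread or of FreeIPA): it pairs each search under the two CA containers with its RESULT line by conn/op and reports err and nentries, and separately lists non-zero results while skipping err=14, which is LDAP resultCode saslBindInProgress and is logged normally between the rounds of a GSSAPI bind. The sample log lines are constructed, modelled on the ones quoted above.

```python
import re
# Constructed sample 389-ds access log (one entry per line), modelled on the lines
# quoted in this thread; timestamps, conn numbers and the cn=CAcert lookup are made up.
SAMPLE_ACCESS_LOG = """\
[01/Aug/2017:08:01:10.100 +0000] conn=3295 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[01/Aug/2017:08:01:10.200 +0000] conn=3295 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[01/Aug/2017:08:01:10.300 +0000] conn=3295 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[01/Aug/2017:08:01:10.400 +0000] conn=3295 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[01/Aug/2017:08:01:10.500 +0000] conn=3295 op=2 RESULT err=0 tag=97 nentries=0 etime=0
[01/Aug/2017:08:01:10.600 +0000] conn=3295 op=3 SRCH base="cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=services,dc=example" scope=2 filter="(&(objectClass=ipaCertificate)(objectClass=pkiCA))" attrs="ipaKeyExtUsage cn ipaCertSubject ipaPublicKey cacertificate;binary ipaKeyTrust ipaCertIssuerSerial"
[01/Aug/2017:08:01:10.700 +0000] conn=3295 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[01/Aug/2017:08:01:11.100 +0000] conn=3296 op=3 SRCH base="cn=CAcert,cn=ipa,cn=etc,dc=ipa,dc=services,dc=example" scope=0 filter="(objectClass=*)" attrs="cACertificate"
[01/Aug/2017:08:01:11.200 +0000] conn=3296 op=3 RESULT err=32 tag=101 nentries=0 etime=0
"""
SRCH_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)"')
RESULT_RE = re.compile(r'conn=(?P<conn>\d+) op=(?P<op>\d+) RESULT err=(?P<err>\d+) '
                       r'tag=(?P<tag>\d+) nentries=(?P<nentries>\d+)')
# The two containers the installer's ldap method searches, lower-cased for matching.
CA_CONTAINERS = ("cn=certificates,cn=ipa,cn=etc,", "cn=cacert,cn=ipa,cn=etc,")
SASL_BIND_IN_PROGRESS = 14  # LDAP resultCode saslBindInProgress: expected between GSSAPI rounds

def ca_cert_lookups(log_text):
    """Pair each CA-container SRCH with its RESULT (same conn and op) and report
    whether the installer could have found a CA certificate there."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m and m.group("base").lower().startswith(CA_CONTAINERS):
            pending[(m.group("conn"), m.group("op"))] = m.group("base")
            continue
        m = RESULT_RE.search(line)
        if not m:
            continue
        key = (m.group("conn"), m.group("op"))
        if key in pending:
            err, n = int(m.group("err")), int(m.group("nentries"))
            findings.append({"conn": key[0], "op": key[1], "base": pending.pop(key),
                             "err": err, "nentries": n, "found": err == 0 and n > 0})
    return findings

def real_failures(log_text):
    """RESULT lines with a non-zero err, ignoring the err=14 that 389-ds logs while a
    multi-round SASL/GSSAPI bind is still in progress (not an error by itself)."""
    return [(m.group("conn"), m.group("op"), int(m.group("err")))
            for m in map(RESULT_RE.search, log_text.splitlines())
            if m and int(m.group("err")) not in (0, SASL_BIND_IN_PROGRESS)]

if __name__ == "__main__":
    print(ca_cert_lookups(SAMPLE_ACCESS_LOG), real_failures(SAMPLE_ACCESS_LOG))
```

A lookup with err=0 but nentries=0 also counts as "not found", which is the case that makes the installer fall back to the HTTP download behind --force.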