When attempting to run ipa-replica-install I get a Python error: No
module named ssl_match_hostname


This is on a CentOS 7.2 x86_64 testing box.

All available updates including kernel installed, and system rebooted
same day. Same error before and after patching and reboot.

Let me know if you want to see the yum history log info.

- Operating system version
[root@lcars site-packages]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)

[root@lcars site-packages]# uname -a
Linux lcars.internal.madisonrentals.biz 3.10.0-327.28.2.el7.x86_64 #1 SMP Wed Aug 3 11:11:39 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

- Here are the installed packages.  All were installed using yum.
[root@lcars site-packages]# yum list installed | awk '/backports|ipa-/'
ipa-admintools.x86_64                  4.2.0-15.0.1.el7.centos.18      @updates
ipa-client.x86_64                      4.2.0-15.0.1.el7.centos.18      @updates
ipa-python.x86_64                      4.2.0-15.0.1.el7.centos.18      @updates
ipa-server.x86_64                      4.2.0-15.0.1.el7.centos.18      @updates
ipa-server-dns.x86_64                  4.2.0-15.0.1.el7.centos.18      @updates
python-backports.noarch                1.0-6.el7                       @anaconda
python-backports.x86_64                1.0-8.el7                       installed
python-backports-ssl_match_hostname.noarch

I have the following repositories enabled:
base/7/x86_64
epel/x86_64
extras/7/x86_64
updates/7/x86_64

- Other threads on this issue suggest using pip to install
backports.ssl_match_hostname.  I still get the same error after doing
that.

[root@lcars site-packages]# pip install backports.ssl_match_hostname
Requirement already satisfied (use --upgrade to upgrade): backports.ssl_match_hostname in /usr/lib/python2.7/site-packages

[root@lcars site-packages]# pip install --upgrade backports.ssl_match_hostname
Requirement already up-to-date: backports.ssl_match_hostname in /usr/lib/python2.7/site-packages

- Here's the actual attempt
[root@lcars site-packages]# ipa-replica-install --setup-ca --setup-dns --forwarder=4.2.2.1 /root/replica-info-lcars.internal.madisonrentals.biz.gpg
WARNING: conflicting time&date synchronization service 'chronyd' will be disabled in favor of ntpd

Directory Manager (existing master) password:

Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    No module named ssl_match_hostname

Even when running the suggested ipa-server-install --uninstall, I
still receive the error about the missing module.

Here's what I have in /usr/lib/python2.7/site-packages

[root@lcars site-packages]# pwd
/usr/lib/python2.7/site-packages
[root@lcars site-packages]# ls | awk '/backports.ssl/'
backports.ssl_match_hostname-3.4.0.2-py2.7.egg-info
backports.ssl_match_hostname-3.5.0.1-py2.7.egg-info

- And here are the contents of each directory.
[root@lcars site-packages]# cd backports.ssl_match_hostname-3.4.0.2-py2.7.egg-info/

[root@lcars backports.ssl_match_hostname-3.4.0.2-py2.7.egg-info]# ls
dependency_links.txt  PKG-INFO  SOURCES.txt  top_level.txt

[root@lcars backports.ssl_match_hostname-3.4.0.2-py2.7.egg-info]# cd ..
[root@lcars site-packages]# ls backports.ssl_match_hostname-3.5.0.1-py2.7.egg-info
dependency_links.txt  installed-files.txt  PKG-INFO  SOURCES.txt  top_level.txt

Another thread suggested that this can be caused by a missing
__init__.py file; however, creating this file in both directories
doesn't help.

A commit by Heimes may shed some light on this.
The commit is in regards to otptoken and states that:

"The otptoken plugin is the only module in FreeIPA that uses Python's ssl
module instead of NSS. The patch replaces ssl with NSSConnection. It
uses the default NSS database to lookup trust anchors. NSSConnection
uses NSS for hostname matching. The package
python-backports-ssl_match_hostname is no longer required."

The master IPA server is up and running with no issues.

An ipa connection between replica server and master reports that the
connection is working.

What else could I be missing?

Thanks,
Chris.
