Jochen Hein <joc...@jochen.org> writes:
> I'm running a single IPA master 4.3 on an up-to-date Fedora 24. That
> server has been updated from earlier Fedoras and runs DNS and CA.
> I've updated domainlevel to 1 manually.
> Now I'd like to switch to a CentOS install, so I installed CentOS 7.2
> on a new VM and updated to the CR repo, so I'll get IPA 4.4.
> When installing a replica with "ipa-replica-install --setup-ca" I get:
> [3/5]: Importing RA Key
> /usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning:
> Certificate has no `subjectAltName`, falling back to check for a `commonName`
> for now. This feature is being removed by major browsers and deprecated by
> RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
> [error] HTTPError: 406 Client Error: Failed to validate message: No recipient
> matched the provided key["Failed: [ValueError('Multibackend cannot be
> initialized with no backends. If you are seeing this error when trying to use
> default_backend() please try uninstalling and reinstalling cryptography.',)]"]
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
> ipa.ipapython.install.cli.install_tool(Replica): ERROR 406 Client Error:
> Failed to validate message: No recipient matched the provided key["Failed:
> [ValueError('Multibackend cannot be initialized with no backends. If you are
> seeing this error when trying to use default_backend() please try
> uninstalling and reinstalling cryptography.',)]"]
> ipa.ipapython.install.cli.install_tool(Replica): ERROR The
> ipa-replica-install command failed. See /var/log/ipareplica-install.log for
> more information
In CentOS 7.2/7.3 we have python-jwcrypto-0.2.1-1.el7, in Fedora 23 we
https://github.com/latchset/jwcrypto/issues/47 talks about problems with
FreeIPA and custodia, and that downgrading python-jwcrypto helped. Since
I consider the way forward a better choice I upgraded python-jwcrypto on
CentOS to 0.3.2, and now I have new replicas with FreeIPA 4.4 attached
to my 4.3 master. Yeah! It might be a good idea to get the package in
The only problem with troubleshooting is that the trouble shoots back.