[Freeipa-users] Re: "Cannot obtain CA certificate" error when trying to install, but works on older instances; force fails

2017-08-01 Thread Rob Crittenden via FreeIPA-users
None via FreeIPA-users wrote:
> Further update: I'm pretty sure I found out the problem.
> 
> Basically, my old server is running pyasn1==0.2.3 and the new one has
> pyasn1==0.3.1. Per the pyasn1 documentation, they made a breaking change
> to __init__ and a few other functions in 0.3.1, so I guess FreeIPA 4.3.1
> isn't compatible with these changes.
> 
> I've got a ticket open at https://pagure.io/freeipa/issue/7079 about this.

Nice catch.

0.3.1 was just released a few days ago and I haven't had a chance to try
packaging it for Fedora yet much less do any compatibility testing.
Given the API changes I'll need to coordinate the update with the other
module users, including freeIPA.

In the meantime it might be a good idea for packagers to specifically
require 0.2.3 for now.

rob


[Freeipa-users] Re: "Cannot obtain CA certificate" error when trying to install, but works on older instances; force fails

2017-08-01 Thread None via FreeIPA-users
Further update: I'm pretty sure I found out the problem. 

Basically, my old server is running pyasn1==0.2.3 and the new one has
pyasn1==0.3.1. Per the pyasn1 documentation, they made a breaking change
to __init__ and a few other functions in 0.3.1, so I guess FreeIPA 4.3.1
isn't compatible with these changes. 

I've got a ticket open at https://pagure.io/freeipa/issue/7079 about
this. 

- greg 


[Freeipa-users] Re: "Cannot obtain CA certificate" error when trying to install, but works on older instances; force fails

2017-08-01 Thread None via FreeIPA-users
Slight update: I tried precreating /etc/ipa/ca.crt, and when running the
install, I get the same Python error I did before: 

  File "/usr/sbin/ipa-client-install", line 3099, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 3080, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2727, in install
    api.finalize()
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 656, in finalize
    self.__do_if_not_done('load_plugins')
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 370, in __do_if_not_done
    getattr(self, name)()
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 534, in load_plugins
    self.import_plugins(module)
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 572, in import_plugins
    module = importlib.import_module(name)
  File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "/usr/lib/python2.7/dist-packages/ipalib/plugins/cert.py", line 29, in <module>
    from ipalib import pkcs10
  File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 79, in <module>
    class _PrincipalName(univ.Sequence):
  File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 84, in _PrincipalName
    namedtype.NamedType('name-string', univ.SequenceOf(char.GeneralString()).subtype(
TypeError: __init__() takes exactly 1 argument (2 given)


[Freeipa-users] Re: "Cannot obtain CA certificate" error when trying to install, but works on older instances; force fails

2017-08-01 Thread None via FreeIPA-users
Hey, 

I checked the logs and found this: 

conn=3295 op=3 SRCH base="cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=services,dc=example" scope=2 filter="(&(objectClass=ipaCertificate)(objectClass=pkiCA))" attrs="ipaKeyExtUsage cn ipaCertSubject ipaPublicKey cacertificate;binary ipaKeyTrust ipaCertIssuerSerial"
conn=3295 op=3 RESULT err=0 tag=101 nentries=1 etime=0

So that looks like it's finding an entry, I guess. 

All of the lines have err=0 except these: 

conn=3295 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
conn=3295 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
conn=3295 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
conn=3295 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI

The server is running FreeIPA 4.4: 

$ ipa --version
VERSION: 4.4.0, API_VERSION: 2.213
$ ipa-client-install --version
4.4.0 

- greg 

[Freeipa-users] Re: "Cannot obtain CA certificate" error when trying to install, but works on older instances; force fails

2017-08-01 Thread Florence Blanc-Renaud via FreeIPA-users

On 08/01/2017 03:26 AM, None via FreeIPA-users wrote:

I'm really at a loss on this one.

I have a bunch of old server images (from 2 months ago) that can run 
ipa-client-install just fine. When I created a new image, though, I get 
this error (from the install logs):


DEBUG flushing ldap://ipa.services.example:389 from SchemaCache
DEBUG retrieving schema for SchemaCache url=ldap://ipa.services.example:389 conn=
DEBUG get_ca_certs_from_ldap() error: 'ipa.services.example' doesn't have a certificate.
DEBUG 'ipa.services.example' doesn't have a certificate.
ERROR In unattended mode without a One Time Password (OTP) or without --ca-cert-file
You must specify --force to retrieve the CA cert using HTTP
ERROR Cannot obtain CA certificate
HTTP certificate download requires --force
ERROR Installation failed. Rolling back changes.
ERROR IPA client is not configured on this system.

For comparison, the old images work as expected:

DEBUG flushing ldap://ipa.services.example:389 from SchemaCache
DEBUG retrieving schema for SchemaCache url=ldap://ipa.services.example:389 conn=
INFO Successfully retrieved CA cert
  Subject: CN=Certificate Authority,O=IPA.SERVICES.example
  Issuer:  CN=Certificate Authority,O=IPA.SERVICES.example
  Valid From:  Wed Apr 05 21:11:13 2017 UTC
  Valid Until: Sun Apr 05 21:11:13 2037 UTC

It's literally the same build script, so nothing there has changed. The 
old images still work even now, so I don't think it's a DNS issue. I 
tried running update-ca-certificates, but that did nothing. I tried 
restarting the FreeIPA server, nothing changed.


If I try --forceing the install, this happens:

Enrolled in IPA realm IPA.SERVICES.EXAMPLE
Created /etc/ipa/default.conf
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 3099, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 3080, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2727, in install
    api.finalize()
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 656, in finalize
    self.__do_if_not_done('load_plugins')
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 370, in __do_if_not_done
    getattr(self, name)()
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 534, in load_plugins
    self.import_plugins(module)
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 572, in import_plugins
    module = importlib.import_module(name)
  File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "/usr/lib/python2.7/dist-packages/ipalib/plugins/cert.py", line 29, in <module>
    from ipalib import pkcs10
  File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 79, in <module>
    class _PrincipalName(univ.Sequence):
  File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 84, in _PrincipalName
    namedtype.NamedType('name-string', univ.SequenceOf(char.GeneralString()).subtype(
TypeError: __init__() takes exactly 1 argument (2 given)

Really not sure what's going on here; does anyone have advice on how to 
fix this? Thanks!

___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org


Hi,

during client installation, the installer tries to retrieve the CA 
certificate:

- either from the provided --ca-cert-file
- or from an existing /etc/ipa/ca.crt
- or (when principal and password are supplied) via ldap
- or (when the above failed) via http only if --force is supplied

The ldap method looks for a certificate in 
cn=certificates,cn=ipa,cn=etc,$BASEDN or cn=CAcert,cn=ipa,cn=etc,$BASEDN.


You can check if the CA certificate can be found by the installer. Do 
you see matching logs in the directory server access log 
(/var/log/dirsrv/slapd-xx/access), like the following:


[27/Jul/2017:09:48:14.923015575 +0200] conn=2 op=16 SRCH base="cn=certificates,cn=ipa,cn=etc,dc=dom-ipa,dc=com" scope=2 filter="(&(objectClass=ipaCertificate)(objectClass=pkiCA))" attrs="ipaKeyExtUsage cn ipaCertSubject ipaPublicKey cacertificate;binary ipaKeyTrust ipaCertIssuerSerial"
[27/Jul/2017:09:48:14.923834321 +0200] conn=2 op=16 RESULT err=0 tag=101 nentries=1 etime=1


If yes, check the return code (err=x) and the number of found entries 
(nentries=x).


When you run the installer with --force, the tool manages to retrieve 
the cert using http but fails later. Which version of IPA are you using?


Flo.
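The check Flo describes (find the CA-certificate SRCH in the 389-ds access log and look at the err and nentries of its RESULT) can be scripted. The following is an added example, not from the thread or from FreeIPA: it pairs SRCH and RESULT lines by conn/op, handles both layouts seen in this thread (with and without the timestamp prefix), and treats the err=14 "SASL bind in progress" steps of a GSSAPI bind as benign. The sample log lines and base DNs are constructed.

```python
import re

# Constructed sample: one successful CA-cert lookup (conn=2 op=16), GSSAPI
# bind steps that legitimately return err=14, one lookup that found no entry
# (conn=7 op=4) and one genuinely failed operation (conn=9 op=2, err=49).
SAMPLE_LOG = """\
[27/Jul/2017:09:48:14.923015575 +0200] conn=2 op=16 SRCH base="cn=certificates,cn=ipa,cn=etc,dc=dom-ipa,dc=com" scope=2 filter="(&(objectClass=ipaCertificate)(objectClass=pkiCA))" attrs="ipaKeyExtUsage cn ipaCertSubject ipaPublicKey cacertificate;binary ipaKeyTrust ipaCertIssuerSerial"
[27/Jul/2017:09:48:14.923834321 +0200] conn=2 op=16 RESULT err=0 tag=101 nentries=1 etime=1
conn=3295 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
conn=3295 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
conn=3295 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
conn=7 op=4 SRCH base="cn=certificates,cn=ipa,cn=etc,dc=example,dc=test" scope=2 filter="(&(objectClass=ipaCertificate)(objectClass=pkiCA))" attrs="cacertificate;binary"
conn=7 op=4 RESULT err=0 tag=101 nentries=0 etime=0
conn=9 op=2 RESULT err=49 tag=97 nentries=0 etime=0
"""

# Optional "[timestamp]" prefix, then conn/op, the operation keyword, the rest.
LINE_RE = re.compile(
    r'^(?:\[(?P<ts>[^\]]+)\]\s+)?conn=(?P<conn>\d+)\s+op=(?P<op>\d+)\s+'
    r'(?P<kind>[A-Z]+)\s*(?P<rest>.*)$')
# key=value pairs; values are either double-quoted or run to whitespace/comma.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s,]+)')
# The filter ipa-client-install uses for the CA certificate lookup.
CA_FILTER = '(&(objectClass=ipaCertificate)(objectClass=pkiCA))'


def parse_line(line):
    """Parse one access-log line into a dict, or None if it is not an op line."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {'ts': m.group('ts'), 'conn': int(m.group('conn')),
           'op': int(m.group('op')), 'kind': m.group('kind'), 'raw': line}
    for key, val in KV_RE.findall(m.group('rest')):
        rec[key] = val[1:-1] if val.startswith('"') else val
    return rec


def ca_cert_lookups(log_text):
    """Pair every CA-certificate SRCH with the RESULT of the same conn/op and
    classify it by err and nentries, as the thread suggests checking."""
    searches, results = {}, {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec['conn'], rec['op'])
        if rec['kind'] == 'SRCH' and rec.get('filter') == CA_FILTER:
            searches[key] = rec
        elif rec['kind'] == 'RESULT':
            results[key] = rec
    report = []
    for key in sorted(searches):
        res = results.get(key)
        if res is None:
            status = 'no RESULT line'
        elif int(res['err']) != 0:
            status = 'search failed err=%s' % res['err']
        elif int(res['nentries']) == 0:
            status = 'no CA entry under this base'
        else:
            status = 'ok'
        report.append({'conn': key[0], 'op': key[1],
                       'base': searches[key].get('base'), 'status': status})
    return report


def unexpected_errors(log_text):
    """RESULT lines with a non-zero err, excluding the err=14 'SASL bind in
    progress' steps that a multi-round GSSAPI bind produces by design."""
    bad = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec['kind'] != 'RESULT':
            continue
        err = int(rec.get('err', 0))
        if err == 0 or (err == 14 and 'SASL bind in progress' in rec['raw']):
            continue
        bad.append((rec['conn'], rec['op'], err))
    return bad
```

Run it over /var/log/dirsrv/slapd-xx/access on the server: a lookup reported as "no CA entry under this base" means the directory answered but holds no CA certificate entry, which is a different problem from the client-side pyasn1 crash seen later in this thread.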