I'm really at a loss on this one.
I have a bunch of old server images (from 2 months ago) that can run ipa-client-install just fine. When I created a new image, though, I get this error (from the install logs):
DEBUG flushing ldap://ipa.services.example:389 from SchemaCache
DEBUG retrieving schema for SchemaCache url=ldap://ipa.services.example:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7ff6a4e67560>
DEBUG get_ca_certs_from_ldap() error: 'ipa.services.example' doesn't have a certificate.
DEBUG 'ipa.services.example' doesn't have a certificate.
ERROR In unattended mode without a One Time Password (OTP) or without --ca-cert-file
You must specify --force to retrieve the CA cert using HTTP
ERROR Cannot obtain CA certificate
HTTP certificate download requires --force
ERROR Installation failed. Rolling back changes.
ERROR IPA client is not configured on this system.
For comparison, the old images work as expected:
DEBUG flushing ldap://ipa.services.example:389 from SchemaCache
DEBUG retrieving schema for SchemaCache url=ldap://ipa.services.example:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f2a0cb6e128>
INFO Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=IPA.SERVICES.example
    Issuer:      CN=Certificate Authority,O=IPA.SERVICES.example
    Valid From:  Wed Apr 05 21:11:13 2017 UTC
    Valid Until: Sun Apr 05 21:11:13 2037 UTC
It's literally the same build script, so nothing there has changed. The old images still work even now, so I don't think it's a DNS issue. I tried running update-ca-certificates, but that did nothing. I tried restarting the FreeIPA server, nothing changed.
If I try --force-ing the install, this happens:
Enrolled in IPA realm IPA.SERVICES.EXAMPLE
Created /etc/ipa/default.conf
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 3099, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 3080, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2727, in install
    api.finalize()
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 656, in finalize
    self.__do_if_not_done('load_plugins')
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 370, in __do_if_not_done
    getattr(self, name)()
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 534, in load_plugins
    self.import_plugins(module)
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 572, in import_plugins
    module = importlib.import_module(name)
  File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "/usr/lib/python2.7/dist-packages/ipalib/plugins/cert.py", line 29, in <module>
    from ipalib import pkcs10
  File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 79, in <module>
    class _PrincipalName(univ.Sequence):
  File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 84, in _PrincipalName
    namedtype.NamedType('name-string', univ.SequenceOf(char.GeneralString()).subtype(
TypeError: __init__() takes exactly 1 argument (2 given)
Really not sure what's going on here; does anyone have advice on how to fix this? Thanks!
On 08/01/2017 03:26 AM, None via FreeIPA-users wrote:
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Hi,
during client installation, the installer tries to retrieve the CA certificate:
- either from the provided --ca-cert-file
- or from an existing /etc/ipa/ca.crt
- or (when principal and password are supplied) via ldap
- or (when the above failed) via http only if --force is supplied
The ldap method looks for a certificate in cn=certificates,cn=ipa,cn=etc,$BASEDN or cn=CAcert,cn=ipa,cn=etc,$BASEDN.
You can check if the CA certificate can be found by the installer. Do you see matching logs in the directory server access log (/var/log/dirsrv/slapd-xx/access), like the following:
[27/Jul/2017:09:48:14.923015575 +0200] conn=2 op=16 SRCH base="cn=certificates,cn=ipa,cn=etc,dc=dom-ipa,dc=com" scope=2 filter="(&(objectClass=ipaCertificate)(objectClass=pkiCA))" attrs="ipaKeyExtUsage cn ipaCertSubject ipaPublicKey cacertificate;binary ipaKeyTrust ipaCertIssuerSerial"
[27/Jul/2017:09:48:14.923834321 +0200] conn=2 op=16 RESULT err=0 tag=101 nentries=1 etime=1
If yes, check the return code (err=x) and the number of found entries (nentries=x).
When you run the installer with --force, the tool manages to retrieve the cert using http but fails later. Which version of IPA are you using?
Flo.
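The check Flo describes, as an added example that is not FreeIPA or 389-ds code: a small Python script that pairs each SRCH against the CA-certificate containers with its RESULT line by conn/op in a 389-ds access log and reports err= and nentries=. The log lines embedded in it are constructed after the ones quoted in this thread; the extra BIND lines are there to show that err=14 on a GSSAPI bind round is not a failure of the lookup.

```python
"""Check a 389-ds access log for the CA-certificate lookup that
ipa-client-install performs, pairing each SRCH with its RESULT by conn/op
and reporting err= and nentries=. Added example; not FreeIPA or 389-ds code."""
import re

# Constructed sample, modelled on the lines quoted in the thread: a two-round
# GSSAPI bind, one lookup that finds the CA entry, one against the other
# container that fails with err=32 (noSuchObject), and an unrelated search
# that must be ignored.
SAMPLE_ACCESS_LOG = """\
[27/Jul/2017:09:48:14.900000000 +0200] conn=2 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[27/Jul/2017:09:48:14.901000000 +0200] conn=2 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[27/Jul/2017:09:48:14.910000000 +0200] conn=2 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[27/Jul/2017:09:48:14.911000000 +0200] conn=2 op=1 RESULT err=0 tag=97 nentries=0 etime=0 dn="fqdn=host.dom-ipa.com,cn=computers,cn=accounts,dc=dom-ipa,dc=com"
[27/Jul/2017:09:48:14.923015575 +0200] conn=2 op=16 SRCH base="cn=certificates,cn=ipa,cn=etc,dc=dom-ipa,dc=com" scope=2 filter="(&(objectClass=ipaCertificate)(objectClass=pkiCA))" attrs="ipaKeyExtUsage cn ipaCertSubject ipaPublicKey cacertificate;binary ipaKeyTrust ipaCertIssuerSerial"
[27/Jul/2017:09:48:14.923834321 +0200] conn=2 op=16 RESULT err=0 tag=101 nentries=1 etime=1
[27/Jul/2017:09:50:01.000000000 +0200] conn=5 op=3 SRCH base="cn=CAcert,cn=ipa,cn=etc,dc=dom-ipa,dc=com" scope=0 filter="(objectClass=*)" attrs="cACertificate"
[27/Jul/2017:09:50:01.000100000 +0200] conn=5 op=3 RESULT err=32 tag=101 nentries=0 etime=0
[27/Jul/2017:09:51:00.000000000 +0200] conn=6 op=1 SRCH base="cn=users,cn=accounts,dc=dom-ipa,dc=com" scope=2 filter="(uid=alice)" attrs="ALL"
[27/Jul/2017:09:51:00.000200000 +0200] conn=6 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

# The two containers the installer's ldap method looks in; $BASEDN follows.
CA_CERT_BASES = ("cn=certificates,cn=ipa,cn=etc,", "cn=CAcert,cn=ipa,cn=etc,")
CA_CERT_BASES_LOWER = tuple(b.lower() for b in CA_CERT_BASES)

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) tag=\d+ nentries=(\d+)')


def ca_cert_lookups(log_text):
    """Return one dict per CA-certificate search, in log order, with the
    err and nentries of its RESULT (None if no RESULT line was seen).
    RESULT lines for other operations, including the err=14
    (saslBindInProgress) rounds of a GSSAPI bind, are never paired."""
    lookups = []
    pending = {}  # (conn, op) -> index into lookups
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, base = m.groups()
            if base.lower().startswith(CA_CERT_BASES_LOWER):
                pending[(conn, op)] = len(lookups)
                lookups.append({"conn": conn, "op": op, "base": base,
                                "err": None, "nentries": None})
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, err, nentries = m.groups()
            idx = pending.pop((conn, op), None)
            if idx is not None:
                lookups[idx]["err"] = int(err)
                lookups[idx]["nentries"] = int(nentries)
    return lookups


def diagnose(lookups):
    """One verdict per lookup, following the check in the thread: the
    installer only gets the cert when err=0 and nentries is at least 1."""
    verdicts = []
    for lu in lookups:
        if lu["err"] is None:
            verdicts.append("no RESULT line")
        elif lu["err"] != 0:
            verdicts.append("failed (err=%d)" % lu["err"])
        elif lu["nentries"] == 0:
            verdicts.append("no entry (err=0, nentries=0)")
        else:
            verdicts.append("found (nentries=%d)" % lu["nentries"])
    return verdicts


if __name__ == "__main__":
    for lu, verdict in zip(ca_cert_lookups(SAMPLE_ACCESS_LOG),
                           diagnose(ca_cert_lookups(SAMPLE_ACCESS_LOG))):
        print("conn=%s op=%s %s: %s" % (lu["conn"], lu["op"], lu["base"], verdict))
```

To run it against a real server, replace SAMPLE_ACCESS_LOG with the contents of /var/log/dirsrv/slapd-xx/access (the instance name differs per deployment) and look for a lookup whose verdict is anything other than "found".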
Hey,
I checked the logs and found this:
conn=3295 op=3 SRCH base="cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=services,dc=example" scope=2 filter="(&(objectClass=ipaCertificate)(objectClass=pkiCA))" attrs="ipaKeyExtUsage cn ipaCertSubject ipaPublicKey cacertificate;binary ipaKeyTrust ipaCertIssuerSerial"
conn=3295 op=3 RESULT err=0 tag=101 nentries=1 etime=0
So that looks like it's finding an entry, I guess.
All of the lines have err=0 except these:
conn=3295 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
conn=3295 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
conn=3295 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
conn=3295 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
The server is running FreeIPA 4.4:
$ ipa --version
VERSION: 4.4.0, API_VERSION: 2.213
$ ipa-client-install --version
4.4.0
- greg
On 2017-08-01 05:13, Florence Blanc-Renaud wrote:
Slight update: I tried precreating /etc/ipa/ca.crt, and when running the install, I get the same Python error I did before:
  File "/usr/sbin/ipa-client-install", line 3099, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 3080, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2727, in install
    api.finalize()
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 656, in finalize
    self.__do_if_not_done('load_plugins')
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 370, in __do_if_not_done
    getattr(self, name)()
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 534, in load_plugins
    self.import_plugins(module)
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 572, in import_plugins
    module = importlib.import_module(name)
  File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "/usr/lib/python2.7/dist-packages/ipalib/plugins/cert.py", line 29, in <module>
    from ipalib import pkcs10
  File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 79, in <module>
    class _PrincipalName(univ.Sequence):
  File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 84, in _PrincipalName
    namedtype.NamedType('name-string', univ.SequenceOf(char.GeneralString()).subtype(
TypeError: __init__() takes exactly 1 argument (2 given)
On 2017-08-01 07:07, greg@greg-gilbert.com wrote:
Further update: I'm pretty sure I found out the problem.
Basically, my old server is running pyasn1==0.2.3 and the new one has pyasn1==0.3.1. Per the pyasn1 documentation, they made a breaking change to __init__ and a few other functions in 0.3.1, so I guess FreeIPA 4.3.1 isn't compatible with these changes.
I've got a ticket open at https://pagure.io/freeipa/issue/7079 about this.
- greg
On 2017-08-01 08:15, greg@greg-gilbert.com wrote:
None via FreeIPA-users wrote:
Nice catch.
0.3.1 was just released a few days ago and I haven't had a chance to try packaging it for Fedora yet much less do any compatibility testing. Given the API changes I'll need to coordinate the update with the other module users, including freeIPA.
In the meantime it might be a good idea for packagers to specifically require 0.2.3 for now.
rob
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
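As an added example, not from the thread and not FreeIPA's own code: a small Python parser that runs over 389-ds access-log lines in the format both Greg and Flo quoted, pairs each SRCH against the CA-certificate containers with its RESULT by conn/op, and reports the err and nentries outcome the way Flo suggests checking it. It also treats err=14 as benign: that is LDAP resultCode saslBindInProgress, the expected intermediate result between GSSAPI bind round trips, which is why Greg's op=0 and op=1 lines carry it while the final bind and the search return err=0. The log lines embedded in the block are constructed for the example (conn numbers borrowed from the thread; the nentries=0 and err=32 cases are added to show the two failure branches a practitioner would want to tell apart).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# LDAP result codes relevant here (RFC 4511 numbering).
SASL_BIND_IN_PROGRESS = 14   # saslBindInProgress: normal between GSSAPI round trips
NO_SUCH_OBJECT = 32          # noSuchObject: the search base itself does not exist

# Containers the installer searches for the CA cert (per Flo's message above);
# compared case-insensitively against the SRCH base.
CA_CERT_CONTAINERS = ("cn=certificates,cn=ipa,cn=etc,", "cn=cacert,cn=ipa,cn=etc,")

OP_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$")
SRCH_RE = re.compile(r'SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(r"RESULT err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<nentries>\d+)")

# Constructed sample in 389-ds access-log format (timestamps illustrative).
SAMPLE_ACCESS_LOG = """\
[01/Aug/2017:10:15:02.000100000 +0000] conn=3295 fd=64 slot=64 connection from 10.0.0.7 to 10.0.0.1
[01/Aug/2017:10:15:02.000200000 +0000] conn=3295 op=0 BIND dn="" method=sasl version=3 mech=GSSAPI
[01/Aug/2017:10:15:02.000300000 +0000] conn=3295 op=0 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[01/Aug/2017:10:15:02.000400000 +0000] conn=3295 op=1 BIND dn="" method=sasl version=3 mech=GSSAPI
[01/Aug/2017:10:15:02.000500000 +0000] conn=3295 op=1 RESULT err=14 tag=97 nentries=0 etime=0, SASL bind in progress
[01/Aug/2017:10:15:02.000600000 +0000] conn=3295 op=2 BIND dn="" method=sasl version=3 mech=GSSAPI
[01/Aug/2017:10:15:02.000700000 +0000] conn=3295 op=2 RESULT err=0 tag=97 nentries=0 etime=0
[01/Aug/2017:10:15:02.000800000 +0000] conn=3295 op=3 SRCH base="cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=services,dc=example" scope=2 filter="(&(objectClass=ipaCertificate)(objectClass=pkiCA))" attrs="ipaKeyExtUsage cn ipaCertSubject ipaPublicKey cacertificate;binary ipaKeyTrust ipaCertIssuerSerial"
[01/Aug/2017:10:15:02.000900000 +0000] conn=3295 op=3 RESULT err=0 tag=101 nentries=1 etime=0
[01/Aug/2017:10:16:40.000100000 +0000] conn=3296 op=3 SRCH base="cn=certificates,cn=ipa,cn=etc,dc=ipa,dc=services,dc=example" scope=2 filter="(&(objectClass=ipaCertificate)(objectClass=pkiCA))" attrs="cacertificate;binary"
[01/Aug/2017:10:16:40.000200000 +0000] conn=3296 op=3 RESULT err=0 tag=101 nentries=0 etime=0
[01/Aug/2017:10:17:05.000100000 +0000] conn=3297 op=1 SRCH base="cn=CAcert,cn=ipa,cn=etc,dc=ipa,dc=services,dc=example" scope=0 filter="(objectClass=*)" attrs="cACertificate;binary"
[01/Aug/2017:10:17:05.000200000 +0000] conn=3297 op=1 RESULT err=32 tag=101 nentries=0 etime=0
"""


@dataclass
class SearchOutcome:
    conn: int
    op: int
    base: str
    filter: str
    err: Optional[int] = None
    nentries: Optional[int] = None

    def verdict(self) -> str:
        if self.err is None:
            return "no RESULT logged (connection dropped or log truncated)"
        if self.err == NO_SUCH_OBJECT:
            return "container missing (err=32)"
        if self.err != 0:
            return f"search failed (err={self.err})"
        if self.nentries == 0:
            return "container present but no CA cert entry (nentries=0)"
        return f"CA cert found (nentries={self.nentries})"


def parse_access_log(text: str) -> Tuple[List[SearchOutcome], List[str]]:
    """Pair each CA-cert SRCH with its RESULT by (conn, op). Any other RESULT
    with a code other than 0 or 14 (saslBindInProgress) is returned as unexpected."""
    pending: Dict[Tuple[int, int], SearchOutcome] = {}
    searches: List[SearchOutcome] = []
    unexpected: List[str] = []
    for line in text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue  # connection open/close lines carry no op=
        key = (int(m["conn"]), int(m["op"]))
        s = SRCH_RE.search(m["rest"])
        if s and s["base"].lower().startswith(CA_CERT_CONTAINERS):
            out = SearchOutcome(key[0], key[1], s["base"], s["filter"])
            pending[key] = out
            searches.append(out)
            continue
        r = RESULT_RE.search(m["rest"])
        if not r:
            continue
        err = int(r["err"])
        if key in pending:
            pending[key].err = err
            pending[key].nentries = int(r["nentries"])
            del pending[key]
        elif err not in (0, SASL_BIND_IN_PROGRESS):
            unexpected.append(line)
    return searches, unexpected


def summarize(text: str) -> List[str]:
    """One verdict string per CA-cert search, in log order."""
    return [s.verdict() for s in parse_access_log(text)[0]]


if __name__ == "__main__":
    found, errors = parse_access_log(SAMPLE_ACCESS_LOG)
    for s in found:
        print(f"conn={s.conn} op={s.op} base={s.base}: {s.verdict()}")
    for e in errors:
        print("unexpected:", e)
```

On a real server, pass the contents of /var/log/dirsrv/slapd-INSTANCE/access (Flo's path, with the instance name filled in) to parse_access_log and read the verdicts: nentries=0 on a successful search means the container exists but holds no CA entry, err=32 means the container itself is gone, and either explains a client falling through to the HTTP path that requires --force.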
Hello,
I have set up an IPA server, an NFS server with Samba and of course many clients. The servers are running Scientific Linux 7.3, the clients Fedora 25, CentOS 7.3 and also SL 7.3.
This was running well for one year.
Last week - I think when new IPA patches arrived - we were not able to mount the NFS shares. I see messages like this:
Could not chdir to home directory /home/habicht: No such file or directory
When I run "ls /home" I see the directories, but I can't mount.
Authentication is working.
First I thought my IPA server was broken, so I set up a new one and also configured the NFS server and the clients for the new IPA server. (Important: on the NFS server I only did a new ipa-client-install - not a reinstall of the whole server!)
But then I had the same problem again …
For the shares I am using sec=krb5i. In the end I tested sec=sys. And this works!
Can you give me any help on why an NFS server suddenly stopped exporting the shares with sec=krb5i (and also krb5 …)? What could be broken? Where do I have to search?
Thanks for any help!
Detlev
-- Detlev | Institut fuer Mikroelektronische Systeme Habicht | D-30167 Hannover +49 511 76219662 habicht@ims.uni-hannover.de --------+-------- Handy +49 172 5415752 ---------------------------
Detlev Habicht via FreeIPA-users wrote:
> [...]
I don't know what the issue is but it is highly unlikely to be related to the IPA packages, especially for a pre-configured system.
I'd look to see what else was pulled in with the update.
Note too that mixing packages between releases (7.3 and 7.4 in this case) is not well-tested so you should avoid it when possible.
rob
Thank you for your answer.
How can I avoid this mixing of packages?
Well, I think I have a mix of 7.2, 7.3 and 7.4 (Scientific Linux). :-(
What can I do to only install 7.2 and the patches for 7.2 (for example)?
Detlev
On 29.08.2017 at 17:20, Rob Crittenden via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> [...]
Detlev Habicht via FreeIPA-users wrote:
> Thank you for your answer.
> How can I avoid this mixing of packages?
> Well, I think I have a mix of 7.2, 7.3 and 7.4 (Scientific Linux). :-(
> What can I do to only install 7.2 and the patches for 7.2 (for example)?
I know nothing of SL but there may be separate repositories for each release that you could use. Otherwise I don't know. The way that RHEL operates is that each dot release contains package updates as well as potential security updates so staying at a specific release carries risk which increases over time.
The thing about NFS is there are a lot of moving parts including NFS itself, gssproxy, potentially autofs, rpcbind, etc. You should be able to add a whole slew of -vvvv to get additional debug information out of the various daemons that may point you in the right direction.
rob
On Tue, Aug 29, 2017 at 06:15:46PM +0200, Detlev Habicht via FreeIPA-users wrote:
> Thank you for your answer.
> How can I avoid this mixing of packages?
> Well, I think I have a mix of 7.2, 7.3 and 7.4 (Scientific Linux). :-(
> What can I do to only install 7.2 and the patches for 7.2 (for example)?
I don't know about Scientific Linux, but at least CentOS specifically disallows that: https://wiki.centos.org/FAQ/General#head-dcca41e9a3d5ac4c6d900a991990fd11930...
Quote: The CentOS Project provides updates or other changes ONLY for the latest version of each major branch. ... We are trying to make sure people understand they can NOT use older minor versions and still be secure. Therefore, a date in the minor version allows users to know with a glance when this minor version was created. If it is older than many months, there is likely a new version you should look for.
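A check for the point Rob and Jakub make about mixed minor releases, added here as an example and not taken from the thread: on RHEL-family systems, updates built for one specific minor release usually carry a z-stream dist tag such as el7_3 or el7_4 in the package Release field, while packages from the base of a release carry plain el7. The shell functions below group a package list by that tag, so a host carrying updates from two different minor releases shows more than one el7_N tag. The package list embedded in the block is constructed for the example; on a real host, feed the functions the output of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`. Caveat: packages that are rebuilt for a new minor release without a z-stream tag (the kernel, for instance) are not distinguished by this heuristic, so a single el7_N tag narrows the search but does not prove the system is clean.

```sh
#!/bin/sh
# Added example: group installed packages by the el7 dist tag in their Release
# field. Input format is one package per line, "NAME VERSION-RELEASE", i.e. the
# output of:  rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'
# The list below is constructed for this example, not copied from the thread.

SAMPLE_RPM_LIST='ipa-server 4.4.0-14.el7_3.7
ipa-client 4.4.0-14.el7_3.7
nfs-utils 1.3.0-0.48.el7_4
gssproxy 0.7.0-4.el7
krb5-libs 1.15.1-8.el7
sssd 1.15.2-50.el7_4.6
kernel 3.10.0-514.26.2.el7
libtirpc 0.2.4-0.10.el7'

# dist_tags LIST: print "COUNT TAG" per distinct dist tag (el7, el7_3, el7_4, ...).
# The tag is the ".el7" or ".el7_N" component of the Release field; anything
# after it (a z-stream build counter such as ".7") is ignored.
dist_tags() {
    printf '%s\n' "$1" | awk '
        {
            if (match($2, /\.el7(_[0-9]+)?(\.|$)/)) {
                tag = substr($2, RSTART + 1, RLENGTH - 1)
                sub(/\.$/, "", tag)
                count[tag]++
            }
        }
        END { for (t in count) print count[t], t }' | sort -k2
}

# mixed_minor_releases LIST: number of distinct el7_N z-stream tags present.
# A value above 1 means updates from more than one minor release are installed.
mixed_minor_releases() {
    dist_tags "$1" | awk '$2 ~ /^el7_[0-9]+$/ { n++ } END { print n + 0 }'
}

# Stand-alone run against the constructed sample.
dist_tags "$SAMPLE_RPM_LIST"
echo "distinct z-stream minor releases: $(mixed_minor_releases "$SAMPLE_RPM_LIST")"
```

For the constructed list the report shows four plain el7 packages, two tagged el7_3 and two tagged el7_4, and a z-stream count of 2: exactly the kind of mix Detlev describes. The same output on a real host tells you which packages to compare against the repository of the release you actually intend to run.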
Thank you all for your answers!
Well, it seems I made a great mistake here (mixing minor versions …).
But now I have to set up everything anew, and the real answer I will know in a few weeks …
But thank you again!
Detlev
On 29.08.2017 at 21:46, Jakub Hrozek via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> [...]