I'm really at a loss on this one. For reference, this is Ubuntu 16.04.2 using FreeIPA 4.3.1 as a client.
I have a bunch of old server images (from 2 months ago) that can run ipa-client-install just fine. When I created a new image, though, I get this error (from the install logs):
DEBUG flushing ldap://ipa.services.example:389 from SchemaCache
DEBUG retrieving schema for SchemaCache url=ldap://ipa.services.example:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7ff6a4e67560>
DEBUG get_ca_certs_from_ldap() error: 'ipa.services.example' doesn't have a certificate.
DEBUG 'ipa.services.example' doesn't have a certificate.
ERROR In unattended mode without a One Time Password (OTP) or without --ca-cert-file You must specify --force to retrieve the CA cert using HTTP
ERROR Cannot obtain CA certificate
HTTP certificate download requires --force
ERROR Installation failed. Rolling back changes.
ERROR IPA client is not configured on this system.
For comparison, the old images work as expected:
DEBUG flushing ldap://ipa.services.example:389 from SchemaCache
DEBUG retrieving schema for SchemaCache url=ldap://ipa.services.example:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f2a0cb6e128>
INFO Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=IPA.SERVICES.example
    Issuer:      CN=Certificate Authority,O=IPA.SERVICES.example
    Valid From:  Wed Apr 05 21:11:13 2017 UTC
    Valid Until: Sun Apr 05 21:11:13 2037 UTC
It's literally the same build script, so nothing there has changed. The old images still work even now, so I don't think it's a DNS issue. I tried running update-ca-certificates, but that did nothing. I tried restarting the FreeIPA server, nothing changed.
If I try --force-ing the install, this happens:
Enrolled in IPA realm IPA.SERVICES.EXAMPLE
Created /etc/ipa/default.conf
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 3099, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 3080, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2727, in install
    api.finalize()
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 656, in finalize
    self.__do_if_not_done('load_plugins')
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 370, in __do_if_not_done
    getattr(self, name)()
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 534, in load_plugins
    self.import_plugins(module)
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 572, in import_plugins
    module = importlib.import_module(name)
  File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "/usr/lib/python2.7/dist-packages/ipalib/plugins/cert.py", line 29, in <module>
    from ipalib import pkcs10
  File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 79, in <module>
    class _PrincipalName(univ.Sequence):
  File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 84, in _PrincipalName
    namedtype.NamedType('name-string', univ.SequenceOf(char.GeneralString()).subtype(
TypeError: __init__() takes exactly 1 argument (2 given)
Really not sure what's going on here, but something's not right. Any ideas?
Update: I've tried a number of iterations with this, and the issue between my old and new server is this:
OLD SERVER: pyasn1==0.2.3
NEW SERVER: pyasn1==0.3.1
Per their CHANGES.rst, they made these changes in 0.3.1:
- ASN.1 types __init__(), .clone() and .subtype() signatures refactored into keyword arguments to simplify their signatures.
- ASN.1 types initialization refactored to minimize the use of relatively expensive isNoValue() call
So I guess their refactor isn't compatible with FreeIPA 4.3.1. For now I'll roll back my local to that version, but it seems like this should be fixed.
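The practical lesson of the thread is that an unpinned transitive dependency (pyasn1) changed between two builds of the same image script and broke ipa-client-install. Below is a small pre-flight check, added here as an example and not code from FreeIPA, pyasn1 or the reporter: it parses `pip freeze` style output and flags a pyasn1 version at or above 0.3.1, the release the thread identifies as the one that made the constructor and .subtype() signatures keyword-only. The threshold, the sample freeze outputs and the function names are this example's own assumptions; the only facts taken from the thread are the two version numbers and the affected client version.

```python
"""Pre-flight check: refuse to run ipa-client-install 4.3.1 against a pyasn1
that uses the keyword-only constructor API (pyasn1 >= 0.3.1).

Example code added to this page; not part of FreeIPA or pyasn1.
Runs with the standard library only (Python 2.7 or 3).
"""
import re
import subprocess
import sys

# First pyasn1 release whose CHANGES.rst entry (quoted in the thread) records the
# __init__()/.clone()/.subtype() keyword-argument refactor. Assumption: every
# release from here on is affected; the thread only tested 0.2.3 and 0.3.1.
PYASN1_BREAKING_VERSION = (0, 3, 1)


def parse_version(text):
    """Turn a dotted version string such as '0.3.1' into a tuple of ints.

    Only numeric components are kept, so pre-release suffixes are ignored;
    that is good enough for an ordering check against a dotted threshold.
    """
    return tuple(int(n) for n in re.findall(r'\d+', text))


def parse_freeze(freeze_output):
    """Parse 'name==version' lines (the `pip freeze` format) into a dict.

    Names are lower-cased so 'PyASN1' and 'pyasn1' compare equal; lines that
    are blank, comments, or not pinned with '==' are skipped.
    """
    pins = {}
    for line in freeze_output.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        match = re.match(r'^([A-Za-z0-9_.\-]+)==(\S+)$', line)
        if match:
            pins[match.group(1).lower()] = match.group(2)
    return pins


def pyasn1_is_compatible(freeze_output, breaking=PYASN1_BREAKING_VERSION):
    """Return (ok, message) for the pyasn1 pin found in freeze_output.

    ok is False when pyasn1 is missing (cannot verify) or when its version is
    at or above the breaking release.
    """
    pins = parse_freeze(freeze_output)
    if 'pyasn1' not in pins:
        return False, 'pyasn1 not found in pip freeze output; cannot verify'
    version = pins['pyasn1']
    threshold = '.'.join(str(n) for n in breaking)
    if parse_version(version) >= breaking:
        return False, ('pyasn1==%s is >= %s and uses the keyword-only API; '
                       'ipa-client-install 4.3.1 will fail importing ipalib.pkcs10'
                       % (version, threshold))
    return True, 'pyasn1==%s predates the %s API change' % (version, threshold)


# Constructed sample input modelled on the two pins quoted in the thread.
# The 'six' line is made up to show that unrelated packages are ignored.
OLD_IMAGE_FREEZE = "six==1.10.0\npyasn1==0.2.3\n"
NEW_IMAGE_FREEZE = "six==1.10.0\npyasn1==0.3.1\n"


def main():
    """Check the live interpreter's pip freeze output and exit non-zero on failure."""
    freeze = subprocess.check_output([sys.executable, '-m', 'pip', 'freeze'])
    ok, message = pyasn1_is_compatible(freeze.decode('utf-8', 'replace'))
    print(message)
    return 0 if ok else 1


if __name__ == '__main__':
    sys.exit(main())
```

Dropping this in front of the ipa-client-install step of the build script turns the silent drift into a hard failure with a message that names the culprit; the reporter's workaround of rolling pyasn1 back to 0.2.3 is then a deliberate pin rather than an accident of whatever pip resolved on the day the image was built.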
0.3.1 was just released a few days ago, it takes time to react to API-breaking libraries.
@rcritten oh, definitely; not asking for it to be immediately updated. And even if it gets updated in the latest version, I'd imagine that older versions are going to still be affected.
closing as duplicate of #7082
Metadata Update from @pvoborni: - Issue close_status updated to: duplicate - Issue status updated to: Closed (was: Open)