#7079 "Cannot obtain CA certificate" error when trying to install, but works on older instances; force fails
Closed: duplicate 6 years ago Opened 6 years ago by greggilbert.

I'm really at a loss on this one. For reference, this is Ubuntu 16.04.2 using FreeIPA 4.3.1 as a client.

I have a bunch of old server images (from 2 months ago) that can run ipa-client-install just fine. When I created a new image, though, I get this error (from the install logs):

DEBUG flushing ldap://ipa.services.example:389 from SchemaCache
DEBUG retrieving schema for SchemaCache url=ldap://ipa.services.example:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7ff6a4e67560>
DEBUG get_ca_certs_from_ldap() error: 'ipa.services.example' doesn't have a certificate.
DEBUG 'ipa.services.example' doesn't have a certificate.
ERROR In unattended mode without a One Time Password (OTP) or without --ca-cert-file
You must specify --force to retrieve the CA cert using HTTP
ERROR Cannot obtain CA certificate
HTTP certificate download requires --force
ERROR Installation failed. Rolling back changes.
ERROR IPA client is not configured on this system.

For comparison, the old images work as expected:

DEBUG flushing ldap://ipa.services.example:389 from SchemaCache
DEBUG retrieving schema for SchemaCache url=ldap://ipa.services.example:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f2a0cb6e128>
INFO Successfully retrieved CA cert
    Subject:     CN=Certificate Authority,O=IPA.SERVICES.example
    Issuer:      CN=Certificate Authority,O=IPA.SERVICES.example
    Valid From:  Wed Apr 05 21:11:13 2017 UTC
    Valid Until: Sun Apr 05 21:11:13 2037 UTC

It's literally the same build script, so nothing there has changed. The old images still work even now, so I don't think it's a DNS issue. I tried running update-ca-certificates, but that did nothing. I tried restarting the FreeIPA server, nothing changed.

If I try the install with --force, this happens:

Enrolled in IPA realm IPA.SERVICES.EXAMPLE
Created /etc/ipa/default.conf
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 3099, in <module>
    sys.exit(main())
  File "/usr/sbin/ipa-client-install", line 3080, in main
    rval = install(options, env, fstore, statestore)
  File "/usr/sbin/ipa-client-install", line 2727, in install
    api.finalize()
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 656, in finalize
    self.__do_if_not_done('load_plugins')
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 370, in __do_if_not_done
    getattr(self, name)()
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 534, in load_plugins
    self.import_plugins(module)
  File "/usr/lib/python2.7/dist-packages/ipalib/plugable.py", line 572, in import_plugins
    module = importlib.import_module(name)
  File "/usr/lib/python2.7/importlib/__init__.py", line 37, in import_module
    __import__(name)
  File "/usr/lib/python2.7/dist-packages/ipalib/plugins/cert.py", line 29, in <module>
    from ipalib import pkcs10
  File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 79, in <module>
    class _PrincipalName(univ.Sequence):
  File "/usr/lib/python2.7/dist-packages/ipalib/pkcs10.py", line 84, in _PrincipalName
    namedtype.NamedType('name-string', univ.SequenceOf(char.GeneralString()).subtype(
TypeError: __init__() takes exactly 1 argument (2 given)

Really not sure what's going on here, but something's not right. Any ideas?


Update: I've tried a number of iterations with this, and the issue between my old and new server is this:

OLD SERVER: pyasn1==0.2.3
NEW SERVER: pyasn1==0.3.1

Per their CHANGES.rst, they made these changes in 0.3.1:

  • ASN.1 types __init__(), .clone() and .subtype() signatures refactored into keyword arguments to simplify their signatures.
  • ASN.1 types initialization refactored to minimize the use of relatively expensive isNoValue() call

So I guess their refactor isn't compatible with FreeIPA 4.3.1. For now I'll roll back my local to that version, but it seems like this should be fixed.

0.3.1 was just released a few days ago; it takes time to react to API-breaking libraries.

@rcritten oh, definitely; not asking for it to be immediately updated. And even if it gets updated in the latest version, I'd imagine that older versions are going to still be affected.
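The traceback above fails while pyasn1 is still building the _PrincipalName type, because the positional call univ.SequenceOf(char.GeneralString()) is no longer accepted once the constructor only takes keyword arguments. The following is an added illustration, not code from this ticket or from FreeIPA: it defines the same Kerberos PrincipalName structure (RFC 4120 section 5.2.2) using the keyword-argument style the CHANGES.rst entry describes, then DER-encodes and decodes a constructed sample principal to show the definition is usable. It assumes pyasn1 0.3 or newer; the name-type value and the principal components are constructed sample data.

```python
"""Kerberos PrincipalName with pyasn1, written in the keyword-argument style.

Added example, not FreeIPA's pkcs10.py. Assumes pyasn1 >= 0.3, where the
ASN.1 type constructors take keyword arguments only (the positional form
univ.SequenceOf(char.GeneralString()) is what raised the TypeError in the
ticket's traceback).
"""
from pyasn1.type import univ, namedtype, tag, char
from pyasn1.codec.der import encoder, decoder

# RFC 4120 name-type for an ordinary principal (constructed sample value).
KRB5_NT_PRINCIPAL = 1


def _explicit(base, number):
    """Wrap a type in an EXPLICIT context-specific tag [number]."""
    return base.subtype(
        explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, number))


class PrincipalName(univ.Sequence):
    """PrincipalName ::= SEQUENCE {
           name-type   [0] Int32,
           name-string [1] SEQUENCE OF KerberosString  -- GeneralString
       }
    """
    componentType = namedtype.NamedTypes(
        namedtype.NamedType('name-type', _explicit(univ.Integer(), 0)),
        # componentType= is the keyword form that works on pyasn1 0.3+.
        namedtype.NamedType('name-string',
                            _explicit(univ.SequenceOf(componentType=char.GeneralString()), 1)),
    )


def principal_to_der(name_type, components):
    """Build a PrincipalName from its parts and return the DER encoding."""
    pn = PrincipalName()
    pn['name-type'] = name_type
    for idx, comp in enumerate(components):
        # Each component becomes one GeneralString inside the SEQUENCE OF.
        pn['name-string'][idx] = comp
    return encoder.encode(pn)


def der_to_principal(der):
    """Decode DER produced by principal_to_der back to (name_type, [components])."""
    decoded, rest = decoder.decode(der, asn1Spec=PrincipalName())
    if rest:
        raise ValueError('trailing bytes after PrincipalName: %r' % (rest,))
    name_type = int(decoded['name-type'])
    components = [str(c) for c in decoded['name-string']]
    return name_type, components


if __name__ == '__main__':
    # Constructed sample: the host principal of the server named in the ticket.
    der = principal_to_der(KRB5_NT_PRINCIPAL, ['host', 'ipa.services.example'])
    print(der.hex())
    print(der_to_principal(der))
```

The DER layout is easy to eyeball: the outer SEQUENCE carries an [0] EXPLICIT INTEGER for name-type and an [1] EXPLICIT SEQUENCE OF GeneralString for name-string, so a decode of the encoder's own output must return the original pair.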

Metadata Update from @pvoborni:
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)
