FreeIPA 4.4.0-14 fails to install on CentOS 7 if pyasn1 0.3.2 is installed.
Steps to reproduce: 1. Spin up a CentOS 7 machine 2. yum install epel-release python-pip 3. pip install awscli 4. ipa-server-install --no_hbac_allow --mkhomedir --ssh-trust-dns --setup-dns
Here's the error I get:
... Configuring directory server (dirsrv). Estimated time: 10 seconds [1/3]: configuring ssl for ds instance [2/3]: restarting directory server [3/3]: adding CA certificate entry [error] ValueError: failed to decode certificate: [0:32:16] not in asn1Spec: TagMap() ipa.ipapython.install.cli.install_tool(Server): ERROR failed to decode certificate: [0:32:16] not in asn1Spec: TagMap() ipa.ipapython.install.cli.install_tool(Server): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
Pretty sure this is related to https://pagure.io/freeipa/issue/7082
What version of python-pyasn1 is installed? IPA is known to not work with versions > 0.2.3.
That's not an easy question to answer.
[centos@ipa1 site-packages]$ pwd /usr/lib/python2.7/site-packages [centos@ipa1 site-packages]$ ls -lasd pyasn1* 4 drwxr-xr-x. 5 root root 4096 Aug 15 00:22 pyasn1 4 drwxr-xr-x. 2 root root 4096 Aug 15 00:22 pyasn1-0.3.2.dist-info [centos@ipa1 site-packages]$ rpm -qa | grep -i pyasn python2-pyasn1-0.1.9-7.el7.noarch [centos@ipa1 site-packages]$
The issue seems to be trying to install IPA on a machine that already has the awscli tools installed from pip.
I do not think this issue is anyhow relevant to the one you've linked.
Would you be able to provide a minimal reproducer and submit an issue? It can be as simple as a certificate that fails to decode.
IPA is known to not work with versions > 0.2.3.
I have an impression that 0.3.2+ should work just fine. Do you think otherwise? Does this decoder error happen with 0.2.3 as well?
@etingof I believe you are right. My initial testing of 0.3.2 against freeIPA in rawhide looks very good. It was 0.3.1 that raised a similar asn1Spec errors.
I just had similar asn1Spec errors with ipa-client-install (again, CentOS 7, ipa-client 4.4.0-14).
pip list indicated pyasn1 0.3.2 was installed. When I reverted to pyasn1 0.2.3 the problems went away and ipa-client-install started working again.
Is it 'failed to decode certificate: [X:X:X] not in asn1Spec' error which only shows up with 0.3.2? Then I think:
If it's a bug in pyasn1, I will come up with a fix in 0.3.3.
Thanks!
I can't reproduce this with pyasn1 0.3.2.
Feel free to re-open if you can provide a reproducer.
Metadata Update from @rcritten: - Issue close_status updated to: worksforme - Issue status updated to: Closed (was: Open)
Apparently, it is likely to be a bug in pyasn1 which is fixed in the latest released version (0.3.3).
Better reference.
Log in to comment on this ticket.