[Freeipa-users] ipa-replica-install fails with python import error for module ssl_match_hostname

Rob Crittenden rcritten at redhat.com
Thu Aug 11 15:51:01 UTC 2016


White Hat wrote:
> When attempting to run ipa-replica-install I get a python error, No
> module named ssl_match_hostname
>
>
> This is on a CentOS 7.2 x86_64 testing box.
>
> All available updates including kernel installed, and system rebooted
> same day. Same error before and after patching and reboot.
>
> Let me know if you want to see the yum history log info.
>
> - Operating system version
> [root at lcars site-packages]# cat /etc/redhat-release
> CentOS Linux release 7.2.1511 (Core)
>
> [root at lcars site-packages]# uname -a
> Linux lcars.internal.madisonrentals.biz 3.10.0-327.28.2.el7.x86_64 #1
> SMP Wed Aug 3 11:11:39 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
>
> - Here are the installed packages.  All were installed using yum.
> [root at lcars site-packages]# yum list installed | awk '/backports|ipa-/'
> ipa-admintools.x86_64                  4.2.0-15.0.1.el7.centos.18      @updates
> ipa-client.x86_64                      4.2.0-15.0.1.el7.centos.18      @updates
> ipa-python.x86_64                      4.2.0-15.0.1.el7.centos.18      @updates
> ipa-server.x86_64                      4.2.0-15.0.1.el7.centos.18      @updates
> ipa-server-dns.x86_64                  4.2.0-15.0.1.el7.centos.18      @updates
> python-backports.noarch                1.0-6.el7                       @anaconda
> python-backports.x86_64                1.0-8.el7                       installed
> python-backports-ssl_match_hostname.noarch
>
> I have the following repositories enabled:
> base/7/x86_64
> epel/x86_64
> extras/7/x86_64
> updates/7/x86_64
>
> - Other threads on this issue suggest using pip to install
> backports.ssl_match_hostname.  I still get the same error after doing
> that.
>
> [root at lcars site-packages]# pip install backports.ssl_match_hostname
> Requirement already satisfied (use --upgrade to upgrade):
> backports.ssl_match_hostname in /usr/lib/python2.7/site-packages
>
> [root at lcars site-packages]# pip install --upgrade backports.ssl_match_hostname
> Requirement already up-to-date: backports.ssl_match_hostname in
> /usr/lib/python2.7/site-packages
>
> - Here's the actual attempt
> [root at lcars site-packages]# ipa-replica-install --setup-ca --setup-dns
> --forwarder=4.2.2.1
> /root/replica-info-lcars.internal.madisonrentals.biz.gpg
> WARNING: conflicting time&date synchronization service 'chronyd' will
> be disabled in favor of ntpd
>
> Directory Manager (existing master) password:
>
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    No module
> named ssl_match_hostname
>
> Even when running the suggested ipa-server-install --uninstall, I
> still receive the error about the missing module.
>
> Here's what I have in /usr/lib/python2.7/site-packages
>
> [root at lcars site-packages]# pwd
> /usr/lib/python2.7/site-packages
> [root at lcars site-packages]# ls | awk '/backports.ssl/'
> backports.ssl_match_hostname-3.4.0.2-py2.7.egg-info
> backports.ssl_match_hostname-3.5.0.1-py2.7.egg-info
>
> - And here are the contents of each directory.
> [root at lcars site-packages]# cd
> backports.ssl_match_hostname-3.4.0.2-py2.7.egg-info/
>
> [root at lcars backports.ssl_match_hostname-3.4.0.2-py2.7.egg-info]# ls
> dependency_links.txt  PKG-INFO  SOURCES.txt  top_level.txt
>
> [root at lcars backports.ssl_match_hostname-3.4.0.2-py2.7.egg-info]# cd ..
> [root at lcars site-packages]# ls
> backports.ssl_match_hostname-3.5.0.1-py2.7.egg-info
> dependency_links.txt  installed-files.txt  PKG-INFO  SOURCES.txt  top_level.txt
>
> Another thread suggested that this can be caused by a missing
> __init__.py file, however, creating this file in both directories
> doesn't help.
>
> A commit by Heimes may shed some light on this.
> The commit is in regards to otptoken and states that:
>
> "The otptoken plugin is the only module in FreeIPA that uses Python's ssl
> module instead of NSS. The patch replaces ssl with NSSConnection. It
> uses the default NSS database to lookup trust anchors. NSSConnection
> uses NSS for hostname matching. The package
> python-backports-ssl_match_hostname is no longer required."
>
> The master IPA server is up and running with no issues.
>
> An ipa connection between replica server and master reports that the
> connection is working.
>
> What else could I be missing?

Is there a more complete traceback in /var/log/ipareplica-install? I'm 
curious where the import is originating. If not, instrumenting 
ipa-replica-install with pdb would be a way to find it.

rob
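
A complementary check to the traceback and pdb approach suggested above, as an added example that is not part of the original thread or of FreeIPA: it lists every `backports` directory on a module search path and reports whether `ssl_match_hostname` is importable from it. The function names and verdict strings are hypothetical, and the shadowing rule is an assumption stated in the code comments.

```python
import os
import sys


def scan_backports(search_path):
    """Return one record per path entry that contains a backports/ directory."""
    found = []
    for entry in search_path:
        pkg = os.path.join(entry, "backports")
        if not os.path.isdir(pkg):
            continue
        sub = os.path.join(pkg, "ssl_match_hostname")
        found.append({
            "dir": pkg,
            # A regular package (one with __init__.py) claims the name "backports".
            "has_init": os.path.isfile(os.path.join(pkg, "__init__.py")),
            # The module is either a sub-package or a single .py file.
            "has_module": os.path.isfile(os.path.join(sub, "__init__.py"))
            or os.path.isfile(sub + ".py"),
        })
    return found


def diagnose(search_path):
    """Classify the layout as 'ok', 'shadowed', 'no-init' or 'missing'."""
    found = scan_backports(search_path)
    if not any(r["has_module"] for r in found):
        return "missing"   # egg-info metadata may exist, but no importable code
    winners = [r for r in found if r["has_init"]]
    if not winners:
        return "no-init"   # Python 2.7 skips directories without __init__.py
    # Assumption: the first regular package on the path wins the import,
    # unless its __init__.py extends __path__ (not inspected here).
    if not winners[0]["has_module"]:
        return "shadowed"
    return "ok"


if __name__ == "__main__":
    # Run with the same interpreter that ipa-replica-install uses.
    for rec in scan_backports(sys.path):
        print("%(dir)s  __init__.py=%(has_init)s  ssl_match_hostname=%(has_module)s" % rec)
    print("verdict: " + diagnose(sys.path))
```

A `shadowed` or `missing` verdict only narrows down where to look; the traceback still shows which FreeIPA module issues the import.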
