[Freeipa-users] ipa-replica-install fails with python import error for module ssl_match_hostname

White Hat whitehat237 at gmail.com
Tue Aug 30 02:45:24 UTC 2016 

The exact same error is in the /var/log/ipareplica-install log

Here are the last few relevant lines.

  File "/usr/lib/python2.7/site-packages/ipalib/plugins/otptoken.py",
line 28, in <module>
    from backports.ssl_match_hostname import match_hostname

2016-08-11T03:53:02Z DEBUG The ipa-replica-install command failed,
exception: ImportError: No module named ssl_match_hostname
2016-08-11T03:53:02Z ERROR No module named ssl_match_hostname
[root at lcars log]#



On Thu, Aug 11, 2016 at 10:51 AM, Rob Crittenden <rcritten at redhat.com> wrote:
> White Hat wrote:
>>
>> When attempting to run ipa-replica-install I get a python error, No
>> module named ssl_match_hostname
>>
>>
>> This is on a CentOS 7.2 x86_64 testing box.
>>
>> All available updates including kernel installed, and system rebooted
>> same day. Same error before and after patching and reboot.
>>
>> Let me know if you want to see the yum history log info.
>>
>> - Operating system version
>> [root at lcars site-packages]# cat /etc/redhat-release
>> CentOS Linux release 7.2.1511 (Core)
>>
>> [root at lcars site-packages]# uname -a
>> Linux lcars.internal.madisonrentals.biz 3.10.0-327.28.2.el7.x86_64 #1
>> SMP Wed Aug 3 11:11:39 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
>>
>> - Here are the installed packages.  All were installed using yum.
>> [root at lcars site-packages]# yum list installed | awk '/backports|ipa-/'
>> ipa-admintools.x86_64                  4.2.0-15.0.1.el7.centos.18
>> @updates
>> ipa-client.x86_64                      4.2.0-15.0.1.el7.centos.18
>> @updates
>> ipa-python.x86_64                      4.2.0-15.0.1.el7.centos.18
>> @updates
>> ipa-server.x86_64                      4.2.0-15.0.1.el7.centos.18
>> @updates
>> ipa-server-dns.x86_64                  4.2.0-15.0.1.el7.centos.18
>> @updates
>> python-backports.noarch                1.0-6.el7
>> @anaconda
>> python-backports.x86_64                1.0-8.el7
>> installed
>> python-backports-ssl_match_hostname.noarch
>>
>> I have the following repositories enabled:
>> base/7/x86_64
>> epel/x86_64
>> extras/7/x86_64
>> updates/7/x86_64
>>
>> - Other threads on this issue suggest using pip to install
>> backports.ssl_match_hostname.  I still get the same error after doing
>> that.
>>
>> [root at lcars site-packages]# pip install backports.ssl_match_hostname
>> Requirement already satisfied (use --upgrade to upgrade):
>> backports.ssl_match_hostname in /usr/lib/python2.7/site-packages
>>
>> [root at lcars site-packages]# pip install --upgrade
>> backports.ssl_match_hostname
>> Requirement already up-to-date: backports.ssl_match_hostname in
>> /usr/lib/python2.7/site-packages
>>
>> - Here's the actual attempt
>> [root at lcars site-packages]# ipa-replica-install --setup-ca --setup-dns
>> --forwarder=4.2.2.1
>> /root/replica-info-lcars.internal.madisonrentals.biz.gpg
>> WARNING: conflicting time&date synchronization service 'chronyd' will
>> be disabled in favor of ntpd
>>
>> Directory Manager (existing master) password:
>>
>> Your system may be partly configured.
>> Run /usr/sbin/ipa-server-install --uninstall to clean up.
>>
>> ipa.ipapython.install.cli.install_tool(Replica): ERROR    No module
>> named ssl_match_hostname
>>
>> Even when running the suggested ipa-server-install --uninstall, I
>> still receive the error about the missing module.
>>
>> Here's what I have in /usr/lib/python2.7/site-packages
>>
>> [root at lcars site-packages]# pwd
>> /usr/lib/python2.7/site-packages
>> [root at lcars site-packages]# ls | awk '/backports.ssl/'
>> backports.ssl_match_hostname-3.4.0.2-py2.7.egg-info
>> backports.ssl_match_hostname-3.5.0.1-py2.7.egg-info
>>
>> - And here are the contents of each directory.
>> [root at lcars site-packages]# cd
>> backports.ssl_match_hostname-3.4.0.2-py2.7.egg-info/
>>
>> [root at lcars backports.ssl_match_hostname-3.4.0.2-py2.7.egg-info]# ls
>> dependency_links.txt  PKG-INFO  SOURCES.txt  top_level.txt
>>
>> [root at lcars backports.ssl_match_hostname-3.4.0.2-py2.7.egg-info]# cd ..
>> [root at lcars site-packages]# ls
>> backports.ssl_match_hostname-3.5.0.1-py2.7.egg-info
>> dependency_links.txt  installed-files.txt  PKG-INFO  SOURCES.txt
>> top_level.txt
>>
>> Another thread suggested that this can be caused by a missing
>> __init__.py file, however, creating this file in both directories
>> doesn't help.
>>
>> A commit by Heimes may shed some light on this.
>> The commit is in regards to otptoken and states that:
>>
>> "The otptoken plugin is the only module in FreeIPA that uses Python's ssl
>> module instead of NSS. The patch replaces ssl with NSSConnection. It
>> uses the default NSS database to lookup trust anchors. NSSConnection
>> uses NSS for hostname matching. The package
>> python-backports-ssl_match_hostname is no longer required."
>>
>> The master IPA server is up and running with no issues.
>>
>> An ipa connection between replica server and master reports that the
>> connection is working.
>>
>> What else could I be missing?
>
>
> Is there a more complete traceback in /var/log/ipareplica-install? I'm
> curious where the import is originating? If not instrumenting
> ipa-replica-install with pdb would be a way to find it.
>
> rob
>

More information about the Freeipa-users mailing list