[Freeipa-users] Add 4.4 replica to 4.3 server fails

Jochen Hein jochen at jochen.org
Thu Dec 1 22:32:06 UTC 2016


Jochen Hein <jochen at jochen.org> writes:

> I'm running a single IPA master 4.3 on an up-to-date Fedora 24. That
> server has been updated from earlier Fedoras and runs DNS and CA.
> I've updated domainlevel to 1 manually.
>
> Now I'd like to switch to a CentOS install, so I installed CentOS 7.2
> on a new VM and updated to the CR repo, so I'll get IPA 4.4.
> When installing a replica with "ipa-replica-install --setup-ca" I get:
...
>   [3/5]: Importing RA Key
> /usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
> SecurityWarning
> [error] HTTPError: 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Multibackend cannot be initialized with no backends. If you are seeing this error when trying to use default_backend() please try uninstalling and reinstalling cryptography.',)]"]
> Your system may be partly configured.
> Run /usr/sbin/ipa-server-install --uninstall to clean up.

> ipa.ipapython.install.cli.install_tool(Replica): ERROR    406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Multibackend cannot be initialized with no backends. If you are seeing this error when trying to use default_backend() please try uninstalling and reinstalling cryptography.',)]"]
> ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>

In CentOS 7.2/7.3 we have python-jwcrypto-0.2.1-1.el7, in Fedora 23 we
have 0.3.2-1.
https://github.com/latchset/jwcrypto/issues/47 talks about problems with
FreeIPA and custodia, and that downgrading python-jwcrypto helped. Since
I consider the way forward a better choice I upgraded python-jwcrypto on
CentOS to 0.3.2, and now I have new replicas with FreeIPA 4.4 attached
to my 4.3 master.  Yeah!  It might be a good idea to get the package in
CentOS/RHEL upgraded...

Jochen

-- 
The only problem with troubleshooting is that the trouble shoots back.



