[Freeipa-users] Add 4.4 replica to 4.3 server fails
Jochen Hein
jochen at jochen.org
Sun Nov 27 21:45:35 UTC 2016
I'm running a single IPA master 4.3 on an up-to-date Fedora 24. That
server has been updated from earlier Fedoras and runs DNS and CA.
I've updated domainlevel to 1 manually.
Installed packages in IPA master:
[root@freeipa ~]# rpm -qa | grep freeipa
freeipa-admintools-4.3.2-2.fc24.noarch
freeipa-server-common-4.3.2-2.fc24.noarch
freeipa-server-4.3.2-2.fc24.x86_64
freeipa-client-common-4.3.2-2.fc24.noarch
freeipa-server-trust-ad-4.3.2-2.fc24.x86_64
freeipa-client-4.3.2-2.fc24.x86_64
freeipa-common-4.3.2-2.fc24.noarch
freeipa-python-compat-4.3.2-2.fc24.noarch
Now I'd like to switch to a CentOS install, so I installed CentOS 7.2
on a new VM and updated to the CR repo, so I'll get IPA 4.4.
Installed packages in new VM:
[root@freeipa1 ~]# rpm -qa | grep ipa
python2-ipaserver-4.4.0-12.el7.centos.noarch
python2-ipalib-4.4.0-12.el7.centos.noarch
ipa-server-4.4.0-12.el7.centos.x86_64
python-iniparse-0.4-9.el7.noarch
ipa-server-dns-4.4.0-12.el7.centos.noarch
ipa-client-common-4.4.0-12.el7.centos.noarch
libipa_hbac-1.14.0-43.el7.x86_64
ipa-common-4.4.0-12.el7.centos.noarch
ipa-admintools-4.4.0-12.el7.centos.noarch
sssd-ipa-1.14.0-43.el7.x86_64
ipa-client-4.4.0-12.el7.centos.x86_64
ipa-python-compat-4.4.0-12.el7.centos.noarch
python-libipa_hbac-1.14.0-43.el7.x86_64
python2-ipaclient-4.4.0-12.el7.centos.noarch
python-ipaddress-1.0.16-2.el7.noarch
ipa-server-common-4.4.0-12.el7.centos.noarch
When installing a replica with "ipa-replica-install --setup-ca" I get:
[root@freeipa1 ~]# ipa-replica-install --setup-ca
Run connection check to master
Connection check OK
Configuring NTP daemon (ntpd)
[1/4]: stopping ntpd
[2/4]: writing configuration
[3/4]: configuring ntpd to start on boot
[4/4]: starting ntpd
Done configuring NTP daemon (ntpd).
Configuring directory server (dirsrv). Estimated time: 1 minute
[1/44]: creating directory server user
[2/44]: creating directory server instance
[3/44]: updating configuration in dse.ldif
[4/44]: restarting directory server
[5/44]: adding default schema
[6/44]: enabling memberof plugin
[7/44]: enabling winsync plugin
[8/44]: configuring replication version plugin
[9/44]: enabling IPA enrollment plugin
[10/44]: enabling ldapi
[11/44]: configuring uniqueness plugin
[12/44]: configuring uuid plugin
[13/44]: configuring modrdn plugin
[14/44]: configuring DNS plugin
[15/44]: enabling entryUSN plugin
[16/44]: configuring lockout plugin
[17/44]: configuring topology plugin
[18/44]: creating indices
[19/44]: enabling referential integrity plugin
[20/44]: configuring certmap.conf
[21/44]: configure autobind for root
[22/44]: configure new location for managed entries
[23/44]: configure dirsrv ccache
[24/44]: enabling SASL mapping fallback
[25/44]: restarting directory server
[26/44]: creating DS keytab
[27/44]: retrieving DS Certificate
[28/44]: restarting directory server
[29/44]: setting up initial replication
Starting replication, please wait until this has completed.
Update in progress, 8 seconds elapsed
Update succeeded
[30/44]: adding sasl mappings to the directory
[31/44]: updating schema
[32/44]: setting Auto Member configuration
[33/44]: enabling S4U2Proxy delegation
[34/44]: importing CA certificates from LDAP
[35/44]: initializing group membership
[36/44]: adding master entry
[37/44]: initializing domain level
[38/44]: configuring Posix uid/gid generation
[39/44]: adding replication acis
[40/44]: enabling compatibility plugin
[41/44]: activating sidgen plugin
[42/44]: activating extdom plugin
[43/44]: tuning directory server
[44/44]: configuring directory to start on boot
Done configuring directory server (dirsrv).
Configuring ipa-custodia
[1/5]: Generating ipa-custodia config file
[2/5]: Generating ipa-custodia keys
[3/5]: Importing RA Key
/usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.)
SecurityWarning
[error] HTTPError: 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Multibackend cannot be initialized with no backends. If you are seeing this error when trying to use default_backend() please try uninstalling and reinstalling cryptography.',)]"]
Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.
ipa.ipapython.install.cli.install_tool(Replica): ERROR 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Multibackend cannot be initialized with no backends. If you are seeing this error when trying to use default_backend() please try uninstalling and reinstalling cryptography.',)]"]
ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
In ipareplica-install.log we have:
[...]
2016-11-27T21:07:25Z DEBUG Configuring ipa-custodia
2016-11-27T21:07:25Z DEBUG [1/5]: Generating ipa-custodia config file
2016-11-27T21:07:25Z DEBUG duration: 0 seconds
2016-11-27T21:07:25Z DEBUG [2/5]: Generating ipa-custodia keys
2016-11-27T21:07:26Z DEBUG duration: 1 seconds
2016-11-27T21:07:26Z DEBUG [3/5]: Importing RA Key
2016-11-27T21:07:26Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 448, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 438, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 112, in __import_ra_key
    cli.fetch_key('ra/ipaCert')
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/client.py", line 98, in fetch_key
    r.raise_for_status()
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 834, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
HTTPError: 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Multibackend cannot be initialized with no backends. If you are seeing this error when trying to use default_backend() please try uninstalling and reinstalling cryptography.',)]"]
2016-11-27T21:07:26Z DEBUG [error] HTTPError: 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Multibackend cannot be initialized with no backends. If you are seeing this error when trying to use default_backend() please try uninstalling and reinstalling cryptography.',)]"]
2016-11-27T21:07:26Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 586, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1714, in main
    promote(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 364, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1470, in promote
    custodia.create_replica(config.master_host_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 95, in create_replica
    realm=self.realm)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 580, in create_instance
    self.start_creation("Configuring %s" % self.service_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 448, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 438, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 112, in __import_ra_key
    cli.fetch_key('ra/ipaCert')
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/client.py", line 98, in fetch_key
    r.raise_for_status()
  File "/usr/lib/python2.7/site-packages/requests/models.py", line 834, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
2016-11-27T21:07:26Z DEBUG The ipa-replica-install command failed, exception: HTTPError: 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Multibackend cannot be initialized with no backends. If you are seeing this error when trying to use default_backend() please try uninstalling and reinstalling cryptography.',)]"]
2016-11-27T21:07:26Z ERROR 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Multibackend cannot be initialized with no backends. If you are seeing this error when trying to use default_backend() please try uninstalling and reinstalling cryptography.',)]"]
2016-11-27T21:07:26Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
Any idea what's wrong?
Jochen
--
The only problem with troubleshooting is that the trouble shoots back.
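
Added example (not part of the original post and not FreeIPA code): a small triage script for a log in the format quoted above. It reports the installer section and step that were running when the HTTPError appeared, and splits the 406 reason text, which requests copies from the answering peer's response, into that peer's message and the exception embedded in it. The names triage, SAMPLE_LOG and the regular expressions are hypothetical, and the sample log is constructed from the excerpt in the post.

```python
import re

# Constructed sample shaped like the ipareplica-install.log excerpt (shortened).
SAMPLE_LOG = '''\
2016-11-27T21:07:25Z DEBUG Configuring ipa-custodia
2016-11-27T21:07:25Z DEBUG   [1/5]: Generating ipa-custodia config file
2016-11-27T21:07:25Z DEBUG   [2/5]: Generating ipa-custodia keys
2016-11-27T21:07:26Z DEBUG   [3/5]: Importing RA Key
2016-11-27T21:07:26Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/client.py", line 98, in fetch_key
    r.raise_for_status()
HTTPError: 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Multibackend cannot be initialized with no backends.',)]"]
2016-11-27T21:07:26Z ERROR The ipa-replica-install command failed.
'''

SECTION = re.compile(r"DEBUG\s+(Configuring .+)$")
STEP = re.compile(r"\[(\d+)/(\d+)\]: (.+)$")
HTTP_ERR = re.compile(r"HTTPError: (\d{3}) \w+ Error: (.*)$")
NESTED = re.compile(r"\[(\w+)\('(.*?)',?\)\]")  # e.g. [ValueError('text',)]


def triage(log_text):
    """Return where the install stopped and what the HTTP peer reported."""
    section = step = None
    for line in log_text.splitlines():
        err = HTTP_ERR.search(line)
        if err:
            reason = err.group(2)
            nested = NESTED.search(reason)
            return {
                "section": section,
                "step": step,
                "status": int(err.group(1)),
                "peer_message": reason.split("[", 1)[0].strip(),
                "peer_exception": nested.group(1) if nested else None,
                "peer_detail": nested.group(2) if nested else None,
            }
        sec = SECTION.search(line)
        if sec:
            section, step = sec.group(1), None
            continue
        st = STEP.search(line)
        if st:
            step = (int(st.group(1)), int(st.group(2)), st.group(3))
    return None


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```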