[Freeipa-users] Add 4.4 replica to 4.3 server fails

[Martin Babinsky]

On 11/27/2016 11:38 PM, Jochen Hein wrote:
> Jochen Hein <jochen at jochen.org> writes:
>
>> 2016-11-27T21:07:26Z DEBUG The ipa-replica-install command failed, exception: HTTPError: 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Multibackend cannot be initialized with no backends. If you are seeing this error when trying to use default_backend() please try uninstalling and reinstalling cryptography.',)]"]
>> 2016-11-27T21:07:26Z ERROR 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Multibackend cannot be initialized with no backends. If you are seeing this error when trying to use default_backend() please try uninstalling and reinstalling cryptography.',)]"]
>> 2016-11-27T21:07:26Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>>
>> Any idea what's wrong?
>
> Around that time the pki on the old master has this:
>
> 0.Thread-17 - [27/Nov/2016:22:06:47 MEZ] [8] [3] Publishing: Could not
> publish certificate serial number 0x1a. Error Failed to publish using
> rule: No rules enabled
>
> Debug has:
> [27/Nov/2016:22:06:47][Thread-17]: RunListeners:: Queue: 1 noSingleRequest
> [27/Nov/2016:22:06:47][Thread-17]: getRequest  mRequests=1 mSearchForRequests=false
> [27/Nov/2016:22:06:47][Thread-17]: getRequest  getting request: 29
> [27/Nov/2016:22:06:47][Thread-17]: In LdapBoundConnFactory::getConn()
> [27/Nov/2016:22:06:47][Thread-17]: masterConn is connected: true
> [27/Nov/2016:22:06:47][Thread-17]: getConn: conn is connected true
> [27/Nov/2016:22:06:47][Thread-17]: getConn: mNumConns now 4
> [27/Nov/2016:22:06:47][Thread-17]: returnConn: mNumConns now 5
> [27/Nov/2016:22:06:47][Thread-17]: getRequest  request 29 found
> [27/Nov/2016:22:06:47][Thread-17]: getRequest  mRequests=0 mSearchForRequests=false done
> [27/Nov/2016:22:06:47][Thread-17]: RunListeners: IRequestListener = com.netscape.cms.listeners.CertificateIssuedListener
> [27/Nov/2016:22:06:47][Thread-17]: CertificateIssuedListener: accept 29
> [27/Nov/2016:22:06:47][Thread-17]: RunListeners: IRequestListener = com.netscape.ca.CRLIssuingPoint$RevocationRequestListener
> [27/Nov/2016:22:06:47][Thread-17]: RunListeners: IRequestListener = com.netscape.cmscore.ldap.LdapRequestListener
> [27/Nov/2016:22:06:47][Thread-17]: LdapRequestListener handling publishing for enrollment request id 29
> [27/Nov/2016:22:06:47][Thread-17]: Checking publishing for request 29
> [27/Nov/2016:22:06:47][Thread-17]: In  PublisherProcessor::publishCert
> [27/Nov/2016:22:06:47][Thread-17]: Publishing: can't find publishing rule,exiting routine.
> [27/Nov/2016:22:06:47][Thread-17]: PublishProcessor::publishCert : Failed to publish using rule: No rules enabled
> [27/Nov/2016:22:06:47][Thread-17]: RunListeners: IRequestListener = com.netscape.cms.listeners.CertificateRevokedListener
> [27/Nov/2016:22:06:47][Thread-17]: RunListeners: mRequest = 29
> [27/Nov/2016:22:06:47][Thread-17]: updatePublishingStatus mSavePublishingCounter: 3 mSavePublishingStatus: 200
> [27/Nov/2016:22:06:47][Thread-17]: RunListeners:  noQueue  SingleRequest
> [27/Nov/2016:22:06:47][Thread-17]: RequestRepository: setPublishingStatus  mBaseDN: ou=ca,ou=requests,o=ipaca  status: -1
> [27/Nov/2016:22:06:47][Thread-17]: In LdapBoundConnFactory::getConn()
> [27/Nov/2016:22:06:47][Thread-17]: masterConn is connected: true
> [27/Nov/2016:22:06:47][Thread-17]: getConn: conn is connected true
> [27/Nov/2016:22:06:47][Thread-17]: getConn: mNumConns now 4
> [27/Nov/2016:22:06:47][Thread-17]: returnConn: mNumConns now 5
> [27/Nov/2016:22:06:47][Thread-17]: Number of publishing threads: 0
>
> Maybe something in dogtag is missing?
>
> Jochen
>

Hi Jochen,

can you please check the version of python-cryptography on master and 
replica? I remember there used to be problem with pre-0.9 versions 
breaking Custodia.

-- 
Martin^3 Babinsky