On Friday, 3 January 2020, 17:58:00 CET, Rob Crittenden via FreeIPA-users wrote:
Günther J. Niederwimmer via FreeIPA-users wrote:
> On Friday, 3 January 2020, 17:23:46 CET, Rob Crittenden via FreeIPA-users wrote:
>> Günther J. Niederwimmer via FreeIPA-users wrote:
>>> On Friday, 3 January 2020, 16:27:38 CET, Rob Crittenden via FreeIPA-users wrote:
>>>> Günther J. Niederwimmer via FreeIPA-users wrote:
>>>>> Hello,
>>>>>
>>>>> On Thursday, 2 January 2020, 21:37:31 CET, Rob Crittenden via FreeIPA-users wrote:
>>>>>> Günther J. Niederwimmer via FreeIPA-users wrote:
>>>>>>> On Thursday, 2 January 2020, 19:46:47 CET, Rob Crittenden via FreeIPA-users wrote:
>>>>>>>> Günther J. Niederwimmer via FreeIPA-users wrote:
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> this is a new installed Server CentOS 7.7
>>>>>>>>>
>>>>>>>>> but it is not possible to configure this for IPA replica
>>>>>>>>> I have this Error
>>>>>>>>>
>>>>>>>>> ipapython.admintool: ERROR [0:0:6]+[128:32:0] not in asn1Spec: GeneralName(componentType=NamedTypes(NamedType('rfc822Name', IA5String(tagSet=TagSet((), Tag(tagClass=128, tagFormat=0, tagId=1)))), NamedType('dNSName', IA5String(tagSet=TagSet((), Tag(tagClass=128, tagFormat=0, tagId=2)))), NamedType('directoryName', Name(componentType=NamedTypes(NamedType('', RDNSequence())), tagSet=TagSet((), Tag(tagClass=128, tagFormat=0, tagId=4)))), NamedType('uniformResourceIdentifier', IA5String(tagSet=TagSet((), Tag(tagClass=128, tagFormat=0, tagId=6)))), NamedType('iPAddress', OctetString(tagSet=TagSet((), Tag(tagClass=128, tagFormat=0, tagId=7)))), NamedType('registeredID', ObjectIdentifier('<no value>'))))
>>>>>>>>> ipapython.admintool: ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information
>>>>>>>>>
>>>>>>>>> I install before ipa-client-install, this is working but afterward for the replica I Have this Problem?
>>>>>>>>>
>>>>>>>>> firewall Ports are open.
>>>>>>>>
>>>>>>>> More context from the log would help.
>>>>>>>
>>>>>>> I send it to you Rob
>>>>>>>
>>>>>>>> And can you confirm what version of python-pyasn1 is installed, and that
>>>>>>>> you don't have a pip-version installed.
>>>>>>>
>>>>>>> this version is installed
>>>>>>> Paket python2-pyasn1-0.1.9-7.el7.noarch
>>>>>>>
>>>>>>> normal installation
>>>>>>
>>>>>> It is blowing up trying to fetch the subject-alt names out of the Apache
>>>>>> cert on the original master (ipa.xxx.xxx). You didn't happen to replace
>>>>>> the Apache cert on ipa.xxx.xxx did you?
>>>>>
>>>>> NO, this is a "normal" Installation without changing anything ?
>>>>>
>>>>> I make no experiments with certificates?
>>>>>
>>>>> the only thing I remember
>>>>> I have set in host
>>>>>
>>>>> xxx.xxx.xxx.xxx ipa.example.com
>>>>> 2000:yy:yy:yy:yy ipa.example.com
>>>>> xxx.xxx.xxx.xxx ipa.example.com.lan
>>>>>
>>>>>> Can you provide the PEM for that cert?
>>>>>>
>>>>>> On ipa.xxx.xxx:
>>>>>> # certutil -L -d /etc/httpd/alias -n Server-Cert -a
>>>>>
>>>>> I have a normal certificate
>>>>> -----BEGIN CERTIFICATE-----
>>>>> ................................
>>>>> ................
>>>>> .........
>>>>> -----END CERTIFICATE-----
>>>>
>>>> It could be useful for us to see the contents of the cert to see if we
>>>> can duplicate the failure.
>>>
>>> OK is on the way ;)
>>
>> Can you provide the output of:
>>
>> python -c 'from urllib3.contrib import pyopenssl'
>
> there is NO output on master or replica
>
> Thanks for the Help.
>
So that's the problem.

See if you have python[2]-ndg[-_]httpsclient installed.

I don't believe that RHEL ships this package, maybe it is available in
CentOS. You could try removing the package and trying the install again.

Yes I found a package from epel ??

python-ndg_httpsclient.noarch 0.3.2-1.el7 @epel

why this installed I can't say I install only fail2ban from epel ?

NEW information by erase this package, it is from the certbot installation ?

now I test the installation again!

thanks for the Help for the Moment ;-)
--
mit freundlichen Grüßen / best regards
Günther J. Niederwimmer
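
Added example, not part of the thread and not FreeIPA code: the two checks Rob asks for, written as a script. It scans `yum list installed` output for a package matching his python[2]-ndg[-_]httpsclient pattern, including rows that yum wraps onto a second line as with the EPEL entry above, and tests the pyopenssl import. The function names, the constructed sample listing and the reading of Rob's pattern as a regex are assumptions.

```python
import re

# Rob's "python[2]-ndg[-_]httpsclient", read here as a regex (assumption).
NDG_RE = re.compile(r"^python2?-ndg[-_]httpsclient$")

# Constructed sample of `yum list installed` output. The ndg row is wrapped
# onto two lines; the fail2ban version and the @base repo are made up.
SAMPLE = """\
Loaded plugins: fastestmirror
Installed Packages
fail2ban.noarch                  0.10.4-1.el7          @epel
python-ndg_httpsclient.noarch    0.3.2-1.el7
                                                       @epel
python2-pyasn1.noarch            0.1.9-7.el7           @base
"""

def parse_yum_installed(text):
    """Return (name, arch, version, repo) tuples, tolerating wrapped rows."""
    lines = text.splitlines()
    if "Installed Packages" in lines:
        # Drop plugin banners and the section header.
        lines = lines[lines.index("Installed Packages") + 1:]
    # Every entry is exactly three whitespace-free fields, so re-tokenising
    # the whole listing undoes yum's line wrapping.
    tokens = " ".join(lines).split()
    rows = []
    for i in range(0, len(tokens) - 2, 3):
        name, _, arch = tokens[i].rpartition(".")
        rows.append((name, arch, tokens[i + 1], tokens[i + 2].lstrip("@")))
    return rows

def find_ndg_httpsclient(rows):
    """Rows whose package name matches the pattern from Rob's reply."""
    return [row for row in rows if NDG_RE.match(row[0])]

def pyopenssl_contrib_importable():
    """Rob's one-liner as a function: True when the import raises nothing."""
    try:
        from urllib3.contrib import pyopenssl  # noqa: F401
        return True
    except Exception:
        return False

if __name__ == "__main__":
    # Run with the same interpreter ipa-replica-install uses.
    for name, arch, version, repo in find_ndg_httpsclient(parse_yum_installed(SAMPLE)):
        print("found %s.%s %s from repo %s" % (name, arch, version, repo))
    print("urllib3.contrib.pyopenssl importable: %s" % pyopenssl_contrib_importable())
```

On a real host, pass the captured text of `yum list installed` to `parse_yum_installed` in place of `SAMPLE`.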