Günther J. Niederwimmer via FreeIPA-users wrote:
Hello,
On Thursday, 2 January 2020, 21:37:31 CET, Rob Crittenden via FreeIPA-users wrote:
> Günther J. Niederwimmer via FreeIPA-users wrote:
>
>> On Thursday, 2 January 2020, 19:46:47 CET, Rob Crittenden via FreeIPA-users wrote:
>>
>>> Günther J. Niederwimmer via FreeIPA-users wrote:
>>>
>>>> Hello,
>>>>
>>>> This is a newly installed CentOS 7.7 server, but it is not possible to
>>>> configure it as an IPA replica. I get this error:
>>>>
>>>> ipapython.admintool: ERROR [0:0:6]+[128:32:0] not in asn1Spec:
>>>> GeneralName(componentType=NamedTypes(NamedType('rfc822Name',
>>>> IA5String(tagSet=TagSet((), Tag(tagClass=128, tagFormat=0, tagId=1)))),
>>>> NamedType('dNSName', IA5String(tagSet=TagSet((), Tag(tagClass=128,
>>>> tagFormat=0, tagId=2)))), NamedType('directoryName',
>>>> Name(componentType=NamedTypes(NamedType('', RDNSequence())),
>>>> tagSet=TagSet((), Tag(tagClass=128, tagFormat=0, tagId=4)))),
>>>> NamedType('uniformResourceIdentifier', IA5String(tagSet=TagSet((),
>>>> Tag(tagClass=128, tagFormat=0, tagId=6)))), NamedType('iPAddress',
>>>> OctetString(tagSet=TagSet((), Tag(tagClass=128, tagFormat=0,
>>>> tagId=7)))), NamedType('registeredID', ObjectIdentifier('<no value>'))))
>>>> ipapython.admintool: ERROR The ipa-replica-install command failed.
>>>> See /var/log/ipareplica-install.log for more information
>>>>
>>>> I ran ipa-client-install before; this is working, but afterward, for
>>>> the replica, I have this problem.
>>>>
>>>> Firewall ports are open.
>>>
>>> More context from the log would help.
>>
>> I send it to you Rob
>>
>>
>>> And can you confirm what version of python-pyasn1 is installed, and that
>>> you don't have a pip-version installed.
>>
>> this version is installed
>> Paket python2-pyasn1-0.1.9-7.el7.noarch
>>
>> normal installation
>
>
> It is blowing up trying to fetch the subject-alt names out of the Apache
> cert on the original master (ipa.xxx.xxx). You didn't happen to replace
> the Apache cert on ipa.xxx.xxx did you?
No, this is a "normal" installation without changing anything.
I make no experiments with certificates.
The only thing I remember is that I have set in host:
xxx.xxx.xxx.xxx ipa.example.com
2000:yy:yy:yy:yy ipa.example.com
xxx.xxx.xxx.xxx ipa.example.com.lan
> Can you provide the PEM for that cert?
> On ipa.xxx.xxx:
> # certutil -L -d /etc/httpd/alias -n Server-Cert -a
I have a normal certificate
-----BEGIN CERTIFICATE-----
................................
................
.........
-----END CERTIFICATE-----
It could be useful for us to see the contents of the cert to see if we
can duplicate the failure.
rob
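
An added example, not part of the thread and not FreeIPA or pyasn1 code: read as [class:format:id], the `[128:32:0]` in the error is a context-specific, constructed tag 0, which RFC 5280 assigns to the otherName choice of GeneralName, and the asn1Spec printed in the error lists no such choice. The code below walks a subjectAltName value (the DER of GeneralNames) with the standard library only and flags entries outside that printed spec; the function names and the sample bytes are constructed for illustration.

```python
# Added example. Standard library only; sample data is constructed.
# Choices in the asn1Spec printed by the error, keyed by context tag id.
# registeredID is [8] in RFC 5280; the error output prints it without a tag.
SPEC_IDS = {1: "rfc822Name", 2: "dNSName", 4: "directoryName",
            6: "uniformResourceIdentifier", 7: "iPAddress", 8: "registeredID"}

def read_tlv(buf, pos):
    """Return (tag byte, value, next position) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form is not used by GeneralName")
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def pyasn1_tag(tag):
    """Format a tag byte the way the error prints it: [class:format:id]."""
    return "[%d:%d:%d]" % (tag & 0xC0, tag & 0x20, tag & 0x1F)

def san_entries(general_names_der):
    """Return (tag, choice name or None) for each GeneralName entry."""
    tag, body, _ = read_tlv(general_names_der, 0)
    if tag != 0x30:
        raise ValueError("GeneralNames must be a SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        tag, _, pos = read_tlv(body, pos)
        known = (tag & 0xC0) == 0x80 and (tag & 0x1F) in SPEC_IDS
        out.append((pyasn1_tag(tag), SPEC_IDS[tag & 0x1F] if known else None))
    return out

def unsupported(general_names_der):
    """Tags of entries that the printed asn1Spec has no choice for."""
    return [t for t, name in san_entries(general_names_der) if name is None]

def tlv(tag, value):
    """Encode one short-form DER element (value under 128 bytes)."""
    return bytes([tag, len(value)]) + value

# Constructed sample: a dNSName plus an otherName (OID + [0] EXPLICIT value).
OID = tlv(0x06, bytes.fromhex("2b060104018237140203"))  # arbitrary real OID
OTHER = tlv(0xA0, OID + tlv(0xA0, tlv(0x0C, b"host@EXAMPLE.COM")))
SAMPLE = tlv(0x30, tlv(0x82, b"ipa.example.com") + OTHER)

if __name__ == "__main__":
    for entry in san_entries(SAMPLE):
        print(entry)
```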