I'm running a single IPA master 4.3 on an up-to-date Fedora 24. That server has been updated from earlier Fedoras and runs DNS and CA. I've updated domainlevel to 1 manually.
Installed packages in IPA master: [root@freeipa ~]# rpm -qa | grep freeipa freeipa-admintools-4.3.2-2.fc24.noarch freeipa-server-common-4.3.2-2.fc24.noarch freeipa-server-4.3.2-2.fc24.x86_64 freeipa-client-common-4.3.2-2.fc24.noarch freeipa-server-trust-ad-4.3.2-2.fc24.x86_64 freeipa-client-4.3.2-2.fc24.x86_64 freeipa-common-4.3.2-2.fc24.noarch freeipa-python-compat-4.3.2-2.fc24.noarch Now I'd like to switch to a CentOS install, so I installed CentOS 7.2 on a new VM and updated to the CR repo, so I'll get IPA 4.4. Installed packages in new VM: [root@freeipa1 ~]# rpm -qa | grep ipa python2-ipaserver-4.4.0-12.el7.centos.noarch python2-ipalib-4.4.0-12.el7.centos.noarch ipa-server-4.4.0-12.el7.centos.x86_64 python-iniparse-0.4-9.el7.noarch ipa-server-dns-4.4.0-12.el7.centos.noarch ipa-client-common-4.4.0-12.el7.centos.noarch libipa_hbac-1.14.0-43.el7.x86_64 ipa-common-4.4.0-12.el7.centos.noarch ipa-admintools-4.4.0-12.el7.centos.noarch sssd-ipa-1.14.0-43.el7.x86_64 ipa-client-4.4.0-12.el7.centos.x86_64 ipa-python-compat-4.4.0-12.el7.centos.noarch python-libipa_hbac-1.14.0-43.el7.x86_64 python2-ipaclient-4.4.0-12.el7.centos.noarch python-ipaddress-1.0.16-2.el7.noarch ipa-server-common-4.4.0-12.el7.centos.noarch When installing a replica with "ipa-replica-install --setup-ca" I get: [root@freeipa1 ~]# ipa-replica-install --setup-ca Run connection check to master Connection check OK Configuring NTP daemon (ntpd) [1/4]: stopping ntpd [2/4]: writing configuration [3/4]: configuring ntpd to start on boot [4/4]: starting ntpd Done configuring NTP daemon (ntpd). Configuring directory server (dirsrv). Estimated time: 1 minute [1/44]: creating directory server user [2/44]: creating directory server instance [3/44]: updating configuration in dse.ldif [4/44]: restarting directory server [5/44]: adding default schema [6/44]: enabling memberof plugin [7/44]: enabling winsync plugin [8/44]: configuring replication version plugin [9/44]: enabling IPA enrollment plugin [10/44]: enabling ldapi [11/44]: configuring uniqueness plugin [12/44]: configuring uuid plugin [13/44]: configuring modrdn plugin [14/44]: configuring DNS plugin [15/44]: enabling entryUSN plugin [16/44]: configuring lockout plugin [17/44]: configuring topology plugin [18/44]: creating indices [19/44]: enabling referential integrity plugin [20/44]: configuring certmap.conf [21/44]: configure autobind for root [22/44]: configure new location for managed entries [23/44]: configure dirsrv ccache [24/44]: enabling SASL mapping fallback [25/44]: restarting directory server [26/44]: creating DS keytab [27/44]: retrieving DS Certificate [28/44]: restarting directory server [29/44]: setting up initial replication Starting replication, please wait until this has completed. Update in progress, 8 seconds elapsed Update succeeded [30/44]: adding sasl mappings to the directory [31/44]: updating schema [32/44]: setting Auto Member configuration [33/44]: enabling S4U2Proxy delegation [34/44]: importing CA certificates from LDAP [35/44]: initializing group membership [36/44]: adding master entry [37/44]: initializing domain level [38/44]: configuring Posix uid/gid generation [39/44]: adding replication acis [40/44]: enabling compatibility plugin [41/44]: activating sidgen plugin [42/44]: activating extdom plugin [43/44]: tuning directory server [44/44]: configuring directory to start on boot Done configuring directory server (dirsrv). Configuring ipa-custodia [1/5]: Generating ipa-custodia config file [2/5]: Generating ipa-custodia keys [3/5]: Importing RA Key /usr/lib/python2.7/site-packages/urllib3/connection.py:251: SecurityWarning: Certificate has no `subjectAltName`, falling back to check for a `commonName` for now. This feature is being removed by major browsers and deprecated by RFC 2818. (See https://github.com/shazow/urllib3/issues/497 for details.) SecurityWarning [error] HTTPError: 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Multibackend cannot be initialized with no backends. If you are seeing this error when trying to use default_backend() please try uninstalling and reinstalling cryptography.',)]"] Your system may be partly configured. Run /usr/sbin/ipa-server-install --uninstall to clean up. ipa.ipapython.install.cli.install_tool(Replica): ERROR 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Multibackend cannot be initialized with no backends. If you are seeing this error when trying to use default_backend() please try uninstalling and reinstalling cryptography.',)]"] ipa.ipapython.install.cli.install_tool(Replica): ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information In ipareplica-install.log we have: [...] 2016-11-27T21:07:25Z DEBUG Configuring ipa-custodia 2016-11-27T21:07:25Z DEBUG [1/5]: Generating ipa-custodia config file 2016-11-27T21:07:25Z DEBUG duration: 0 seconds 2016-11-27T21:07:25Z DEBUG [2/5]: Generating ipa-custodia keys 2016-11-27T21:07:26Z DEBUG duration: 1 seconds 2016-11-27T21:07:26Z DEBUG [3/5]: Importing RA Key 2016-11-27T21:07:26Z DEBUG Traceback (most recent call last): File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 448, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 438, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 112, in __import_ra_key cli.fetch_key('ra/ipaCert') File "/usr/lib/python2.7/site-packages/ipapython/secrets/client.py", line 98, in fetch_key r.raise_for_status() File "/usr/lib/python2.7/site-packages/requests/models.py", line 834, in raise_for_status raise HTTPError(http_error_msg, response=self) HTTPError: 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Multibackend cannot be initialized with no backends. If you are seeing this error when trying to use default_backend() please try uninstalling and reinstalling cryptography.',)]"] 2016-11-27T21:07:26Z DEBUG [error] HTTPError: 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Multibackend cannot be initialized with no backends. If you are seeing this error when trying to use default_backend() please try uninstalling and reinstalling cryptography.',)]"] 2016-11-27T21:07:26Z DEBUG File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute return_value = self.run() File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run cfgr.run() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run self.execute() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in execute for nothing in self._executor(): File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner self._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 586, in _configure next(executor) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner self._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in _handle_exception self.__parent._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception super(ComponentBase, self)._handle_exception(exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner step() File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda> step = lambda: next(self.__gen) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from six.reraise(*exc_info) File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from value = gen.send(prev_value) File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install for nothing in self._installer(self.parent): File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1714, in main promote(self) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 364, in decorated func(installer) File "/usr/lib/python2.7/site-packages/ipaserver/install/server/replicainstall.py", line 1470, in promote custodia.create_replica(config.master_host_name) File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 95, in create_replica realm=self.realm) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 580, in create_instance self.start_creation("Configuring %s" % self.service_name) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 448, in start_creation run_step(full_msg, method) File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 438, in run_step method() File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 112, in __import_ra_key cli.fetch_key('ra/ipaCert') File "/usr/lib/python2.7/site-packages/ipapython/secrets/client.py", line 98, in fetch_key r.raise_for_status() File "/usr/lib/python2.7/site-packages/requests/models.py", line 834, in raise_for_status raise HTTPError(http_error_msg, response=self) 2016-11-27T21:07:26Z DEBUG The ipa-replica-install command failed, exception: HTTPError: 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Multibackend cannot be initialized with no backends. If you are seeing this error when trying to use default_backend() please try uninstalling and reinstalling cryptography.',)]"] 2016-11-27T21:07:26Z ERROR 406 Client Error: Failed to validate message: No recipient matched the provided key["Failed: [ValueError('Multibackend cannot be initialized with no backends. If you are seeing this error when trying to use default_backend() please try uninstalling and reinstalling cryptography.',)]"] 2016-11-27T21:07:26Z ERROR The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information Any idea what's wrong? Jochen -- The only problem with troubleshooting is that the trouble shoots back. -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
