When FreeIPA server is installed from https://copr-be.cloud.fedoraproject.org/results/@freeipa/freeipa-4-3-centos7/epel-7-$basearch/ on RHEL 7.2, running ipa-server-install fails with
  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
  [1/5]: Generating ipa-custodia config file
  [2/5]: Making sure custodia container exists
  [3/5]: Generating ipa-custodia keys
  [error] ValueError: Only PEM encoding is supported by this backend
ipa.ipapython.install.cli.install_tool(Server): ERROR Only PEM encoding is supported by this backend
ipa.ipapython.install.cli.install_tool(Server): ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
The log ends with
2016-03-17T13:31:31Z DEBUG Updating existing entry: cn=custodia,cn=ipa,cn=etc,dc=example,dc=com
2016-03-17T13:31:31Z DEBUG ---------------------------------------------
2016-03-17T13:31:31Z DEBUG Initial value
2016-03-17T13:31:31Z DEBUG dn: cn=custodia,cn=ipa,cn=etc,dc=example,dc=com
2016-03-17T13:31:31Z DEBUG objectClass:
2016-03-17T13:31:31Z DEBUG nsContainer
2016-03-17T13:31:31Z DEBUG top
2016-03-17T13:31:31Z DEBUG cn:
2016-03-17T13:31:31Z DEBUG custodia
2016-03-17T13:31:31Z DEBUG ---------------------------------------------
2016-03-17T13:31:31Z DEBUG Final value after applying updates
2016-03-17T13:31:31Z DEBUG dn: cn=custodia,cn=ipa,cn=etc,dc=example,dc=com
2016-03-17T13:31:31Z DEBUG objectClass:
2016-03-17T13:31:31Z DEBUG nsContainer
2016-03-17T13:31:31Z DEBUG top
2016-03-17T13:31:31Z DEBUG cn:
2016-03-17T13:31:31Z DEBUG custodia
2016-03-17T13:31:31Z DEBUG []
2016-03-17T13:31:31Z DEBUG Updated 0
2016-03-17T13:31:31Z DEBUG Done
2016-03-17T13:31:31Z DEBUG Destroyed connection context.ldap2_197636560
2016-03-17T13:31:31Z DEBUG duration: 1 seconds
2016-03-17T13:31:31Z DEBUG [3/5]: Generating ipa-custodia keys
2016-03-17T13:31:33Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 447, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 437, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 58, in __gen_keys
    KeyStore.generate_server_keys()
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/kem.py", line 180, in generate_server_keys
    ldapconn.set_key(KEY_USAGE_SIG, self.host, principal, pubkeys[0])
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/kem.py", line 109, in set_key
    public_key = self._format_public_key(key)
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/kem.py", line 106, in _format_public_key
    format=serialization.PublicFormat.SubjectPublicKeyInfo)
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 614, in public_bytes
    self._rsa_cdata
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1199, in _public_key_bytes
    raise ValueError("Only PEM encoding is supported by this backend")
ValueError: Only PEM encoding is supported by this backend
2016-03-17T13:31:33Z DEBUG [error] ValueError: Only PEM encoding is supported by this backend
2016-03-17T13:31:33Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 571, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1469, in main
    install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 265, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 920, in install
    custodia.create_instance(dm_password)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 52, in create_instance
    realm=self.realm)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 578, in create_instance
    self.start_creation("Configuring %s" % self.service_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 447, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 437, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 58, in __gen_keys
    KeyStore.generate_server_keys()
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/kem.py", line 180, in generate_server_keys
    ldapconn.set_key(KEY_USAGE_SIG, self.host, principal, pubkeys[0])
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/kem.py", line 109, in set_key
    public_key = self._format_public_key(key)
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/kem.py", line 106, in _format_public_key
    format=serialization.PublicFormat.SubjectPublicKeyInfo)
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 614, in public_bytes
    self._rsa_cdata
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1199, in _public_key_bytes
    raise ValueError("Only PEM encoding is supported by this backend")
2016-03-17T13:31:33Z DEBUG The ipa-server-install command failed, exception: ValueError: Only PEM encoding is supported by this backend
2016-03-17T13:31:33Z ERROR Only PEM encoding is supported by this backend
2016-03-17T13:31:33Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
The versions are
python-cryptography-0.8.2-1.el7.x86_64
ipa-python-4.3.0-1.el7.centos.x86_64
ipa-server-4.3.0-1.el7.centos.x86_64
Looks like https://github.com/pyca/cryptography/issues/1875, which was fixed in python-cryptography 0.9.
You are using 0.8.2, the COPR repo contains 1.1.
Please try to update python-cryptography and run it again.
Looks like an issue in the spec.
My machine had python-cryptography already installed (I don't see it in the yum install log). Both packages that require it seem to have version-less Requires:
# rpm -q --requires python-jwcrypto-0.2.1-3.el7.centos.noarch ipa-python-4.3.0-1.el7.centos.x86_64 | grep python-crypto
python-cryptography
python-cryptography
Right, IPA doesn't require version >= 0.9 which should be fixed.
So updating the package fixes the issue?
master:
ipa-4-3:
Metadata Update from @adelton:
- Issue assigned to mbabinsk
- Issue set to the milestone: FreeIPA 4.3.1
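
A preflight check for the condition discussed in this ticket, as an added example (not FreeIPA's or python-cryptography's own code): it flags python-cryptography packages below the 0.9 minimum named above and, if the library is importable, probes whether a public key can be serialized as SubjectPublicKeyInfo in DER. The function names are hypothetical, the last sample line is constructed, and DER is assumed to be the encoding the failing call requested, since the backend rejected it as non-PEM.

```python
import re

# Minimum from the ticket: the DER failure is fixed in python-cryptography 0.9.
MIN_VERSION = (0, 9)

# `rpm -q` style lines. The first three are the versions reported in the
# ticket; the last is constructed for contrast (release string is made up).
SAMPLE_RPM_Q = """\
python-cryptography-0.8.2-1.el7.x86_64
ipa-python-4.3.0-1.el7.centos.x86_64
ipa-server-4.3.0-1.el7.centos.x86_64
python-cryptography-0.10-1.el7.x86_64
"""

def parse_nvra(line):
    """Split 'name-version-release.arch' into (name, numeric version tuple)."""
    # The name may contain dashes; version and release never do.
    m = re.match(r"^(.+)-([^-]+)-([^-]+)$", line.strip())
    if not m:
        raise ValueError("not a name-version-release string: %r" % line)
    # Simplification: numeric dotted versions only, no epochs or rpm ordering rules.
    return m.group(1), tuple(int(p) for p in re.findall(r"\d+", m.group(2)))

def too_old(rpm_q_output, package="python-cryptography", minimum=MIN_VERSION):
    """Return the lines for `package` whose version is below `minimum`."""
    stale = []
    for line in filter(str.strip, rpm_q_output.splitlines()):
        name, version = parse_nvra(line)
        if name == package and version < minimum:
            stale.append(line.strip())
    return stale

def der_spki_supported():
    """Probe the installed library: True/False, or None if it is not importable."""
    try:
        from cryptography.hazmat.backends import default_backend
        from cryptography.hazmat.primitives import serialization
        from cryptography.hazmat.primitives.asymmetric import rsa
    except ImportError:
        return None
    key = rsa.generate_private_key(65537, 2048, default_backend())
    try:
        key.public_key().public_bytes(
            encoding=serialization.Encoding.DER,  # assumed: the non-PEM encoding
            format=serialization.PublicFormat.SubjectPublicKeyInfo)
    except ValueError:  # "Only PEM encoding is supported by this backend"
        return False
    return True

if __name__ == "__main__":
    print("below minimum:", too_old(SAMPLE_RPM_Q))
    print("DER SubjectPublicKeyInfo supported:", der_spki_supported())
```

Versions are compared as integer tuples, so 0.10 is correctly treated as newer than 0.9, which a plain string comparison would get wrong.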