#5744 ValueError: Only PEM encoding is supported by this backend
Closed: Fixed None Opened 8 years ago by adelton.

When FreeIPA server is installed from https://copr-be.cloud.fedoraproject.org/results/@freeipa/freeipa-4-3-centos7/epel-7-$basearch/ on RHEL 7.2, running ipa-server-install fails with

  [2/2]: configuring ipa-otpd to start on boot
Done configuring ipa-otpd.
Configuring ipa-custodia
  [1/5]: Generating ipa-custodia config file
  [2/5]: Making sure custodia container exists
  [3/5]: Generating ipa-custodia keys
  [error] ValueError: Only PEM encoding is supported by this backend
ipa.ipapython.install.cli.install_tool(Server): ERROR    Only PEM encoding is supported by this backend
ipa.ipapython.install.cli.install_tool(Server): ERROR    The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

The log ends with

2016-03-17T13:31:31Z DEBUG Updating existing entry: cn=custodia,cn=ipa,cn=etc,dc=example,dc=com
2016-03-17T13:31:31Z DEBUG ---------------------------------------------
2016-03-17T13:31:31Z DEBUG Initial value
2016-03-17T13:31:31Z DEBUG dn: cn=custodia,cn=ipa,cn=etc,dc=example,dc=com
2016-03-17T13:31:31Z DEBUG objectClass:
2016-03-17T13:31:31Z DEBUG  nsContainer
2016-03-17T13:31:31Z DEBUG  top
2016-03-17T13:31:31Z DEBUG cn:
2016-03-17T13:31:31Z DEBUG  custodia
2016-03-17T13:31:31Z DEBUG ---------------------------------------------
2016-03-17T13:31:31Z DEBUG Final value after applying updates
2016-03-17T13:31:31Z DEBUG dn: cn=custodia,cn=ipa,cn=etc,dc=example,dc=com
2016-03-17T13:31:31Z DEBUG objectClass:
2016-03-17T13:31:31Z DEBUG  nsContainer
2016-03-17T13:31:31Z DEBUG  top
2016-03-17T13:31:31Z DEBUG cn:
2016-03-17T13:31:31Z DEBUG  custodia
2016-03-17T13:31:31Z DEBUG []
2016-03-17T13:31:31Z DEBUG Updated 0
2016-03-17T13:31:31Z DEBUG Done
2016-03-17T13:31:31Z DEBUG Destroyed connection context.ldap2_197636560
2016-03-17T13:31:31Z DEBUG   duration: 1 seconds
2016-03-17T13:31:31Z DEBUG   [3/5]: Generating ipa-custodia keys
2016-03-17T13:31:33Z DEBUG Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 447, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 437, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 58, in __gen_keys
    KeyStore.generate_server_keys()
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/kem.py", line 180, in generate_server_keys
    ldapconn.set_key(KEY_USAGE_SIG, self.host, principal, pubkeys[0])
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/kem.py", line 109, in set_key
    public_key = self._format_public_key(key)
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/kem.py", line 106, in _format_public_key
    format=serialization.PublicFormat.SubjectPublicKeyInfo)
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 614, in public_bytes
    self._rsa_cdata
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1199, in _public_key_bytes
    raise ValueError("Only PEM encoding is supported by this backend")
ValueError: Only PEM encoding is supported by this backend

2016-03-17T13:31:33Z DEBUG   [error] ValueError: Only PEM encoding is supported by this backend
2016-03-17T13:31:33Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/cli.py", line 318, in run
    cfgr.run()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 310, in run
    self.execute()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 332, in execute
    for nothing in self._executor():
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 571, in _configure
    next(executor)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 372, in __runner
    self._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 449, in _handle_exception
    self.__parent._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 446, in _handle_exception
    super(ComponentBase, self)._handle_exception(exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 394, in _handle_exception
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 362, in __runner
    step()
  File "/usr/lib/python2.7/site-packages/ipapython/install/core.py", line 359, in <lambda>
    step = lambda: next(self.__gen)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 81, in run_generator_with_yield_from
    six.reraise(*exc_info)
  File "/usr/lib/python2.7/site-packages/ipapython/install/util.py", line 59, in run_generator_with_yield_from
    value = gen.send(prev_value)
  File "/usr/lib/python2.7/site-packages/ipapython/install/common.py", line 63, in _install
    for nothing in self._installer(self.parent):
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 1469, in main
    install(self)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 265, in decorated
    func(installer)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/install.py", line 920, in install
    custodia.create_instance(dm_password)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 52, in create_instance
    realm=self.realm)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 578, in create_instance
    self.start_creation("Configuring %s" % self.service_name)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 447, in start_creation
    run_step(full_msg, method)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/service.py", line 437, in run_step
    method()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/custodiainstance.py", line 58, in __gen_keys
    KeyStore.generate_server_keys()
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/kem.py", line 180, in generate_server_keys
    ldapconn.set_key(KEY_USAGE_SIG, self.host, principal, pubkeys[0])
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/kem.py", line 109, in set_key
    public_key = self._format_public_key(key)
  File "/usr/lib/python2.7/site-packages/ipapython/secrets/kem.py", line 106, in _format_public_key
    format=serialization.PublicFormat.SubjectPublicKeyInfo)
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/rsa.py", line 614, in public_bytes
    self._rsa_cdata
  File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/backends/openssl/backend.py", line 1199, in _public_key_bytes
    raise ValueError("Only PEM encoding is supported by this backend")

2016-03-17T13:31:33Z DEBUG The ipa-server-install command failed, exception: ValueError: Only PEM encoding is supported by this backend
2016-03-17T13:31:33Z ERROR Only PEM encoding is supported by this backend
2016-03-17T13:31:33Z ERROR The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information

The versions are

python-cryptography-0.8.2-1.el7.x86_64
ipa-python-4.3.0-1.el7.centos.x86_64
ipa-server-4.3.0-1.el7.centos.x86_64

Looks like https://github.com/pyca/cryptography/issues/1875, which was fixed in python-cryptography 0.9.

You are using 0.8.2, the COPR repo contains 1.1.

Please try to update python-cryptography and run it again.

Looks like an issue in the spec.

My machine had python-cryptography already installed (I don't see it in the yum install log). Both packages that require it seem to have version-less Requires:

# rpm -q --requires python-jwcrypto-0.2.1-3.el7.centos.noarch ipa-python-4.3.0-1.el7.centos.x86_64 | grep python-crypto
python-cryptography
python-cryptography

Right, IPA doesn't require version >= 0.9 which should be fixed.

So updating the package fixes the issue?

master:

  • aa74995 spec: require python-cryptography newer than 0.9

ipa-4-3:

  • 85d2cc0 spec: require python-cryptography newer than 0.9
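Added example, not part of the original ticket or of FreeIPA's code: a small audit that flags the two conditions discussed above, a version-less Requires on python-cryptography and an installed build older than 0.9. The sample `rpm -q --requires` output, the `>= 0.9` form of the dependency, the 1.1 build name and all function names are assumptions made for illustration.

```python
import re

MIN_VERSION = "0.9"  # first python-cryptography release with the fix, per the ticket

# Constructed `rpm -q --requires` output: the version-less form seen in the
# ticket, and an assumed versioned form of the same dependency.
UNVERSIONED = "python-cryptography\npython-six\nrpmlib(CompressedFileNames) <= 3.0.4-1\n"
VERSIONED = "python-cryptography >= 0.9\npython-six\n"


def parse_requires(text):
    """Map each required capability to (operator, version), or None if version-less."""
    deps = {}
    for line in text.splitlines():
        parts = line.split()
        if parts:
            deps[parts[0]] = (parts[1], parts[2]) if len(parts) == 3 else None
    return deps


def installed_version(nvra, name):
    """Pull the version out of name-version-release.arch."""
    if not nvra.startswith(name + "-"):
        raise ValueError("%s is not a build of %s" % (nvra, name))
    return nvra[len(name) + 1:].split("-")[0]


def older_than(version, minimum):
    """Numeric, zero-padded comparison; a simplification of rpm's own ordering."""
    a = [int(n) for n in re.findall(r"\d+", version)]
    b = [int(n) for n in re.findall(r"\d+", minimum)]
    width = max(len(a), len(b))
    return a + [0] * (width - len(a)) < b + [0] * (width - len(b))


def audit(requires_text, nvra, name="python-cryptography", minimum=MIN_VERSION):
    """Return findings for one dependent package and one installed build."""
    findings = []
    deps = parse_requires(requires_text)
    if name in deps and deps[name] is None:
        findings.append("unversioned-requires")
    if older_than(installed_version(nvra, name), minimum):
        findings.append("installed-too-old")
    return findings


if __name__ == "__main__":
    # First build name is from the ticket; the second is constructed.
    print(audit(UNVERSIONED, "python-cryptography-0.8.2-1.el7.x86_64"))
    print(audit(VERSIONED, "python-cryptography-1.1-1.el7.x86_64"))
```
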

Metadata Update from @adelton:
- Issue assigned to mbabinsk
- Issue set to the milestone: FreeIPA 4.3.1

7 years ago
