ansible-freeipa
Cannot import name ipadiscovery
Short: Running the role ipaclient on two identical CentOS 7 servers. When trying to run ipa-client-install manually I get this:
[server1] # ipa-client-install
Traceback (most recent call last):
File "/sbin/ipa-client-install", line 22, in <module>
from ipaclient.install import ipa_client_install
File "/usr/lib/python2.7/site-packages/ipaclient/install/ipa_client_install.py", line 7, in <module>
from ipaclient.install import client
File "/usr/lib/python2.7/site-packages/ipaclient/install/client.py", line 35, in <module>
from ipalib import api, errors, x509
File "/usr/lib/python2.7/site-packages/ipalib/__init__.py", line 919, in <module>
from ipalib import plugable
File "/usr/lib/python2.7/site-packages/ipalib/plugable.py", line 41, in <module>
from ipalib import errors
File "/usr/lib/python2.7/site-packages/ipalib/errors.py", line 109, in <module>
from ipalib.text import ngettext as ungettext
File "/usr/lib/python2.7/site-packages/ipalib/text.py", line 119, in <module>
from ipalib.request import context
File "/usr/lib/python2.7/site-packages/ipalib/request.py", line 28, in <module>
from ipalib.base import ReadOnly, lock
File "/usr/lib/python2.7/site-packages/ipalib/base.py", line 28, in <module>
from ipalib.constants import NAME_REGEX, NAME_ERROR
File "/usr/lib/python2.7/site-packages/ipalib/constants.py", line 27, in <module>
from ipapython.dn import DN
File "/usr/lib/python2.7/site-packages/ipapython/dn.py", line 425, in <module>
import cryptography.x509
File "/usr/lib64/python2.7/site-packages/cryptography/x509/__init__.py", line 7, in <module>
from cryptography.x509.base import (
File "/usr/lib64/python2.7/site-packages/cryptography/x509/base.py", line 16, in <module>
from cryptography.x509.extensions import Extension, ExtensionType
File "/usr/lib64/python2.7/site-packages/cryptography/x509/extensions.py", line 20, in <module>
from cryptography.hazmat.primitives import constant_time, serialization
File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/primitives/serialization/__init__.py", line 7, in <module>
from cryptography.hazmat.primitives.serialization.base import (
File "/usr/lib64/python2.7/site-packages/cryptography/hazmat/primitives/serialization/base.py", line 13, in <module>
from cryptography.hazmat.backends import _get_backend
ImportError: cannot import name _get_backend
While on the other server this works great.
[server2] # ipa-client-install
IPA client is already configured on this system.
If you want to reinstall the IPA client, uninstall it first using 'ipa-client-install --uninstall'.
The ipa-client-install command failed. See /var/log/ipaclient-install.log for more information
Is the problem with ansible-freeipa or with FreeIPA?
If the problem is (or seems to be) with ansible-freeipa, we need some more information about your setup. Please provide the package versions for:
- ansible
- ansible-freeipa
- ipa-client
- python2-cryptography
Version 4.6.8.
Running the ipaclient_join module, I get the following:
fatal: [server1.example]: FAILED! => {"changed": false, "msg": "Cannot obtain CA certificate\n'ldap://idm.example' doesn't have a certificate."}
Checking the logs in /var/log/ipaclient-install.log:
fatal: [server1.example]: FAILED! => {"changed": false, "msg": "Cannot obtain CA certificate\n'ldap://idm.example' doesn't have a certificate."}
DEBUG trying to retrieve CA cert via LDAP from idm.example
DEBUG retrieving schema for SchemaCache url=ldap://idm.example:389 conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7fbb854a2950>
ERROR unable to convert the attribute u'cacertificate;binary' value '0. BINARY DATA' to type <class 'cryptography.x509.base.Certificate'>
DEBUG get_ca_certs_from_ldap() error: unsupported format character '\' (0x5c) at index 723
DEBUG unsupported format character '\' (0x5c) at index 723
To fix it, first convert the existing CA certificate into DER format:
$ openssl x509 -in /etc/ipa/ca.crt -out /tmp/ca.der -outform der
Then remove the current value from LDAP and replace it with the correct format (replace the domain to match your own):
$ ldapmodify -x -D 'cn=directory manager' -W
Enter LDAP Password:
dn: cn=CAcert,cn=ipa,cn=etc,dc=example
changetype: modify
delete: cACertificate;binary
-
add: cACertificate;binary
cACertificate;binary:< file:///tmp/ca.der
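The procedure above (convert the CA certificate to DER, then delete and re-add the cACertificate;binary value) can be checked and scripted before touching the directory. The following is an added example, not code from ansible-freeipa or FreeIPA: it classifies whatever is currently stored in the attribute as DER, PEM or neither by parsing the outer DER SEQUENCE header, converts a PEM block to DER the way `openssl x509 -outform der` does, and emits the same LDIF as the reply but with the DER value inline in base64 (the LDIF `::` form), so no temporary file is needed. The sample certificate bytes are constructed (a minimal DER SEQUENCE, not a real certificate) purely to exercise the checks; the DN and the function names are this example's own.

```python
import base64
import re

# Constructed sample, not a real CA certificate: the smallest DER SEQUENCE
# (SEQUENCE { INTEGER 5 }) is enough to exercise the DER length check.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(SAMPLE_DER).decode()
    + "\n-----END CERTIFICATE-----\n"
)

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def der_length(data):
    """Return the total encoded length of the outer DER SEQUENCE in data, or
    None if data does not start with a well-formed SEQUENCE header."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n following length bytes
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify_value(raw):
    """Classify the bytes held in cACertificate;binary: 'der' if they form one
    complete DER SEQUENCE, 'pem' if they are a PEM block, else 'unknown'."""
    if der_length(raw) == len(raw):
        return "der"
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return "unknown"
    return "pem" if _PEM_RE.search(text) else "unknown"


def pem_to_der(text):
    """Equivalent of `openssl x509 -outform der` for a single PEM certificate."""
    m = _PEM_RE.search(text)
    if m is None:
        raise ValueError("no PEM CERTIFICATE block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der_length(der) != len(der):
        raise ValueError("decoded PEM body is not a single DER SEQUENCE")
    return der


def build_ldif(dn, der):
    """LDIF that removes every current cACertificate;binary value and adds the
    DER bytes inline; '::' marks a base64-encoded value in LDIF."""
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "delete: cACertificate;binary\n"
        "-\n"
        "add: cACertificate;binary\n"
        f"cACertificate;binary:: {base64.b64encode(der).decode()}\n"
    )


if __name__ == "__main__":
    # Hypothetical DN matching the reply above; replace dc=example with your domain.
    print(classify_value(SAMPLE_PEM.encode()))
    print(build_ldif("cn=CAcert,cn=ipa,cn=etc,dc=example", pem_to_der(SAMPLE_PEM)))
```

Run classify_value on the raw value fetched with ldapsearch before modifying anything: a result of "der" means the stored value is already a single DER certificate and the attribute is not the cause. The generated LDIF is fed to `ldapmodify -x -D 'cn=directory manager' -W` exactly as in the reply.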
@tscherf This is the first time this has happened, though server2 does not have this issue, nor do any other of my clients/servers. I've downgraded pyasn1 and pyasn1-modules on server1 to match server2 using python2 (pyasn1: 0.1.9 and pyasn1-modules: 0.0.8).
This works flawlessly on server2, but not on server1...