Package: python3-ipaclient
Severity: important
Version: 4.11.1-2
Tags: upstream, fixed-upstream
Forwarded: https://lists.fedorahosted.org/archives/list/freeipa-us...@lists.fedorahosted.org/thread/PLR7R2FIZXNOQFMT3XWMBK3UYI7FWVMY/

Hello,

A few days ago, python-cryptography 42.0 entered Debian testing. This
unfortunately breaks FreeIPA. When joining an existing IPA server (running on
CentOS 8, but doesn't matter much), joining the domain fails with

| unable to convert the attribute 'cacertificate;binary' value b'0\x82[...]' to type <class 'cryptography.x509.base.Certificate'>
| Cannot obtain CA certificate
| 'ldap://f0.cockpit.lan' doesn't have a certificate.

/var/log/ipaclient-install.log has a very long traceback, excerpts:

| 2024-05-07T04:16:52Z DEBUG Traceback (most recent call last):
|   File "/usr/lib/python3/dist-packages/ipapython/ipaldap.py", line 1031, in decode
|     return x509.load_der_x509_certificate(val)
|            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|   File "/usr/lib/python3/dist-packages/ipalib/x509.py", line 445, in load_der_x509_certificate
|     return IPACertificate(
|            ^^^^^^^^^^^^^^^
| TypeError: Can't instantiate abstract class IPACertificate with abstract methods not_valid_after_utc, not_valid_before_utc
|
| During handling of the above exception, another exception occurred:
|
| Traceback (most recent call last):
|   File "/usr/lib/python3/dist-packages/ipapython/ipaldap.py", line 374, in _sync_attr
|     value = self._conn.decode(value, name)
|             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|   File "/usr/lib/python3/dist-packages/ipapython/ipaldap.py", line 1037, in decode
|     raise ValueError(msg)
| ValueError: unable to convert the attribute 'cacertificate;binary' value b'[...]' to type <class 'cryptography.x509.base.Certificate'>
|
| During handling of the above exception, another exception occurred:
|
| Traceback (most recent call last):
|   File "/usr/lib/python3/dist-packages/ipaclient/install/client.py", line 1739, in get_certs_from_ldap
|     certs = certstore.get_ca_certs(conn, base_dn, realm, ca_enabled)
|             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|   File "/usr/lib/python3/dist-packages/ipalib/install/certstore.py", line 310, in get_ca_certs
|     for cert in entry.get('cACertificate;binary', []):
|                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|   File "<frozen _collections_abc>", line 774, in get
|   File "/usr/lib/python3/dist-packages/ipapython/ipaldap.py", line 510, in __getitem__
|     return self._get_nice(name)
|            ^^^^^^^^^^^^^^^^^^^^
|   File "/usr/lib/python3/dist-packages/ipapython/ipaldap.py", line 485, in _get_nice
|     self._sync_attr(name)
|   File "/usr/lib/python3/dist-packages/ipapython/ipaldap.py", line 376, in _sync_attr
|     raise ValueError("{error} in LDAP entry '{dn}'".format(
| ValueError: unable to convert the attribute 'cacertificate;binary' value [...]

This was already reported upstream (see "Forwarded:" above), and fixed in
upstream git 4 months ago:

https://pagure.io/freeipa/c/a45a7a20d96af51d463a285cb9318582720be708?branch=master

Unfortunately there hasn't been a new release since then. But I applied the
patch straight to /usr/lib/python3/dist-packages/, it applies with some fuzz,
and joining the domain works fine afterwards.

Thanks,
Martin
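The TypeError in the traceback is the generic Python failure mode when a library adds new abstract members to a base class that a downstream project subclasses: every existing subclass stops being instantiable until it implements them. The following is an added illustration, not code from this bug report or from FreeIPA. It uses a small stand-in ABC (hypothetical `CertificateBaseOld` / `CertificateBaseNew`, a constructed `_FakeBackendCert`) to model the pre- and post-42.0 base class; the real `cryptography.x509.Certificate` and `IPACertificate` are not used, and the compatibility wrapper shown is one generic way to satisfy both old and new bases, not the upstream patch.

```python
"""Model of the 'abstract class ... with abstract methods *_utc' failure.

Constructed example. CertificateBaseOld/CertificateBaseNew stand in for the
library's abstract base before and after new abstract members were added;
they are NOT cryptography's real classes and this is NOT FreeIPA's code.
"""
import abc
from datetime import datetime, timezone


class CertificateBaseOld(abc.ABC):
    """Stand-in for the older base: only naive validity datetimes are abstract."""

    @property
    @abc.abstractmethod
    def not_valid_before(self) -> datetime: ...

    @property
    @abc.abstractmethod
    def not_valid_after(self) -> datetime: ...


class CertificateBaseNew(CertificateBaseOld):
    """Stand-in for the newer base: timezone-aware variants are also abstract."""

    @property
    @abc.abstractmethod
    def not_valid_before_utc(self) -> datetime: ...

    @property
    @abc.abstractmethod
    def not_valid_after_utc(self) -> datetime: ...


class _FakeBackendCert:
    """Constructed stand-in for the parsed certificate a wrapper delegates to.

    It only exposes the naive properties, like an older backend would.
    """
    not_valid_before = datetime(2024, 1, 1, 0, 0, 0)
    not_valid_after = datetime(2025, 1, 1, 0, 0, 0)


def _as_utc(cert, attr):
    """Return a timezone-aware datetime for `attr` ("not_valid_before"/"after").

    Prefer the backend's own *_utc property when it exists (newer backend);
    otherwise treat the naive value as UTC, which is how X.509 validity
    times are defined.
    """
    utc_value = getattr(cert, attr + "_utc", None)
    if utc_value is not None:
        return utc_value
    return getattr(cert, attr).replace(tzinfo=timezone.utc)


class OldStyleWrapper(CertificateBaseNew):
    """Wrapper written against the old base: lacks the new *_utc members."""

    def __init__(self, cert):
        self._cert = cert

    @property
    def not_valid_before(self):
        return self._cert.not_valid_before

    @property
    def not_valid_after(self):
        return self._cert.not_valid_after


class CompatWrapper(OldStyleWrapper):
    """Same wrapper plus the *_utc members, so it instantiates under both bases."""

    @property
    def not_valid_before_utc(self):
        return _as_utc(self._cert, "not_valid_before")

    @property
    def not_valid_after_utc(self):
        return _as_utc(self._cert, "not_valid_after")


def try_load(wrapper_cls, cert):
    """Instantiate `wrapper_cls` around `cert`; return (instance, error_message).

    Mirrors what happens inside a load_der_x509_certificate-style helper:
    an ABC with unimplemented members raises TypeError at construction.
    """
    try:
        return wrapper_cls(cert), None
    except TypeError as exc:
        return None, str(exc)


if __name__ == "__main__":
    backend = _FakeBackendCert()
    broken, err = try_load(OldStyleWrapper, backend)
    print("old-style wrapper:", err)
    fixed, _ = try_load(CompatWrapper, backend)
    print("compat wrapper:", fixed.not_valid_after_utc.isoformat())
```

Running the script reproduces the report's TypeError for `OldStyleWrapper` (the message names the missing `not_valid_after_utc` / `not_valid_before_utc`), while `CompatWrapper` constructs and yields timezone-aware validity times. The practical check for a packager is the same: instantiate the wrapper class against the newly shipped base class in a test, so an ABC change in a dependency is caught before it reaches the domain-join path.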