Antoine Gatineau via FreeIPA-users wrote:
> Hello,
>
> When enrolling an opensuse tumbleweed client, ipa-client-install fails to
> get the cacertificate from ldap with error:
>
> 2024-04-30T11:23:16Z DEBUG Initializing principal adminprincipal using
> password
> 2024-04-30T11:23:16Z DEBUG Starting external process
> 2024-04-30T11:23:16Z DEBUG args=['/usr/bin/kinit', 'adminuser', '-c',
> '/tmp/krbcc2swf0edk/ccache']
> 2024-04-30T11:23:16Z DEBUG Process finished, return code=0
> 2024-04-30T11:23:16Z DEBUG stdout=Password for adminuser:
>
> 2024-04-30T11:23:16Z DEBUG stderr=
> 2024-04-30T11:23:16Z DEBUG trying to retrieve CA cert via LDAP from
> ipa-server-01.empire.lan
> 2024-04-30T11:23:16Z DEBUG retrieving schema for SchemaCache
> url=ldap://ipa-server-01.empire.lan:389
> conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f020cb3f490>
> 2024-04-30T11:23:17Z ERROR unable to convert the attribute
> 'cacertificate;binary' value
> b'0\x82\x04\x.........ETC........................................' to
> type <class 'cryptography.x509.base.Certificate'>
> 2024-04-30T11:23:17Z DEBUG get_ca_certs_from_ldap() error: %i format: a
> real number is required, not dict
> 2024-04-30T11:23:17Z DEBUG %i format: a real number is required, not dict
> 2024-04-30T11:23:17Z ERROR Cannot obtain CA certificate
> 'ldap://ipa-server-01.empire.lan' doesn't have a certificate.
> 2024-04-30T11:23:17Z ERROR Installation failed. Rolling back changes.
>
> ipa server is 4.11.0 (centos stream 9 latest)
>
> ipa client is 4.11.1 (opensuse tumbleweed) from this source:
> https://build.opensuse.org/package/show/security%3Aidm/freeipa
>
>
> With debian 12 and ipa-client 4.9.11 the enrollment succeeds.
>
> With centos stream 9 and ipa-client 4.11.0 the enrollment succeeds.
>
> Is there a limitation with clients newer than the server?

Not usually.

> What can I check to fix this issue?

I'd start with comparing what version of python-cryptography is on the
working vs non-working systems.

rob
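
An added example, not part of the thread and not FreeIPA code: a small script to run on both a working and a failing client, which reports the installed python-cryptography version and the parser's own exception, since the log above ends in a `%i format` message instead. It assumes the CA certificate has been saved to a file as PEM or DER and that the conversion goes through cryptography's DER loader; the function names are hypothetical.

```python
#!/usr/bin/env python3
"""Added diagnostic: report python-cryptography's version and whether it parses a CA cert."""
import base64
import re
import sys
from importlib import metadata


def to_der(data: bytes) -> bytes:
    """Accept PEM or raw DER and return DER bytes."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  data, re.S)
    return base64.b64decode(m.group(1)) if m else data


def der_outer_ok(der: bytes) -> bool:
    """True if the blob is one DER SEQUENCE whose length field matches its size."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: length is this byte
        return len(der) == 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def probe(data: bytes) -> dict:
    """Collect the facts to compare between the working and failing client."""
    der = to_der(data)
    result = {"python": sys.version.split()[0], "cryptography": None,
              "der_outer_ok": der_outer_ok(der), "parsed": False, "error": None}
    try:
        result["cryptography"] = metadata.version("cryptography")
        from cryptography import x509
        cert = x509.load_der_x509_certificate(der)
        result["parsed"] = True
        result["subject"] = cert.subject.rfc4514_string()
    except Exception as exc:              # keep the real exception text
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:   # path to a PEM or DER copy of the CA cert
        for key, value in probe(fh.read()).items():
            print(f"{key}: {value}")
```

If `der_outer_ok` is True on both hosts but `parsed` differs, the stored certificate is structurally intact and the difference lies in the client's library version.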