I used the cert you provided us out-of-band and was able to load it in
Fedora rawhide with cryptography-42.0.5, same (I think) as tumbleweed
unless tumbleweed includes some additional change.

Let's try excluding LDAP from the picture.

Can you copy /etc/ipa/ca.crt from a working install to /tmp/ca.crt. Then
pass --ca-cert-file=/tmp/ca.crt to ipa-client-install.

It may well still fail but it may give us additional data points. If it
works we've also narrowed things down.

Our LDAP code automatically translates attributes into their expected
data types. In this case a certificate into a python-cryptography
Certificate class. This is where it is blowing up now.

rob

Antoine Gatineau wrote:
> 
> On 4/30/24 15:34, Rob Crittenden wrote:
>> Antoine Gatineau via FreeIPA-users wrote:
>>> Hello,
>>>
>>> When enrolling an openSUSE Tumbleweed client, ipa-client-install fails to
>>> get the CA certificate from LDAP with error:
>>>
>>> 2024-04-30T11:23:16Z DEBUG Initializing principal adminprincipal using
>>> password
>>> 2024-04-30T11:23:16Z DEBUG Starting external process
>>> 2024-04-30T11:23:16Z DEBUG args=['/usr/bin/kinit', 'adminuser', '-c',
>>> '/tmp/krbcc2swf0edk/ccache']
>>> 2024-04-30T11:23:16Z DEBUG Process finished, return code=0
>>> 2024-04-30T11:23:16Z DEBUG stdout=Password for adminuser:
>>>
>>> 2024-04-30T11:23:16Z DEBUG stderr=
>>> 2024-04-30T11:23:16Z DEBUG trying to retrieve CA cert via LDAP from
>>> ipa-server-01.empire.lan
>>> 2024-04-30T11:23:16Z DEBUG retrieving schema for SchemaCache
>>> url=ldap://ipa-server-01.empire.lan:389
>>> conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f020cb3f490>
>>> 2024-04-30T11:23:17Z ERROR unable to convert the attribute
>>> 'cacertificate;binary' value
>>> b'0\x82\x04\x.........ETC........................................' to
>>> type <class 'cryptography.x509.base.Certificate'>
>>> 2024-04-30T11:23:17Z DEBUG get_ca_certs_from_ldap() error: %i format: a
>>> real number is required, not dict
>>> 2024-04-30T11:23:17Z DEBUG %i format: a real number is required, not dict
>>> 2024-04-30T11:23:17Z ERROR Cannot obtain CA certificate
>>> 'ldap://ipa-server-01.empire.lan' doesn't have a certificate.
>>> 2024-04-30T11:23:17Z ERROR Installation failed. Rolling back changes.
>>>
>>> ipa server is 4.11.0 (centos stream 9 latest)
>>>
>>> ipa client is 4.11.1 (opensuse tumbleweed) from this source:
>>> https://build.opensuse.org/package/show/security%3Aidm/freeipa
>>>
>>>
>>> With debian 12 and ipa-client 4.9.11 the enrollment succeeds.
>>>
>>> With centos stream 9 and ipa-client 4.11.0 the enrollment succeeds.
>>>
>>> Is there a limitation with clients newer than the server?
>> Not usually.
>>
>>> What can I check to fix this issue?
>> I'd start with comparing what version of python-cryptography is on the
>> working vs non-working systems.
> 
> debian: 38.0.4-3 (python 3.11)
> 
> centos stream: 36.0.1-4.el9 (python 3.9)
> 
> tumbleweed: python311-cryptography 42.0.5-1.1
> 
> Indeed, it is quite newer on tumbleweed.
> 
> https://cryptography.io/en/latest/changelog/
> There are some deprecations in 39.0 that might be in play but I don't
> know exactly what is used by ipa.
> 
>   *
> 
>     *BACKWARDS INCOMPATIBLE:* Removed the |encode_point| and
>     |from_encoded_point| methods on |EllipticCurvePublicNumbers|
>     
> <https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec/#cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicNumbers>,
>     which had been deprecated for several years. |public_bytes()|
>     
> <https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec/#cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.public_bytes>
>     and |from_encoded_point()|
>     
> <https://cryptography.io/en/latest/hazmat/primitives/asymmetric/ec/#cryptography.hazmat.primitives.asymmetric.ec.EllipticCurvePublicKey.from_encoded_point>
>     should be used instead.
> 
>   *
> 
>     *BACKWARDS INCOMPATIBLE:* Support for using MD5 or SHA1 in
>     |CertificateBuilder|
>     
> <https://cryptography.io/en/latest/x509/reference/#cryptography.x509.CertificateBuilder>,
>     other X.509 builders, and PKCS7 has been removed.
> 
>> rob
>>
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
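The attribute-translation step Rob describes (an LDAP `cacertificate;binary` value turned into a python-cryptography `Certificate`), as an added example that is not FreeIPA's own code. It does the cheap check a practitioner wants before the X.509 parser sees the bytes (does the DER length in the `0\x82..` header match what LDAP returned?), wraps a failed conversion in an error message that names the attribute, and reproduces the secondary `%i format: a real number is required, not dict` error from the log, which is what Python raises when a printf-style `%i` is applied to a dict. `SAMPLE_DER` is a constructed DER SEQUENCE, not a certificate; `failing_loader` is a hypothetical stand-in used to show the error path; the real path assumes python-cryptography is installed.

```python
"""Translate an LDAP 'cACertificate;binary' value into a python-cryptography
Certificate, with the framing check and error reporting an installer wants
when the conversion fails.  Added example; not FreeIPA's code."""

# Constructed stand-in for the attribute value: a DER SEQUENCE whose header is
# 0x30 0x82 <2-byte length>, the same shape as the b'0\x82\x04...' in the log.
# It is NOT a certificate, only a correctly framed 260-byte DER object.
SAMPLE_DER = b"\x30\x82\x01\x00" + b"\x04\x81\xfd" + b"A" * 253
SAMPLE_ENTRY = {"cACertificate;binary": [SAMPLE_DER]}  # one LDAP search result


def der_outer_length(blob: bytes) -> int:
    """Total encoded length of the outermost DER element in blob.

    Handles short-form (< 0x80) and long-form (0x8N, N length bytes) lengths.
    """
    if len(blob) < 2 or blob[0] != 0x30:
        raise ValueError("value does not start with a DER SEQUENCE (0x30)")
    first = blob[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or len(blob) < 2 + n:
        raise ValueError("truncated or indefinite DER length")
    return 2 + n + int.from_bytes(blob[2:2 + n], "big")


def check_der_framing(blob: bytes) -> int:
    """Pre-check before handing bytes to the X.509 parser: the declared length
    must equal the number of bytes LDAP returned (no truncation, no trailing
    garbage).  Returns the declared length on success."""
    declared = der_outer_length(blob)
    if declared != len(blob):
        raise ValueError(f"DER declares {declared} bytes, LDAP returned {len(blob)}")
    return declared


def attr_to_certificate(entry: dict, attr: str = "cACertificate;binary", loader=None):
    """Convert one LDAP attribute value to a cryptography x509.Certificate.

    `loader` defaults to cryptography's load_der_x509_certificate; a stub can
    be injected to exercise the failure path without a real certificate.
    """
    values = entry.get(attr)
    if not values:
        raise KeyError(f"{attr!r} not present in entry")
    raw = values[0]
    check_der_framing(raw)
    if loader is None:
        from cryptography import x509  # imported lazily; only this path needs it
        loader = x509.load_der_x509_certificate
    try:
        return loader(raw)
    except Exception as exc:
        # f-strings here: a printf-style '%i' with the wrong operand type
        # would raise a second TypeError and mask the real failure.
        raise ValueError(
            f"unable to convert the attribute {attr!r} value "
            f"{raw[:4]!r}... to type x509.Certificate: {exc}"
        ) from exc


def failing_loader(raw: bytes):
    """Hypothetical loader that rejects everything, to demonstrate the error path."""
    raise ValueError("not a certificate")


def conversion_error_message(entry: dict, loader=None) -> str:
    """Return the message attr_to_certificate raises, or '' if it succeeds."""
    try:
        attr_to_certificate(entry, loader=loader)
    except ValueError as exc:
        return str(exc)
    return ""


def percent_i_on_dict_message() -> str:
    """Reproduce the secondary error in the log: '%i' applied to a dict rather
    than a number raises TypeError('%i format: a real number is required,
    not dict') on Python 3.10+ (older versions say 'a number')."""
    try:
        "%i" % {"cACertificate;binary": [b"0\x82"]}
    except TypeError as exc:
        return str(exc)
    return ""


if __name__ == "__main__":
    print("framing ok, declared length", check_der_framing(SAMPLE_DER))
    print(conversion_error_message(SAMPLE_ENTRY, loader=failing_loader))
    print(percent_i_on_dict_message())
```

With a real `/etc/ipa/ca.crt` converted to DER (`openssl x509 -in /tmp/ca.crt -outform DER`) in place of `SAMPLE_DER` and no `loader` argument, `attr_to_certificate` returns the parsed certificate; whether that call succeeds on the Tumbleweed cryptography 42.0.5 is exactly the data point Rob's `--ca-cert-file` experiment is meant to isolate from the LDAP path.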