[Pkg-freeipa-devel] Bug#1070680: freeipa-client: unable to convert the attribute 'cacertificate; binary' value

Martin Pitt mpitt at debian.org
Tue May 7 05:26:57 BST 2024


Package: python3-ipaclient
Severity: important
Version: 4.11.1-2
Tags: upstream, fixed-upstream
Forwarded: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/PLR7R2FIZXNOQFMT3XWMBK3UYI7FWVMY/

Hello,

A few days ago, python-cryptography 42.0 entered Debian testing. This
unfortunately breaks FreeIPA. When joining an existing IPA server (running on
CentOS 8, but that doesn't matter much), the domain join fails with

| unable to convert the attribute 'cacertificate;binary' value b'0\x82[...]' to type <class 'cryptography.x509.base.Certificate'>
| Cannot obtain CA certificate
| 'ldap://f0.cockpit.lan' doesn't have a certificate.

/var/log/ipaclient-install.log has a very long traceback, excerpts:

| 2024-05-07T04:16:52Z DEBUG Traceback (most recent call last):
|   File "/usr/lib/python3/dist-packages/ipapython/ipaldap.py", line 1031, in decode
|     return x509.load_der_x509_certificate(val)
|            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|   File "/usr/lib/python3/dist-packages/ipalib/x509.py", line 445, in load_der_x509_certificate
|     return IPACertificate(
|            ^^^^^^^^^^^^^^^
| TypeError: Can't instantiate abstract class IPACertificate with abstract methods not_valid_after_utc, not_valid_before_utc
|
| During handling of the above exception, another exception occurred:
|
| Traceback (most recent call last):
|   File "/usr/lib/python3/dist-packages/ipapython/ipaldap.py", line 374, in _sync_attr
|     value = self._conn.decode(value, name)
|             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|   File "/usr/lib/python3/dist-packages/ipapython/ipaldap.py", line 1037, in decode
|     raise ValueError(msg)
| ValueError: unable to convert the attribute 'cacertificate;binary' value b'[...]' to type <class 'cryptography.x509.base.Certificate'>
|
| During handling of the above exception, another exception occurred:
|
| Traceback (most recent call last):
|   File "/usr/lib/python3/dist-packages/ipaclient/install/client.py", line 1739, in get_certs_from_ldap
|     certs = certstore.get_ca_certs(conn, base_dn, realm, ca_enabled)
|             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|   File "/usr/lib/python3/dist-packages/ipalib/install/certstore.py", line 310, in get_ca_certs
|     for cert in entry.get('cACertificate;binary', []):
|                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
|   File "<frozen _collections_abc>", line 774, in get
|   File "/usr/lib/python3/dist-packages/ipapython/ipaldap.py", line 510, in __getitem__
|     return self._get_nice(name)
|            ^^^^^^^^^^^^^^^^^^^^
|   File "/usr/lib/python3/dist-packages/ipapython/ipaldap.py", line 485, in _get_nice
|     self._sync_attr(name)
|   File "/usr/lib/python3/dist-packages/ipapython/ipaldap.py", line 376, in _sync_attr
|     raise ValueError("{error} in LDAP entry '{dn}'".format(
| ValueError: unable to convert the attribute 'cacertificate;binary' value [...]

This was already reported upstream (see "Forwarded:" above), and fixed in
upstream git 4 months ago:

   https://pagure.io/freeipa/c/a45a7a20d96af51d463a285cb9318582720be708?branch=master

Unfortunately there hasn't been a new release since then. But I applied the
patch straight to /usr/lib/python3/dist-packages/ , it applies with some fuzz,
and joining the domain works fine afterwards.

Thanks,

Martin
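The first traceback above is a plain Python mechanism rather than anything LDAP-specific: IPACertificate subclasses cryptography's abstract Certificate base, cryptography 42 declared two new abstract members (not_valid_before_utc, not_valid_after_utc), and a subclass that does not implement every abstract member of its bases cannot be instantiated. The example below is added here and is not FreeIPA or python-cryptography code; the CertificateV41/CertificateV42 classes are constructed stand-ins that mirror only the two member names from the traceback, and the assumption that the naive datetimes are UTC (as X.509 validity times are) is this example's, not a statement about the upstream patch. It shows a check that lists the unimplemented abstract members of a wrapper class (what you would run against a dependency upgrade before it reaches a domain join), and the compatible fix pattern of supplying the new accessors in terms of the old ones.

```python
"""Added example (not FreeIPA or python-cryptography code): a wrapper class
breaking when its abstract base gains new abstract members, plus a check
and a version-tolerant fix.  Base classes are constructed stand-ins."""
import abc
from datetime import datetime, timezone


class CertificateV41(abc.ABC):
    """Stand-in for the older abstract base: naive datetime accessors only."""

    @property
    @abc.abstractmethod
    def not_valid_before(self) -> datetime: ...

    @property
    @abc.abstractmethod
    def not_valid_after(self) -> datetime: ...


class CertificateV42(CertificateV41):
    """Stand-in for the newer base: adds the two abstract *_utc accessors
    named in the reported TypeError."""

    @property
    @abc.abstractmethod
    def not_valid_before_utc(self) -> datetime: ...

    @property
    @abc.abstractmethod
    def not_valid_after_utc(self) -> datetime: ...


class OldWrapper(CertificateV42):
    """Wrapper written against the old interface, now built on the new base.
    It implements the pre-42 members only, so it is still abstract."""

    def __init__(self, not_before: datetime, not_after: datetime):
        self._nb, self._na = not_before, not_after

    @property
    def not_valid_before(self) -> datetime:
        return self._nb

    @property
    def not_valid_after(self) -> datetime:
        return self._na


class FixedWrapper(OldWrapper):
    """Same wrapper with the new accessors supplied in terms of the old ones.
    Assumption of this example: the naive values are UTC, so attaching
    timezone.utc does not shift them."""

    @property
    def not_valid_before_utc(self) -> datetime:
        return self._nb.replace(tzinfo=timezone.utc)

    @property
    def not_valid_after_utc(self) -> datetime:
        return self._na.replace(tzinfo=timezone.utc)


def missing_abstract_members(cls: type) -> list:
    """Abstract members of cls's bases that cls has not implemented.
    A non-empty list means cls(...) raises TypeError, as in the report."""
    return sorted(getattr(cls, "__abstractmethods__", ()))


def try_instantiate(cls: type):
    """Return None if cls can be built, else the TypeError message."""
    try:
        cls(datetime(2024, 1, 1), datetime(2025, 1, 1))
    except TypeError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for cls in (OldWrapper, FixedWrapper):
        print(cls.__name__, "missing:", missing_abstract_members(cls),
              "error:", try_instantiate(cls))
```

Running `missing_abstract_members` over the classes you subclass from a dependency is a cheap pre-upgrade check: it reads `__abstractmethods__`, which ABCMeta computes at class-creation time, so it finds the problem without constructing an object or talking to an LDAP server. The fix pattern keeps the wrapper working on both the old and the new base, since the extra properties are simply unused when the base does not declare them.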


