[Pkg-freeipa-devel] Bug#1118599: ipa-client-install fails after python3-cryptography upgrade

Jelle van der Waa jvanderw at redhat.com
Wed Oct 22 19:29:11 BST 2025 

Package: freeipa-client
Version: 4.12.4-1

Our Cockpit CI tests fail on debian-testing after upgrading 
python3-cryptography.

   python3-cryptography (43.0.0-3 -> 44.0.2-1)

Now ipa-client-install fails with:

root at x0:~# LANG=C /usr/sbin/ipa-client-install --domain cockpit.lan 
--realm COCKPIT.LAN --mkhomedir --enable-dns-updates --unattended 
--force-join --principal admin -W --force-ntpd
/usr/lib/python3/dist-packages/ipalib/constants.py:392: 
CryptographyDeprecationWarning: TripleDES has been moved to 
cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES and will be 
removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
   if getattr(algorithms, 'TripleDES', None):
/usr/lib/python3/dist-packages/ipalib/constants.py:393: 
CryptographyDeprecationWarning: TripleDES has been moved to 
cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES and will be 
removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
   if backend.cipher_supported(algorithms.TripleDES(
Traceback (most recent call last):
   File "/usr/sbin/ipa-client-install", line 22, in <module>
     from ipaclient.install import ipa_client_install
   File 
"/usr/lib/python3/dist-packages/ipaclient/install/ipa_client_install.py", 
line 7, in <module>
     from ipaclient.install import client
   File "/usr/lib/python3/dist-packages/ipaclient/install/client.py", 
line 37, in <module>
     from ipalib import api, errors, x509
   File "/usr/lib/python3/dist-packages/ipalib/__init__.py", line 921, 
in <module>
     from ipalib.frontend import Command, LocalOrRemote, Updater
   File "/usr/lib/python3/dist-packages/ipalib/frontend.py", line 31, in 
<module>
     from ipalib.parameters import create_param, Param, Str, Flag
   File "/usr/lib/python3/dist-packages/ipalib/parameters.py", line 125, 
in <module>
     from ipalib.x509 import (
         load_der_x509_certificate, IPACertificate, default_backend)
   File "/usr/lib/python3/dist-packages/ipalib/x509.py", line 91, in 
<module>
     class IPACertificate(crypto_x509.Certificate):
     ...<358 lines>...
                 return self._cert.verify_directly_issued_by(issuer)
TypeError: type 'cryptography.hazmat.bindings._rust.x509.Certificate' is 
not an acceptable base type

This was fixed in freeipa a while back after a bug report from Fedora. 
[1] [2]

[1] 
https://github.com/freeipa/freeipa/commit/d4d56a6705c870901bc73882e4804367f7c9c91a
[2] https://pagure.io/freeipa/issue/9708

More information about the Pkg-freeipa-devel mailing list