On 4/30/24 15:34, Rob Crittenden wrote:
Antoine Gatineau via FreeIPA-users wrote:
> Hello,
>
> When enrolling an opensuse tumbleweed client, ipa-client-install fails to
> get the cacertificate from ldap with error:
>
> 2024-04-30T11:23:16Z DEBUG Initializing principal adminprincipal using
> password
> 2024-04-30T11:23:16Z DEBUG Starting external process
> 2024-04-30T11:23:16Z DEBUG args=['/usr/bin/kinit', 'adminuser', '-c',
> '/tmp/krbcc2swf0edk/ccache']
> 2024-04-30T11:23:16Z DEBUG Process finished, return code=0
> 2024-04-30T11:23:16Z DEBUG stdout=Password for adminuser:
>
> 2024-04-30T11:23:16Z DEBUG stderr=
> 2024-04-30T11:23:16Z DEBUG trying to retrieve CA cert via LDAP from
> ipa-server-01.empire.lan
> 2024-04-30T11:23:16Z DEBUG retrieving schema for SchemaCache
> url=ldap://ipa-server-01.empire.lan:389
> conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f020cb3f490>
> 2024-04-30T11:23:17Z ERROR unable to convert the attribute
> 'cacertificate;binary' value
> b'0\x82\x04\x.........ETC........................................' to
> type <class 'cryptography.x509.base.Certificate'>
> 2024-04-30T11:23:17Z DEBUG get_ca_certs_from_ldap() error: %i format: a
> real number is required, not dict
> 2024-04-30T11:23:17Z DEBUG %i format: a real number is required, not dict
> 2024-04-30T11:23:17Z ERROR Cannot obtain CA certificate
> 'ldap://ipa-server-01.empire.lan' doesn't have a certificate.
> 2024-04-30T11:23:17Z ERROR Installation failed. Rolling back changes.
>
> ipa server is 4.11.0 (centos stream 9 latest)
>
> ipa client is 4.11.1 (opensuse tumbleweed) from this source:
>
> https://build.opensuse.org/package/show/security%3Aidm/freeipa
>
>
> With debian 12 and ipa-client 4.9.11 the enrollment succeeds.
>
> With centos stream 9 and ipa-client 4.11.0 the enrollment succeeds.
>
> Is there a limitation with clients newer than the server?
Not usually.
> What can I check to fix this issue?
I'd start with comparing what version of python-cryptography is on the
working vs non-working systems.
debian: 38.0.4-3 (python 3.11)
centos stream: 36.0.1-4.el9 (python 3.9)
tumbleweed: python311-cryptography 42.0.5-1.1
Indeed, it is quite a bit newer on tumbleweed.
https://cryptography.io/en/latest/changelog/
There are some deprecations in 39.0 that might be in play but I don't
know exactly what is used by ipa.
* BACKWARDS INCOMPATIBLE: Removed the encode_point and from_encoded_point
  methods on EllipticCurvePublicNumbers, which had been deprecated for
  several years. public_bytes() and from_encoded_point() should be used
  instead.
* BACKWARDS INCOMPATIBLE: Support for using MD5 or SHA1 in
  CertificateBuilder, other X.509 builders, and PKCS7 has been removed.
rob
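Added example, not part of the thread and not FreeIPA or python-cryptography code: when a client logs "unable to convert the attribute 'cacertificate;binary' value", a first step is to confirm that the DER bytes stored in LDAP are structurally complete before suspecting the client's library version. This dependency-free check walks the outer SEQUENCE, compares the declared length with the bytes received, and reports version, serial and signature-algorithm OID; SAMPLE_DER is a constructed skeleton, not a real certificate.

```python
# Added example, not FreeIPA or python-cryptography code: a dependency-free structural check of
# the DER value in cACertificate;binary, to tell a corrupt or truncated LDAP value from a client-side parser rejection.
SEQUENCE, VERSION_TAG = 0x30, 0xA0            # universal SEQUENCE; [0] EXPLICIT (version)

def read_tlv(buf: bytes, off: int):
    """Return (tag, content_start, content_end) of the DER TLV at buf[off:]."""
    if off + 2 > len(buf): raise ValueError(f"truncated TLV header at offset {off}")
    tag, first, off = buf[off], buf[off + 1], off + 2
    if first < 0x80:                          # short form: one length byte
        length = first
    else:                                     # long form: 0x8N, then N length bytes
        nbytes = first & 0x7F
        if nbytes == 0 or off + nbytes > len(buf): raise ValueError(f"bad length at offset {off - 1}")
        length, off = int.from_bytes(buf[off:off + nbytes], "big"), off + nbytes
    if off + length > len(buf): raise ValueError(f"declared length {length} overruns the {len(buf)}-byte value")
    return tag, off, off + length

def decode_oid(content: bytes) -> str:
    arcs, value = [content[0] // 40, content[0] % 40], 0   # first two arcs share one byte
    for b in content[1:]:                     # remaining arcs are base-128, high bit = continue
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def inspect_certificate(der: bytes) -> dict:
    tag, start, end = read_tlv(der, 0)                # Certificate ::= SEQUENCE
    if tag != SEQUENCE: raise ValueError(f"outer tag 0x{tag:02x} is not SEQUENCE (base64 text instead of DER?)")
    info = {"declared_len": end - start, "trailing_bytes": len(der) - end}
    _, tbs, _ = read_tlv(der, start)                  # tbsCertificate
    tag, s, e = read_tlv(der, tbs)
    if tag == VERSION_TAG:                            # optional [0] EXPLICIT version (v1 omits it)
        _, vs, ve = read_tlv(der, s)
        info["version"], (tag, s, e) = der[vs] + 1, read_tlv(der, e)
    info["serial"] = int.from_bytes(der[s:e], "big", signed=True)
    _, alg, _ = read_tlv(der, e)                      # signature AlgorithmIdentifier
    _, os_, oe = read_tlv(der, alg)
    info["sig_oid"] = decode_oid(der[os_:oe])
    return info

def check_blob(der: bytes) -> str:
    try:
        return "ok" if inspect_certificate(der)["trailing_bytes"] == 0 else "trailing bytes after certificate"
    except ValueError as exc:
        return f"malformed: {exc}"

# Constructed skeleton (not a real certificate): v3, serial 0x1020, sha256WithRSAEncryption,
# and a 300-byte dummy signature so the outer length takes the 0x82 long form seen in the log.
_ALG = "300d06092a864886f70d01010b0500"
SAMPLE_DER = (bytes.fromhex("3082015a" + "3018a003020102" + "02021020" + _ALG + _ALG)
              + b"\x03\x82\x01\x2d\x00" + bytes(300))
```

Feed it the raw attribute value from an ldapsearch of the server's CA entry; "ok" means the blob is intact and the problem lies in the client's parsing, while "malformed" points at the stored value.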