On Tue, Apr 30, 2024 at 02:13:56PM -0400, Rob Crittenden via FreeIPA-users wrote:
> I used the cert you provided us out-of-band and was able to load it in
> Fedora rawhide with cryptography-42.0.5, same (I think) as tumbleweed
> unless tumbleweed includes some additional change.
>
> Let's try excluding LDAP from the picture.
>
> Can you copy /etc/ipa/ca.crt from a working install to /tmp/ca.crt. Then
> pass --ca-cert-file=/tmp/ca.crt to ipa-client-install.
>
> It may well still fail but it may give us additional data points. If it
> works we've also narrowed things down.
>
> Our LDAP code automatically translates attributes into their expected
> data types. In this case a certificate into a python-cryptography
> Certificate class. This is where it is blowing up now.
>
> rob

I would also double-check the LDAP attribute value, in case it is
corrupted somehow. IIRC, 389DS doesn't do much validation on the
userCertificate value and mostly treats it as an opaque blob.

I'm happy to take a look if you send me the cert and/or LDIF output.

Cheers,
Fraser
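
An added example, not part of the original message and not FreeIPA code: one way to sanity-check userCertificate values in LDIF output before they reach the certificate parser. It uses only the Python standard library; the function names and the sample LDIF are constructed for illustration, and the check is structural only (outer DER shape, not certificate contents).

```python
import base64

def ldif_values(ldif_text, attr="usercertificate"):
    """Yield raw values of attr (with any ;option) from LDIF text."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    for line in lines:
        name, sep, rest = line.partition(":")
        if sep and name.split(";")[0].lower() == attr:
            yield base64.b64decode(rest[1:]) if rest[:1] == ":" else rest.strip().encode()

def read_tlv(buf, pos):
    """Return (tag, content_start, content_end) for the DER element at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, pos, pos + length

def check_cert_blob(blob):
    """Return 'ok' or why blob is not SEQUENCE { SEQUENCE, SEQUENCE, BIT STRING }."""
    if blob.lstrip().startswith(b"-----BEGIN"):
        return "PEM text stored where DER is expected"
    try:
        tag, pos, end = read_tlv(blob, 0)
        if tag != 0x30 or end != len(blob):
            return "outer SEQUENCE does not span the whole value"
        tags = []
        while pos < end:
            t, _, pos = read_tlv(blob, pos)
            tags.append(t)
    except ValueError as exc:
        return str(exc)
    return "ok" if tags == [0x30, 0x30, 0x03] else "unexpected top-level structure"

GOOD = bytes.fromhex("300d300302010130020500030200ff")  # constructed skeleton, not a real cert
B64 = base64.b64encode(GOOD).decode()
SAMPLE_LDIF = (f"dn: cn=example\nuserCertificate;binary:: {B64[:8]}\n {B64[8:]}\n"
               f"userCertificate;binary:: {base64.b64encode(GOOD[:-2]).decode()}\n"
               "userCertificate: -----BEGIN CERTIFICATE-----\n")
```

A value that passes here can still be rejected by python-cryptography, so this only separates blobs that are damaged in storage or transport from ones that are well-formed but unsupported.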