Public bug reported: I am currently enabling our Cockpit tests on oracular [1] (now after feature freeze and well before release is a good time). The main regression is with joining a FreeIPA domain.
The server runs a standard quay.io/freeipa/freeipa- server:centos-9-stream container with a couple of standard options (ports, passwords, etc.) [2], but nothing spectacular. In particular, no customizations of the certificate. On the client (Ubuntu oracular) the test runs: echo foobarfoo | realm join -vU admin cockpit.lan This fails with unable to convert the attribute 'cacertificate;binary' value b'0\x82[...]xea9D#' to type <class 'cryptography.x509.base.Certificate'> Cannot obtain CA certificate 'ldap://f0.cockpit.lan' doesn't have a certificate. Installation failed. Rolling back changes. /var/log/ipaclient-install.log gives further details (I'm attaching that). It has a series of exceptions, but the important one seems to be File "/usr/lib/python3/dist-packages/ipapython/ipaldap.py", line 1031, in decode return x509.load_der_x509_certificate(val) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/ipalib/x509.py", line 445, in load_der_x509_certificate return IPACertificate( ^^^^^^^^^^^^^^^ TypeError: Can't instantiate abstract class IPACertificate without an implementation for abstract methods 'not_valid_after_utc', 'not_valid_before_utc' As the package is in sync with Debian unstable, this *probably* affects Debian as well. However, we run our CI on Debian testing, and freeipa has fallen out of testing 4 months ago[3], so we've skipped tests there. [1] https://github.com/cockpit-project/bots/pull/6799 [2] https://github.com/cockpit-project/bots/blob/main/images/scripts/services.setup#L24 [3] https://tracker.debian.org/pkg/freeipa DistroRelease: Ubuntu 24.10 PackageVersion: freeipa-client 4.11.1-2.1 ** Affects: freeipa (Ubuntu) Importance: Undecided Status: New ** Tags: oracular regression-release ** Attachment added: "/var/log/ipaclient-install.log" https://bugs.launchpad.net/bugs/2078034/+attachment/5809990/+files/ipaclient-install.log ** Description changed: I am currently enabling our Cockpit tests on oracular [1] (now after feature freeze and well before release is a good time). The main regression is with joining a FreeIPA domain. The server runs a standard quay.io/freeipa/freeipa- server:centos-9-stream container with a couple of standard options (ports, passwords, etc.) [2], but nothing spectacular. In particular, no customizations of the certificate. On the client (Ubuntu oracular) the test runs: - echo foobarfoo | realm join -vU admin cockpit.lan + echo foobarfoo | realm join -vU admin cockpit.lan This fails with unable to convert the attribute 'cacertificate;binary' value b'0\x82[...]xea9D#' to type <class 'cryptography.x509.base.Certificate'> Cannot obtain CA certificate 'ldap://f0.cockpit.lan' doesn't have a certificate. Installation failed. Rolling back changes. /var/log/ipaclient-install.log gives further details (I'm attaching that). It has a series of exceptions, but the important one seems to be - File "/usr/lib/python3/dist-packages/ipapython/ipaldap.py", line 1031, in decode - return x509.load_der_x509_certificate(val) - ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ - File "/usr/lib/python3/dist-packages/ipalib/x509.py", line 445, in load_der_x509_certificate - return IPACertificate( - ^^^^^^^^^^^^^^^ + File "/usr/lib/python3/dist-packages/ipapython/ipaldap.py", line 1031, in decode + return x509.load_der_x509_certificate(val) + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + File "/usr/lib/python3/dist-packages/ipalib/x509.py", line 445, in load_der_x509_certificate + return IPACertificate( + ^^^^^^^^^^^^^^^ TypeError: Can't instantiate abstract class IPACertificate without an implementation for abstract methods 'not_valid_after_utc', 'not_valid_before_utc' As the package is in sync with Debian unstable, this *probably* affects Debian as well. However, we run our CI on Debian testing, and freeipa has fallen out of testing 4 months ago[3], so we've skipped tests there. - [1] https://github.com/cockpit-project/bots/pull/6799 [2] https://github.com/cockpit-project/bots/blob/main/images/scripts/services.setup#L24 [3] https://tracker.debian.org/pkg/freeipa + + DistroRelease: Ubuntu 24.10 + PackageVersion: freeipa-client 4.11.1-2.1 ** Tags added: oracular regression-release -- You received this bug notification because you are a member of FreeIPA, which is subscribed to freeipa in Ubuntu. https://bugs.launchpad.net/bugs/2078034 Title: ipa-client-install fails with TypeError: Can't instantiate abstract class IPACertificate without an implementation for abstract methods 'not_valid_after_utc', 'not_valid_before_utc' Status in freeipa package in Ubuntu: New Bug description: I am currently enabling our Cockpit tests on oracular [1] (now after feature freeze and well before release is a good time). The main regression is with joining a FreeIPA domain. The server runs a standard quay.io/freeipa/freeipa- server:centos-9-stream container with a couple of standard options (ports, passwords, etc.) [2], but nothing spectacular. In particular, no customizations of the certificate. On the client (Ubuntu oracular) the test runs: echo foobarfoo | realm join -vU admin cockpit.lan This fails with unable to convert the attribute 'cacertificate;binary' value b'0\x82[...]xea9D#' to type <class 'cryptography.x509.base.Certificate'> Cannot obtain CA certificate 'ldap://f0.cockpit.lan' doesn't have a certificate. Installation failed. Rolling back changes. /var/log/ipaclient-install.log gives further details (I'm attaching that). It has a series of exceptions, but the important one seems to be File "/usr/lib/python3/dist-packages/ipapython/ipaldap.py", line 1031, in decode return x509.load_der_x509_certificate(val) ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ File "/usr/lib/python3/dist-packages/ipalib/x509.py", line 445, in load_der_x509_certificate return IPACertificate( ^^^^^^^^^^^^^^^ TypeError: Can't instantiate abstract class IPACertificate without an implementation for abstract methods 'not_valid_after_utc', 'not_valid_before_utc' As the package is in sync with Debian unstable, this *probably* affects Debian as well. However, we run our CI on Debian testing, and freeipa has fallen out of testing 4 months ago[3], so we've skipped tests there. [1] https://github.com/cockpit-project/bots/pull/6799 [2] https://github.com/cockpit-project/bots/blob/main/images/scripts/services.setup#L24 [3] https://tracker.debian.org/pkg/freeipa DistroRelease: Ubuntu 24.10 PackageVersion: freeipa-client 4.11.1-2.1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/2078034/+subscriptions _______________________________________________ Mailing list: https://launchpad.net/~freeipa Post to : freeipa@lists.launchpad.net Unsubscribe : https://launchpad.net/~freeipa More help : https://help.launchpad.net/ListHelp
