freeipa team mailing list archive

[Bug 2078034] [NEW] ipa-client-install fails with TypeError: Can't instantiate abstract class IPACertificate without an implementation for abstract methods 'not_valid_after_utc', 'not_valid_before_utc'

 

Public bug reported:

I am currently enabling our Cockpit tests on oracular [1] (now after
feature freeze and well before release is a good time). The main
regression is with joining a FreeIPA domain.

The server runs a standard
quay.io/freeipa/freeipa-server:centos-9-stream container with a couple of
standard options (ports, passwords, etc.) [2], but nothing spectacular. In
particular, no customizations of the certificate.

On the client (Ubuntu oracular) the test runs:

    echo foobarfoo | realm join -vU admin cockpit.lan

This fails with

    unable to convert the attribute 'cacertificate;binary' value b'0\x82[...]xea9D#' to type <class 'cryptography.x509.base.Certificate'>
    Cannot obtain CA certificate
    'ldap://f0.cockpit.lan' doesn't have a certificate.
    Installation failed. Rolling back changes.

/var/log/ipaclient-install.log gives further details (I'm attaching
that). It has a series of exceptions, but the important one seems to be

      File "/usr/lib/python3/dist-packages/ipapython/ipaldap.py", line 1031, in decode
        return x509.load_der_x509_certificate(val)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
      File "/usr/lib/python3/dist-packages/ipalib/x509.py", line 445, in load_der_x509_certificate
        return IPACertificate(
               ^^^^^^^^^^^^^^^
    TypeError: Can't instantiate abstract class IPACertificate without an implementation for abstract methods 'not_valid_after_utc', 'not_valid_before_utc'

As the package is in sync with Debian unstable, this *probably* affects
Debian as well. However, we run our CI on Debian testing, and freeipa
fell out of testing 4 months ago [3], so we've skipped tests there.

[1] https://github.com/cockpit-project/bots/pull/6799
[2] https://github.com/cockpit-project/bots/blob/main/images/scripts/services.setup#L24
[3] https://tracker.debian.org/pkg/freeipa

DistroRelease: Ubuntu 24.10
PackageVersion: freeipa-client 4.11.1-2.1

** Affects: freeipa (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: oracular regression-release

** Attachment added: "/var/log/ipaclient-install.log"
   https://bugs.launchpad.net/bugs/2078034/+attachment/5809990/+files/ipaclient-install.log

** Description changed:

  I am currently enabling our Cockpit tests on oracular [1] (now after
  feature freeze and well before release is a good time). The main
  regression is with joining a FreeIPA domain.
  
  The server runs a standard quay.io/freeipa/freeipa-
  server:centos-9-stream container with a couple of standard options
  (ports, passwords, etc.) [2], but nothing spectacular. In particular, no
  customizations of the certificate.
  
  On the client (Ubuntu oracular) the test runs:
  
-     echo foobarfoo | realm join -vU admin cockpit.lan
+     echo foobarfoo | realm join -vU admin cockpit.lan
  
  This fails with
  
  unable to convert the attribute 'cacertificate;binary' value b'0\x82[...]xea9D#' to type <class 'cryptography.x509.base.Certificate'>
  Cannot obtain CA certificate
  'ldap://f0.cockpit.lan' doesn't have a certificate.
  Installation failed. Rolling back changes.
  
  /var/log/ipaclient-install.log gives further details (I'm attaching
  that). It has a series of exceptions, but the important one seems to be
  
-   File "/usr/lib/python3/dist-packages/ipapython/ipaldap.py", line 1031, in decode
-     return x509.load_der_x509_certificate(val)
-            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
-   File "/usr/lib/python3/dist-packages/ipalib/x509.py", line 445, in load_der_x509_certificate
-     return IPACertificate(
-            ^^^^^^^^^^^^^^^
+   File "/usr/lib/python3/dist-packages/ipapython/ipaldap.py", line 1031, in decode
+     return x509.load_der_x509_certificate(val)
+            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+   File "/usr/lib/python3/dist-packages/ipalib/x509.py", line 445, in load_der_x509_certificate
+     return IPACertificate(
+            ^^^^^^^^^^^^^^^
  TypeError: Can't instantiate abstract class IPACertificate without an implementation for abstract methods 'not_valid_after_utc', 'not_valid_before_utc'
  
  As the package is in sync with Debian unstable, this *probably* affects
  Debian as well. However, we run our  CI on Debian testing, and freeipa
  has fallen out of testing 4 months ago[3], so we've skipped tests there.
  
- 
  [1] https://github.com/cockpit-project/bots/pull/6799
  [2] https://github.com/cockpit-project/bots/blob/main/images/scripts/services.setup#L24
  [3] https://tracker.debian.org/pkg/freeipa
+ 
+ DistroRelease: Ubuntu 24.10
+ PackageVersion: freeipa-client 4.11.1-2.1

** Tags added: oracular regression-release

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/2078034

Title:
  ipa-client-install fails with TypeError: Can't instantiate abstract
  class IPACertificate without an implementation for abstract methods
  'not_valid_after_utc', 'not_valid_before_utc'

Status in freeipa package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/2078034/+subscriptions
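
The TypeError in the report is what Python's abc machinery raises when a subclass leaves abstract members of its base unimplemented. As an added illustration (not part of the original report, and not ipalib or cryptography code), the stand-in classes below reproduce that failure mode, list the members that block instantiation, and show a wrapper that implements them; all class and function names are hypothetical.

```python
import abc
import datetime

UTC = datetime.timezone.utc

class CertBase(abc.ABC):
    # Stand-in for an abstract certificate interface (hypothetical name).
    @property
    @abc.abstractmethod
    def not_valid_before(self): ...
    # The two members named in the TypeError: abstract on the base, so a
    # subclass written before they existed does not override them.
    @property
    @abc.abstractmethod
    def not_valid_before_utc(self): ...
    @property
    @abc.abstractmethod
    def not_valid_after_utc(self): ...

class OldWrapper(CertBase):
    # Wrapper that implements only the older, naive-datetime property.
    def __init__(self, start, end):
        self._start, self._end = start, end
    @property
    def not_valid_before(self):
        return self._start

class FixedWrapper(OldWrapper):
    # Same wrapper with the missing members implemented (naive values are
    # treated as UTC here, an assumption of this sketch).
    @property
    def not_valid_before_utc(self):
        return self._start.replace(tzinfo=UTC)
    @property
    def not_valid_after_utc(self):
        return self._end.replace(tzinfo=UTC)

def missing_abstract_members(cls):
    # Names that still block instantiation; usable as a packaging-time check.
    return sorted(getattr(cls, "__abstractmethods__", ()))

def try_instantiate(cls, *args):
    # Returns (instance, None) on success or (None, message) on TypeError.
    try:
        return cls(*args), None
    except TypeError as exc:
        return None, str(exc)
```

Running `missing_abstract_members` against a wrapper class in a package's test suite reports this kind of interface drift without needing a live certificate to decode.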
