freeipa team mailing list archive

Thread
Date

[Bug 2078034] Re: ipa-client-install fails with TypeError: Can't instantiate abstract class IPACertificate without an implementation for abstract methods 'not_valid_after_utc', 'not_valid_before_utc'

To: freeipa@xxxxxxxxxxxxxxxxxxx
From: Martin Pitt <2078034@xxxxxxxxxxxxxxxxxx>
Date: Wed, 28 Aug 2024 07:22:49 -0000
Reply-to: Bug 2078034 <2078034@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

These methods were introduced in
https://pagure.io/freeipa/c/0f9a8b7a15b911f443042061d795fcaa51f1a3c7 ,
and that triggers a strong déjà vu for me -- I've looked at this failure
in a different context already.

But https://launchpad.net/ubuntu/+source/python-cryptography in oracular
*is* version 42. Hmm..

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to freeipa in Ubuntu.
https://bugs.launchpad.net/bugs/2078034

Title:
  ipa-client-install fails with TypeError: Can't instantiate abstract
  class IPACertificate without an implementation for abstract methods
  'not_valid_after_utc', 'not_valid_before_utc'

Status in freeipa package in Ubuntu:
  New

Bug description:
  I am currently enabling our Cockpit tests on oracular [1] (now after
  feature freeze and well before release is a good time). The main
  regression is with joining a FreeIPA domain.

  The server runs a standard quay.io/freeipa/freeipa-
  server:centos-9-stream container with a couple of standard options
  (ports, passwords, etc.) [2], but nothing spectacular. In particular,
  no customizations of the certificate.

  On the client (Ubuntu oracular) the test runs:

      echo foobarfoo | realm join -vU admin cockpit.lan

  This fails with

  unable to convert the attribute 'cacertificate;binary' value b'0\x82[...]xea9D#' to type <class 'cryptography.x509.base.Certificate'>
  Cannot obtain CA certificate
  'ldap://f0.cockpit.lan' doesn't have a certificate.
  Installation failed. Rolling back changes.

  /var/log/ipaclient-install.log gives further details (I'm attaching
  that). It has a series of exceptions, but the important one seems to
  be

    File "/usr/lib/python3/dist-packages/ipapython/ipaldap.py", line 1031, in decode
      return x509.load_der_x509_certificate(val)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    File "/usr/lib/python3/dist-packages/ipalib/x509.py", line 445, in load_der_x509_certificate
      return IPACertificate(
             ^^^^^^^^^^^^^^^
  TypeError: Can't instantiate abstract class IPACertificate without an implementation for abstract methods 'not_valid_after_utc', 'not_valid_before_utc'

  As the package is in sync with Debian unstable, this *probably*
  affects Debian as well. However, we run our  CI on Debian testing, and
  freeipa has fallen out of testing 4 months ago[3], so we've skipped
  tests there.

  [1] https://github.com/cockpit-project/bots/pull/6799
  [2] https://github.com/cockpit-project/bots/blob/main/images/scripts/services.setup#L24
  [3] https://tracker.debian.org/pkg/freeipa

  DistroRelease: Ubuntu 24.10
  PackageVersion: freeipa-client 4.11.1-2.1

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freeipa/+bug/2078034/+subscriptions

References

[Bug 2078034] [NEW] ipa-client-install fails with TypeError: Can't instantiate abstract class IPACertificate without an implementation for abstract methods 'not_valid_after_utc', 'not_valid_before_utc'
From: Martin Pitt, 2024-08-28