ipa-client-install failed "unable to convert the attribute cacertificate;binary'" with python3-cryptography

Solution Verified - Updated -

Environment

  • Red Hat Enterprise Linux 9
  • IPA-Client
  • IPA-Server

Issue

  • not able to install ipa client system.
  • unable to convert the attribute ca certificate.
2024-07-03T14:03:29Z* ERROR unable to convert the attribute 'cacertificate;binary' value b'0\x82\x03\x910\x82\x02y\xa0\x03\x02\x01\x02\x02\x01\x010\r\x06\t\x86H\x86\xf7\r\x01\x01\x0b\x05\x00081\x160\x14\x06\x03U\x04\n\x0c\rIS.CL.SSA.GOV1\x1e0\x1c\x06\x03U\x04\x03\x0c\x15Certificate =Oz\x06\xf8\xe5\xa7\xd1sy\xf7\xa6\\z\xb8f\xfc\xccyi%\xc3\x1f\x1e\xb8,\x9e\xe1\xbd\x06j]\xd6\xea\xfd\xe7\x10a\xbb\x086C\xaa\xc6\xff\xc0\x00\x12\x85M-n7Q\x8f\xb1k\xe8b\xf0\x16\\dh\\a\xfc\x7f\xdb\t\xce\xe9/\xf3=\x9f\xc9\x0bC\xeaI\x07\xfbO\xb5\xe6\xfb\xeb2v\xdb\x93`%\xee\x96^y\x11$z\x8a(\xbc\xdf\x0cw\x06ZO\xdd\x9c&\xa6\x00\x9f\x94{\\\xaa<\x1bf\xb7\xfc\xd6\xa9\xf3g\xc0\x83v\xc0Jh\xf6\xd27\x0f\x0c\xa2W\xde\x0c,#\xf6*\x99#\x0cS^7\xc2\xc1\xa2\xa7|\x93*\xa4\xca?V\xf4\x84{\xc7!\x0e\xc1r\xcaQZ\xc4\x1b\xf7\xb3\x84s\xf6\x10\x93s\xfcAH\xe2\x82\xac\xa9\x0bVd:N\x8c\xa7D\xb9\xbf+\x18\xbe\xf2NF\xa1Y\xdb\x88\xddSc\xb9b\x85\x02\x03\x01\x00\x01\xa3\x81\xa50\x81\xa20\x1f\x06\x03U\x1d#\x04\x180\x16\x80\x14%;\xd4\xb7\x99\x1d\x90\xe5\xbb\xd8\x90\xdc \x82\x8fL\xdb72\xaa0\x0f\x06\x03U\x1d\x13\x01\x01\xff\x04\x050\x03\x01\x01\xff0\x0e\x06\x03U\x1d\x0f\x01\x01\xff\x04\x04\x03\x02\x01\xc60\x1d\x06\x03U\x1d\x0e\x04\x16\x04\x14%;\xd4\xb7\x99\x1d\x90\xe5\xbb\xd8\x90\xdc \x82\x8fL\xdb72\xaa0?\x06\x08+\x06\x01\x05\x05\x07\x01\x01\x043010/\x06\x08+\x06\x01\x05\x05\x070\x01\x86#http://ipa-ca.is.cl.xxx.gov/ca/ocsp0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00\x1d\xe5\xa1n7er\xb3Zu\xea\x16Y\x9e\xb33\x97\xc6\x11C\xd05\xf8\xcaU\x1d\x9e\xef%H\xb7W\x9d\x99_\xcb\xd2\xf9\x89\x03s\xe6\xe9F\x929\xddQ\x93\xe84w\xc7j\xa5\xff$\'c\xa2\x11\xd9\xb5\rf\xca#\xaf\xf8\xdf\x8b\x0f\xf1\xaf\x88\x93\xd0M\x92\xde\x87J|1\xc9oQ\xbb\xa4\x8aR\xc4\x1b\xb7p2\xdfD\x8a\'\xcdJ\xf9\xaf6\xaf\x13\xe1\xe5 \x10h\xee\r\xc4y=*\xa4\\\x87\x14?\xc6\xcc\xa1\xb3\xc4\x0c\x99\xeatM\x8c(\xd3\x10w`\x9e\xcb\x03\x9f\x8d\x19\xa4\x83\xcd\x92\xcb\xc0\xfe\xa0\xcf\xce6. \x87\x9a4jW(F\x8c\xb8&\x96\x13\xa88d\xce|\xc6`I\x8dvoS\xa2oU\xd5\xe6\xa5w\xe8\xdd\xdb[\x98\x11\xe7\xbc\'Bk*\xecfN\xfer\x87\x1f\xc9+\xa1=\x12\x91\x8bO\xd7\xf2\xfc|\x86z\xf1)\xb9sH\xbd\xcb\xdfX\x81\xf7M\x10]du!\x14\xcd{\x13\x94\x06P\xc8\xbeON\xe6\x89\xf6a\xc1' to type <class 'cryptography.x509.base.Certificate'>

Resolution

  • This issue is being tracked in Jira ticket RHEL-53854 and fixed in Errata.

  • Downgrade the package python3-cryptography to any version < 42.0.5 1.el9 as a workaround.

Root Cause

  • ipa client is not able to make connection with ipa server due to ca cert.

Diagnostic Steps

  • It looks like the problem comes from the python3-cryptography package provided by Ansible Automation Platform (AAP) repository.
  • In RHEL this package is in V36, whereas V42 in AAP repo.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments