Package: freeipa-client
Version: 4.12.4-1

Our Cockpit CI tests fail on debian-testing after upgrading python3-cryptography.

  python3-cryptography (43.0.0-3 -> 44.0.2-1)

Now ipa-client-install fails with:

root@x0:~# LANG=C /usr/sbin/ipa-client-install --domain cockpit.lan --realm COCKPIT.LAN --mkhomedir --enable-dns-updates --unattended --force-join --principal admin -W --force-ntpd
/usr/lib/python3/dist-packages/ipalib/constants.py:392: CryptographyDeprecationWarning: TripleDES has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
  if getattr(algorithms, 'TripleDES', None):
/usr/lib/python3/dist-packages/ipalib/constants.py:393: CryptographyDeprecationWarning: TripleDES has been moved to cryptography.hazmat.decrepit.ciphers.algorithms.TripleDES and will be removed from cryptography.hazmat.primitives.ciphers.algorithms in 48.0.0.
  if backend.cipher_supported(algorithms.TripleDES(
Traceback (most recent call last):
  File "/usr/sbin/ipa-client-install", line 22, in <module>
    from ipaclient.install import ipa_client_install
  File "/usr/lib/python3/dist-packages/ipaclient/install/ipa_client_install.py", line 7, in <module>
    from ipaclient.install import client
  File "/usr/lib/python3/dist-packages/ipaclient/install/client.py", line 37, in <module>
    from ipalib import api, errors, x509
  File "/usr/lib/python3/dist-packages/ipalib/__init__.py", line 921, in <module>
    from ipalib.frontend import Command, LocalOrRemote, Updater
  File "/usr/lib/python3/dist-packages/ipalib/frontend.py", line 31, in <module>
    from ipalib.parameters import create_param, Param, Str, Flag
  File "/usr/lib/python3/dist-packages/ipalib/parameters.py", line 125, in <module>
    from ipalib.x509 import (
        load_der_x509_certificate, IPACertificate, default_backend)
  File "/usr/lib/python3/dist-packages/ipalib/x509.py", line 91, in <module>
    class IPACertificate(crypto_x509.Certificate):
    ...<358 lines>...
                return self._cert.verify_directly_issued_by(issuer)
TypeError: type 'cryptography.hazmat.bindings._rust.x509.Certificate' is not an acceptable base type

This was fixed in freeipa a while back after a bug report from Fedora. [1] [2]

[1] https://github.com/freeipa/freeipa/commit/d4d56a6705c870901bc73882e4804367f7c9c91a
[2] https://pagure.io/freeipa/issue/9708
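
Added example, not part of the original report and not FreeIPA's actual fix: a probe that tells whether a type still accepts subclassing (the condition behind the TypeError in the traceback above), and a composition wrapper that keeps working when it does not. The names is_subclassable, probe_certificate_base and CertWrapper are hypothetical, and range is used as a constructed stand-in for a non-subclassable type.

```python
# Added example; is_subclassable, CertWrapper and probe_certificate_base are
# hypothetical names, not FreeIPA or python3-cryptography APIs.
import importlib


def is_subclassable(cls):
    """Return True if `cls` is accepted in a class statement's base list."""
    try:
        type("_Probe", (cls,), {})  # the same check `class X(cls):` triggers
    except TypeError:
        return False
    return True


def probe_certificate_base():
    """True/False for cryptography.x509.Certificate, None if not installed."""
    try:
        x509 = importlib.import_module("cryptography.x509")
    except ImportError:
        return None
    return is_subclassable(x509.Certificate)


class CertWrapper:
    """Holds the library object and delegates to it instead of inheriting."""

    def __init__(self, cert):
        self._cert = cert

    def __getattr__(self, name):
        # Reached only when normal lookup fails; guard _cert so copy/pickle
        # on a half-built instance cannot recurse forever.
        if name == "_cert":
            raise AttributeError(name)
        return getattr(self._cert, name)

    def __eq__(self, other):
        if isinstance(other, CertWrapper):
            other = other._cert
        return self._cert == other

    def __hash__(self):
        return hash(self._cert)


if __name__ == "__main__":
    print("Certificate subclassable:", probe_certificate_base())
    # Constructed stand-in: range is a built-in type that rejects subclassing.
    wrapped = CertWrapper(range(3))
    print(is_subclassable(range), wrapped.stop)
```

Running the probe in CI before a python3-cryptography upgrade lands surfaces this class of breakage without having to run the installer.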
