(this issue appears different from https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/PLR7R2FIZXNOQFMT3XWMBK3UYI7FWVMY/)

Hello,

I was enrolling a FreeIPA client (v 4.12.2) on Ubuntu 24.10 and was presented with the following error:

[...]
2025-04-08T13:32:19Z DEBUG Loading Index file from '/var/lib/ipa-client/sysrestore/sysrestore.index'
2025-04-08T13:32:19Z DEBUG Initializing principal admin@TEST.LOCAL using password
2025-04-08T13:32:19Z DEBUG Starting external process
2025-04-08T13:32:19Z DEBUG args=['/usr/bin/kinit', 'admin@TEST.LOCAL', '-c', '/tmp/krbcco79q5wlq/ccache']
2025-04-08T13:32:19Z DEBUG Process finished, return code=0
2025-04-08T13:32:19Z DEBUG stdout=Password for admin@TEST.LOCAL:
2025-04-08T13:32:19Z DEBUG stderr=
2025-04-08T13:32:19Z DEBUG trying to retrieve CA cert via LDAP from ipaserver.test.local
2025-04-08T13:32:19Z DEBUG retrieving schema for SchemaCache url=ldap://ipaserver.test.local:389 conn=<ldap.ldapobject.SimpleLDAPObject object at 0xfaa54c0b93d0>
2025-04-08T13:32:20Z ERROR unable to convert the attribute 'cacertificate;binary' value b'[...]' to type <class 'cryptography.x509.base.Certificate'>
2025-04-08T13:32:20Z DEBUG get_ca_certs_from_ldap() error: unsupported format character '\' (0x5c) at index 675
2025-04-08T13:32:20Z DEBUG unsupported format character '\' (0x5c) at index 675

The pyca/cryptography version on Ubuntu is 42.0.5, and parsing the binary string manually with pyca/cryptography v42.0.5 works without issues. The same install/enrolment process worked on AlmaLinux 9.5, although there the pyca/cryptography version is 36.0.1.

The certificate contents and ASN.1 appear valid. I am therefore puzzled what could have caused the issue. The issue persists even with different IPA servers.

Could you please suggest what else is there for me to check and hopefully get to the root of this issue?

Thank you in advance.