xmlsec.InternalError

I need to use SAML, and when I include the directives in `indico.conf`, the error appears:

```
xmlsec.InternalError: (-1, 'lxml & xmlsec libxml2 library version mismatch')
```

I'm trying to resolve this issue using the commands in this issue, but the error persists. To test `indico.conf`, I use the command `indico celery inspect registered`.

Do you have any tips on how to resolve this issue?

My configuration:

```
$ pip freeze | grep xml
defusedxml==0.7.1
lxml==5.3.0
xmlsec==1.3.16

$ pip freeze | grep saml
python3-saml==1.16.0

$ pip freeze | grep indico
indico==3.3.8
indico-fonts==1.2
indico-plugin-citadel==3.3.3
indico-plugin-cloud-captchas==3.3.2
indico-plugin-livesync==3.3.3
indico-plugin-owncloud==3.3.3
indico-plugin-payment-manual==3.3.2
indico-plugin-payment-paypal==3.3.2
indico-plugin-payment-sixpay==3.3.4
indico-plugin-payment-stripe==3.3
indico-plugin-piwik==3.3.3
indico-plugin-previewer-code==3.3
indico-plugin-previewer-jupyter==3.3.1
indico-plugin-prometheus==3.3.2
indico-plugin-storage-s3==3.3.2
indico-plugin-ursh==3.3.2
indico-plugin-vc-zoom==3.3.4
indico-plugins==3.3.5
```

Could this be a conflict with the Ubuntu 25.04 packages?

Thanks in advance,

We have not tested Indico on Ubuntu 25 yet. So it’s certainly a possibility…

Would I need to downgrade the packages with apt-get install libxml2-dev libxmlsec1-dev libxmlsec1-openssl?

Is there any way around this issue? This server needs to go into production.

No idea, downgrading packages sounds like a bad/risky idea. Like I said, none of us tested Indico on Ubuntu 25 yet, and all this saml stuff is known to be a pain…

This server needs to go into production.

Use Ubuntu 24.04. That’s LTS with 3.5 more years of support. The version you’re using now (25.04) actually reaches End of Life in just 3 months!! (and 25.10 only has 8 more months of support).

I believe the best solution at this point is to revert to version 24.04 LTS.

Thank you everyone.

Hello
I changed the environment to Ubuntu 24.04, and the XML issue still occurs when I try to enable SAML.

```
((indico) ) indico@indico-hom2:~/etc$ indico celery inspect registered
Traceback (most recent call last):
  File "/opt/indico/.venv/bin/indico", line 7, in <module>
    sys.exit(cli())
             ^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/click/core.py", line 1157, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/click/core.py", line 1078, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/click/core.py", line 1688, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/click/core.py", line 1434, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/click/core.py", line 783, in invoke
    return __callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/click/decorators.py", line 33, in new_func
    return f(get_current_context(), *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/flask/cli.py", line 397, in decorator
    app = ctx.ensure_object(ScriptInfo).load_app()
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/flask/cli.py", line 342, in load_app
    app = self.create_app()
          ^^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/indico/cli/util.py", line 26, in _create_app
    return make_app()
           ^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/indico/web/flask/app.py", line 424, in make_app
    multipass.init_app(app)
  File "/opt/indico/.venv/lib/python3.12/site-packages/indico/core/auth.py", line 82, in init_app
    super().init_app(app)
  File "/opt/indico/.venv/lib/python3.12/site-packages/flask_multipass/core.py", line 84, in init_app
    state.auth_providers = ImmutableDict(self._create_providers('AUTH', AuthProvider))
                                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/flask_multipass/core.py", line 487, in _create_providers
    cls = resolve_provider_type(base, settings.pop('type'), registry)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/flask_multipass/util.py", line 158, in resolve_provider_type
    cls = entry_point.load()
          ^^^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/importlib_metadata/__init__.py", line 189, in load
    module = import_module(match.group('module'))
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/indico/.pyenv/versions/3.12.12/lib/python3.12/importlib/__init__.py", line 90, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "<frozen importlib._bootstrap>", line 1387, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1360, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1331, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 935, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 999, in exec_module
  File "<frozen importlib._bootstrap>", line 488, in _call_with_frames_removed
  File "/opt/indico/.venv/lib/python3.12/site-packages/flask_multipass/providers/saml.py", line 10, in <module>
    from onelogin.saml2.auth import OneLogin_Saml2_Auth
  File "/opt/indico/.venv/lib/python3.12/site-packages/onelogin/saml2/auth.py", line 12, in <module>
    import xmlsec
xmlsec.InternalError: (-1, 'lxml & xmlsec libxml2 library version mismatch')
```

Any idea what this could be?
Thanks,

Clóvis

Can you try this?

```
pip install --force-reinstall --no-binary lxml 'lxml==5.3.0'
```

Hello,

I tried the command, here’s the screen output, as well as the inspect of the indico.conf file.

Same error.

```
((indico) ) indico@indico-hom2:~/etc$ pip install --force-reinstall --no-binary lxml 'lxml==5.3.0'
Collecting lxml==5.3.0
  Downloading lxml-5.3.0.tar.gz (3.7 MB)
     ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 3.7/3.7 MB 34.2 MB/s 0:00:00
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Building wheels for collected packages: lxml
  Building wheel for lxml (pyproject.toml) ... done
  Created wheel for lxml: filename=lxml-5.3.0-cp312-cp312-linux_x86_64.whl size=8750672 sha256=4f8d5b7e17ee63a421361b7c6d115e9da3c57fe9dd25deee88ca8a1379ee89f7
  Stored in directory: /opt/indico/.cache/pip/wheels/2a/ec/3d/17ae6ec52fd942e5353ca521d301bf6e552d5910b76bef98d6
Successfully built lxml
Installing collected packages: lxml
  Attempting uninstall: lxml
    Found existing installation: lxml 5.3.0
    Uninstalling lxml-5.3.0:
      Successfully uninstalled lxml-5.3.0
Successfully installed lxml-5.3.0)
```

```
((indico) ) indico@indico-hom2:~/etc$ indico celery inspect registered
Traceback (most recent call last):
  File "/opt/indico/.venv/bin/indico", line 7, in <module>
    sys.exit(cli())
             ^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/click/core.py", line 1157, in __call__
    return self.main(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/click/core.py", line 1078, in main
    rv = self.invoke(ctx)
         ^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/click/core.py", line 1688, in invoke
    return _process_result(sub_ctx.command.invoke(sub_ctx))
                           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/click/core.py", line 1434, in invoke
    return ctx.invoke(self.callback, **ctx.params)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/click/core.py", line 783, in invoke
    return __callback(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/click/decorators.py", line 33, in new_func
    return f(get_current_context(), *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/flask/cli.py", line 397, in decorator
    app = ctx.ensure_object(ScriptInfo).load_app()
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/flask/cli.py", line 342, in load_app
    app = self.create_app()
          ^^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/indico/cli/util.py", line 26, in _create_app
    return make_app()
           ^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/indico/web/flask/app.py", line 424, in make_app
    multipass.init_app(app)
  File "/opt/indico/.venv/lib/python3.12/site-packages/indico/core/auth.py", line 82, in init_app
    super().init_app(app)
  File "/opt/indico/.venv/lib/python3.12/site-packages/flask_multipass/core.py", line 84, in init_app
    state.auth_providers = ImmutableDict(self._create_providers('AUTH', AuthProvider))
                                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/flask_multipass/core.py", line 487, in _create_providers
    cls = resolve_provider_type(base, settings.pop('type'), registry)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/flask_multipass/util.py", line 158, in resolve_provider_type
    cls = entry_point.load()
          ^^^^^^^^^^^^^^^^^^
  File "/opt/indico/.venv/lib/python3.12/site-packages/importlib_metadata/__init__.py", line 189, in load
    module = import_module(match.group('module'))
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/indico/.pyenv/versions/3.12.12/lib/python3.12/importlib/__init__.py", line 90, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "<frozen importlib._bootstrap>", line 1387, in _gcd_import
  File "<frozen importlib._bootstrap>", line 1360, in _find_and_load
  File "<frozen importlib._bootstrap>", line 1331, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 935, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 999, in exec_module
  File "<frozen importlib._bootstrap>", line 488, in _call_with_frames_removed
  File "/opt/indico/.venv/lib/python3.12/site-packages/flask_multipass/providers/saml.py", line 10, in <module>
    from onelogin.saml2.auth import OneLogin_Saml2_Auth
  File "/opt/indico/.venv/lib/python3.12/site-packages/onelogin/saml2/auth.py", line 12, in <module>
    import xmlsec
xmlsec.InternalError: (-1, 'lxml & xmlsec libxml2 library version mismatch')
```

Any idea?

Can you please post your output as code formatting, it’s hard to read like this.

```
paste your stuff here
```

Also can you do the same for xmlsec?

```
pip install --force-reinstall --no-binary xmlsec xmlsec
```

Hello,
I installed xmlsec 1.3.13 and lxml 6.0.2 and the system worked.

```
((indico) ) indico@indico-hom2:~/etc$ pip install --force-reinstall --no-binary xmlsec 'xmlsec==1.3.13'
Collecting xmlsec==1.3.13
  Downloading xmlsec-1.3.13.tar.gz (64 kB)
  Installing build dependencies ... done
  Getting requirements to build wheel ... done
  Preparing metadata (pyproject.toml) ... done
Collecting lxml>=3.8 (from xmlsec==1.3.13)
  Using cached lxml-6.0.2-cp312-cp312-manylinux_2_26_x86_64.manylinux_2_28_x86_64.whl.metadata (3.6 kB)
Using cached lxml-6.0.2-cp312-cp312-manylinux_2_26_x86_64.manylinux_2_28_x86_64.whl (5.3 MB)
Building wheels for collected packages: xmlsec
  Building wheel for xmlsec (pyproject.toml) ... done
  Created wheel for xmlsec: filename=xmlsec-1.3.13-cp312-cp312-linux_x86_64.whl size=166625 sha256=474d8ec31b1183bd8e8a923c89dc8356e26f4a2b378492a88f4abfe0ec7bc0c5
  Stored in directory: /opt/indico/.cache/pip/wheels/fc/7a/d2/3b31eeb7c6dfafe6775d66c3bb2665e9d3ea9573b9edf47978
Successfully built xmlsec
Installing collected packages: lxml, xmlsec
  Attempting uninstall: lxml
    Found existing installation: lxml 5.3.0
    Uninstalling lxml-5.3.0:
      Successfully uninstalled lxml-5.3.0
  Attempting uninstall: xmlsec
    Found existing installation: xmlsec 1.3.16
    Uninstalling xmlsec-1.3.16:
      Successfully uninstalled xmlsec-1.3.16
ERROR: pip's dependency resolver does not currently take into account all the packages that are installed. This behaviour is the source of the following dependency conflicts.
indico 3.3.8 requires lxml==5.3.0, but you have lxml 6.0.2 which is incompatible.
```

Can you check if it also works with lxml==5.3.0 since this is the version that Indico currently uses (we generally discourage manually updating dependencies)

It worked with that configuration.

```
pip freeze | grep xml
defusedxml==0.7.1
lxml==5.3.0
xmlsec==1.3.13
```