diff --git a/0001-Use-ssl.match_hostname-from-urllib3-as-it-was-remove.patch b/0001-Use-ssl.match_hostname-from-urllib3-as-it-was-remove.patch
new file mode 100644
index 0000000..4a65e09
--- /dev/null
+++ b/0001-Use-ssl.match_hostname-from-urllib3-as-it-was-remove.patch
@@ -0,0 +1,82 @@
+From a96dae1a9918cfc1413e199336eece447920ef8e Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Miro=20Hron=C4=8Dok?= <miro@hroncok.cz>
+Date: Wed, 5 Jul 2023 08:52:59 +0200
+Subject: [PATCH] Use ssl.match_hostname from urllib3 as it was removed from
+ Python 3.12
+
+See https://pagure.io/freeipa/issue/9409
+and https://github.com/python/cpython/pull/94224#issuecomment-1621097418
+---
+ ipalib/x509.py                      | 5 +++--
+ ipaserver/install/cainstance.py     | 4 +++-
+ ipaserver/install/server/upgrade.py | 4 +++-
+ 3 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/ipalib/x509.py b/ipalib/x509.py
+index 5adb511..faf62d4 100644
+--- a/ipalib/x509.py
++++ b/ipalib/x509.py
+@@ -385,6 +385,8 @@ class IPACertificate(crypto_x509.Certificate):
+         return result
+ 
+     def match_hostname(self, hostname):
++        from urllib3.util import ssl_match_hostname
++
+         match_cert = {}
+ 
+         match_cert['subject'] = match_subject = []
+@@ -401,8 +403,7 @@ class IPACertificate(crypto_x509.Certificate):
+             for value in values:
+                 match_san.append(('DNS', value))
+ 
+-        # deprecated in Python3.7 without replacement
+-        ssl.match_hostname(  # pylint: disable=deprecated-method
++        ssl_match_hostname.match_hostname(
+             match_cert, DNSName(hostname).ToASCII()
+         )
+ 
+diff --git a/ipaserver/install/cainstance.py b/ipaserver/install/cainstance.py
+index fa8942d..e9f3ecb 100644
+--- a/ipaserver/install/cainstance.py
++++ b/ipaserver/install/cainstance.py
+@@ -2373,12 +2373,14 @@ def check_ipa_ca_san(cert):
+ 
+     On success returns None, on failure raises ValidationError
+     """
++    from urllib3.util import ssl_match_hostname
++
+     expect = f'{ipalib.constants.IPA_CA_RECORD}.' \
+              f'{ipautil.format_netloc(api.env.domain)}'
+ 
+     try:
+         cert.match_hostname(expect)
+-    except ssl.CertificateError:
++    except ssl_match_hostname.CertificateError:
+         raise errors.ValidationError(
+             name='certificate',
+             error='Does not have a \'{}\' SAN'.format(expect)
+diff --git a/ipaserver/install/server/upgrade.py b/ipaserver/install/server/upgrade.py
+index f8701c8..9e5f5aa 100644
+--- a/ipaserver/install/server/upgrade.py
++++ b/ipaserver/install/server/upgrade.py
+@@ -710,6 +710,8 @@ def http_certificate_ensure_ipa_ca_dnsname(http):
+     steps.
+ 
+     """
++    from urllib3.util import ssl_match_hostname
++
+     logger.info('[Adding ipa-ca alias to HTTP certificate]')
+ 
+     expect = f'{IPA_CA_RECORD}.{ipautil.format_netloc(api.env.domain)}'
+@@ -717,7 +719,7 @@ def http_certificate_ensure_ipa_ca_dnsname(http):
+ 
+     try:
+         cert.match_hostname(expect)
+-    except ssl.CertificateError:
++    except ssl_match_hostname.CertificateError:
+         if certs.is_ipa_issued_cert(api, cert):
+             request_id = certmonger.get_request_id(
+                 {'cert-file': paths.HTTPD_CERT_FILE})
+-- 
+2.40.1
+
diff --git a/freeipa.spec b/freeipa.spec
index d334e7b..0ac5260 100644
--- a/freeipa.spec
+++ b/freeipa.spec
@@ -213,7 +213,7 @@
 
 Name:           %{package_name}
 Version:        %{IPA_VERSION}
-Release:        1%{?rc_version:.%rc_version}%{?dist}.1
+Release:        1%{?rc_version:.%rc_version}%{?dist}.2
 Summary:        The Identity, Policy and Audit system
 
 License:        GPL-3.0-or-later
@@ -226,6 +226,9 @@ Source1:        https://releases.pagure.org/freeipa/freeipa-%{version}%{?rc_vers
 
 Patch0:         0001-Revert-cert_find-fix-call-with-all.patch
 
+# Downstream hotfix, reported in https://pagure.io/freeipa/issue/9409
+Patch1:         0001-Use-ssl.match_hostname-from-urllib3-as-it-was-remove.patch
+
 # RHEL spec file only: START: Change branding to IPA and Identity Management
 # Moved branding logos and background to redhat-logos-ipa-80.4:
 # header-logo.png, login-screen-background.jpg, login-screen-logo.png,
@@ -864,6 +867,7 @@ Requires: python3-qrcode-core >= 5.0.0
 Requires: python3-requests
 Requires: python3-six
 Requires: python3-sss-murmur
+Requires: python3-urllib3
 Requires: python3-yubico >= 1.3.2-7
 %if 0%{?rhel} && 0%{?rhel} == 8
 Requires: platform-python-setuptools
@@ -1742,6 +1746,9 @@ fi
 %endif
 
 %changelog
+* Wed Jul 05 2023 Miro Hrončok <mhroncok@redhat.com> - 4.10.2-1.2
+- Use ssl.match_hostname from urllib3 as it was removed from Python 3.12
+
 * Tue Jun 27 2023 Python Maint <python-maint@redhat.com> - 4.10.2-1.1
 - Rebuilt for Python 3.12