ipa-4.12.2-22

- Resolves: RHEL-107483
  ipa-ca-install fails on CA-less replica due to inadequate key usage in master certificate

Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Florence Blanc-Renaud 2025-08-25 16:22:38 +02:00
parent c07b72dc4a
commit fe5c3c292a
2 changed files with 86 additions and 1 deletions


@ -0,0 +1,81 @@
From 8cfafeffd1ad5266b35a7eb796976e873278f500 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Wed, 14 May 2025 10:44:26 +0200
Subject: [PATCH] ipatests: add extensions to server certificates for CAless
mode
When installing the server in CA less mode, the tests generate
server certificates but some extensions were missing.
Generate server cert with an Authority Key Identifier extension
using the CA's subject key identifier.
Without this extension, replica installation fails with
certificate verify failed: Missing Authority Key Identifier
in the step fetching the DM password from the server.
Add KeyUsage and Extended Key Usage.
Fixes: https://pagure.io/freeipa/issue/9787
Related: https://github.com/dogtagpki/pki/issues/5051
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Rob Crittenden <rcritten@redhat.com>
---
.../integration/create_caless_pki.py | 34 +++++++++++++++++++
1 file changed, 34 insertions(+)
diff --git a/ipatests/pytest_ipa/integration/create_caless_pki.py b/ipatests/pytest_ipa/integration/create_caless_pki.py
index 71d804c339cc71bc14e1f819639852e32b54c098..d06f1dd8c328628bd692c2abf3acfc88ba6a7408 100644
--- a/ipatests/pytest_ipa/integration/create_caless_pki.py
+++ b/ipatests/pytest_ipa/integration/create_caless_pki.py
@@ -199,6 +199,20 @@ def profile_server(builder, ca_nick, ca,
critical=False,
)
+ if ca:
+ try:
+ ski_ext = ca.cert.extensions.get_extension_for_class(
+ x509.SubjectKeyIdentifier)
+ builder = builder.add_extension(
+ x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
+ ski_ext.value
+ ),
+ critical=False,
+ )
+ except x509.ExtensionNotFound:
+ # if the CA doesn't have a SKI, just ignore
+ pass
+
if badusage:
builder = builder.add_extension(
x509.KeyUsage(
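Review bot: the `except x509.ExtensionNotFound: pass` in the new Authority Key Identifier block silently skips the extension when the test CA carries no Subject Key Identifier, which is exactly the condition the commit message says breaks replica installation ("Missing Authority Key Identifier"); the failure would just move from certificate generation to the later verify step. Since `x509.AuthorityKeyIdentifier.from_issuer_public_key(ca.cert.public_key())` can derive the AKI from the CA's public key without an SKI, consider using it as the fallback in the except branch (or at least logging there) so the generated server certificate is always chainable.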
@@ -214,6 +228,26 @@ def profile_server(builder, ca_nick, ca,
),
critical=False
)
+ else:
+ builder = builder.add_extension(
+ x509.KeyUsage(
+ digital_signature=True,
+ content_commitment=False,
+ key_encipherment=True,
+ data_encipherment=True,
+ key_agreement=False,
+ key_cert_sign=False,
+ crl_sign=False,
+ encipher_only=False,
+ decipher_only=False
+ ),
+ critical=False
+ )
+
+ builder = builder.add_extension(
+ x509.ExtendedKeyUsage([x509.ObjectIdentifier('1.3.6.1.5.5.7.3.1')]),
+ critical=False,
+ )
if wildcard:
names = [x509.DNSName(u'*.' + domain)]
--
2.50.1
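Review bot: the Extended Key Usage added after the `if badusage:` / `else:` block spells the OID out as `x509.ObjectIdentifier('1.3.6.1.5.5.7.3.1')`; `x509.ExtendedKeyUsageOID.SERVER_AUTH` is the same value and makes the intent (serverAuth) readable and typo-proof. Note also that, because the EKU is added outside the `else:` branch, certificates generated with `badusage` receive serverAuth too; that is fine if the negative tests only rely on the wrong KeyUsage, but worth confirming. Finally, RFC 5280 recommends marking KeyUsage critical; `critical=False` mirrors the existing badusage branch, so keeping it consistent is defensible, but `data_encipherment=True` is not needed for a TLS server key and could be dropped to keep the fixture minimal.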


@ -231,7 +231,7 @@
Name: %{package_name}
Version: %{IPA_VERSION}
Release: 21%{?rc_version:.%rc_version}%{?dist}
Release: 22%{?rc_version:.%rc_version}%{?dist}
Summary: The Identity, Policy and Audit system
License: GPL-3.0-or-later
@ -362,6 +362,7 @@ Patch0104: 0104-Use-correct-capitalization-for-GitHub-and-GitLab.patch
Patch0105: 0105-kdb-prevent-double-crash-in-RBCD-ACL-free.patch
Patch0106: 0106-ipatests-Tests-for-ipa-migrate-tool-with-ldif-file.patch
Patch0107: 0107-dns-disable-all-previous-Unbound-configuration-befor.patch
Patch0108: 0108-ipatests-add-extensions-to-server-certificates-for-C.patch
Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
%endif
%endif
@ -2015,6 +2016,9 @@ fi
%endif
%changelog
* Mon Aug 25 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-22
- Resolves: RHEL-107483 ipa-ca-install fails on CA-less replica due to inadequate key usage in master certificate
* Mon Aug 18 2025 Rafael Jeffman <rjeffman@redhat.com> - 4.12.2-21
- Resolves: RHEL-109768 Revert allow update of Kerberos master key