ipa-4.12.2-22
- Resolves: RHEL-107483 ipa-ca-install fails on CA-less replica due to inadequate key usage in master certificate Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
This commit is contained in:
parent
c07b72dc4a
commit
fe5c3c292a
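--- a/0108-ipatests-add-extensions-to-server-certificates-for-C.patch
+++ b/0108-ipatests-add-extensions-to-server-certificates-for-C.patch
@@ -0,0 +1,81 @@
+From 8cfafeffd1ad5266b35a7eb796976e873278f500 Mon Sep 17 00:00:00 2001
+From: Florence Blanc-Renaud <flo@redhat.com>
+Date: Wed, 14 May 2025 10:44:26 +0200
+Subject: [PATCH] ipatests: add extensions to server certificates for CAless
+mode
+
+When installing the server in CA less mode, the tests generate
+server certificates but some extensions were missing.
+
+Generate server cert with an Authority Key Identifier extension
+using the CA's subject key identifier.
+
+Without this extension, replica installation fails with
+certificate verify failed: Missing Authority Key Identifier
+in the step fetching the DM password from the server.
+
+Add KeyUsage and Extended Key Usage.
+
+Fixes: https://pagure.io/freeipa/issue/9787
+Related: https://github.com/dogtagpki/pki/issues/5051
+Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
+Reviewed-By: Rob Crittenden <rcritten@redhat.com>
+---
+.../integration/create_caless_pki.py | 34 +++++++++++++++++++
+1 file changed, 34 insertions(+)
+
+diff --git a/ipatests/pytest_ipa/integration/create_caless_pki.py b/ipatests/pytest_ipa/integration/create_caless_pki.py
+index 71d804c339cc71bc14e1f819639852e32b54c098..d06f1dd8c328628bd692c2abf3acfc88ba6a7408 100644
+--- a/ipatests/pytest_ipa/integration/create_caless_pki.py
++++ b/ipatests/pytest_ipa/integration/create_caless_pki.py
+@@ -199,6 +199,20 @@ def profile_server(builder, ca_nick, ca,
+critical=False,
+)
+
++ if ca:
++ try:
++ ski_ext = ca.cert.extensions.get_extension_for_class(
++ x509.SubjectKeyIdentifier)
++ builder = builder.add_extension(
++ x509.AuthorityKeyIdentifier.from_issuer_subject_key_identifier(
++ ski_ext.value
++ ),
++ critical=False,
++ )
++ except x509.ExtensionNotFound:
++ # if the CA doesn't have a SKI, just ignore
++ pass
++
+if badusage:
+builder = builder.add_extension(
+x509.KeyUsage(
+@@ -214,6 +228,26 @@ def profile_server(builder, ca_nick, ca,
+),
+critical=False
+)
++ else:
++ builder = builder.add_extension(
++ x509.KeyUsage(
++ digital_signature=True,
++ content_commitment=False,
++ key_encipherment=True,
++ data_encipherment=True,
++ key_agreement=False,
++ key_cert_sign=False,
++ crl_sign=False,
++ encipher_only=False,
++ decipher_only=False
++ ),
++ critical=False
++ )
++
++ builder = builder.add_extension(
++ x509.ExtendedKeyUsage([x509.ObjectIdentifier('1.3.6.1.5.5.7.3.1')]),
++ critical=False,
++ )
+
+if wildcard:
+names = [x509.DNSName(u'*.' + domain)]
+--
+2.50.1
+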
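Review bot: The Extended Key Usage on the new server certificate is spelled as a bare OID, `x509.ExtendedKeyUsage([x509.ObjectIdentifier('1.3.6.1.5.5.7.3.1')])`; writing it as `x509.ExtendedKeyUsage([x509.ExtendedKeyUsageOID.SERVER_AUTH])` states what the test asserts about the certificate and removes a transcription risk. In the same function, the `except x509.ExtensionNotFound: pass` around the Authority Key Identifier means a test CA without a Subject Key Identifier silently yields exactly the certificate the commit message says breaks replica installation, so the problem would resurface later as the same opaque "Missing Authority Key Identifier" error far from its cause. Since this is a test helper, raising here is arguably better than passing; at minimum the comment should name the consequence, e.g. `# CA has no SKI: the server cert gets no AKI and replica install will fail on it`. profile_server's definition and the rest of its body lie outside the quoted hunks.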
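--- a/[spec file path not shown on page]
+++ b/[spec file path not shown on page]
@@ -231,7 +231,7 @@
 
 Name: %{package_name}
 Version: %{IPA_VERSION}
-Release: 21%{?rc_version:.%rc_version}%{?dist}
+Release: 22%{?rc_version:.%rc_version}%{?dist}
 Summary: The Identity, Policy and Audit system
 
 License: GPL-3.0-or-later
@@ -362,6 +362,7 @@ Patch0104: 0104-Use-correct-capitalization-for-GitHub-and-GitLab.patch
 Patch0105: 0105-kdb-prevent-double-crash-in-RBCD-ACL-free.patch
 Patch0106: 0106-ipatests-Tests-for-ipa-migrate-tool-with-ldif-file.patch
 Patch0107: 0107-dns-disable-all-previous-Unbound-configuration-befor.patch
+Patch0108: 0108-ipatests-add-extensions-to-server-certificates-for-C.patch
 Patch1001: 1001-Change-branding-to-IPA-and-Identity-Management.patch
 %endif
 %endif
@@ -2015,6 +2016,9 @@ fi
 %endif
 
 %changelog
+* Mon Aug 25 2025 Florence Blanc-Renaud <flo@redhat.com> - 4.12.2-22
+- Resolves: RHEL-107483 ipa-ca-install fails on CA-less replica due to inadequate key usage in master certificate
+
 * Mon Aug 18 2025 Rafael Jeffman <rjeffman@redhat.com> - 4.12.2-21
 - Resolves: RHEL-109768 Revert allow update of Kerberos master key
 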