You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
IPA server installation with an external CA is done in a 2-step process, the first step produces a CSR that needs to be signed by the external CA.
The CSR produced by PKI is unrecognized by python-cryptography 35 (shipped in fedora rawhide) because it contains a header BEGIN NEW CERTIFICATE REQUEST instead of BEGIN CERTIFICATE REQUEST. pkispawn should produce a CSR with the most recent format (the NEW is still acceptable but generators should not be doing it per https://datatracker.ietf.org/doc/html/rfc7468#section-7):
The label "NEW CERTIFICATE REQUEST" is also in wide use. Generators
conforming to this document MUST generate "CERTIFICATE REQUEST"
labels. Parsers MAY treat "NEW CERTIFICATE REQUEST" as equivalent to
"CERTIFICATE REQUEST".
IPA server installation with an external CA is done in a 2-step process, the first step produces a CSR that needs to be signed by the external CA.
The CSR produced by PKI is unrecognized by python-cryptography 35 (shipped in fedora rawhide) because it contains a header
BEGIN NEW CERTIFICATE REQUEST
instead ofBEGIN CERTIFICATE REQUEST
. pkispawn should produce a CSR with the most recent format (the NEW is still acceptable but generators should not be doing it per https://datatracker.ietf.org/doc/html/rfc7468#section-7):See the code in
pki/base/common/python/pki/nssdb.py
Lines 811 to 815 in 292ec60
The text was updated successfully, but these errors were encountered: