CSR with 'BEGIN NEW CERTIFICATE REQUEST' no longer accepted #6340

Closed
felixfontein opened this issue Sep 30, 2021 · 2 comments

@felixfontein
Contributor

Since cryptography 35.0.0, CSRs with BEGIN NEW CERTIFICATE REQUEST instead of BEGIN CERTIFICATE REQUEST are no longer accepted.

Example CSR:

-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBJTCBzQIBADAWMRQwEgYDVQQDEwthbnNpYmxlLmNvbTBZMBMGByqGSM49AgEG
CCqGSM49AwEHA0IABACc9MgAFwMBJjoU0ZI18cIHnW1juoKG2DN5VrM60uvBvEEs
4V0egJkNyM2Q4pp001zu14VcpQ0/Ei8xOOPxKZugVTBTBgkqhkiG9w0BCQ4xRjBE
MCMGA1UdEQQcMBqCC2V4YW1wbGUuY29tggtleGFtcGxlLm9yZzAMBgNVHRMBAf8E
AjAAMA8GA1UdDwEB/wQFAwMHgAAwCgYIKoZIzj0EAwIDRwAwRAIgcDyoRmwFVBDl
FvbFZtiSd5wmJU1ltM6JtcfnLWnjY54CICruOByrropFUkOKKb4xXOYsgaDT93Wr
URnCJfTLr2T3
-----END NEW CERTIFICATE REQUEST-----
@tiran
Contributor

tiran commented Sep 30, 2021

OpenSSL supports two old PEM headers:

# define PEM_STRING_X509_OLD     "X509 CERTIFICATE"
# define PEM_STRING_X509         "CERTIFICATE"
# define PEM_STRING_X509_TRUSTED "TRUSTED CERTIFICATE"
# define PEM_STRING_X509_REQ_OLD "NEW CERTIFICATE REQUEST"
# define PEM_STRING_X509_REQ     "CERTIFICATE REQUEST"
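
For a parser that accepts only the canonical `CERTIFICATE REQUEST` label, one way to handle the legacy labels listed above is to rewrite them from a strict allowlist before parsing. This is an added example, not code from this thread or from the cryptography project; `normalize_pem`, `LEGACY`, `ALLOWED` and `PEM_RE` are hypothetical names, and the sample input is the CSR posted in the issue.

```python
import base64
import binascii
import re

# Legacy -> canonical labels, from the OpenSSL defines quoted in the thread.
LEGACY = {"NEW CERTIFICATE REQUEST": "CERTIFICATE REQUEST",
          "X509 CERTIFICATE": "CERTIFICATE"}
ALLOWED = set(LEGACY.values())
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END ([A-Z0-9 ]+)-----", re.DOTALL)

# The CSR posted in the issue, used here as sample input.
SAMPLE = """-----BEGIN NEW CERTIFICATE REQUEST-----
MIIBJTCBzQIBADAWMRQwEgYDVQQDEwthbnNpYmxlLmNvbTBZMBMGByqGSM49AgEG
CCqGSM49AwEHA0IABACc9MgAFwMBJjoU0ZI18cIHnW1juoKG2DN5VrM60uvBvEEs
4V0egJkNyM2Q4pp001zu14VcpQ0/Ei8xOOPxKZugVTBTBgkqhkiG9w0BCQ4xRjBE
MCMGA1UdEQQcMBqCC2V4YW1wbGUuY29tggtleGFtcGxlLm9yZzAMBgNVHRMBAf8E
AjAAMA8GA1UdDwEB/wQFAwMHgAAwCgYIKoZIzj0EAwIDRwAwRAIgcDyoRmwFVBDl
FvbFZtiSd5wmJU1ltM6JtcfnLWnjY54CICruOByrropFUkOKKb4xXOYsgaDT93Wr
URnCJfTLr2T3
-----END NEW CERTIFICATE REQUEST-----
"""


def normalize_pem(pem):
    """Return (canonical_pem, der) for one PEM block; reject unknown labels."""
    match = PEM_RE.search(pem)
    if match is None:
        raise ValueError("no PEM block found")
    begin, body, end = match.groups()
    if begin != end:
        raise ValueError(f"BEGIN/END label mismatch: {begin!r} vs {end!r}")
    label = LEGACY.get(begin, begin)  # rewrite only known legacy labels
    if label not in ALLOWED:
        raise ValueError(f"unsupported PEM label: {begin!r}")
    try:
        der = base64.b64decode("".join(body.split()), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"invalid base64 in PEM body: {exc}") from exc
    if not der or der[0] != 0x30:  # CSRs and certificates are DER SEQUENCEs
        raise ValueError("PEM body is not a DER SEQUENCE")
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    pem_out = "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----", ""])
    return pem_out, der


if __name__ == "__main__":
    print(normalize_pem(SAMPLE)[0])
```

The DER bytes are unchanged by the rewrite, so any signature inside the CSR remains valid; only the PEM armor differs.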

@alex
Member

alex commented Oct 2, 2021

fixed in #6356

@alex closed this as completed Oct 2, 2021
martinpitt added a commit to martinpitt/bots that referenced this issue Oct 19, 2021
FreeIPA 4.9.7 in Rawhide removed support for XML-RPC in PKI. This breaks
compatibility with various client-side packages like certmonger [1] or
python-cryptography [2], which makes ipa-getcert fail [3].

These issues won't be fixed in all our stable OSes anytime soon. Until
then, move to the more conservative centos-8-stream variant, so that we
can continue testing FreeIPA on all OSes.

[1] https://pagure.io/certmonger/issue/223
[2] pyca/cryptography#6340
[3] https://bugzilla.redhat.com/show_bug.cgi?id=2015102
martinpitt added a commit to cockpit-project/bots that referenced this issue Oct 19, 2021
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jan 1, 2022