python-cryptography 35 rejects legacy PEM headers: https://github.com/pyca/cryptography/issues/6340
allowed again in: https://github.com/pyca/cryptography/commit/51221b2c48cd04fa6e31099d949f5d7bd564984d
pkispawn on IPA installation with external CA generates CSR with legacy headers: BEGIN NEW CERTIFICATE REQUEST/END NEW CERTIFICATE REQUEST. create_request: https://github.com/dogtagpki/pki/blob/292ec6037cec3259f81d2a4cb4aeb7c41d7106d9/base/common/python/pki/nssdb.py#L811-L815
    # add header and footer
    with open(request_file, 'w') as f:
        f.write('-----BEGIN NEW CERTIFICATE REQUEST-----\n')
        f.write(b64_request)
        f.write('-----END NEW CERTIFICATE REQUEST-----\n')
So, IPA + external CA is broken against python-cryptography 35.
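An added example (not code from this ticket, pki or python-cryptography): a stdlib-only check that detects the legacy NEW CERTIFICATE REQUEST label written by the snippet above and re-emits the CSR under the RFC 7468 CERTIFICATE REQUEST label. The function name normalize_csr_pem and the sample bytes are constructed for illustration.

```python
import base64
import binascii
import re
import textwrap

# RFC 7468 label and the legacy alias written by the snippet above.
STANDARD_LABEL = "CERTIFICATE REQUEST"
LEGACY_LABEL = "NEW CERTIFICATE REQUEST"

_PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END ([A-Z0-9 ]+)-----",
    re.DOTALL,
)


def normalize_csr_pem(pem_text):
    """Return (pem, was_legacy); raise ValueError on a malformed CSR block."""
    match = _PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM block found")
    begin, body, end = match.groups()
    if begin != end:
        raise ValueError(f"label mismatch: {begin!r} vs {end!r}")
    if begin not in (STANDARD_LABEL, LEGACY_LABEL):
        raise ValueError(f"not a CSR: {begin!r}")
    compact = "".join(body.split())  # drop line wrapping before decoding
    try:
        der = base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"invalid base64 body: {exc}") from exc
    if not der or der[0] != 0x30:  # a CSR is a DER SEQUENCE
        raise ValueError("body is not a DER SEQUENCE")
    wrapped = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    pem = f"-----BEGIN {STANDARD_LABEL}-----\n{wrapped}\n-----END {STANDARD_LABEL}-----\n"
    return pem, begin == LEGACY_LABEL


# Constructed sample: a placeholder DER SEQUENCE, not a real CSR.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x00])
SAMPLE_LEGACY = (
    "-----BEGIN NEW CERTIFICATE REQUEST-----\n"
    + base64.b64encode(SAMPLE_DER).decode("ascii")
    + "\n-----END NEW CERTIFICATE REQUEST-----\n"
)

if __name__ == "__main__":
    print(normalize_csr_pem(SAMPLE_LEGACY))
```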
Metadata Update from @frenaud: - Issue tagged with: test-failure
Metadata Update from @frenaud: - Issue tagged with: tracker
BZ opened against fedora rawhide: https://bugzilla.redhat.com/show_bug.cgi?id=2023229
certmonger is tracking the issue in https://pagure.io/certmonger/issue/228
pki is tracking the issue in https://github.com/dogtagpki/pki/issues/3843
The issue should be fixed in rawhide with the update of python-cryptography to python-cryptography-36.0.0-1.fc36. Let's wait for next week-end nightly run...
Closing, the update to python-cryptography-36.0.0-1.fc36 fixes the issue as can be seen in PR #1336
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)