This issue was migrated from Pagure Issue #3049. Originally filed by rcritten on 2018-08-16.
The FUTURE crypto policy in F29 requires RSA keys >= 3072 and signature alg >= 384.
During spawn a temporary certificate is issued for the SSL server cert using certutil which fails:
ERROR ....... subprocess.CalledProcessError: Command '['certutil', '-S', '-d', '/etc/pki/pki-tomcat/alias', '-h', 'internal', '-n', 'Server-Cert cert-pki-ca', '-s', 'cn=ipa.example.test,o=2018-08-16 08:23:54', '-k', 'rsa', '-g', '4096', '-m', '0', '-v', '12', '-c', 'cn=ipa.example.test,o=2018-08-16 08:23:54', '-t', 'CTu,CTu,CTu', '-z', '/etc/pki/pki-tomcat/ca/noise', '-f', '/etc/pki/pki-tomcat/pfile', '-x']' returned non-zero exit status 255.!
I ran this manually and got:
certutil -S -d /etc/pki/pki-tomcat/alias -h internal -n 'Server-Cert cert-pki-ca' -s 'cn=ipa.example.test,o=2018-08-16 08:23:54' -k rsa -g 4096 -m 0 -v 12 -c 'cn=ipa.example.test,o=2018-08-16 08:23:54' -t CTu,CTu,CTu -z /etc/pki/pki-tomcat/ca/noise -f /etc/pki/pki-tomcat/pfile -x
Generating key. This may take a few moments...
certutil: bad certificate request
: SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED: The certificate was signed using a signature algorithm that is disabled because it is not secure.
certutil: unable to create cert (The certificate was signed using a signature algorithm that is disabled because it is not secure.)
So I tried again and specified the signing algorithm using -Z SHA512 and it succeeded.
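
Added example, not part of the original report and not the PKI project's code: a sketch of a spawn-side wrapper that always passes an explicit `-Z` hash to `certutil` and recognizes the policy rejection shown above. The function names, the `SHA512` default and the injectable `run` parameter are assumptions made for illustration.

```python
import subprocess

SIG_ALG_DISABLED = "SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED"

# Constructed sample: the argv from the failing spawn command in the report.
SPAWN_ARGV = [
    "certutil", "-S", "-d", "/etc/pki/pki-tomcat/alias", "-h", "internal",
    "-n", "Server-Cert cert-pki-ca",
    "-s", "cn=ipa.example.test,o=2018-08-16 08:23:54",
    "-k", "rsa", "-g", "4096", "-m", "0", "-v", "12",
    "-c", "cn=ipa.example.test,o=2018-08-16 08:23:54",
    "-t", "CTu,CTu,CTu", "-z", "/etc/pki/pki-tomcat/ca/noise",
    "-f", "/etc/pki/pki-tomcat/pfile", "-x",
]


def with_explicit_hash(argv, hash_alg="SHA512"):
    """Return a copy of argv that names the signature hash with -Z.

    certutil options are case-sensitive: -z (noise file) is not -Z (hash),
    so membership is tested on the exact token. A caller-supplied -Z wins.
    """
    argv = list(argv)
    return argv if "-Z" in argv else argv + ["-Z", hash_alg]


def rejected_by_policy(output):
    """True when certutil output carries the NSS 'algorithm disabled' error."""
    return SIG_ALG_DISABLED in output


def issue_temp_cert(argv, run=subprocess.run):
    """Run certutil with an explicit hash; report a policy rejection clearly."""
    argv = with_explicit_hash(argv)
    proc = run(argv, capture_output=True, text=True)
    if proc.returncode != 0 and rejected_by_policy(proc.stdout + proc.stderr):
        raise RuntimeError("signature hash refused by the active crypto policy")
    proc.check_returncode()  # any other failure surfaces as CalledProcessError
    return argv
```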