pki-bot
commented
4 years ago Comment from mharmsen (@mharmsen) at 2018-08-17 11:50:07
Metadata Update from @mharmsen:
- Custom field component adjusted to None
- Custom field feature adjusted to None
- Custom field origin adjusted to None
- Custom field proposedmilestone adjusted to None
- Custom field proposedpriority adjusted to None
- Custom field reviewer adjusted to None
- Custom field type adjusted to None
- Custom field version adjusted to None
- Issue set to the milestone: 0.0 NEEDS_TRIAGE
This issue was migrated from Pagure Issue #3049. Originally filed by rcritten (@rcritten) on 2018-08-16 08:41:37:
The FUTURE crypto policy in F29 requires RSA keys >= 3072 and signature alg >= 384.
During spawn a temporary certificate is issued for the SSL server cert using certutil which fails:
ERROR ....... subprocess.CalledProcessError: Command '['certutil', '-S', '-d', '/etc/pki/pki-tomcat/alias', '-h', 'internal', '-n', 'Server-Cert cert-pki-ca', '-s', 'cn=ipa.example.test,o=2018-08-16 08:23:54', '-k', 'rsa', '-g', '4096', '-m', '0', '-v', '12', '-c', 'cn=ipa.example.test,o=2018-08-16 08:23:54', '-t', 'CTu,CTu,CTu', '-z', '/etc/pki/pki-tomcat/ca/noise', '-f', '/etc/pki/pki-tomcat/pfile', '-x']' returned non-zero exit status 255.!
I ran this manually and got:
certutil -S -d /etc/pki/pki-tomcat/alias -h internal -n 'Server-Cert cert-pki-ca' -s cn=ipa.example.test,o=2018-08-16 08:23:54 -k rsa -g 4096 -m 0 -v 12 -c cn=ipa.example.test,o=2018-08-16 08:23:54 -t CTu,CTu,CTu -z /etc/pki/pki-tomcat/ca/noise -f /etc/pki/pki-tomcat/pfile -x
Generating key. This may take a few moments...
certutil: bad certificate request : SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED: The certificate was signed using a signature algorithm that is disabled because it is not secure. certutil: unable to create cert (The certificate was signed using a signature algorithm that is disabled because it is not secure.)
So I tried again and specified the signing algorithm using -Z SHA512 and it succeeded.