I tested the following command, which is now working:
sscg -q \
--cert-file /etc/pki/tls/certs/localhost.crt \
--cert-key-file /etc/pki/tls/private/localhost.key \
--ca-file /etc/pki/tls/certs/localhost.crt \
--no-dhparams-file \
--lifetime 365 \
--hostname $FQDN \
--email root@$FQDN
Also tested with FreeIPA and a client using mod_ssl and mod_md, works well. Thanks for the patch!
With this version, IPA fails to obtain an ACME certificate using mod_md and mod_ssl. mod_ssl is launching the service httpd-init (unit file stored in /usr/lib/systemd/system/httpd-init.service), which calls /usr/libexec/httpd-ssl-gencerts. This command in turn calls sscg with the following arguments:
sscg -q \
--cert-file /etc/pki/tls/certs/localhost.crt \
--cert-key-file /etc/pki/tls/private/localhost.key \
--ca-file /etc/pki/tls/certs/localhost.crt \
--no-dhparams-file \
--lifetime 365 \
--hostname $FQDN \
--email root@$FQDN
With sscg-4.0.0-1.fc43.x86_64, there is no issue. With sscg-4.0.1-1.fc43, the command fails, likely because we provide the same file for the cert and the CA.
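As an added example (not from these comments, not from sscg, and not from httpd-ssl-gencerts), a small POSIX sh check for the condition the comment above suspects: --cert-file and --ca-file resolving to the same file. Running it over the argument list before invoking sscg tells an operator whether a 4.0.1 failure is explained by that argument pattern; resolve_path and check_cert_ca_args are names assumed here, and the fallback to a literal string comparison when readlink cannot canonicalise the path is an assumption of this example.

```shell
#!/bin/sh
# Added example, not part of sscg or httpd-ssl-gencerts.
# Detects the argument pattern reported above: --cert-file and --ca-file
# naming the same file, which sscg-4.0.1 is reported to reject.

# resolve_path: canonicalise a path when readlink -f can (directory exists);
# otherwise fall back to the literal string (assumption of this example).
resolve_path() {
  readlink -f "$1" 2>/dev/null || printf '%s\n' "$1"
}

# check_cert_ca_args: scan an sscg argument list.
# Returns 0 when the cert and CA outputs are distinct (or one is absent),
# 1 when both are given and resolve to the same file.
check_cert_ca_args() {
  cert=""
  ca=""
  while [ $# -gt 0 ]; do
    case "$1" in
      --cert-file) [ $# -gt 1 ] && cert="$2" && shift ;;
      --ca-file)   [ $# -gt 1 ] && ca="$2" && shift ;;
    esac
    shift
  done
  # Only an issue when both outputs are requested.
  [ -n "$cert" ] && [ -n "$ca" ] || return 0
  [ "$(resolve_path "$cert")" != "$(resolve_path "$ca")" ]
}

# Usage: the httpd-ssl-gencerts invocation quoted above fails this check;
# pointing --ca-file at a separate file (constructed path) passes it.
FQDN="${FQDN:-localhost.localdomain}"
if check_cert_ca_args -q \
    --cert-file /etc/pki/tls/certs/localhost.crt \
    --cert-key-file /etc/pki/tls/private/localhost.key \
    --ca-file /etc/pki/tls/certs/localhost.crt \
    --no-dhparams-file --lifetime 365 \
    --hostname "$FQDN" --email "root@$FQDN"; then
  echo "cert and CA paths are distinct"
else
  echo "cert and CA paths are identical: expect sscg-4.0.1 to fail"
fi
```

The check is deliberately limited to the argument list, so it runs without sscg installed and without touching /etc/pki; it is a triage aid for the failure described, not a replacement for the fix in the packaged script.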
I tested the scenarios from IDM-3799 and they are now fixed, thanks.
Tested the installation, works well.
Tested new installation and upgrade, works well.
Test in PR https://github.com/freeipa/freeipa/pull/7977, works well
Tested with ipa-server-install
Tested with ipa-server-install
Fixes our issue with subca certificate issuance.
Correctly fixes the CVE
Correctly fixes the CVE
Correctly fixes the CVE
Tested ipa-server-install with --ntp-pool argument (this command uses python-augeas to configure chronyd), works well
Tested with IPA server, works fine
Tested with IPA server, works fine
CVE properly fixed, tested server + replica installation with no issue
CVE properly fixed, tested server + replica installation with no issue
Tested server + replica installation, works well