Bug 1952930

Summary: certmonger: Port to OpenSSL 3.0
Product: Red Hat Enterprise Linux 9
Reporter: Sahana Prasad <sahana>
Component: certmonger
Assignee: Rob Crittenden <rcritten>
Status: CLOSED CURRENTRELEASE
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Priority: high
Version: CentOS Stream
CC: bstinson, cheimes, fweimer, jwboyer, ksiddiqu, mpolovka, pvoborni, rcritten
Target Milestone: beta
Keywords: Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: certmonger-0.79.13-6.el9
Last Closed: 2021-12-07 21:24:13 UTC
Type: Bug
Bug Depends On: 1955873, 1961687    
Bug Blocks: 1958021    

Description Sahana Prasad 2021-04-23 15:28:41 UTC
This bug is used to track the readiness of certmonger with OpenSSL 3.0.

Currently the build fails with some porting issues:

https://kojihub.stream.rdu2.redhat.com/koji/taskinfo?taskID=218931

Kindly fix them to ensure certmonger builds with OpenSSL 3.0, as we will introduce OpenSSL 3.0 in RHEL-9.

OpenSSL 3.0 package to test with:
http://download.eng.bos.redhat.com/rhel-9/nightly/RHEL-9-Beta/RHEL-9.0.0-20210414.0/compose/BaseOS/x86_64/os/Packages/openssl-3.0.0-0.alpha13.1.el9.x86_64.rpm

Comment 1 Sahana Prasad 2021-04-29 09:32:51 UTC
There is no sidetag yet; kindly use this build:
https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1571383
I will notify you when there is a sidetag.

Comment 2 Rob Crittenden 2021-04-29 17:42:46 UTC
Will start in Fedora with https://copr.fedorainfracloud.org/coprs/saprasad/openssl-3.0/

Comment 3 Rob Crittenden 2021-04-29 18:25:40 UTC
I believe this failure is caused by libraries that have not been ported yet, including openldap and krb5.

Comment 4 Rob Crittenden 2021-05-14 14:05:27 UTC
Still waiting for dependent libraries to be rebuilt and added to the side tag: https://kojihub.stream.rdu2.redhat.com/kojifiles/work/tasks/6342/266342/build.log

Comment 5 Florian Weimer 2021-05-14 14:23:33 UTC
The build failure looks like a toolchain problem, unrelated to OpenSSL 3.0:

/usr/bin/ld: /usr/bin/ld: DWARF error: invalid abstract instance DIE ref
/tmp/cckkh08J.ltrans0.ltrans.o: in function `main':
<artificial>:(.text.startup[.text.startup.group]+0x2ee): undefined reference to `OPENSSL_init_ssl'

I filed binutils bug 1960658 for this. I expect the fact that it appears after your changes is just an accident.

Comment 7 Rob Crittenden 2021-05-17 13:43:55 UTC
Adding %define _lto_cflags %{nil} to the spec eliminated the DWARF warnings.

libcurl, openldap and openssh were built and added to the side tag, thanks.

I attempted a rebuild this morning and it looks like only the krb5 dependency is missing:
https://kojihub.stream.rdu2.redhat.com/koji/taskinfo?taskID=267355

Comment 9 Christian Heimes 2021-05-18 08:00:42 UTC
I'm adding the krb5 BZ to make the dependency more visible.

Comment 10 Rob Crittenden 2021-05-18 13:08:09 UTC
I made a hacky local build of krb5. It provides enough that certmonger can compile so I can at least start looking at the API changes needed (just a small component of certmonger requires Kerberos).

Comment 11 Rob Crittenden 2021-05-18 13:45:33 UTC
Filed https://bugzilla.redhat.com/show_bug.cgi?id=1961687 . openssl spkac fails, causing tests/003-csrgen to fail.

Comment 12 Rob Crittenden 2021-05-18 23:03:16 UTC
I have a candidate scratch build done.

Comment 13 Rob Crittenden 2021-05-19 14:35:04 UTC
Patches merged. This will need to be re-visited in the future once the OpenSSL bug is addressed so I can re-enable the gencsr tests.

Comment 24 Michal Polovka 2021-07-15 12:31:41 UTC
Verified manually from build log[1] of certmonger-0.79.13-6.el9[2]

Requires: libc.so.6()(64bit) libc.so.6(GLIBC_2.14)(64bit) libc.so.6(GLIBC_2.15)(64bit) libc.so.6(GLIBC_2.2.5)(64bit) libc.so.6(GLIBC_2.27)(64bit) libc.so.6(GLIBC_2.3)(64bit) libc.so.6(GLIBC_2.3.4)(64bit) libc.so.6(GLIBC_2.33)(64bit) libc.so.6(GLIBC_2.4)(64bit) libcom_err.so.2()(64bit) libcrypto.so.3()(64bit) libcrypto.so.3(OPENSSL_3.0.0)(64bit) libcurl.so.4()(64bit) libdbus-1.so.3()(64bit) libdbus-1.so.3(LIBDBUS_1_3)(64bit) libdl.so.2()(64bit) libidn2.so.0()(64bit) libidn2.so.0(IDN2_0.0.0)(64bit) libjansson.so.4()(64bit) libkrb5.so.3()(64bit) libkrb5.so.3(krb5_3_MIT)(64bit) libldap_r-2.4.so.2()(64bit) libnspr4.so()(64bit) libnss3.so()(64bit) libnss3.so(NSS_3.10)(64bit) libnss3.so(NSS_3.12)(64bit) libnss3.so(NSS_3.12.4)(64bit) libnss3.so(NSS_3.12.5)(64bit) libnss3.so(NSS_3.14)(64bit) libnss3.so(NSS_3.16.2)(64bit) libnss3.so(NSS_3.2)(64bit) libnss3.so(NSS_3.3)(64bit) libnss3.so(NSS_3.4)(64bit) libnss3.so(NSS_3.5)(64bit) libnss3.so(NSS_3.7)(64bit) libnss3.so(NSS_3.8)(64bit) libnss3.so(NSS_3.9)(64bit) libnss3.so(NSS_3.9.3)(64bit) libnssutil3.so()(64bit) libnssutil3.so(NSSUTIL_3.12)(64bit) libplc4.so()(64bit) libplds4.so()(64bit) libpopt.so.0()(64bit) libpopt.so.0(LIBPOPT_0)(64bit) libpthread.so.0()(64bit) libpthread.so.0(GLIBC_2.2.5)(64bit) libresolv.so.2()(64bit) libresolv.so.2(GLIBC_2.2.5)(64bit) libresolv.so.2(GLIBC_2.9)(64bit) libsmime3.so()(64bit) libsmime3.so(NSS_3.4)(64bit) libssl3.so()(64bit) libtalloc.so.2()(64bit) libtalloc.so.2(TALLOC_2.0.2)(64bit) libtevent.so.0()(64bit) libtevent.so.0(TEVENT_0.9.9)(64bit) libuuid.so.1()(64bit) libuuid.so.1(UUID_1.0)(64bit) libxml2.so.2()(64bit) libxml2.so.2(LIBXML2_2.4.30)(64bit) rtld(GNU_HASH)
Processing files: certmonger-debugsource-0.79.13-6.el9.x86_64

[1] http://download.eng.bos.redhat.com/brewroot/vol/rhel-9/packages/certmonger/0.79.13/6.el9/data/logs/x86_64/build.log
[2] https://brewweb.engineering.redhat.com/brew/buildinfo?buildID=1635509