Bug 2023229

Summary: CSR with 'BEGIN NEW CERTIFICATE REQUEST' no longer accepted
Product: Fedora
Component: python-cryptography
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Status: CLOSED ERRATA
Severity: high
Priority: unspecified
Reporter: Florence Blanc-Renaud <frenaud>
Assignee: Jeremy Cline <jeremy>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: cheimes, jeremy, nick, npmccallum, terrycwk1994
Fixed In Version: python-cryptography-36.0.0-1.fc36
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2021-11-23 10:06:32 UTC
Bug Depends On: 2025347

Description Florence Blanc-Renaud 2021-11-15 09:27:32 UTC
Description of problem:
With the update to python-cryptography 35, CSRs containing the header 'BEGIN NEW CERTIFICATE REQUEST' are no longer accepted.
As a consequence, the tests for IPA server installation with an externally-signed CA fail.

The issue already has an upstream fix (https://github.com/pyca/cryptography/pull/6356) but rawhide doesn't ship the fix yet.

Version-Release number of selected component (if applicable):
python3-cryptography-35.0.0-2.fc36.x86_64

How reproducible:
Always

Steps to Reproduce:
Run IPA upstream test "fedora-rawhide/external_ca_TestMultipleExternalCA". The test scenario is equivalent to the following:
1. dnf install -y freeipa-server
2. ipa-server-install --domain ipa.test --realm IPA.TEST -a Secret123 -p Secret123 --external-ca -U
This command produces /root/ipa.csr which contains a header "-----BEGIN NEW CERTIFICATE REQUEST-----"
3. Use a python script loading the CSR:

from cryptography import x509
from cryptography.hazmat.backends import default_backend

# /root/ipa.csr is the request written by ipa-server-install --external-ca (step 2)
with open("/root/ipa.csr", "rb") as ipa_csr:
    csr_tbs = x509.load_pem_x509_csr(ipa_csr.read(), default_backend())

Actual results:

The script fails with
ValueError: Valid PEM but no BEGIN CERTIFICATE REQUEST/END CERTIFICATE REQUEST delimiters. Are you sure this is a CSR?

Expected results:
The CSR should be loaded without any issue.

Additional info:
Upstream patch in https://github.com/pyca/cryptography/pull/6356
Upstream issue https://github.com/pyca/cryptography/issues/6340

Comment 1 Christian Heimes 2021-11-15 09:54:49 UTC
Do you need a new build urgently? python-cryptography 36.0.0 will be released soonish.

I also recommend that you fix FreeIPA's toolchain. "BEGIN CERTIFICATE REQUEST" is a non-standard legacy label that should not be used, https://datatracker.ietf.org/doc/html/rfc7468#appendix-A
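
As an added illustration of the two labels discussed above (this is not code from the bug report, from FreeIPA or from python-cryptography), a small stdlib-only helper that reports which label a PEM CSR carries, checks that the base64 body decodes, and rewrites the legacy "NEW CERTIFICATE REQUEST" label to the RFC 7468 one so the bytes can then be handed to x509.load_pem_x509_csr(). The function names and the sample PEM (whose body is a minimal DER SEQUENCE, not a real request) are constructed for this example.

```python
import base64
import re

# RFC 7468 section 10 defines the CSR label; the "NEW ..." form is the legacy
# label listed in its appendix A, which python-cryptography 35 rejects.
STANDARD_LABEL = "CERTIFICATE REQUEST"
LEGACY_LABEL = "NEW CERTIFICATE REQUEST"

_PEM_RE = re.compile(
    r"-----BEGIN (?P<begin>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>[A-Za-z0-9+/=\r\n]*?)"
    r"-----END (?P<end>[A-Z0-9 ]+)-----"
)


def inspect_csr_pem(pem: str) -> dict:
    """Report which CSR label a PEM text uses and how long its DER payload is."""
    m = _PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PEM block found")
    if m.group("begin") != m.group("end"):
        raise ValueError("BEGIN and END labels differ")
    label = m.group("begin")
    if label not in (STANDARD_LABEL, LEGACY_LABEL):
        raise ValueError(f"not a CSR label: {label!r}")
    # Strict base64 decode (whitespace stripped first) so a truncated or
    # corrupted body is caught before the bytes reach the X.509 parser.
    der = base64.b64decode("".join(m.group("body").split()), validate=True)
    return {"label": label, "legacy": label == LEGACY_LABEL, "der_len": len(der)}


def normalize_csr_pem(pem: str) -> str:
    """Rewrite a legacy 'NEW CERTIFICATE REQUEST' block to the RFC 7468 label.

    Only the BEGIN/END lines change; the base64 body (the DER request) is kept,
    so the result is accepted by x509.load_pem_x509_csr() in cryptography 35.
    """
    if not inspect_csr_pem(pem)["legacy"]:
        return pem
    return (pem.replace(f"BEGIN {LEGACY_LABEL}-----", f"BEGIN {STANDARD_LABEL}-----")
               .replace(f"END {LEGACY_LABEL}-----", f"END {STANDARD_LABEL}-----"))


# Constructed sample: the body is a minimal DER SEQUENCE, not a real CSR.
LEGACY_SAMPLE = (
    "-----BEGIN NEW CERTIFICATE REQUEST-----\n"
    "MAMCAQA=\n"
    "-----END NEW CERTIFICATE REQUEST-----\n"
)
```

Run inspect_csr_pem() over a CSR before loading it to log which tooling still emits the legacy label; normalize_csr_pem() is only a stop-gap until that tooling is fixed as suggested above.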

Comment 2 Florence Blanc-Renaud 2021-11-15 14:39:17 UTC
No need for an urgent build, I mainly opened this BZ to make sure this issue doesn't fall through the cracks.

certmonger is tracking the issue in https://pagure.io/certmonger/issue/228
pki is tracking the issue in https://github.com/dogtagpki/pki/issues/3843

Comment 3 Fedora Update System 2021-11-23 10:06:32 UTC
FEDORA-2021-b27ebacc47 has been pushed to the Fedora 36 stable repository.
If the problem still persists, please make note of it in this bug report.