freeipa team mailing list archive

[Bug 2084607] [NEW] CA_UNREACHABLE when requesting from Ubuntu 20.04 to FreeIPA v4.11 or newer

 

Public bug reported:

Certmonger on Ubuntu 20.04 needs an uplift from v0.79.9 to v0.79.15;
without it, Ubuntu 20.04 machines cannot obtain or renew certificates
from current versions of FreeIPA.

Further details can be found here:
https://lists.fedorahosted.org/archives/list/freeipa-users@xxxxxxxxxxxxxxxxxxxxxx/thread/RU3M5QFDDHDYYONT372JXQT4PFCJF7Z6/

Note the last post in the thread by Christian Heimes, who asked me to
open a bug report here for this issue:

"I'm the downstream maintainer of python-cryptography in RHEL and Fedora. 
I found the problem in October 2021 and reported it to upstream. The 
PyCA cryptography ticket 
https://github.com/pyca/cryptography/issues/6368 has more information 
and links to FreeIPA and Certmonger tickets.

Timeline: cryptography 35.0 was released on 2021-09-29. The problem was 
detected by our tests and reported by me on 2021-10-04. I also wrote a 
fix the same day. Certmonger release 0.79.15 fixed CSR generation and 
was released 24h later. Cryptography added a temporary workaround 
shortly after and removed the workaround in April 2022.

If Ubuntu hasn't fixed the problem as of today, then they probably have 
missed the bug. We don't have control over the Debian/Ubuntu downstream 
channel. The Debian maintainer Timo Aaltonen is responsive and addresses 
problems fast. Could you please open an Ubuntu bug on Launchpad and ping 
him?"

** Affects: certmonger (Ubuntu)
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of FreeIPA,
which is subscribed to certmonger in Ubuntu.
https://bugs.launchpad.net/bugs/2084607

Title:
  CA_UNREACHABLE when requesting from Ubuntu 20.04 to FreeIPA v4.11 or
  newer

Status in certmonger package in Ubuntu:
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/certmonger/+bug/2084607/+subscriptions


