[Pkg-freeipa-devel] Bug#970880: freeipa-server: FreeIPA server installation fails with Certificate issuance failed (CA_REJECTED)

Timo Aaltonen tjaalton at debian.org
Sun Oct 10 19:58:36 BST 2021


On 10.10.2021 20.04, Spencer Olson wrote:
> 
> 
> On Sun, Oct 10, 2021, 10:38 Timo Aaltonen <tjaalton at debian.org> wrote:
> 
>     On 10.10.2021 18.41, Spencer Olson wrote:
>      > Did some more investigation.  I downloaded the packages that are being
>      > used on centos stream 8.  First I tried my test code with their version
>      > of libssl3.so preloaded:  it failed in the same way as all the others
>      > failed--not surprisingly since its version is much later than the 3.39
>      > version where this changed.
>      >
>      > Then, I downloaded and took a look at "dogtag-submit" from the CentOS
>      > Stream 8 (RedHat) certmonger package.  As far as I can tell, their
>      > version of "dogtag-submit" is *not* linked against libcurl-nss.so at all
>      > like the version on debian sid.  Instead, all their certmonger helper
>      > programs are linked against the OpenSSL version (libcurl.so.4).
>      >
>      > So, I think that we should just link these against the openssl version,
>      > as the RedHat packages do and get things to work again.
> 
>     Hmm, thanks.. indeed certmonger is still built against libcurl4-nss-dev,
>     I've changed it to openssl now and see how it goes against gitlab CI..
> 
> 
> Maybe the CI will finish before I can get back to my testing.

And it did, this error is fixed now :)

But it fails later on, so there's some work still to catch up with the 
current distro, but at least this particular annoyance is resolved, so 
many thanks for figuring it out! I was sure the reason was something 
silly and related to the SSL stack (or maybe ciphers) but was blind to 
see it.


-- 
t
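
The linkage check described in the thread, as an added example that is not part of the original messages or of the certmonger packaging. It reads each helper's direct ELF dependencies and reports which libcurl flavour it uses. Assumptions: the helper directory is passed in by the caller, `objdump` is installed, and `libcurl-gnutls.so` is included as Debian's third libcurl flavour although the thread only names `libcurl-nss.so` and `libcurl.so.4`.

```shell
#!/bin/sh
# Added example (not from the thread): report which libcurl flavour each
# helper binary is directly linked against.

# Print the DT_NEEDED sonames of one ELF file, one per line.
needed_libs() {
    objdump -p "$1" 2>/dev/null | awk '$1 == "NEEDED" { print $2 }'
}

# Read sonames on stdin (first field of each line, so raw `ldd` output
# works as well) and print: nss, gnutls, openssl or none.
curl_backend() {
    awk '
        $1 ~ /^libcurl-nss\.so/    { found = "nss" }
        $1 ~ /^libcurl-gnutls\.so/ { found = "gnutls" }
        $1 ~ /^libcurl\.so/        { found = "openssl" }
        END { print (found == "" ? "none" : found) }
    '
}

# $1: directory containing the helper programs (supplied by the caller).
# Prints "<backend><TAB><file>" per executable; returns 1 if any uses NSS.
audit_dir() {
    rc=0
    for f in "$1"/*; do
        if [ -f "$f" ] && [ -x "$f" ]; then
            backend=$(needed_libs "$f" | curl_backend)
            printf '%s\t%s\n' "$backend" "$f"
            if [ "$backend" = "nss" ]; then rc=1; fi
        fi
    done
    return "$rc"
}

# Constructed sample input: sonames as an NSS-linked and an OpenSSL-linked
# build would list them.
printf 'libcurl-nss.so.4\nlibnss3.so\nlibc.so.6\n' | curl_backend   # nss
printf 'libcurl.so.4\nlibssl.so.1.1\nlibc.so.6\n'  | curl_backend   # openssl
```

The non-zero return from `audit_dir` makes it usable as a packaging CI gate that fails when a helper is still built against the NSS flavour.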