pki_setup on OpenSSL 0.9.x aborts

Bug #1209249 reported by Dirk Mueller on 2013-08-07
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Dirk Mueller

Bug Description

when running keystone-manage pki_setup on an older openssl installation, it aborts with the error message:

subprocess.CalledProcessError: Command '['openssl', 'ca', '-batch',
'-out', '/etc/keystone/ssl/certs/signing_cert.pem', '-config',
'/etc/keystone/ssl/certs/openssl.conf', '-days', '3650d', '-cert',
'/etc/keystone/ssl/certs/ca.pem', '-keyfile',
'/etc/keystone/ssl/certs/cakey.pem', '-infiles',
'/etc/keystone/ssl/certs/req.pem']' returned non-zero exit status 1
default is an unsupported message digest type

The reason is that support for a "default" message digest type was only added in recent openssl versions. it seems to be good enough to check for OpenSSL 1.0 to differentiate between old and new OpenSSL versions.

Changed in keystone:
assignee: nobody → Dirk Mueller (dmllr)
status: New → In Progress

Submitter: Jenkins
Branch: master

commit 837b26084dfbf87ac394fc34fad2cb7c8bfbc117
Author: Dirk Mueller <email address hidden>
Date: Tue Jul 9 21:20:27 2013 +0200

    Make pki_setup work with OpenSSL 0.9.x

    Support for "default" in default_md was only added
    in "recent" OpenSSL versions. Use sha1 (which is what
    "default" maps to anyway) for older openssl versions.

    Also sync the generated openssl config file with
    the defaults from OpenSSL 1.0 and newer.

    Fixes: LP Bug #1209249
    Change-Id: I4ba79dbfdfc2df81cfb0f1edde23d3fbc1384637

Changed in keystone:
status: In Progress → Fix Committed
Dolph Mathews (dolph) on 2013-08-20
Changed in keystone:
importance: Undecided → Low
Thierry Carrez (ttx) on 2013-09-05
Changed in keystone:
milestone: none → havana-3
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2013-10-17
Changed in keystone:
milestone: havana-3 → 2013.2
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers