make_ssl_certs fails with "no issuer certificate" with recent openssl #120762

@AdamWill

Bug report

Bug description:

Running python3 ./make_ssl_certs.py in Lib/test/certdata with openssl 3.2.2 fails:

creating cert for localhost
Ignoring -days without -x509; not generating a certificate
..+.+..+......+......+.+...+.........+..++++++++++++++++++++++++++++++++++++++++++*...+......+...+...+.....+.........+......+.........+.+..+.+..............+.......+........+......+.++++++++++++++++++++++++++++++++++++++++++*..+.........+..+......+...+...................+...+...+......+...+......+..+...+.........+.+......+.....+.+........+......+..........+..................+..+......+.......+...+...+......+........+...+...+.......+...+...................................+....+...+.....+....+.....+.+..............+...+...+.......+.....+......+...................+...+..+......+.......+........+.+...+............+.....+.+.....+..........+..+.+..+..................+.......+..+.+......+........+..................+...............+...+.+..............+....+...+.....+.......+...........+.......+........+......+...............+...............+.+........+.+......+...+...............+..............................+++++
........+......+....................+....+..+...+....+..+......++++++++++++++++++++++++++++++++++++++++++*.+.....+.++++++++++++++++++++++++++++++++++++++++++*....+............+...+....+........+..........+........+....+...+...+......+...+........+...+...................+..+.........+.+.....+...+...+.....................................+........+.........+....+..+....+......+...+.....+.+......+........+..............................+......+....+++++
-----
Error adding request extensions from section req_x509_extensions_full
80D2CF679F7F0000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:crypto/x509/v3_akid.c:156:
80D2CF679F7F0000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:crypto/x509/v3_conf.c:48:section=req_x509_extensions_full, name=authorityKeyIdentifier, value=keyid:always,issuer:always
Traceback (most recent call last):
  File "/home/adamw/local/cpython/Lib/test/certdata/./make_ssl_certs.py", line 252, in <module>
    cert, key = make_cert_key('localhost', sign=True)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/adamw/local/cpython/Lib/test/certdata/./make_ssl_certs.py", line 149, in make_cert_key
    check_call(['openssl'] + args)
  File "/usr/lib64/python3.12/subprocess.py", line 413, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['openssl', 'req', '-new', '-nodes', '-days', '7000', '-newkey', 'rsa:3072', '-keyout', '/tmp/tmp0z74w6gi', '-extensions', 'req_x509_extensions_full', '-config', '/tmp/tmpx9yl3uel', '-out', '/tmp/tmp2k3xk1tq']' returned non-zero exit status 1.

Per this openssl issue, this is because we're including an SKID and AKID when producing a CSR - the openssl req -new command in make_cert_key, when run with sign=True, creates a CSR. This was never valid, and the fact that it used to succeed was apparently a bug in openssl.

However, I'm not totally sure how to fix this so there's no SKID or AKID in the CSR, but there is one in the final certificate, when creating a signed certificate (as, presumably, is our intent here).

CPython versions tested on:

3.12

Operating systems tested on:

Linux
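
One way to get a CSR without SKID/AKID and a signed certificate with both, as an added example that is not part of the original issue or of CPython's make_ssl_certs.py: the request uses an extension section with nothing issuer-dependent, and the CA applies a second section at signing time, when the issuer certificate is known. The section names, subjects, key size and file names are assumptions, and the code shells out to the openssl CLI.

```python
import subprocess
import tempfile
from pathlib import Path

AKID = "Authority Key Identifier"
# Constructed config; section names are assumptions, not those of make_ssl_certs.py.
CONFIG = """\
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_exts]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
[csr_exts]
subjectAltName = DNS:localhost
[cert_exts]
basicConstraints = CA:FALSE
subjectAltName = DNS:localhost
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
"""

def commands(d):
    """Return the openssl invocations: test CA, CSR, then the CA-signed certificate."""
    newkey = ["-nodes", "-newkey", "rsa:2048", "-config", f"{d}/openssl.cnf"]
    return [
        ["openssl", "req", "-x509", "-new", *newkey, "-days", "30", "-subj", "/CN=example test CA",
         "-extensions", "ca_exts", "-keyout", f"{d}/ca.key", "-out", f"{d}/ca.pem"],
        ["openssl", "req", "-new", *newkey, "-subj", "/CN=localhost",
         "-reqexts", "csr_exts", "-keyout", f"{d}/leaf.key", "-out", f"{d}/leaf.csr"],
        ["openssl", "x509", "-req", "-in", f"{d}/leaf.csr", "-CA", f"{d}/ca.pem",
         "-CAkey", f"{d}/ca.key", "-CAcreateserial", "-days", "30",
         "-extfile", f"{d}/openssl.cnf", "-extensions", "cert_exts", "-out", f"{d}/leaf.pem"],
    ]

def key_id_report():
    """Run the flow in a temp dir; report which artifacts carry an AKID extension."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "openssl.cnf").write_text(CONFIG)
        for cmd in commands(d):
            subprocess.run(cmd, check=True, capture_output=True)
        show = lambda kind, name: subprocess.run(
            ["openssl", kind, "-in", f"{d}/{name}", "-noout", "-text"],
            check=True, capture_output=True, text=True).stdout
        return {"csr": AKID in show("req", "leaf.csr"), "cert": AKID in show("x509", "leaf.pem")}

if __name__ == "__main__":
    print(key_id_report())  # requires the openssl CLI on PATH
```

`openssl x509 -req` does not copy extensions from the request by default, which is why subjectAltName appears in both sections.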

Labels: topic-SSL, type-bug