Skip to content

fix: stabilize root CSR generation on OpenSSL 3#7528

Merged
vitormattos merged 1 commit intomainfrom
fix/openssl-root-csr-error-7519
Apr 21, 2026
Merged

fix: stabilize root CSR generation on OpenSSL 3#7528
vitormattos merged 1 commit intomainfrom
fix/openssl-root-csr-error-7519

Conversation

@vitormattos
Copy link
Copy Markdown
Member

@vitormattos vitormattos commented Apr 21, 2026

Summary

  • use generated OpenSSL config during root CSR creation (openssl_csr_new) with explicit req section
  • avoid applying CA extensions at CSR stage
  • improve OpenSSL error diagnostics by capturing warnings and error queue details
  • add regression tests for root CSR config usage and real OpenSSL failures

Why

Issue #7519 reports root certificate generation failing on Oracle Linux 9 / OpenSSL 3 because CSR generation fails and previously bubbled as TypeError.

This change addresses the root CSR flow so it uses a valid config at CSR time, and preserves actionable diagnostics if OpenSSL still fails.

Validation

  • composer test:unit -- --filter OpenSslHandlerTest
  • composer test:unit -- --filter 'InstallService|Configure|OpenSsl'

Fixes #7519

@vitormattos
fix: stabilize root CSR generation on OpenSSL 3
250fd18 
Use the generated OpenSSL config during root CSR creation with a valid req section, avoid invalid CA extensions at CSR stage, and improve OpenSSL error diagnostics.

Add regression tests for root CSR config usage, real OpenSSL failure diagnostics, and root CSR/sign failure handling.

Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
@github-project-automation github-project-automation Bot moved this to 0. Needs triage in Roadmap Apr 21, 2026
@vitormattos
Copy link
Copy Markdown
Member Author

vitormattos commented Apr 21, 2026

/backport to stable33

@vitormattos
Copy link
Copy Markdown
Member Author

vitormattos commented Apr 21, 2026

/backport to stable32

@vitormattos vitormattos merged commit f5a8065 into main Apr 21, 2026
77 checks passed
@vitormattos vitormattos deleted the fix/openssl-root-csr-error-7519 branch April 21, 2026 16:20
@github-project-automation github-project-automation Bot moved this from 0. Needs triage to 4. to release in Roadmap Apr 21, 2026
This was referenced Apr 21, 2026
Merged
Merged
@vitormattos vitormattos mentioned this pull request Apr 21, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

Roadmap
Status: 4. to release

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Cannot generate root certificate on Oracle Linux 9

1 participant

@vitormattos