Cloned nss repo and did a git bisect: the first commit that causes problems is at the upstream merge of 3.39 (upstream/3.39).
>From a very brief perusal of the upstream changes, I see there are some edits with respect to TLS1.3--perhaps this is the reason for our problems--I haven't yet looked hard at all the upstream changes (or tried to bisect the upstream repo yet). On Sat, Oct 9, 2021 at 12:05 PM Spencer Olson <olso...@umich.edu> wrote: > > Since it doesn't look like any progress has been made on this, I've > started to work through some debugging. > > Right now, it looks like the problem is probably actually due to a > change in libnss3. In fact, the problem appears to be specifically in > libssl3.so from the libnss3 package. > > The problem: > * certmonger has a hard time finishing the certificate requests > because it can't seem to authenticate to the dogtag PKI server. > > Observations: > * When certmonger attempts to request a signed certificate for the > renewal agent, it temporarily explicitly uses the ipa-ca-agent > certificate which has been temporarily extracted from the > /root/ca-agent.p12 storage. > * dogtag-submit attempts to use the CURL library to submit the > request, subsequently approve the request, and then poll for its > finish. > * The initial request does not use/require an encrypted channel, but > the approval and subsequent queries do. > * These attempts to authenticate over this encrypted channel using > the client certificate are rejected. > > Hacks & tests: > * By creating a very small c-program that does the same CURL commands > as dogtag-submit from the certmonger package, this same authorization > denied can be seen. > * By simply replacing the libssl3.so library, using either LD_PRELOAD > or LD_LIBRARY_PATH, from a prior version, the requests succeed. As of > now, I've tried only one other version of libssl3.so (libnss3 3.35 > from ubuntu 18.04). > * Also, instead of linking against libcurl-nss and manualy replacing > the libssl3.so library, success can be found by linking to > libcurl-gnutls or libcurl-openssl > > I suspect that a compile option in libnss3 has to be changed in order > for this to work again. > > Still todo: > * I haven't fully discovered which part/option from libnss3 might have > changed. > * I haven't yet successfully had libnss3 emit much > debugging--probably have to recompile with DEBUG=1.
