From 51b30a1b27db4f9b3974d728ecebf029319db540 Mon Sep 17 00:00:00 2001
From: "Eric D. Helms"
Date: Tue, 27 Aug 2024 15:18:58 -0400
Subject: [PATCH 1/4] Use almalinux 8 for EL8 testing
---
 .github/workflows/main.yml | 15 ++++++++++++++-
 test.sh | 2 +-
 2 files changed, 15 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 49ac7f5..6cd2c5a 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -39,7 +39,6 @@ jobs:
 fail-fast: false
 matrix:
 centos:
- - stream8
 - stream9
 container:
 image: quay.io/centos/centos:${{ matrix.centos }}
@@ -47,3 +46,17 @@ jobs:
 - uses: actions/checkout@v2
 - name: Run tests
 run: ./test.sh
+
+ almalinux:
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ almalinux:
+ - 8
+ container:
+ image: almalinux:${{ matrix.almalinux }}
+ steps:
+ - uses: actions/checkout@v2
+ - name: Run tests
+ run: ./test.sh
diff --git a/test.sh b/test.sh
index 464b34b..0369396 100755
--- a/test.sh
+++ b/test.sh
@@ -8,7 +8,7 @@ PYTHON=python3
 if [[ -f /etc/redhat-release ]]; then
 . /etc/os-release
- if [[ $VERSION_ID == 8 ]] ; then
+ if [[ $VERSION_ID == "8.10" ]] ; then
 REPOS="--enablerepo=powertools"
 else
 REPOS=""
From 3fc6f2ba0ae22fbba63963e9cd84ea515622f1b6 Mon Sep 17 00:00:00 2001
From: "Eric D. Helms"
Date: Tue, 27 Aug 2024 13:35:03 -0400
Subject: [PATCH 2/4] Remove deprecated nsComment from OpenSSL config
---
 katello_certs_tools/sslToolConfig.py | 8 --------
 1 file changed, 8 deletions(-)
diff --git a/katello_certs_tools/sslToolConfig.py b/katello_certs_tools/sslToolConfig.py
index bb34fd5..d583a4c 100644
--- a/katello_certs_tools/sslToolConfig.py
+++ b/katello_certs_tools/sslToolConfig.py
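Review bot: The new `almalinux` job in the second `main.yml` hunk runs entirely from mutable references: `actions/checkout@v2` is a moving tag, and `image: almalinux:${{ matrix.almalinux }}` names no registry, unlike the `quay.io/centos/centos` image used by the job above it. Pinning the action to a full commit SHA, `- uses: actions/checkout@<full-commit-sha>`, and writing the image with an explicit registry (plus a digest if reproducibility matters) would stop a retagged upstream from silently changing what the test job executes. The same `actions/checkout@v2` line appears as context in the existing job, so both jobs would need the change. Whether the workflow already restricts the token with a `permissions:` block cannot be seen from this hunk.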
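Review bot: In the `test.sh` hunk, `$VERSION_ID == "8.10"` matches exactly one minor release, so any other EL8 value of `VERSION_ID` (a bare `8`, or a different 8.x image) falls through to `REPOS=""` and presumably runs without powertools. Comparing only the major version keeps the branch stable across image updates: `if [[ ${VERSION_ID%%.*} == 8 ]] ; then`. The enclosing `if [[ -f /etc/redhat-release ]]` block continues past the end of the hunk.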
@@ -370,8 +370,6 @@ def figureDEFS_distinguishing(options):
 keyUsage = digitalSignature, keyEncipherment, keyCertSign, cRLSign
 extendedKeyUsage = serverAuth, clientAuth
 nsCertType = server, sslCA
-# PKIX recommendations harmless if included in all certificates.
-nsComment = "Katello SSL Tool Generated Certificate"
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid, issuer:always
@@ -380,8 +378,6 @@ def figureDEFS_distinguishing(options):
 keyUsage = digitalSignature, keyEncipherment
 extendedKeyUsage = serverAuth, clientAuth
 nsCertType = server
-# PKIX recommendations harmless if included in all certificates.
-nsComment = "Katello SSL Tool Generated Certificate"
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid, issuer:always
@@ -390,8 +386,6 @@ def figureDEFS_distinguishing(options):
 keyUsage = digitalSignature, keyEncipherment
 extendedKeyUsage = serverAuth, clientAuth
 nsCertType = client
-# PKIX recommendations harmless if included in all certificates.
-nsComment = "Katello SSL Tool Generated Certificate"
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid, issuer:always
 #===========================================================================
@@ -418,8 +412,6 @@ def figureDEFS_distinguishing(options):
 keyUsage = digitalSignature, keyEncipherment
 extendedKeyUsage = serverAuth, clientAuth
 nsCertType = %s
-# PKIX recommendations harmless if included in all certificates.
-nsComment = "Katello SSL Tool Generated Certificate, got it?"
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid, issuer:always
From d56893ca5625ab004ddc007658149d25d970e0bb Mon Sep 17 00:00:00 2001
From: "Eric D. Helms"
Date: Tue, 27 Aug 2024 14:51:14 -0400
Subject: [PATCH 3/4] Drop use of deprecated nsCertType
---
 katello-certs-sign | 1 -
 katello_certs_tools/sslToolConfig.py | 6 +-----
 2 files changed, 1 insertion(+), 6 deletions(-)
diff --git a/katello-certs-sign b/katello-certs-sign
index 38d6962..e0a3198 100755
--- a/katello-certs-sign
+++ b/katello-certs-sign
@@ -149,7 +149,6 @@ emailAddress = optional
 [ usr_cert ]
 basicConstraints = CA:false
 extendedKeyUsage = serverAuth,clientAuth
-nsCertType = server
 keyUsage = digitalSignature, keyEncipherment
 # PKIX recommendations harmless if included in all certificates.
diff --git a/katello_certs_tools/sslToolConfig.py b/katello_certs_tools/sslToolConfig.py
index d583a4c..0464e6b 100644
--- a/katello_certs_tools/sslToolConfig.py
+++ b/katello_certs_tools/sslToolConfig.py
@@ -369,7 +369,6 @@ def figureDEFS_distinguishing(options):
 basicConstraints = CA:true
 keyUsage = digitalSignature, keyEncipherment, keyCertSign, cRLSign
 extendedKeyUsage = serverAuth, clientAuth
-nsCertType = server, sslCA
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid, issuer:always
@@ -377,7 +376,6 @@ def figureDEFS_distinguishing(options):
 basicConstraints = CA:false
 keyUsage = digitalSignature, keyEncipherment
 extendedKeyUsage = serverAuth, clientAuth
-nsCertType = server
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid, issuer:always
@@ -385,7 +383,6 @@ def figureDEFS_distinguishing(options):
 basicConstraints = CA:false
 keyUsage = digitalSignature, keyEncipherment
 extendedKeyUsage = serverAuth, clientAuth
-nsCertType = client
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid, issuer:always
 #===========================================================================
@@ -411,7 +408,6 @@ def figureDEFS_distinguishing(options):
 basicConstraints = CA:false
 keyUsage = digitalSignature, keyEncipherment
 extendedKeyUsage = serverAuth, clientAuth
-nsCertType = %s
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid, issuer:always
@@ -709,7 +705,7 @@ def save(self, d, caYN=0, verbosity=0):
 )
 else:
 openssl_cnf = CONF_TEMPLATE_SERVER \
- % (gen_req_distinguished_name(rdn), d['--purpose'], gen_req_alt_names(d, rdn['CN']))
+ % (gen_req_distinguished_name(rdn), gen_req_alt_names(d, rdn['CN']))
 try:
 rotated = rotateFile(filepath=self.filename, verbosity=verbosity)
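Review bot: With `d['--purpose']` dropped from the format tuple in `save` (last hunk of patch 3/4), nothing in the text generated from `CONF_TEMPLATE_SERVER` depends on the requested purpose any more, although the option is presumably still accepted by the caller. If client-purpose requests pass through this branch, they now get the same config as a server request, and after patch 4/4 that template's `req_server_x509_extensions` section carries `extendedKeyUsage = serverAuth` only. A comment at the call stating where the purpose is applied instead, for example `# purpose selects the extensions section at signing time; this template is purpose-independent` (if that is how it works), or an explicit rejection of unsupported purposes here, would make the intent checkable. The template definition and the rest of `save` lie outside the hunk, so this needs confirming against the full file.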
From 60035683456d9abb6641a2edc74c59225ceccd60 Mon Sep 17 00:00:00 2001
From: "Eric D. Helms"
Date: Tue, 27 Aug 2024 14:54:24 -0400
Subject: [PATCH 4/4] Align extendedKeyUsage to the intended type for server and client
---
 katello_certs_tools/sslToolConfig.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/katello_certs_tools/sslToolConfig.py b/katello_certs_tools/sslToolConfig.py
index 0464e6b..7a1f56a 100644
--- a/katello_certs_tools/sslToolConfig.py
+++ b/katello_certs_tools/sslToolConfig.py
@@ -375,14 +375,14 @@ def figureDEFS_distinguishing(options):
 [ req_server_x509_extensions ]
 basicConstraints = CA:false
 keyUsage = digitalSignature, keyEncipherment
-extendedKeyUsage = serverAuth, clientAuth
+extendedKeyUsage = serverAuth
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid, issuer:always
 [ req_client_x509_extensions ]
 basicConstraints = CA:false
 keyUsage = digitalSignature, keyEncipherment
-extendedKeyUsage = serverAuth, clientAuth
+extendedKeyUsage = clientAuth
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid, issuer:always
 #===========================================================================
@@ -407,7 +407,7 @@ def figureDEFS_distinguishing(options):
 [ req_server_x509_extensions ]
 basicConstraints = CA:false
 keyUsage = digitalSignature, keyEncipherment
-extendedKeyUsage = serverAuth, clientAuth
+extendedKeyUsage = serverAuth
 subjectKeyIdentifier = hash
 authorityKeyIdentifier = keyid, issuer:always
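Review bot: Narrowing `extendedKeyUsage` to `serverAuth` in both `req_server_x509_extensions` sections (hunks at -375 and -407) and to `clientAuth` in `req_client_x509_extensions` changes behaviour for any certificate that a service presents in both roles, because a peer that enforces EKU will reject a server-profile certificate offered for TLS client authentication. The `[ usr_cert ]` section of `katello-certs-sign`, visible as context in patch 3/4, still reads `extendedKeyUsage = serverAuth,clientAuth`, so the two signing paths now disagree. The series adds no test that inspects the extensions of an issued certificate; an assertion on the EKU of one generated server and one generated client certificate would pin the intended split. A short comment above each section, e.g. `# serverAuth only: certificates from this section are not valid as TLS client certificates`, would also tell operators why newly issued certificates differ from existing ones.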