From: Kefu Chai Date: Sat, 13 Jun 2026 01:50:09 +0000 (+0800) Subject: python-common/cryptotools: stop using the removed X509Req API X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=1dda56b1a00a6cbf520d932332ff097716ab256e;p=ceph.git python-common/cryptotools: stop using the removed X509Req API pyOpenSSL deprecated OpenSSL.crypto.X509Req in 24.2.0 (2024-07-20) and removed it in 26.3.0 (2026-06-12). as we don't pin pyopenssl, CI picked up the new release, and create_self_signed_cert() started failing with: AttributeError: module 'OpenSSL.crypto' has no attribute 'X509Req' this took down run-tox-mgr, run-tox-mgr-dashboard-py3 and the mypy check. we only used X509Req to build a subject name and then copied it into the X509 cert. so drop it, and set the subject on the cert directly. the resulting cert stays the same: subject from dname, issuer set to the same subject, self-signed. Fixes: https://tracker.ceph.com/issues/77391 Signed-off-by: Kefu Chai
---
diff --git a/src/python-common/ceph/cryptotools/internal.py b/src/python-common/ceph/cryptotools/internal.py
index 7d6e0a487ec..db3d6a5c048 100644
--- a/src/python-common/ceph/cryptotools/internal.py
+++ b/src/python-common/ceph/cryptotools/internal.py
@@ -45,19 +45,13 @@ class InternalCryptoCaller(CryptoCaller):
 ) -> str:
 _pkey = crypto.load_privatekey(crypto.FILETYPE_PEM, pkey)
- # Create a "subject" object
- with warnings.catch_warnings():
- warnings.simplefilter("ignore")
- req = crypto.X509Req()
- subj = req.get_subject()
-
- # populate the subject with the dname settings
+ # create a self-signed cert and populate its subject with the dname
+ # settings
+ cert = crypto.X509()
+ subj = cert.get_subject()
 for k, v in dname.items():
 setattr(subj, k, v)
-
- # create a self-signed cert
- cert = crypto.X509()
- cert.set_subject(req.get_subject())
+ cert.set_subject(subj)
 cert.set_serial_number(int(uuid4()))
 cert.gmtime_adj_notBefore(0)
 cert.gmtime_adj_notAfter(10 * 365 * 24 * 60 * 60) # 10 years
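Review bot: `cert.set_subject(subj)` looks redundant in the new code, because `subj` comes from `cert.get_subject()`, which in pyOpenSSL wraps the certificate's own subject name, so the `setattr` loop already updates the cert and the call copies the name onto itself. Either drop the line or keep it with a comment such as `# subj aliases cert's subject; kept only for explicitness`, so a later reader does not assume `subj` is a detached copy. The removed block was the visible user of `warnings.catch_warnings()`, so if nothing else in the file uses it the `import warnings` line is now unused and may fail the lint checks; the import is outside the hunk, so this needs confirming. The function continues past the hunk, and the issuer assignment and signing that the description relies on ("issuer set to the same subject, self-signed") are not visible here; a unit test asserting that the generated cert's subject equals its issuer and matches `dname` would pin that claim.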