make_ssl_certs fails with "no issuer certificate" with recent openssl

[AdamWill]

Bug report

Bug description:

Running python3 ./make_ssl_certs.py in Lib/test/certdata with openssl 3.2.2 fails:

creating cert for localhost
Ignoring -days without -x509; not generating a certificate
..+.+..+......+......+.+...+.........+..++++++++++++++++++++++++++++++++++++++++++*...+......+...+...+.....+.........+......+.........+.+..+.+..............+.......+........+......+.++++++++++++++++++++++++++++++++++++++++++*..+.........+..+......+...+...................+...+...+......+...+......+..+...+.........+.+......+.....+.+........+......+..........+..................+..+......+.......+...+...+......+........+...+...+.......+...+...................................+....+...+.....+....+.....+.+..............+...+...+.......+.....+......+...................+...+..+......+.......+........+.+...+............+.....+.+.....+..........+..+.+..+..................+.......+..+.+......+........+..................+...............+...+.+..............+....+...+.....+.......+...........+.......+........+......+...............+...............+.+........+.+......+...+...............+..............................+++++
........+......+....................+....+..+...+....+..+......++++++++++++++++++++++++++++++++++++++++++*.+.....+.++++++++++++++++++++++++++++++++++++++++++*....+............+...+....+........+..........+........+....+...+...+......+...+........+...+...................+..+.........+.+.....+...+...+.....................................+........+.........+....+..+....+......+...+.....+.+......+........+..............................+......+....+++++
-----
Error adding request extensions from section req_x509_extensions_full
80D2CF679F7F0000:error:11000079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:crypto/x509/v3_akid.c:156:
80D2CF679F7F0000:error:11000080:X509 V3 routines:X509V3_EXT_nconf_int:error in extension:crypto/x509/v3_conf.c:48:section=req_x509_extensions_full, name=authorityKeyIdentifier, value=keyid:always,issuer:always
Traceback (most recent call last):
  File "/home/adamw/local/cpython/Lib/test/certdata/./make_ssl_certs.py", line 252, in <module>
    cert, key = make_cert_key('localhost', sign=True)
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/home/adamw/local/cpython/Lib/test/certdata/./make_ssl_certs.py", line 149, in make_cert_key
    check_call(['openssl'] + args)
  File "/usr/lib64/python3.12/subprocess.py", line 413, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['openssl', 'req', '-new', '-nodes', '-days', '7000', '-newkey', 'rsa:3072', '-keyout', '/tmp/tmp0z74w6gi', '-extensions', 'req_x509_extensions_full', '-config', '/tmp/tmpx9yl3uel', '-out', '/tmp/tmp2k3xk1tq']' returned non-zero exit status 1.

Per this openssl issue, this is because we're including an SKID and AKID when producing a CSR - the openssl req -new command in make_cert_key, when run with sign=True, creates a CSR. This was never valid, and the fact that it used to succeed was apparently a bug in openssl.

However, I'm not totally sure how to fix this so there's no SKID or AKID in the CSR, but there is one in the final certificate, when created a signed certificate (as, presumably, is our intent here).

CPython versions tested on:

3.12

Operating systems tested on:

Linux

Linked PRs

• gh-120762: fix make_ssl_certs.py - no SKID or AKID in CSR #120764
• gh-120762: make_ssl_certs: Don't set extensions for the temporary CSR #125045

[AdamWill]

#120764 is a speculative fix, but I'm not 100% confident of it.

[encukou]

Here's what I came up with: #125045

@gpshead, if you have some cycles, your expertise would be welcome.

[encukou]

Fixed in 3.14.
I don't think we're planning to regenerate test certs in 3.13; if we need to we can backport this later.