ci: enable rhel9.0 tests for openssh_cert (#463)

* ci: enable rhel9.0 tests for openssh_cert

* ci: allow openssh_cert second signature algorithm test for versions >8.7

* ci: narrowing condition to not attempt RSA1 signing exclusively on RHEL >=9

* ci: grouping and documenting condition

tests/integration/targets/openssh_cert/aliases

@@ -1,3 +1,2 @@
 shippable/posix/group1
 destructive
-skip/rhel9.0  # TODO figure out why and fix

tests/integration/targets/openssh_cert/tests/key_idempotency.yml

@@ -53,6 +53,7 @@
         that:
           - updated_signature_algorithm_idempotent is not changed
 
+    - block:
       - name: Generate cert with original signature algorithm
         openssh_cert:
           type: user
@@ -68,6 +69,9 @@
         assert:
           that:
             - second_signature_algorithm is changed
+      # RHEL9 disables SHA-1 algorithms by default making this test fail with a 'libcrypt' error. Other systems which
+      # impose a similar restriction may also need to skip this block in the future.
+      when: not (ansible_facts['distribution'] == "RedHat" and (ansible_facts['distribution_major_version'] | int) >= 9)
 
     - name: Omit signature algorithm
       openssh_cert: