From 93fad5a89c39310054b0db1a268d13d9ceeb4275 Mon Sep 17 00:00:00 2001
From: François Cami
Date: Jul 21 2021 13:27:31 +0000
Subject: test_acme: make password renewal more robust

A kinit immediately following a password change can fail. Setting KRB5_TRACE and retrieving kdcinfo will help to understand the cause of failure.
Fixes: https://pagure.io/freeipa/issue/8929
Signed-off-by: François Cami
Reviewed-By: Michal Polovka
---
diff --git a/ipatests/test_integration/test_acme.py b/ipatests/test_integration/test_acme.py
index b4aa1b3..10195a9 100644
--- a/ipatests/test_integration/test_acme.py
+++ b/ipatests/test_integration/test_acme.py
@@ -576,25 +576,25 @@ class TestACMERenew(IntegrationTest):
 # request a standalone acme cert
 certbot_standalone_cert(self.clients[0], self.acme_server)
- cmd_input = (
- # Password for admin@{REALM}:
- "{pwd}\n"
- # Password expired. You must change it now.
- # Enter new password:
- "{pwd}\n"
- # Enter it again:
- "{pwd}\n"
- )
 # move system date to expire acme cert
 for host in self.clients[0], self.master:
 tasks.kdestroy_all(host)
 tasks.move_date(host, 'stop', '+90days')
- self.clients[0].run_command(
- ['kinit', 'admin'],
- stdin_text=cmd_input.format(
- pwd=self.clients[0].config.admin_password
- )
+
+ tasks.get_kdcinfo(host)
+ # Note raiseonerr=False:
+ # the assert is located after kdcinfo retrieval.
+ result = host.run_command(
+ "KRB5_TRACE=/dev/stdout kinit %s" % 'admin',
+ stdin_text='{0}\n{0}\n{0}\n'.format(
+ self.clients[0].config.admin_password
+ ),
+ raiseonerr=False
 )
+ # Retrieve kdc.$REALM after the password change, just in case SSSD
+ # domain status flipped to online during the password change.
+ tasks.get_kdcinfo(host)
+ assert result.returncode == 0
 yield
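Review bot: The added `assert result.returncode == 0` carries no message, so with `raiseonerr=False` a failed kinit shows up only as a bare assertion and the KRB5_TRACE output this commit collects has to be dug out of the run log; `assert result.returncode == 0, result.stdout_text + result.stderr_text` would put the trace in the failure itself. `"KRB5_TRACE=/dev/stdout kinit %s" % 'admin'` formats a literal into what is presumably a shell-interpreted command string and can simply be `"KRB5_TRACE=/dev/stdout kinit admin"`; keeping that string constant is what makes the string form acceptable here. The trace goes to the command's stdout and therefore into the test log, which is fine for a throwaway test realm but deserves a short comment such as `# KRB5_TRACE output lands in the test log; test realm only` so the pattern is not copied elsewhere. Indentation is lost on this page, so whether the new lines sit inside the `for host` loop cannot be confirmed from the hunk, and the fixture's body starts above it.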