test_KRA_install_after_cert_renew fails with
test_KRA_install_after_cert_renew
> raise AssertionError('TimeOut: Failed to renew all the certs')
E AssertionError: TimeOut: Failed to renew all the certs
PR304 Test report
Similar error observed in [testing_master_testing_selinux] PR 526: Logs for test:
- test_KRA_install_after_cert_renew
The failure in recent runs looks different, but related to a wrong assumption in the test. The test moves the date in the future and then checks that all the certs are displayed as MONITORING in getcert list output. This is not sufficient to ensure that they have been renewed: the test also needs to check that the cert serial number is different.
As a consequence, the date is moved further in the future but some certs have not been renewed and pki startup fails (for instance with expired auditSigningCert cert-pki-ca, as we can see in these logs).
The failure to renew 'auditSigningCert cert-pki-ca' is linked to https://github.com/dogtagpki/pki/issues/3387. According to https://github.com/dogtagpki/pki/issues/3387#issuecomment-736154872 new installations should use caAuditSigningCert instead of caSignedLogCert profile.
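The check described in the comment above (status MONITORING is not proof of renewal; the serial number must also have changed), sketched as an added example that is not code from this ticket or from the FreeIPA test suite. The function names and the sample output are constructed, and the serial numbers keyed by request ID are assumed to be read from the certificates by the caller before and after the date change.

```python
import re

REQ_RE = re.compile(r"^Request ID '([^']+)':\s*$")
FIELD_RE = re.compile(r"^\s+([^:]+):\s*(.*)$")

def parse_getcert_list(text):
    """Parse `getcert list` output into {request_id: {field: value}}."""
    requests, current = {}, None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and (m := FIELD_RE.match(line)):
            current[m.group(1).strip()] = m.group(2).strip()
    return requests

def not_renewed(getcert_output, serials_before, serials_after):
    """Return {request_id: reason} for every cert not proven renewed."""
    # Assumption: both serial maps are keyed by certmonger request ID and
    # were collected by the caller from the certificates themselves.
    problems = {}
    for req_id, fields in parse_getcert_list(getcert_output).items():
        status = fields.get("status", "<missing>")
        old, new = serials_before.get(req_id), serials_after.get(req_id)
        if status != "MONITORING":
            problems[req_id] = f"status is {status}"
        elif old is None or new is None:
            problems[req_id] = "serial unknown, renewal not proven"
        elif old == new:
            problems[req_id] = "MONITORING but serial unchanged"
    return problems

# Constructed, abbreviated sample: both requests report MONITORING.
SAMPLE = """Number of certificates and requests being tracked: 2.
Request ID '20210101000001':
    status: MONITORING
    certificate: type=NSSDB,nickname='auditSigningCert cert-pki-ca'
Request ID '20210101000002':
    status: MONITORING
    certificate: type=NSSDB,nickname='ocspSigningCert cert-pki-ca'
"""
BEFORE = {"20210101000001": 5, "20210101000002": 2}   # constructed serials
AFTER = {"20210101000001": 5, "20210101000002": 17}   # only the second changed
```

A status-only check passes on this sample, while `not_renewed(SAMPLE, BEFORE, AFTER)` reports the first request as still carrying its old serial.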
Similar test failures observed in PR : log
Similar issue observed in PR674, report
Similar failure observed in PR689, report
Similar failure observed in PR680, report
Failure observed: PR695, report
Failure observed: PR704, logs
Failure observed: [testing_ipa-4.9_latest] Nightly PR #711, logs
Failure observed in [testing_ipa-4.9_latest] Nightly PR #726, logs
The dogtag issue has been fixed and the runs are now green:
- [testing_master_rawhide]: report
- [testing_master_testing_selinux]: report
- [testing_master_testing]: report
- [testing_master_latest]: report
- [testing_master_latest_selinux]: report
- [testing_master_previous]: report

The issue can be closed.
- [testing_ipa-4.9_latest]: report
- [testing_ipa-4.9_latest_selinux]: report
- [testing_ipa-4.9_previous]: report
Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
Issue observed again: [testing_master_previous] Nightly PR #993, report
Actually this time the logs show
2021-06-22 23:59:35 [AuthorityMonitor] SEVERE: LdapBoundConnFactory: Unable to create master connection: Unable to connect to LDAP server: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused)
Unable to connect to LDAP server: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:302)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.getConn(LdapBoundConnFactory.java:440)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.getConn(LdapBoundConnFactory.java:402)
    at com.netscape.ca.AuthorityMonitor.run(AuthorityMonitor.java:69)
    at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: netscape.ldap.LDAPException: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused) (-1)
    at com.netscape.cmscore.ldapconn.PKISocketFactory.makeSocket(PKISocketFactory.java:201)
    at netscape.ldap.LDAPConnSetupMgr.connectServer(Unknown Source)
    at netscape.ldap.LDAPConnSetupMgr.openSerial(Unknown Source)
    at netscape.ldap.LDAPConnSetupMgr.connect(Unknown Source)
    at netscape.ldap.LDAPConnSetupMgr.openConnection(Unknown Source)
    at netscape.ldap.LDAPConnThread.connect(Unknown Source)
    at netscape.ldap.LDAPConnection.connect(Unknown Source)
    at netscape.ldap.LDAPConnection.connect(Unknown Source)
    at netscape.ldap.LDAPConnection.connect(Unknown Source)
    at com.netscape.cmscore.ldapconn.LdapBoundConnection.<init>(LdapBoundConnection.java:105)
    at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:284)
    ... 4 more
@mpolovka the logs from 2021-06-22 happen before the date is moved in the future and probably have no link with the issue. They happen when pki is trying to connect to LDAP but the server is not up.
The issue in PR#993 seems transient, I could only find one unusual message in the journal:
Jun 02 23:55:45 master.ipa.test certmonger[22261]: 2023-06-02 23:55:45 [22261] error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large
Let's wait and see if the issue happens again. If it does, please file a separate pagure ticket.