Issue #8472: [tracker] Nightly test failure in test_ipahealthcheck.py::TestIpaHealthCheckWithExternalCA - freeipa

freeipa

#8472 [tracker] Nightly test failure in test_ipahealthcheck.py::TestIpaHealthCheckWithExternalCA

Closed: fixed 3 years ago by abbra. Opened 3 years ago by frenaud.

Issue

The nightly test test_ipahealthcheck.py::TestIpaHealthCheckWithExternalCA is failing during the test setup, see PR #370 with the following report and logs:

 RUN ['ipa-server-install', '-U', '-r', 'IPA.TEST', '-a', 'Secret.123', '-p', 'Secret.123', '--external-cert-file', '/ipatests/ipa_ca.crt', '--external-cert-file', '/ipatests/root_ca.crt']
 RUN ['ipa-server-install', '-U', '-r', 'IPA.TEST', '-a', 'Secret.123', '-p', 'Secret.123', '--external-cert-file', '/ipatests/ipa_ca.crt', '--external-cert-file', '/ipatests/root_ca.crt']
 The log file for this installation can be found in /var/log/ipaserver-install.log
 ==============================================================================
 This program will set up the FreeIPA Server.
 Version 4.9.0.dev

 This includes:
   * Configure a stand-alone CA (dogtag) for certificate management
   * Configure the NTP client (chronyd)
   * Create and configure an instance of Directory Server
   * Create and configure a Kerberos Key Distribution Center (KDC)
   * Configure Apache (httpd)
   * Configure DNS (bind)
   * Configure the KDC to enable PKINIT

 Warning: skipping DNS resolution of host master.ipa.test
 CA certificate CN=Certificate Authority,O=IPA.TEST in /ipatests/ipa_ca.crt, /ipatests/root_ca.crt is not valid: not valid before 2020-08-25 01:38:13 UTC is in the future.
 The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
 Exit code: 1

Investigation:
the issue happens because of a test run before this test, test_ipahealthcheck.py::TestIpaHealthCheck::test_ipa_healthcheck_expiring, that is changing the date in the future to trigger cert expiration, then resetting the date. The PR-CI infra does not properly configure the NTP servers and as a consequence, the date is not re-synchronised after the test. The test controller is slightly ahead of the master, IPA CA is signed by a external CA set up in the controller and this results in IPA CA "valid from" date seen in the future from the master => ipa-server-install fails.

I opened a ticket in our infra project to properly configure chrony client on the test machines, this ticket will be used to keep track of the investigation and avoid duplicate work on the test failure.

Metadata Update from @frenaud:
- Issue assigned to frenaud

3 years ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5066

3 years ago

frenaud commented 3 years ago

master:

ec67022 ipatests: run test_ipahealthcheck.py::TestIpaHealthCheck separately
2c15e99 ipatests: add missing healthcheck test in PRCI nightlies

abbra commented 3 years ago

ipa-4-8:

2ce880e ipatests: run test_ipahealthcheck.py::TestIpaHealthCheck separately
ab6811a ipatests: add missing healthcheck test in PRCI nightlies

Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

3 years ago

Metadata

Assignee

frenaud

Tags

Blocking

None

Depending on

None

Priority

None

Milestone

None

affects_doc

None

source

None

knownissue

None

type

None

blockedby

None

test_case

None

component

None

blocking

None

on_review

https://github.com/freeipa/freeipa/pull/5066

keywords

None

test_coverage

None

reviewer

None

external_tracker

None

rhbz

None

tester

None

changelog

None

design

None

freeipa

Source Code

#8472 [tracker] Nightly test failure in test_ipahealthcheck.py::TestIpaHealthCheckWithExternalCA Closed: fixed 3 years ago by abbra. Opened 3 years ago by frenaud.

Issue

Metadata

test-failure tests tracker

#8472 [tracker] Nightly test failure in test_ipahealthcheck.py::TestIpaHealthCheckWithExternalCA

Closed: fixed 3 years ago by abbra. Opened 3 years ago by frenaud.