The nightly test test_ipahealthcheck.py::TestIpaHealthCheckWithExternalCA is failing during the test setup, see PR #370 with the following report and logs:
test_ipahealthcheck.py::TestIpaHealthCheckWithExternalCA
RUN ['ipa-server-install', '-U', '-r', 'IPA.TEST', '-a', 'Secret.123', '-p', 'Secret.123', '--external-cert-file', '/ipatests/ipa_ca.crt', '--external-cert-file', '/ipatests/root_ca.crt'] RUN ['ipa-server-install', '-U', '-r', 'IPA.TEST', '-a', 'Secret.123', '-p', 'Secret.123', '--external-cert-file', '/ipatests/ipa_ca.crt', '--external-cert-file', '/ipatests/root_ca.crt'] The log file for this installation can be found in /var/log/ipaserver-install.log ============================================================================== This program will set up the FreeIPA Server. Version 4.9.0.dev This includes: * Configure a stand-alone CA (dogtag) for certificate management * Configure the NTP client (chronyd) * Create and configure an instance of Directory Server * Create and configure a Kerberos Key Distribution Center (KDC) * Configure Apache (httpd) * Configure DNS (bind) * Configure the KDC to enable PKINIT Warning: skipping DNS resolution of host master.ipa.test CA certificate CN=Certificate Authority,O=IPA.TEST in /ipatests/ipa_ca.crt, /ipatests/root_ca.crt is not valid: not valid before 2020-08-25 01:38:13 UTC is in the future. The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information Exit code: 1
Investigation: the issue happens because of a test run before this test, test_ipahealthcheck.py::TestIpaHealthCheck::test_ipa_healthcheck_expiring, that is changing the date in the future to trigger cert expiration, then resetting the date. The PR-CI infra does not properly configure the NTP servers and as a consequence, the date is not re-synchronised after the test. The test controller is slightly ahead of the master, IPA CA is signed by a external CA set up in the controller and this results in IPA CA "valid from" date seen in the future from the master => ipa-server-install fails.
test_ipahealthcheck.py::TestIpaHealthCheck::test_ipa_healthcheck_expiring
ipa-server-install
I opened a ticket in our infra project to properly configure chrony client on the test machines, this ticket will be used to keep track of the investigation and avoid duplicate work on the test failure.
Metadata Update from @frenaud: - Issue assigned to frenaud
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5066
master:
ipa-4-8:
Metadata Update from @abbra: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.