#8472 [tracker] Nightly test failure in test_ipahealthcheck.py::TestIpaHealthCheckWithExternalCA
Closed: fixed 8 months ago by abbra. Opened 8 months ago by frenaud.

Issue

The nightly test test_ipahealthcheck.py::TestIpaHealthCheckWithExternalCA is failing during the test setup, see PR #370 with the following report and logs:

 RUN ['ipa-server-install', '-U', '-r', 'IPA.TEST', '-a', 'Secret.123', '-p', 'Secret.123', '--external-cert-file', '/ipatests/ipa_ca.crt', '--external-cert-file', '/ipatests/root_ca.crt']
 RUN ['ipa-server-install', '-U', '-r', 'IPA.TEST', '-a', 'Secret.123', '-p', 'Secret.123', '--external-cert-file', '/ipatests/ipa_ca.crt', '--external-cert-file', '/ipatests/root_ca.crt']
 The log file for this installation can be found in /var/log/ipaserver-install.log
 ==============================================================================
 This program will set up the FreeIPA Server.
 Version 4.9.0.dev

 This includes:
   * Configure a stand-alone CA (dogtag) for certificate management
   * Configure the NTP client (chronyd)
   * Create and configure an instance of Directory Server
   * Create and configure a Kerberos Key Distribution Center (KDC)
   * Configure Apache (httpd)
   * Configure DNS (bind)
   * Configure the KDC to enable PKINIT

 Warning: skipping DNS resolution of host master.ipa.test
 CA certificate CN=Certificate Authority,O=IPA.TEST in /ipatests/ipa_ca.crt, /ipatests/root_ca.crt is not valid: not valid before 2020-08-25 01:38:13 UTC is in the future.
 The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
 Exit code: 1

Investigation:
The issue happens because of a test run before this test, test_ipahealthcheck.py::TestIpaHealthCheck::test_ipa_healthcheck_expiring, that changes the date to the future to trigger cert expiration, then resets the date. The PR-CI infra does not properly configure the NTP servers and, as a consequence, the date is not re-synchronised after the test. The test controller is slightly ahead of the master, and the IPA CA is signed by an external CA set up in the controller; this results in the IPA CA "valid from" date being seen as in the future from the master => ipa-server-install fails.

I opened a ticket in our infra project to properly configure the chrony client on the test machines. This ticket will be used to keep track of the investigation and avoid duplicate work on the test failure.
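
Added example, not part of the original ticket or of FreeIPA's code: a triage helper for this failure mode that parses the installer's "not valid before ... is in the future" message and compares it with the clock of the host that ran the installer. The function names, the 10-minute bound and the master clock reading are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Message format taken from the ipa-server-install output quoted in this ticket.
FUTURE_RE = re.compile(
    r"CA certificate (?P<subject>.+?) in (?P<files>.+?) is not valid: "
    r"not valid before (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC "
    r"is in the future"
)

# Assumption: a lag under this bound points at clock drift between hosts,
# a larger one at a certificate that really is postdated.
SKEW_BOUND = timedelta(minutes=10)


def find_future_notbefore(log_text):
    """Return one dict per 'not valid before ... is in the future' error."""
    hits = []
    for m in FUTURE_RE.finditer(log_text):
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        hits.append({
            "subject": m["subject"],
            "files": [f.strip() for f in m["files"].split(",")],
            "not_before": ts.replace(tzinfo=timezone.utc),
        })
    return hits


def triage(hit, local_now, bound=SKEW_BOUND):
    """Classify one hit given the clock of the host that ran the installer."""
    lag = hit["not_before"] - local_now
    if lag <= timedelta(0):
        return "clock-ok", lag  # clock has caught up since; a retry would pass
    if lag <= bound:
        return "clock-skew", lag
    return "postdated-cert", lag


# Log lines copied from the ticket; the master clock reading below is constructed.
SAMPLE_LOG = """\
Warning: skipping DNS resolution of host master.ipa.test
CA certificate CN=Certificate Authority,O=IPA.TEST in /ipatests/ipa_ca.crt, /ipatests/root_ca.crt is not valid: not valid before 2020-08-25 01:38:13 UTC is in the future.
The ipa-server-install command failed. See /var/log/ipaserver-install.log for more information
"""

if __name__ == "__main__":
    master_now = datetime(2020, 8, 25, 1, 37, 58, tzinfo=timezone.utc)  # constructed
    for hit in find_future_notbefore(SAMPLE_LOG):
        verdict, lag = triage(hit, master_now)
        print(hit["subject"], hit["files"], verdict, f"lag={lag.total_seconds():.0f}s")
```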


Metadata Update from @frenaud:
- Issue assigned to frenaud

8 months ago

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/5066

8 months ago

master:

  • ec67022 ipatests: run test_ipahealthcheck.py::TestIpaHealthCheck separately
  • 2c15e99 ipatests: add missing healthcheck test in PRCI nightlies

ipa-4-8:

  • 2ce880e ipatests: run test_ipahealthcheck.py::TestIpaHealthCheck separately
  • ab6811a ipatests: add missing healthcheck test in PRCI nightlies

Metadata Update from @abbra:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

8 months ago
