#8598 Nightly failure in test_acme.py::TestACMEwithExternalCA::test_certbot_dns: Some challenges have failed
Closed: duplicate 3 years ago by frenaud. Opened 3 years ago by frenaud.

The nightly test test_acme.py::TestACMEwithExternalCA::test_certbot_dns failed while getting a cert with a DNS challenge, with the error Some challenges have failed, in [testing_master_latest] = master branch with only the updates repo enabled.

See PR #552 with logs and report:

self = <ipatests.test_integration.test_acme.TestACMEwithExternalCA object at 0x7fd6e4596fd0>

    @pytest.mark.skipif(skip_certbot_tests, reason='certbot not available')
    def test_certbot_dns(self):
        # Assume previous revoke operation succeeded and cert was deleted.
        # We can now request a new certificate.

        # Get a cert from ACME service using dns-01 challenge and Certbot's
        # standalone HTTP server mode
>       self.clients[0].run_command([
            'certbot',
            '--server', self.acme_server,
            'certonly',
            '--non-interactive',
            '--domain', self.clients[0].hostname,
            '--preferred-challenges', 'dns',
            '--manual',
            '--manual-public-ip-logging-ok',
            '--manual-auth-hook', CERTBOT_DNS_IPA_SCRIPT,
            '--manual-cleanup-hook', CERTBOT_DNS_IPA_SCRIPT,
        ])

The output is the following:

Plugins selected: Authenticator manual, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for client0.ipa.test
Running manual-auth-hook command: /usr/libexec/ipa/acme/certbot-dns-ipa
Waiting for verification...
Challenge failed for domain client0.ipa.test
Cleaning up challenges
Running manual-cleanup-hook command: /usr/libexec/ipa/acme/certbot-dns-ipa
Some challenges have failed.

Metadata Update from @frenaud:
- Issue tagged with: test-failure, tests

3 years ago

Closing as duplicate of https://pagure.io/freeipa/issue/8602. The ACME failures seem to happen when the communications between the client and ACME server switch between master and replica because of the DNS round-robin selection (acme server is set using the alias ipa-ca.$domain and may resolve to different hosts).

Metadata Update from @frenaud:
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)

3 years ago
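
A resolver-level check for the condition described in the closing comment, added here as an example (not code from the ticket or from the FreeIPA test suite): it looks up the ACME server host several times and reports whether the name maps to more than one backend and whether the preferred address rotates between lookups. The URL path, the addresses and the rotating resolver are constructed assumptions so that the check runs offline.

```python
import socket
from urllib.parse import urlsplit

def resolve_all(host, port, resolver=socket.getaddrinfo):
    """Distinct addresses for host, in the order the resolver returned them."""
    seen = []
    for *_, sockaddr in resolver(host, port, proto=socket.IPPROTO_TCP):
        if sockaddr[0] not in seen:
            seen.append(sockaddr[0])
    return seen

def check_acme_alias(server_url, lookups=5, resolver=socket.getaddrinfo):
    """Report whether successive connections to server_url can reach different hosts."""
    parts = urlsplit(server_url)
    host, port = parts.hostname, parts.port or 443
    backends, first_choices = set(), []
    for _ in range(lookups):
        addrs = resolve_all(host, port, resolver)
        if addrs:
            first_choices.append(addrs[0])  # address a client would try first
            backends.update(addrs)
    return {
        "host": host,
        "backends": sorted(backends),
        # More than one backend: one ACME order can be split across servers.
        "may_switch_servers": len(backends) > 1,
        # The first answer rotates: the switch happens without any failure.
        "first_choice_changes": len(set(first_choices)) > 1,
    }

def make_round_robin_resolver(addresses):
    """Constructed stand-in for DNS that rotates its answers on every lookup."""
    state = {"n": 0}
    def resolver(host, port, proto=0):
        k = state["n"] % len(addresses)
        state["n"] += 1
        rotated = addresses[k:] + addresses[:k]
        return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", (a, port))
                for a in rotated]
    return resolver

if __name__ == "__main__":
    # Constructed sample: ipa-ca alias answering with a master and a replica.
    fake_dns = make_round_robin_resolver(["192.0.2.10", "192.0.2.11"])
    url = "https://ipa-ca.ipa.test/acme/directory"  # assumed server URL
    print(check_acme_alias(url, lookups=4, resolver=fake_dns))
```

Called without the `resolver` argument, the check uses the system resolver, so it can be run on the client host against the real alias.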
