The nightly test test_ipahealthcheck.py::TestIpaHealthCheckWithExternalCA::test_ipahealthcheck_ipaopensslchainvalidation is failing in rawhide; see for instance PR #1195 (Details, report):

    self = <ipatests.test_integration.test_ipahealthcheck.TestIpaHealthCheckWithExternalCA object at 0x7fe63c0505e0>
    rename_httpd_cert = None

        def test_ipahealthcheck_ipaopensslchainvalidation(self, rename_httpd_cert):
            """
            Test for IPAOpenSSLChainValidation when httpd cert is moved.
            """
            error_msg = "Can't open {} for reading".format(paths.HTTPD_CERT_FILE)
            returncode, data = run_healthcheck(
                self.master,
                "ipahealthcheck.ipa.certs",
                "IPAOpenSSLChainValidation",
            )
            assert returncode == 1
            for check in data:
                if check["kw"]["key"] == paths.HTTPD_CERT_FILE:
                    assert check["result"] == "ERROR"
    >               assert error_msg in check["kw"]["reason"]
    E               assert "Can't open /var/lib/ipa/certs/httpd.crt for reading" in 'Could not open file or uri for loading certificate file from /var/lib/ipa/certs/httpd.crt\n006C2E84247F0000:error:160...plementations/storemgmt/file_store.c:269:calling stat(/var/lib/ipa/certs/httpd.crt)\nUnable to load certificate file\n'

The failure started happening after the move to openssl3. The test is running ipa-healthcheck with the check IPAOpenSSLChainValidation, which basically does openssl verify -verbose -show_chain -CAfile /etc/ipa/ca.crt $file, on a non-existent file. With openssl-1, the output was:

    RUN ['ipa-healthcheck', '--source', 'ipahealthcheck.ipa.certs', '--check', 'IPAOpenSSLChainValidation', '--output-type', 'json']
    [
      {
        "source": "ipahealthcheck.ipa.certs",
        "check": "IPAOpenSSLChainValidation",
        "result": "ERROR",
        "uuid": "73046605-4bfe-4287-98ad-97d64c0c1548",
        "when": "20210911135542Z",
        "duration": "0.013849",
        "kw": {
          "key": "/var/lib/ipa/certs/httpd.crt",
          "reason": "Can't open /var/lib/ipa/certs/httpd.crt for reading, No such file or directory\n140714554179008:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/var/lib/ipa/certs/httpd.crt','r')\n140714554179008:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:\nunable to load certificate\n",
          "msg": "Certificate validation for {key} failed: {reason}"
        }
      },

and with openssl3, the reason is now:
"reason": "Could not open file or uri for loading certificate file from /var/lib/ipa/certs/httpd.crt\n006C2E84247F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=file\n006C2E84247F0000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:269:calling stat(/var/lib/ipa/certs/httpd.crt)\nUnable to load certificate file\n",
We need to adapt the test and support the old message as well as the new message.
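
One way to accept both wordings, as an added example that is not part of the ticket and not the change made in the linked pull request. The helper names are hypothetical, and the sample results are constructed by abridging the two "reason" strings quoted above.

```python
import re

# First line of `openssl verify` stderr for an unreadable file, taken from the
# two outputs quoted in the ticket. {path} is filled in after re.escape().
_PATTERNS = (
    r"Can't open {path} for reading(,|$)",  # OpenSSL 1.1.x wording
    r"Could not open file or uri for loading certificate file from {path}$",  # OpenSSL 3
)


def missing_file_reported(reason, path):
    """Return True if the first line of reason says path could not be opened."""
    lines = reason.splitlines()
    if not lines:
        return False
    escaped = re.escape(path)  # "." in the path must not match any character
    return any(re.match(p.format(path=escaped), lines[0]) for p in _PATTERNS)


def cert_error_found(results, path):
    """Hypothetical helper: an ERROR entry for path must exist and name the cause."""
    entries = [r for r in results if r.get("kw", {}).get("key") == path]
    # No entry at all counts as a failure; a bare loop of asserts over the
    # results would pass vacuously if the check stopped reporting this key.
    return bool(entries) and all(
        r["result"] == "ERROR" and missing_file_reported(r["kw"]["reason"], path)
        for r in entries
    )


CERT = "/var/lib/ipa/certs/httpd.crt"  # path shown in the ticket's output

# Constructed samples: "reason" strings abridged from the ticket's two outputs.
OPENSSL1 = [{"result": "ERROR", "kw": {"key": CERT, "reason":
    "Can't open " + CERT + " for reading, No such file or directory\n"
    "unable to load certificate\n"}}]
OPENSSL3 = [{"result": "ERROR", "kw": {"key": CERT, "reason":
    "Could not open file or uri for loading certificate file from " + CERT + "\n"
    "Unable to load certificate file\n"}}]

if __name__ == "__main__":
    print(cert_error_found(OPENSSL1, CERT), cert_error_found(OPENSSL3, CERT))
```

Anchoring on the first line and the escaped path keeps the check from matching an unrelated validation error or a different file whose name merely starts with the same path.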
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/6030
master:
ipa-4-9:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)