#8999 Nightly failure (rawhide) in test_ipahealthcheck.py::TestIpaHealthCheckWithExternalCA::test_ipahealthcheck_ipaopensslchainvalidation
Closed: fixed 2 years ago by frenaud. Opened 2 years ago by frenaud.

The nightly test test_ipahealthcheck.py::TestIpaHealthCheckWithExternalCA::test_ipahealthcheck_ipaopensslchainvalidation is failing in rawhide, see for instance PR #1195: Details, report:

self = <ipatests.test_integration.test_ipahealthcheck.TestIpaHealthCheckWithExternalCA object at 0x7fe63c0505e0>
rename_httpd_cert = None

    def test_ipahealthcheck_ipaopensslchainvalidation(self, rename_httpd_cert):
        """
        Test for IPAOpenSSLChainValidation when httpd cert is moved.
        """
        error_msg = "Can't open {} for reading".format(paths.HTTPD_CERT_FILE)
        returncode, data = run_healthcheck(
            self.master,
            "ipahealthcheck.ipa.certs",
            "IPAOpenSSLChainValidation",
        )
        assert returncode == 1
        for check in data:
            if check["kw"]["key"] == paths.HTTPD_CERT_FILE:
                assert check["result"] == "ERROR"
>               assert error_msg in check["kw"]["reason"]
E               assert "Can't open /var/lib/ipa/certs/httpd.crt for reading" in 'Could not open file or uri for loading certificate file from /var/lib/ipa/certs/httpd.crt\n006C2E84247F0000:error:160...plementations/storemgmt/file_store.c:269:calling stat(/var/lib/ipa/certs/httpd.crt)\nUnable to load certificate file\n'

The failure started happening after the move to openssl3.
The test is running ipa-healthcheck with the check IPAOpenSSLChainValidation, which basically does openssl verify -verbose -show_chain -CAfile /etc/ipa/ca.crt $file, on a non-existent file.
With openssl-1, the output was:

RUN ['ipa-healthcheck', '--source', 'ipahealthcheck.ipa.certs', '--check', 'IPAOpenSSLChainValidation', '--output-type', 'json']
[
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPAOpenSSLChainValidation",
    "result": "ERROR",
    "uuid": "73046605-4bfe-4287-98ad-97d64c0c1548",
    "when": "20210911135542Z",
    "duration": "0.013849",
    "kw": {
      "key": "/var/lib/ipa/certs/httpd.crt",
      "reason": "Can't open /var/lib/ipa/certs/httpd.crt for reading, No such file or directory\n140714554179008:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/var/lib/ipa/certs/httpd.crt','r')\n140714554179008:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:\nunable to load certificate\n",
      "msg": "Certificate validation for {key} failed: {reason}"
    }
  },

and with openssl3, the reason is now:

      "reason": "Could not open file or uri for loading certificate file from /var/lib/ipa/certs/httpd.crt\n006C2E84247F0000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:crypto/store/store_register.c:237:scheme=file\n006C2E84247F0000:error:80000002:system library:file_open:No such file or directory:providers/implementations/storemgmt/file_store.c:269:calling stat(/var/lib/ipa/certs/httpd.crt)\nUnable to load certificate file\n",

We need to adapt the test and support the old message as well as the new message.
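
An added example, not part of the ticket or the FreeIPA test suite: one way for a check to accept both wordings quoted above, and to report when no matching entry for the file is found at all. The function names and the trimmed sample JSON are assumptions constructed for illustration.

```python
import json

# Leading text of the `openssl verify` error for an unreadable certificate file,
# copied from the two "reason" values quoted in this ticket.
MISSING_CERT_TEMPLATES = (
    "Can't open {path} for reading",  # openssl-1 wording
    "Could not open file or uri for loading certificate file from {path}",  # openssl3
)

# Constructed sample: ipa-healthcheck JSON trimmed to the fields the test reads.
SAMPLE_OUTPUT = json.dumps([
    {"check": "IPAOpenSSLChainValidation", "result": "SUCCESS",
     "kw": {"key": "/var/lib/ipa/ra-agent.pem"}},
    {"check": "IPAOpenSSLChainValidation", "result": "ERROR",
     "kw": {"key": "/var/lib/ipa/certs/httpd.crt",
            "reason": "Could not open file or uri for loading certificate "
                      "file from /var/lib/ipa/certs/httpd.crt\n"
                      "Unable to load certificate file\n"}},
])


def is_missing_cert_reason(reason, path):
    """True if `reason` says `path` could not be opened, in either wording."""
    return any(t.format(path=path) in reason for t in MISSING_CERT_TEMPLATES)


def find_missing_cert_error(healthcheck_json, path):
    """Return the ERROR entry reporting `path` as unreadable, or None.

    Returning None (instead of silently passing) lets the caller fail when
    the output has no entry for `path` or the reason has an unknown wording.
    """
    for entry in json.loads(healthcheck_json):
        kw = entry.get("kw", {})
        if kw.get("key") != path or entry.get("result") != "ERROR":
            continue
        if is_missing_cert_reason(kw.get("reason", ""), path):
            return entry
    return None


if __name__ == "__main__":
    hit = find_missing_cert_error(SAMPLE_OUTPUT, "/var/lib/ipa/certs/httpd.crt")
    print("matched" if hit else "no matching ERROR entry")
```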


Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/6030

2 years ago

master:

  • 2d53466 ipatests: update expected error message for openssl verify

ipa-4-9:

  • 01dfce6 ipatests: update expected error message for openssl verify

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

2 years ago
