#9298 [Tracker] Nightly test failure (updates-testing) in test_acme.py::TestACME::test_certbot_certonly_standalone
Opened 2 years ago by frenaud. Modified a year ago

Issue

The nightly test test_acme.py::TestACME::test_certbot_certonly_standalone is failing when the repository updates-testing is enabled. See PR #2279 with the following logs and report:

self = <ipatests.test_integration.test_acme.TestACME object at 0x7faaa47b8890>

    @pytest.mark.skipif(skip_certbot_tests, reason='certbot not available')
    def test_certbot_certonly_standalone(self):
>       certbot_standalone_cert(self.clients[0], self.acme_server)

test_integration/test_acme.py:262: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 
test_integration/test_acme.py:127: in certbot_standalone_cert
    host.run_command(
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

self = <ipatests.pytest_ipa.integration.host.Host client0.ipa.test (client)>
argv = ['certbot', '--server', 'https://ipa-ca.ipa.test/acme/directory', 'certonly', '--domain', 'client0.ipa.test', ...]
set_env = True, stdin_text = None, log_stdout = True, raiseonerr = True
cwd = None, bg = False, encoding = 'utf-8', ok_returncode = 0

    def run_command(self, argv, set_env=True, stdin_text=None,
                    log_stdout=True, raiseonerr=True,
                    cwd=None, bg=False, encoding='utf-8', ok_returncode=0):
        """Wrapper around run_command to log stderr on raiseonerr=True

        :param ok_returncode: return code considered to be correct,
                              you can pass an integer or sequence of integers
        """
        result = super().run_command(
            argv, set_env=set_env, stdin_text=stdin_text,
            log_stdout=log_stdout, raiseonerr=False, cwd=cwd, bg=bg,
            encoding=encoding
        )
        # in FIPS mode SSH may print noise to stderr, remove the string
        # "FIPS mode initialized" + optional newline.
        result.stderr_bytes = FIPS_NOISE_RE.sub(b'', result.stderr_bytes)
        try:
            result_ok = result.returncode in ok_returncode
        except TypeError:
            result_ok = result.returncode == ok_returncode
        if not result_ok and raiseonerr:
            result.log.error('stderr: %s', result.stderr_text)
>           raise subprocess.CalledProcessError(
                result.returncode, argv,
                result.stdout_text, result.stderr_text
            )
E           subprocess.CalledProcessError: Command '['certbot', '--server', 'https://ipa-ca.ipa.test/acme/directory', 'certonly', '--domain', 'client0.ipa.test', '--standalone']' returned non-zero exit status 1.

pytest_ipa/integration/host.py:202: CalledProcessError
 ------------------------------Captured stderr call------------------------------ 
ipa: ERROR: stderr: Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
acme.errors.ClientError: <Response [500]>
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Test scenario:
- configure ipa server
- enable ACME with ipa-acme-manage enable on the server
- register the client with certbot --server https://ipa-ca.ipa.test/acme/directory register -m nobody@example.test --agree-tos --no-eff-email
- stop httpd on the client
- request a cert on the client with certbot --server https://ipa-ca.ipa.test/acme/directory certonly --domain client.ipa.test --standalone

The request fails with

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for client0.ipa.test
An unexpected error occurred:
acme.errors.ClientError: <Response [500]>
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Exit code: 1

The logs on the client show the response received from the server:

org.jboss.resteasy.spi.UnhandledException: java.lang.Exception: Unable to generate certificate: Key Type RSA Not Matched

Installed packages:
dogtag-pki-server-11.2.0-2.fc37.noarch
openssl-3.0.5-3.fc37.x86_64
crypto-policies-20220815-1.gite4ed860.fc37.noarch
tomcat-9.0.68-1.fc37.noarch


Metadata Update from @frenaud:
- Issue tagged with: test-failure

2 years ago

With an old certbot package (1.32.0-1.fc37), the log in /var/log/letsencrypt/letsencrypt.log shows that the key is an RSA key:

certbot.crypto_util:Generating RSA key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem

But with the new certbot package, the key is ECDSA:

certbot.crypto_util:Generating ECDSA key (2048 bits): /etc/letsencrypt/keys/0000_key-certbot.pem

Opening an issue against pki, for them to investigate if their acme server supports ECDSA keys:
https://github.com/dogtagpki/pki/issues/4273
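An added example (not code from the FreeIPA test suite, from the certbot project, or from the commits referenced in this ticket): a stdlib-only check that reads the algorithm OID out of a PKCS#8 private key such as the one certbot writes under /etc/letsencrypt/keys/, so a test or provisioning script can tell whether it is about to submit an ECDSA key to an ACME CA profile that only issues for RSA, together with the argv adjustment that forces --key-type rsa. The OID constants are standard values; the function names are my own, and the DER stubs used for testing are constructed, not real keys.

```python
import base64
import re
# Standard PKCS#8 AlgorithmIdentifier OIDs (well-known values, not from the ticket).
RSA_OID = "1.2.840.113549.1.1.1"  # rsaEncryption
EC_OID = "1.2.840.10045.2.1"      # id-ecPublicKey
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)

def _der_tlv(buf, pos):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """Turn the DER body of an OBJECT IDENTIFIER into dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def key_type_of_pkcs8(der):
    """'rsa'/'ecdsa'/'unknown' from PrivateKeyInfo { version, AlgorithmIdentifier, key }."""
    _, info, _ = _der_tlv(der, 0)          # outer SEQUENCE
    _, _, pos = _der_tlv(info, 0)          # skip INTEGER version
    _, alg, _ = _der_tlv(info, pos)        # AlgorithmIdentifier SEQUENCE
    tag, oid_raw, _ = _der_tlv(alg, 0)     # its first element is the algorithm OID
    if tag != 0x06:
        return "unknown"
    return {RSA_OID: "rsa", EC_OID: "ecdsa"}.get(_decode_oid(oid_raw), "unknown")

def key_type_of_pem(pem):
    """Classify a PEM private key such as certbot's /etc/letsencrypt/keys/*.pem."""
    m = PEM_RE.search(pem)
    if not m:
        return "unknown"
    label, body = m.group(1), m.group(2)
    if label in ("RSA PRIVATE KEY", "EC PRIVATE KEY"):  # legacy headers name it
        return "rsa" if label.startswith("RSA") else "ecdsa"
    if label != "PRIVATE KEY":  # only PKCS#8 (the form certbot writes) remains
        return "unknown"
    return key_type_of_pkcs8(base64.b64decode("".join(body.split())))

def force_rsa_key_type(argv):
    """Append --key-type rsa to a certbot argv unless a key type was already given."""
    return list(argv) if "--key-type" in argv else list(argv) + ["--key-type", "rsa"]
```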

Metadata Update from @frenaud:
- Issue tagged with: tracker

2 years ago

Metadata Update from @frenaud:
- Custom field changelog adjusted to With Certbot update to 2.0.0, Certbot defaults to ECDSA certificate private keys for all new certificates. PKI ACME cert profile supports only rsa private keys, meaning that the key type needs to be forced to rsa when requesting an ACME certificate, using certbot --key-type rsa [...]

a year ago

master:

  • 36cba23 Tests: force key type in ACME tests

ipa-4-9:

  • 16c37cf Tests: force key type in ACME tests

ipa-4-10:

  • 0fa9585 Tests: force key type in ACME tests
