#9405 Nightly test failure (rawhide) in test_installation_TestKRAinstallAfterCertRenew
Closed: fixed a year ago by frenaud. Opened 2 years ago by frenaud.

Issue

The nightly test test_integration/test_installation.py::TestKRAinstallAfterCertRenew::test_KRA_install_after_cert_renew is failing in rawhide. See PR #2773 with the following logs and report:

self = <ipatests.test_integration.test_installation.TestKRAinstallAfterCertRenew object at 0x7f513b96b650>

    def test_KRA_install_after_cert_renew(self):

        tasks.install_master(self.master)

        # get ca-agent cert and load as pem
        dm_pass = self.master.config.dirman_password
        admin_pass = self.master.config.admin_password
        args = [paths.OPENSSL, "pkcs12", "-in",
                paths.DOGTAG_ADMIN_P12, "-nodes",
                "-passin", "pass:{}".format(dm_pass)]
        cmd = self.master.run_command(args)

        certs = x509.load_certificate_list(cmd.stdout_text.encode('utf-8'))

        # get expiry date of agent cert
        cert_expiry = certs[0].not_valid_after

        # move date to grace period so that certs get renewed
        self.master.run_command(['systemctl', 'stop', 'chronyd'])
        grace_date = cert_expiry - timedelta(days=10)
        grace_date = datetime.strftime(grace_date, "%Y-%m-%d %H:%M:%S")
        self.master.run_command(['date', '-s', grace_date])

        # get the count of certs track by certmonger
        cmd = self.master.run_command(['getcert', 'list'])
        cert_count = cmd.stdout_text.count('Request ID')
        timeout = 600
        count = 0
        start = time.time()
        # wait sometime for cert renewal
        while time.time() - start < timeout:
            cmd = self.master.run_command(['getcert', 'list'])
            count = cmd.stdout_text.count('status: MONITORING')
            if count == cert_count:
                break
            time.sleep(100)
        else:
            # timeout
>           raise AssertionError('TimeOut: Failed to renew all the certs')
E           AssertionError: TimeOut: Failed to renew all the certs

Steps to Reproduce

Test scenario:

  • install master with CA and DNS
  • find expiry date for RA cert, move date to expiry minus 10 days
  • wait up to 10 minutes for all the certs to be renewed

After 10 minutes, some certs are not renewed and the getcert list command shows that the CA is unreachable:

Request ID '20230627195010':
    status: CA_UNREACHABLE
    ca-error: Server at https://master.ipa.test/ipa/json failed request, will retry: 4016 (Failed to authenticate to CA REST API).
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/master.ipa.test-443-RSA'
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=IPA.TEST
    subject: CN=master.ipa.test,O=IPA.TEST
    issued: 2023-06-27 19:50:11 UTC
    expires: 2025-06-27 19:50:11 UTC
    dns: master.ipa.test,ipa-ca.ipa.test
    principal name: HTTP/master.ipa.test@IPA.TEST
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    profile: caIPAserviceCert
    pre-save command: 
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
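
An added example, not part of the ticket or of the FreeIPA test suite: the Python below parses `getcert list` output per request and returns every request that is not in MONITORING together with its `ca-error`, which is how the CA_UNREACHABLE request above can be singled out when the wait times out. The sample text, the second request ID and its placeholder path are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: the first request reuses fields quoted in the ticket,
# the second request (ID and path) is made up for this example.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20230627195010':
    status: CA_UNREACHABLE
    ca-error: Server at https://master.ipa.test/ipa/json failed request, will retry: 4016 (Failed to authenticate to CA REST API).
    stuck: no
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
    expires: 2025-06-27 19:50:11 UTC
Request ID '20230101000000':
    status: MONITORING
    stuck: no
    certificate: type=FILE,location='/path/to/placeholder.crt'
    expires: 2025-01-01 00:00:00 UTC
"""

REQ_RE = re.compile(r"^Request ID '([^']+)':\s*$")


def parse_getcert_list(text):
    """Return {request_id: {field: value}} from `getcert list` output."""
    requests, current = {}, None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and line[:1] in (" ", "\t") and ":" in line:
            # Split on the first colon only: values such as the ca-error URL
            # and the timestamps contain colons themselves.
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests


def not_monitoring(text):
    """Map request ID -> (status, ca-error) for requests not in MONITORING."""
    return {
        rid: (fields.get("status", "UNKNOWN"), fields.get("ca-error", ""))
        for rid, fields in parse_getcert_list(text).items()
        if fields.get("status") != "MONITORING"
    }


if __name__ == "__main__":
    for rid, (status, err) in not_monitoring(SAMPLE).items():
        print(f"{rid}: {status} {err}")
```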

Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/7107
- Issue assigned to frenaud

a year ago

master:

  • 9abb50e test_install: restart services after date change

ipa-4-11:

  • c7f9995 test_install: restart services after date change

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago

Metadata Update from @frenaud:
- Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-21812

a year ago
