The nightly test test_integration/test_installation.py::TestKRAinstallAfterCertRenew::test_KRA_install_after_cert_renew is failing in rawhide. See PR #2773 with the following logs and report:
test_integration/test_installation.py::TestKRAinstallAfterCertRenew::test_KRA_install_after_cert_renew
```
self = <ipatests.test_integration.test_installation.TestKRAinstallAfterCertRenew object at 0x7f513b96b650>

    def test_KRA_install_after_cert_renew(self):
        tasks.install_master(self.master)
        # get ca-agent cert and load as pem
        dm_pass = self.master.config.dirman_password
        admin_pass = self.master.config.admin_password
        args = [paths.OPENSSL, "pkcs12", "-in", paths.DOGTAG_ADMIN_P12,
                "-nodes", "-passin", "pass:{}".format(dm_pass)]
        cmd = self.master.run_command(args)
        certs = x509.load_certificate_list(cmd.stdout_text.encode('utf-8'))
        # get expiry date of agent cert
        cert_expiry = certs[0].not_valid_after
        # move date to grace period so that certs get renewed
        self.master.run_command(['systemctl', 'stop', 'chronyd'])
        grace_date = cert_expiry - timedelta(days=10)
        grace_date = datetime.strftime(grace_date, "%Y-%m-%d %H:%M:%S")
        self.master.run_command(['date', '-s', grace_date])
        # get the count of certs track by certmonger
        cmd = self.master.run_command(['getcert', 'list'])
        cert_count = cmd.stdout_text.count('Request ID')
        timeout = 600
        count = 0
        start = time.time()
        # wait sometime for cert renewal
        while time.time() - start < timeout:
            cmd = self.master.run_command(['getcert', 'list'])
            count = cmd.stdout_text.count('status: MONITORING')
            if count == cert_count:
                break
            time.sleep(100)
        else:
            # timeout
>           raise AssertionError('TimeOut: Failed to renew all the certs')
E           AssertionError: TimeOut: Failed to renew all the certs
```
Test scenario:
After 10 minutes, some certs are not renewed and the getcert list command shows that the CA is unreachable:
```
getcert list
Request ID '20230627195010':
	status: CA_UNREACHABLE
	ca-error: Server at https://master.ipa.test/ipa/json failed request, will retry: 4016 (Failed to authenticate to CA REST API).
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/master.ipa.test-443-RSA'
	certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=IPA.TEST
	subject: CN=master.ipa.test,O=IPA.TEST
	issued: 2023-06-27 19:50:11 UTC
	expires: 2025-06-27 19:50:11 UTC
	dns: master.ipa.test,ipa-ca.ipa.test
	principal name: HTTP/master.ipa.test@IPA.TEST
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	profile: caIPAserviceCert
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes
```
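The test above only compares the number of `status: MONITORING` lines with the number of `Request ID` lines, so a timeout does not say which request failed or why. The following added example (not part of this ticket or of the FreeIPA test suite) parses `getcert list` output into per-request records and reports every request that is not in MONITORING together with its `ca-error`. The function names and the second sample record are assumptions made for illustration.

```python
import re

# Constructed sample: the first record mirrors the one quoted in this ticket,
# the second is a made-up healthy request added for contrast.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20230627195010':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://master.ipa.test/ipa/json failed request, will retry: 4016 (Failed to authenticate to CA REST API).
\tstuck: no
\tcertificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
\texpires: 2025-06-27 19:50:11 UTC
Request ID '20230627194900':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=FILE,location='/var/lib/ipa/certs/example.crt'
\texpires: 2025-06-27 19:49:00 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':\s*$")


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracking request."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and line[:1] in ("\t", " ") and ":" in line:
            # Split on the first colon only: values contain URLs and timestamps.
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests


def not_monitoring(requests):
    """Return (id, status, ca-error) for every request that is not MONITORING."""
    return [(r["id"], r.get("status", "UNKNOWN"), r.get("ca-error", ""))
            for r in requests if r.get("status") != "MONITORING"]


if __name__ == "__main__":
    for req_id, status, error in not_monitoring(parse_getcert_list(SAMPLE)):
        print(f"{req_id}: {status} {error}")
```

Raising the `AssertionError` with the result of `not_monitoring()` in its message would put the failing request and its CA error directly in the test report.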
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/7107 - Issue assigned to frenaud
master:
ipa-4-11:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @frenaud: - Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-21812