The azure pipeline is running tox tests, and they are failing on ipa-4-10 and ipa-4-9 branches: - example on ipa-4-10: https://github.com/freeipa/freeipa/pull/7174, logs - example on ipa-4-9: https://github.com/freeipa/freeipa/pull/7176, logs
The failure started happening with the release of python-cryptography 42. The tox pipeline is installing python-cryptography using pip but the version is different from the standard version shipped as a rpm on fedora 37 and fedora 38: 37.0.2
Metadata Update from @frenaud: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/7181
ipa-4-10:
master:
ipa-4-11:
ipa-4-9:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Metadata Update from @frenaud: - Issue status updated to: Open (was: Closed)
The fix for cryptography 42.0.0 introduces a regression in the tests: PR3338 - test_acme: logs and report
test_acme
self = <ipatests.test_integration.test_acme.TestACMERenew object at 0x7fe62b9cea80> issue_and_expire_acme_cert = <function issue_and_expire_acme_cert.<locals>._issue_and_expire_acme_cert at 0x7fe629b71c60> @pytest.mark.skipif(skip_certbot_tests, reason='certbot not available') def test_renew(self, issue_and_expire_acme_cert): """Test if ACME renews the issued cert with cerbot This test is to check if ACME certificate renews upon reaching expiry related: https://pagure.io/freeipa/issue/4751 """ issue_and_expire_acme_cert( self.master, self.clients[0], self.acme_server) data = self.clients[0].get_file_contents( f'/etc/letsencrypt/live/{self.clients[0].hostname}/cert.pem' ) cert = x509.load_pem_x509_certificate(data, backend=default_backend()) > initial_expiry = cert.not_valid_after_utc E AttributeError: 'cryptography.hazmat.bindings._rust.x509.Certificate' object has no attribute 'not_valid_after_utc'. Did you mean: 'not_valid_after'?
test_cert_fix
self = <ipatests.test_integration.test_ipa_cert_fix.TestCertFixReplica object at 0x7fc0e96b94f0> expire_certs = None def test_renew_expired_cert_replica(self, expire_certs): """Test renewal of certificates on replica with ipa-cert-fix This is to check that ipa-cert-fix renews the certificates on replica related: https://pagure.io/freeipa/issue/7885 """ # wait for cert expiry check_status(self.master, 8, "CA_UNREACHABLE") self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n') check_status(self.master, 9, "MONITORING") # replica operations # 'Server-Cert cert-pki-ca' cert will be in CA_UNREACHABLE state cmd = self.replicas[0].run_command( ['getcert', 'list', '-d', paths.PKI_TOMCAT_ALIAS_DIR, '-n', 'Server-Cert cert-pki-ca'] ) req_id = get_certmonger_fs_id(cmd.stdout_text) tasks.wait_for_certmonger_status( self.replicas[0], ('CA_UNREACHABLE'), req_id, timeout=600 ) # get initial expiry date to compare later with renewed cert > initial_expiry = get_cert_expiry( self.replicas[0], paths.PKI_TOMCAT_ALIAS_DIR, 'Server-Cert cert-pki-ca' ) test_integration/test_ipa_cert_fix.py:449: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ host = <ipatests.pytest_ipa.integration.host.Host replica0.ipa.test (replica)> nssdb_path = '/etc/pki/pki-tomcat/alias', cert_nick = 'Server-Cert cert-pki-ca' def get_cert_expiry(host, nssdb_path, cert_nick): """Method to get cert expiry date of given certificate :param host: the host :param nssdb_path: nssdb path of certificate :param cert_nick: certificate nick name for extracting cert from nssdb """ # get initial expiry date to compare later with renewed cert host.run_command([ 'certutil', '-L', '-a', '-d', nssdb_path, '-n', cert_nick, '-o', '/root/cert.pem' ]) data = host.get_file_contents('/root/cert.pem') cert = x509.load_pem_x509_certificate(data, backend=default_backend()) > return cert.not_valid_after_utc E AttributeError: 'cryptography.hazmat.bindings._rust.x509.Certificate' object has no attribute 'not_valid_after_utc'. Did you mean: 'not_valid_after'?
Metadata Update from @frenaud: - Issue close_status updated to: fixed
Log in to comment on this ticket.