#9518 tox failure on ipa-4-10 and ipa-4-9 branches
Closed: fixed a year ago by frenaud. Opened a year ago by frenaud.

The Azure pipeline is running tox tests, and they are failing on ipa-4-10 and ipa-4-9 branches:
- example on ipa-4-10: https://github.com/freeipa/freeipa/pull/7174, logs
- example on ipa-4-9: https://github.com/freeipa/freeipa/pull/7176, logs

The failure started happening with the release of python-cryptography 42.
The tox pipeline is installing python-cryptography using pip, but the version is different from the standard version shipped as an RPM on Fedora 37 and Fedora 38: 37.0.2


Metadata Update from @frenaud:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/7181

a year ago

ipa-4-10:

  • c3d5ecf azure pipeline: pin cryptography version to 37.0.2

master:

  • a45a7a2 Compatibility fix for PyCA cryptography 42.0.0

ipa-4-11:

  • fa46b41 Compatibility fix for PyCA cryptography 42.0.0

ipa-4-9:

  • fbe6056 azure pipeline: pin cryptography version to 37.0.2

ipa-4-10:

  • 0f9a8b7 Compatibility fix for PyCA cryptography 42.0.0

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

a year ago

Metadata Update from @frenaud:
- Issue status updated to: Open (was: Closed)

a year ago

The fix for cryptography 42.0.0 introduces a regression in the tests: PR3338
- test_acme: logs and report

self = <ipatests.test_integration.test_acme.TestACMERenew object at 0x7fe62b9cea80>
issue_and_expire_acme_cert = <function issue_and_expire_acme_cert.<locals>._issue_and_expire_acme_cert at 0x7fe629b71c60>

    @pytest.mark.skipif(skip_certbot_tests, reason='certbot not available')
    def test_renew(self, issue_and_expire_acme_cert):
        """Test if ACME renews the issued cert with cerbot

        This test is to check if ACME certificate renews upon
        reaching expiry

        related: https://pagure.io/freeipa/issue/4751
        """
        issue_and_expire_acme_cert(
            self.master, self.clients[0], self.acme_server)
        data = self.clients[0].get_file_contents(
            f'/etc/letsencrypt/live/{self.clients[0].hostname}/cert.pem'
        )
        cert = x509.load_pem_x509_certificate(data, backend=default_backend())
>       initial_expiry = cert.not_valid_after_utc
E       AttributeError: 'cryptography.hazmat.bindings._rust.x509.Certificate' object has no attribute 'not_valid_after_utc'. Did you mean: 'not_valid_after'?

self = <ipatests.test_integration.test_ipa_cert_fix.TestCertFixReplica object at 0x7fc0e96b94f0>
expire_certs = None

    def test_renew_expired_cert_replica(self, expire_certs):
        """Test renewal of certificates on replica with ipa-cert-fix

        This is to check that ipa-cert-fix renews the certificates
        on replica

        related: https://pagure.io/freeipa/issue/7885
        """
        # wait for cert expiry
        check_status(self.master, 8, "CA_UNREACHABLE")

        self.master.run_command(['ipa-cert-fix', '-v'], stdin_text='yes\n')

        check_status(self.master, 9, "MONITORING")

        # replica operations
        # 'Server-Cert cert-pki-ca' cert will be in CA_UNREACHABLE state
        cmd = self.replicas[0].run_command(
            ['getcert', 'list',
             '-d', paths.PKI_TOMCAT_ALIAS_DIR,
             '-n', 'Server-Cert cert-pki-ca']
        )
        req_id = get_certmonger_fs_id(cmd.stdout_text)
        tasks.wait_for_certmonger_status(
            self.replicas[0], ('CA_UNREACHABLE'), req_id, timeout=600
        )
        # get initial expiry date to compare later with renewed cert
>       initial_expiry = get_cert_expiry(
            self.replicas[0],
            paths.PKI_TOMCAT_ALIAS_DIR,
            'Server-Cert cert-pki-ca'
        )

test_integration/test_ipa_cert_fix.py:449: 
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ 

host = <ipatests.pytest_ipa.integration.host.Host replica0.ipa.test (replica)>
nssdb_path = '/etc/pki/pki-tomcat/alias', cert_nick = 'Server-Cert cert-pki-ca'

    def get_cert_expiry(host, nssdb_path, cert_nick):
        """Method to get cert expiry date of given certificate

        :param host: the host
        :param nssdb_path: nssdb path of certificate
        :param cert_nick: certificate nick name for extracting cert from nssdb
        """
        # get initial expiry date to compare later with renewed cert
        host.run_command([
            'certutil', '-L', '-a',
            '-d', nssdb_path,
            '-n', cert_nick,
            '-o', '/root/cert.pem'
        ])
        data = host.get_file_contents('/root/cert.pem')
        cert = x509.load_pem_x509_certificate(data, backend=default_backend())
>       return cert.not_valid_after_utc
E       AttributeError: 'cryptography.hazmat.bindings._rust.x509.Certificate' object has no attribute 'not_valid_after_utc'. Did you mean: 'not_valid_after'?

Metadata Update from @frenaud:
- Issue close_status updated to: fixed

a year ago

master:

  • 22875ea test_acme: Use ipalib.x509

ipa-4-11:

  • 18244d7 test_acme: Use ipalib.x509

ipa-4-10:

  • 03d48ca test_acme: Use ipalib.x509
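
The `AttributeError` in the tracebacks above comes from reading `not_valid_after_utc`, which exists only in cryptography 42.0.0 and later, on a certificate object from an older release. The following is an added example, not FreeIPA's code and not the fix in the commits listed above: a version-tolerant accessor that always returns a timezone-aware expiry. The names `cert_expiry_utc`, `was_renewed`, `OldApiCert` and `NewApiCert` are hypothetical, and the certificate objects are constructed stand-ins.

```python
from datetime import datetime, timezone


def cert_expiry_utc(cert):
    """Return the certificate's notAfter as a timezone-aware UTC datetime.

    cryptography >= 42.0.0 exposes `not_valid_after_utc`; older releases
    (such as the 37.0.2 pinned in this ticket) only have `not_valid_after`,
    a naive datetime whose value is already expressed in UTC.
    """
    aware = getattr(cert, "not_valid_after_utc", None)
    if aware is not None:
        return aware
    return cert.not_valid_after.replace(tzinfo=timezone.utc)


def was_renewed(initial_cert, renewed_cert):
    """True when the renewed certificate expires later than the initial one."""
    return cert_expiry_utc(renewed_cert) > cert_expiry_utc(initial_cert)


# Constructed stand-ins for the two API generations, so the example runs
# without cryptography installed. Real x509.Certificate objects expose the
# same attributes and can be passed to the functions above unchanged.
class OldApiCert:  # hypothetical: mimics cryptography < 42
    def __init__(self, not_after):
        self.not_valid_after = not_after  # naive, UTC


class NewApiCert:  # hypothetical: mimics cryptography >= 42
    def __init__(self, not_after):
        self.not_valid_after = not_after
        self.not_valid_after_utc = not_after.replace(tzinfo=timezone.utc)


INITIAL = OldApiCert(datetime(2024, 1, 1, 12, 0, 0))  # constructed dates
RENEWED = NewApiCert(datetime(2024, 4, 1, 12, 0, 0))


def naive_vs_aware_comparison_fails():
    """Comparing the raw attributes of the two generations raises TypeError."""
    try:
        RENEWED.not_valid_after_utc > INITIAL.not_valid_after
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    print(cert_expiry_utc(INITIAL).isoformat(), was_renewed(INITIAL, RENEWED))
```

Normalizing through one accessor also avoids the second failure mode shown by `naive_vs_aware_comparison_fails`: an expiry read through the old attribute cannot be compared directly with one read through the new attribute.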
