#9567 Nightly test failure (rawhide) in test_ipahealthcheck.py::TestIpaHealthCheckWithExternalCA::test_opensslchainvalidation_ipa_ca_cert
Closed: fixed 9 months ago by frenaud. Opened 9 months ago by frenaud.

The nightly test test_ipahealthcheck.py::TestIpaHealthCheckWithExternalCA::test_opensslchainvalidation_ipa_ca_cert is failing in rawhide because the formatting of an expected error message has changed.

Test scenario:
- install IPA server with an external CA
- keep only ipa ca in /etc/ipa/ca.crt and remove the external CA cert from the file
- call ipa-healthcheck --source ipahealthcheck.ipa.certs --check IPAOpenSSLChainValidation

The output of healthcheck is the following in rawhide:

RUN ['ipa-healthcheck', '--source', 'ipahealthcheck.ipa.certs', '--check', 'IPAOpenSSLChainValidation', '--output-type', 'json']
[
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPAOpenSSLChainValidation",
    "result": "ERROR",
    "uuid": "a7e21cce-fdd5-4c38-89b9-3fc846e92752",
    "when": "20240330203322Z",
    "duration": "0.004492",
    "kw": {
      "key": "/var/lib/ipa/certs/httpd.crt",
      "reason": "O=UFREEIPA.TEST, CN=Certificate Authority\nerror 2 at 1 depth lookup: unable to get issuer certificate\nerror /var/lib/ipa/certs/httpd.crt: verification failed\n",
      "msg": "Certificate validation for {key} failed: {reason}"
    }
  },
  {
    "source": "ipahealthcheck.ipa.certs",
    "check": "IPAOpenSSLChainValidation",
    "result": "ERROR",
    "uuid": "41a0dca9-c212-43b6-8cc8-1f14c245cecb",
    "when": "20240330203322Z",
    "duration": "0.008365",
    "kw": {
      "key": "/var/lib/ipa/ra-agent.pem",
      "reason": "O=UFREEIPA.TEST, CN=Certificate Authority\nerror 2 at 1 depth lookup: unable to get issuer certificate\nerror /var/lib/ipa/ra-agent.pem: verification failed\n",
      "msg": "Certificate validation for {key} failed: {reason}"
    }
  }
]

Note there is no space around the = sign in O=UFREEIPA.TEST, CN=Certificate Authority while the test expects CN = Certificate Authority with spaces.

The format has changed, probably with a new version of openssl.
Need to fix the test to be compatible with old/new versions.


Metadata Update from @rcritten:
- Issue assigned to rcritten

9 months ago

master:

  • 6294b93 ipatests: Ignore spacing in OpenSSL validation error message

ipa-4-11:

  • 9731cdd ipatests: Ignore spacing in OpenSSL validation error message

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

9 months ago

Log in to comment on this ticket.

Metadata