[Freeipa-devel] [patch 0038-0040] Sub CA test patches
Fraser Tweedale
ftweedal at redhat.com
Fri Jul 8 04:06:42 UTC 2016
On Thu, Jul 07, 2016 at 03:46:52PM +0200, Milan Kubík wrote:
> On 07/04/2016 08:57 AM, Fraser Tweedale wrote:
> > Hi Milan,
> >
> > Yes, we can :) Two issues, outlined below.
> >
> >
> > 1)
> > Running the tests, I get an error in
> > test_create_subca_with_subject_conflict cleanup::
> >
> > ____________ ERROR at teardown of TestCAbasicCRUD.test_create_subca_with_subject_conflict _____________
> >
> >     def cleanup():
> >         created = self.exists
> >         try:
> >             del_command()
> >
> > <snip>
> > E NotFound: crud-subca-2: Certificate Authority not found
> >
> >
> > I do not know the testing framework very well but it looks like
> > track_create() sets 'self.exists = True' before the create command
> > throws the (expected) DuplicateEntry error. (These are called from
> > create() in the tracker 'base' class). Later, cleanup() catches a
> > NotFound but re-throws it because it believes the entry should have
> > existed.
> >
> >
> > 2)
> > the usercert.conf.tmpl does not like a subject base with spaces in
> > it, i.e. if 'openssl req' config template gets formatted like:
> >
> > [ dn ]
> > commonName = "alice"
> > o=IPA.LOCAL 201606201330
> >
> > then 'openssl req' fails with nasty error like:
> >
> > 140644791924600:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:a_object.c:108:
> > 140644791924600:error:0B083077:x509 certificate routines:X509_NAME_ENTRY_create_by_txt:invalid field name:x509name.c:295:name=o
> >
> > and CalledProcessError gets raised and the test fails.
> >
> > Simplest solution is to simply remove the '{ipacertbase}' from the
> > template, because AFAIK it is not needed and parsing and formatting
> > the certbase (which could have multiple AVAs) is more complex than
> > the test calls for, IMO.
> >
> >
> > Thanks,
> > Fraser
> Hi, thanks.
>
> I must have missed the first issue after I removed the expected fail marker.
> I have fixed it now.
>
> As for the usercert template, this code is older than the issues at hand. I
> do not remember why exactly I used that option in the openssl config. I have
> removed that in a new patch.
>
Thanks Milan,
All working for me now. ACK on all four patches.
Cheers,
Fraser
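
An added example, not part of the thread or of the FreeIPA test suite: a simplified model of the teardown error described in issue 1, comparing a tracker that sets `self.exists` before the create command runs with one that sets it only after success. `FakeServer`, `Tracker`, `mark_before_create`, `teardown_outcome`, the name `crud-subca-1` and the subject string are constructed for illustration; the error names, `self.exists` and `crud-subca-2` come from the report.

```python
# Stand-ins for the IPA errors named in the report (assumed, not FreeIPA's classes).
class NotFound(Exception): pass
class DuplicateEntry(Exception): pass

class FakeServer:
    """Constructed in-memory CA store that rejects duplicate names and subjects."""
    def __init__(self):
        self.cas = {}
    def ca_add(self, name, subject):
        if name in self.cas or subject in self.cas.values():
            raise DuplicateEntry(name)
        self.cas[name] = subject
    def ca_del(self, name):
        if name not in self.cas:
            raise NotFound("%s: Certificate Authority not found" % name)
        del self.cas[name]

class Tracker:
    """Hypothetical tracker; mark_before_create=True models the reported behaviour."""
    def __init__(self, server, name, subject, mark_before_create):
        self.server, self.name, self.subject = server, name, subject
        self.mark_before_create = mark_before_create
        self.exists = False
    def create(self):
        if self.mark_before_create:
            self.exists = True      # state recorded before the command has run
        self.server.ca_add(self.name, self.subject)
        self.exists = True          # state recorded only once the command succeeded
    def cleanup(self):
        created = self.exists
        try:
            self.server.ca_del(self.name)
        except NotFound:
            if created:             # entry was believed to exist, so re-raise
                raise

def teardown_outcome(mark_before_create):
    """Run the subject-conflict scenario and report how cleanup ends."""
    server = FakeServer()
    Tracker(server, "crud-subca-1", "CN=crud subca", mark_before_create).create()
    conflicting = Tracker(server, "crud-subca-2", "CN=crud subca", mark_before_create)
    try:
        conflicting.create()
    except DuplicateEntry:
        pass                        # the error the test expects
    try:
        conflicting.cleanup()
    except NotFound:
        return "teardown error"
    return "clean"
```
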