[Freeipa-devel] [patch 0038-0040] Sub CA test patches

Fraser Tweedale ftweedal at redhat.com
Fri Jul 8 04:06:42 UTC 2016


On Thu, Jul 07, 2016 at 03:46:52PM +0200, Milan Kubík wrote:
> On 07/04/2016 08:57 AM, Fraser Tweedale wrote:
> > Hi Milan,
> > 
> > Yes, we can :)  Two issues, outlined below.
> > 
> > 
> > 1)
> > Running the tests, I get an error in
> > test_create_subca_with_subject_conflict cleanup::
> > 
> >      ____________ ERROR at teardown of TestCAbasicCRUD.test_create_subca_with_subject_conflict _____________
> > 
> >          def cleanup():
> >              created = self.exists
> >              try:
> >                  del_command()
> > 
> >      <snip>
> >      E               NotFound: crud-subca-2: Certificate Authority not found
> > 
> > 
> > I do not know the testing framework very well but it looks like
> > track_create() sets 'self.exists = True' before the create command
> > throws the (expected) DuplicateEntry error.  (These are called from
> > create() in the tracker 'base' class).  Later, cleanup() catches a
> > NotFound but re-throws it because it believes the entry should have
> > existed.
> > 
> > 
> > 2)
> > The usercert.conf.tmpl does not like a subject base with spaces in
> > it, i.e. if 'openssl req' config template gets formatted like:
> > 
> >      [ dn ]
> >      commonName = "alice"
> >      o=IPA.LOCAL 201606201330
> > 
> > then 'openssl req' fails with a nasty error like:
> > 
> >      140644791924600:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num too large:a_object.c:108:
> >      140644791924600:error:0B083077:x509 certificate routines:X509_NAME_ENTRY_create_by_txt:invalid field name:x509name.c:295:name=o
> > 
> > and CalledProcessError gets raised and the test fails.
> > 
> > Simplest solution is to simply remove the '{ipacertbase}' from the
> > template, because AFAIK it is not needed and parsing and formatting
> > the certbase (which could have multiple AVAs) is more complex than
> > the test calls for, IMO.
> > 
> > 
> > Thanks,
> > Fraser
> Hi, thanks.
> 
> I must have missed the first issue after I removed the expected fail marker.
> I have fixed it now.
> 
> As for the usercert template, this code is older than the issues at hand. I
> do not remember why exactly I used that option in the openssl config. I have
> removed that in a new patch.
> 
Thanks Milan,

All working for me now.  ACK on all four patches.

Cheers,
Fraser
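
The teardown failure described in issue 1, as an added example that is not part of the original thread and is not FreeIPA's test code: `FakeCAStore`, `Tracker` and `teardown_outcome` are hypothetical stand-ins. Marking the entry as existing only after the command succeeds is one possible ordering, not necessarily the fix that was committed.

```python
# Added illustration; simplified stand-ins, not the ipatests tracker classes.
class DuplicateEntry(Exception): pass
class NotFound(Exception): pass

class FakeCAStore:
    """Constructed in-memory backend: CA name -> subject, subjects unique."""
    def __init__(self):
        self.cas = {}
    def add(self, name, subject):
        if subject in self.cas.values():
            raise DuplicateEntry(subject)
        self.cas[name] = subject
    def delete(self, name):
        if name not in self.cas:
            raise NotFound(f"{name}: Certificate Authority not found")
        del self.cas[name]

class Tracker:
    def __init__(self, store, name, subject, mark_before_command):
        self.store, self.name, self.subject = store, name, subject
        self.mark_before_command = mark_before_command
        self.exists = False
    def create(self):
        if self.mark_before_command:
            self.exists = True      # flag flipped before the command has run
        self.store.add(self.name, self.subject)
        self.exists = True          # only reached when the add succeeded
    def cleanup(self):
        created = self.exists
        try:
            self.store.delete(self.name)
        except NotFound:
            if created:             # tracker believed the entry existed
                raise
        self.exists = False

def teardown_outcome(mark_before_command):
    store = FakeCAStore()
    Tracker(store, "crud-subca-1", "CN=subca", mark_before_command).create()
    dup = Tracker(store, "crud-subca-2", "CN=subca", mark_before_command)
    try:
        dup.create()
    except DuplicateEntry:
        pass                        # the conflict is what the test expects
    try:
        dup.cleanup()
        return "clean"
    except NotFound as e:
        return f"teardown error: {e}"
```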



