[Freeipa-devel] Suspicious IPA cert test fail after upgrade to pki-ca-10.3.5-6
Martin Babinsky
mbabinsk at redhat.com
Thu Sep 22 11:56:49 UTC 2016
On 09/22/2016 01:41 PM, Martin Basti wrote:
> Hello all,
>
>
> Following test is failing:
>
>
> ________________________________________________________________________________
> test_cert_find.test_0007_find_revocation_reason_0
> ________________________________________________________________________________
>
>
> self = <ipatests.test_xmlrpc.test_cert_plugin.test_cert_find object at
> 0x7f1bf4532f90>
>
> def test_0007_find_revocation_reason_0(self):
> """
> Find all certificates with revocation reason 0
> """
> res = api.Command['cert_find'](revocation_reason=0)
>> assert 'count' in res and res['count'] == 0
> E assert ('count' in {'count': 4, 'result': ({'cacn': 'ipa',
> 'issuer': 'CN=Certificate
> Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.C....BRQ.REDHAT.COM',
> 'revoked': True, 'serial_number': 85, ...}), 'summary': '4 certificates
> matched', 'truncated': False} and 4 == 0)
>
> test_xmlrpc/test_cert_plugin.py:302: AssertionError
> ======================================================================================
> 1 failed, 38 passed in 10.77 seconds
> =======================================================================================
>
>
>
> Steps to reproduce:
>
> 1. upgrade to pki-ca-10.3.5-6
>
> 2. run all xmlrpc_tests (ipa-run-test test_xmlrpc)
>
> 3. ipa-run-tests test_xmlrpc/test_cert_plugin.py will always fail with
> error above
>
>
> The curious thing is that with pki-ca-10.3.5-1, I'm not able to
> reproduce this. Probably something was changed on pki-ca side.
>
> [root at vm-058-017 ~]# ipa cert-find --revocation-reason=0
> ----------------------
> 4 certificates matched
> ----------------------
> Issuing CA: ipa
> Subject: CN=crud subca test,O=crud testing inc
> Issuer: CN=Certificate
> Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
> Serial number: 78
> Serial number (hex): 0x4E
> Status: REVOKED
> Revoked: True
>
> Issuing CA: ipa
> Subject: CN=crud subca test,O=crud testing inc
> Issuer: CN=Certificate
> Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
> Serial number: 79
> Serial number (hex): 0x4F
> Status: REVOKED
> Revoked: True
>
> Issuing CA: ipa
> Subject: CN=caacl test subca,O=test industries inc.
> Issuer: CN=Certificate
> Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
> Serial number: 80
> Serial number (hex): 0x50
> Status: REVOKED
> Revoked: True
>
> Issuing CA: ipa
> Subject: CN=SMIME CA,O=test industries Inc.
> Issuer: CN=Certificate
> Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
> Serial number: 85
> Serial number (hex): 0x55
> Status: REVOKED
> Revoked: True
> ----------------------------
> Number of entries returned 4
> ----------------------------
>
> My question is, should we update tests, or is it a bug on PKI-CA side??
> I actually dont know why certificates are present there, it needs more
> investigation.
>
>
> Martin^2
>
>
>
Seeing that all the certs are actually intermediary CA certs and seeing
the following line:
"""
- PKI TRAC Ticket #1638 - Lightweight CAs: revoke certificate on CA
deletion (ftweedal)
"""
in pki-core 10.3.5-6 release notes, I would guess that these are
leftover certificates from sub-CA tests which were previously just
sitting there but are now marked as revoked with reason 0 - unspecified
(as a side note, shouldn't there be different reason, i.e. 5
-cessationOfOperation?).
Seems like we need to fix our tests to cleanup sub-CA certificates as
well, should I open a ticket for this?
--
Martin^3 Babinsky
More information about the Freeipa-devel
mailing list