[Freeipa-devel] Suspicious IPA cert test fail after upgrade to pki-ca-10.3.5-6
Martin Basti
mbasti at redhat.com
Thu Sep 22 12:06:42 UTC 2016
On 22.09.2016 13:56, Martin Babinsky wrote:
> On 09/22/2016 01:41 PM, Martin Basti wrote:
>> Hello all,
>>
>>
>> Following test is failing:
>>
>>
>> ________________________________________________________________________________
>>
>> test_cert_find.test_0007_find_revocation_reason_0
>> ________________________________________________________________________________
>>
>>
>>
>> self = <ipatests.test_xmlrpc.test_cert_plugin.test_cert_find object at
>> 0x7f1bf4532f90>
>>
>> def test_0007_find_revocation_reason_0(self):
>> """
>> Find all certificates with revocation reason 0
>> """
>> res = api.Command['cert_find'](revocation_reason=0)
>>> assert 'count' in res and res['count'] == 0
>> E assert ('count' in {'count': 4, 'result': ({'cacn': 'ipa',
>> 'issuer': 'CN=Certificate
>> Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.C....BRQ.REDHAT.COM',
>> 'revoked': True, 'serial_number': 85, ...}), 'summary': '4 certificates
>> matched', 'truncated': False} and 4 == 0)
>>
>> test_xmlrpc/test_cert_plugin.py:302: AssertionError
>> ======================================================================================
>>
>> 1 failed, 38 passed in 10.77 seconds
>> =======================================================================================
>>
>>
>>
>>
>> Steps to reproduce:
>>
>> 1. upgrade to pki-ca-10.3.5-6
>>
>> 2. run all xmlrpc_tests (ipa-run-test test_xmlrpc)
>>
>> 3. ipa-run-tests test_xmlrpc/test_cert_plugin.py will always fail with
>> error above
>>
>>
>> The curious thing is that with pki-ca-10.3.5-1, I'm not able to
>> reproduce this. Probably something was changed on pki-ca side.
>>
>> [root at vm-058-017 ~]# ipa cert-find --revocation-reason=0
>> ----------------------
>> 4 certificates matched
>> ----------------------
>> Issuing CA: ipa
>> Subject: CN=crud subca test,O=crud testing inc
>> Issuer: CN=Certificate
>> Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>> Serial number: 78
>> Serial number (hex): 0x4E
>> Status: REVOKED
>> Revoked: True
>>
>> Issuing CA: ipa
>> Subject: CN=crud subca test,O=crud testing inc
>> Issuer: CN=Certificate
>> Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>> Serial number: 79
>> Serial number (hex): 0x4F
>> Status: REVOKED
>> Revoked: True
>>
>> Issuing CA: ipa
>> Subject: CN=caacl test subca,O=test industries inc.
>> Issuer: CN=Certificate
>> Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>> Serial number: 80
>> Serial number (hex): 0x50
>> Status: REVOKED
>> Revoked: True
>>
>> Issuing CA: ipa
>> Subject: CN=SMIME CA,O=test industries Inc.
>> Issuer: CN=Certificate
>> Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
>> Serial number: 85
>> Serial number (hex): 0x55
>> Status: REVOKED
>> Revoked: True
>> ----------------------------
>> Number of entries returned 4
>> ----------------------------
>>
>> My question is, should we update tests, or is it a bug on PKI-CA side??
>> I actually dont know why certificates are present there, it needs more
>> investigation.
>>
>>
>> Martin^2
>>
>>
>>
> Seeing that all the certs are actually intermediary CA certs and
> seeing the following line:
>
> """
> - PKI TRAC Ticket #1638 - Lightweight CAs: revoke certificate on CA
> deletion (ftweedal)
>
> """
>
> in pki-core 10.3.5-6 release notes, I would guess that these are
> leftover certificates from sub-CA tests which were previously just
> sitting there but are now marked as revoked with reason 0 -
> unspecified (as a side note, shouldn't there be different reason, i.e.
> 5 -cessationOfOperation?).
>
> Seems like we need to fix our tests to cleanup sub-CA certificates as
> well, should I open a ticket for this?
>
Yes please, thank you
More information about the Freeipa-devel
mailing list