On 22.09.2016 13:56, Martin Babinsky wrote:
On 09/22/2016 01:41 PM, Martin Basti wrote:
Hello all,


The following test is failing:


________________________________________________________________________________
test_cert_find.test_0007_find_revocation_reason_0
________________________________________________________________________________


self = <ipatests.test_xmlrpc.test_cert_plugin.test_cert_find object at
0x7f1bf4532f90>

    def test_0007_find_revocation_reason_0(self):
        """
            Find all certificates with revocation reason 0
            """
        res = api.Command['cert_find'](revocation_reason=0)
      assert 'count' in res and res['count'] == 0
E       assert ('count' in {'count': 4, 'result': ({'cacn': 'ipa',
'issuer': 'CN=Certificate
Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.C....BRQ.REDHAT.COM',
'revoked': True, 'serial_number': 85, ...}), 'summary': '4 certificates
matched', 'truncated': False} and 4 == 0)

test_xmlrpc/test_cert_plugin.py:302: AssertionError
======================================================================================
1 failed, 38 passed in 10.77 seconds
=======================================================================================



Steps to reproduce:

1. upgrade to pki-ca-10.3.5-6

2. run all xmlrpc_tests (ipa-run-test test_xmlrpc)

3. ipa-run-tests test_xmlrpc/test_cert_plugin.py will always fail with
the error above


The curious thing is that with pki-ca-10.3.5-1, I'm not able to
reproduce this. Probably something was changed on pki-ca side.

[root@vm-058-017 ~]# ipa cert-find --revocation-reason=0
----------------------
4 certificates matched
----------------------
  Issuing CA: ipa
  Subject: CN=crud subca test,O=crud testing inc
  Issuer: CN=Certificate
Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
  Serial number: 78
  Serial number (hex): 0x4E
  Status: REVOKED
  Revoked: True

  Issuing CA: ipa
  Subject: CN=crud subca test,O=crud testing inc
  Issuer: CN=Certificate
Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
  Serial number: 79
  Serial number (hex): 0x4F
  Status: REVOKED
  Revoked: True

  Issuing CA: ipa
  Subject: CN=caacl test subca,O=test industries inc.
  Issuer: CN=Certificate
Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
  Serial number: 80
  Serial number (hex): 0x50
  Status: REVOKED
  Revoked: True

  Issuing CA: ipa
  Subject: CN=SMIME CA,O=test industries Inc.
  Issuer: CN=Certificate
Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
  Serial number: 85
  Serial number (hex): 0x55
  Status: REVOKED
  Revoked: True
----------------------------
Number of entries returned 4
----------------------------

My question is, should we update the tests, or is it a bug on the PKI-CA side?
I actually don't know why the certificates are present there; it needs more
investigation.


Martin^2



Seeing that all the certs are actually intermediary CA certs and seeing the following line:

"""
- PKI TRAC Ticket #1638 - Lightweight CAs: revoke certificate on CA deletion (ftweedal)

"""

in the pki-core 10.3.5-6 release notes, I would guess that these are leftover certificates from sub-CA tests which were previously just sitting there but are now marked as revoked with reason 0 - unspecified (as a side note, shouldn't there be a different reason, i.e. 5 - cessationOfOperation?).

Seems like we need to fix our tests to clean up sub-CA certificates as well. Should I open a ticket for this?


Yes please, thank you
