Re: [Freeipa-devel] Suspicious IPA cert test fail after upgrade to pki-ca-10.3.5-6
On 22.09.2016 13:56, Martin Babinsky wrote: On 09/22/2016 01:41 PM, Martin Basti wrote: Hello all, Following test is failing: test_cert_find.test_0007_find_revocation_reason_0 self = def test_0007_find_revocation_reason_0(self): """ Find all certificates with revocation reason 0 """ res = api.Command['cert_find'](revocation_reason=0) assert 'count' in res and res['count'] == 0 E assert ('count' in {'count': 4, 'result': ({'cacn': 'ipa', 'issuer': 'CN=Certificate Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.CBRQ.REDHAT.COM', 'revoked': True, 'serial_number': 85, ...}), 'summary': '4 certificates matched', 'truncated': False} and 4 == 0) test_xmlrpc/test_cert_plugin.py:302: AssertionError == 1 failed, 38 passed in 10.77 seconds === Steps to reproduce: 1. upgrade to pki-ca-10.3.5-6 2. run all xmlrpc_tests (ipa-run-test test_xmlrpc) 3. ipa-run-tests test_xmlrpc/test_cert_plugin.py will always fail with error above The curious thing is that with pki-ca-10.3.5-1, I'm not able to reproduce this. Probably something was changed on pki-ca side. [root@vm-058-017 ~]# ipa cert-find --revocation-reason=0 -- 4 certificates matched -- Issuing CA: ipa Subject: CN=crud subca test,O=crud testing inc Issuer: CN=Certificate Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM Serial number: 78 Serial number (hex): 0x4E Status: REVOKED Revoked: True Issuing CA: ipa Subject: CN=crud subca test,O=crud testing inc Issuer: CN=Certificate Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM Serial number: 79 Serial number (hex): 0x4F Status: REVOKED Revoked: True Issuing CA: ipa Subject: CN=caacl test subca,O=test industries inc. Issuer: CN=Certificate Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM Serial number: 80 Serial number (hex): 0x50 Status: REVOKED Revoked: True Issuing CA: ipa Subject: CN=SMIME CA,O=test industries Inc. Issuer: CN=Certificate Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM Serial number: 85 Serial number (hex): 0x55 Status: REVOKED Revoked: True Number of entries returned 4 My question is, should we update tests, or is it a bug on PKI-CA side?? I actually dont know why certificates are present there, it needs more investigation. Martin^2 Seeing that all the certs are actually intermediary CA certs and seeing the following line: """ - PKI TRAC Ticket #1638 - Lightweight CAs: revoke certificate on CA deletion (ftweedal) """ in pki-core 10.3.5-6 release notes, I would guess that these are leftover certificates from sub-CA tests which were previously just sitting there but are now marked as revoked with reason 0 - unspecified (as a side note, shouldn't there be different reason, i.e. 5 -cessationOfOperation?). Seems like we need to fix our tests to cleanup sub-CA certificates as well, should I open a ticket for this? Yes please, thank you -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Re: [Freeipa-devel] Suspicious IPA cert test fail after upgrade to pki-ca-10.3.5-6
On 09/22/2016 01:41 PM, Martin Basti wrote: Hello all, Following test is failing: test_cert_find.test_0007_find_revocation_reason_0 self = def test_0007_find_revocation_reason_0(self): """ Find all certificates with revocation reason 0 """ res = api.Command['cert_find'](revocation_reason=0) assert 'count' in res and res['count'] == 0 E assert ('count' in {'count': 4, 'result': ({'cacn': 'ipa', 'issuer': 'CN=Certificate Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.CBRQ.REDHAT.COM', 'revoked': True, 'serial_number': 85, ...}), 'summary': '4 certificates matched', 'truncated': False} and 4 == 0) test_xmlrpc/test_cert_plugin.py:302: AssertionError == 1 failed, 38 passed in 10.77 seconds === Steps to reproduce: 1. upgrade to pki-ca-10.3.5-6 2. run all xmlrpc_tests (ipa-run-test test_xmlrpc) 3. ipa-run-tests test_xmlrpc/test_cert_plugin.py will always fail with error above The curious thing is that with pki-ca-10.3.5-1, I'm not able to reproduce this. Probably something was changed on pki-ca side. [root@vm-058-017 ~]# ipa cert-find --revocation-reason=0 -- 4 certificates matched -- Issuing CA: ipa Subject: CN=crud subca test,O=crud testing inc Issuer: CN=Certificate Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM Serial number: 78 Serial number (hex): 0x4E Status: REVOKED Revoked: True Issuing CA: ipa Subject: CN=crud subca test,O=crud testing inc Issuer: CN=Certificate Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM Serial number: 79 Serial number (hex): 0x4F Status: REVOKED Revoked: True Issuing CA: ipa Subject: CN=caacl test subca,O=test industries inc. Issuer: CN=Certificate Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM Serial number: 80 Serial number (hex): 0x50 Status: REVOKED Revoked: True Issuing CA: ipa Subject: CN=SMIME CA,O=test industries Inc. Issuer: CN=Certificate Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM Serial number: 85 Serial number (hex): 0x55 Status: REVOKED Revoked: True Number of entries returned 4 My question is, should we update tests, or is it a bug on PKI-CA side?? I actually dont know why certificates are present there, it needs more investigation. Martin^2 Seeing that all the certs are actually intermediary CA certs and seeing the following line: """ - PKI TRAC Ticket #1638 - Lightweight CAs: revoke certificate on CA deletion (ftweedal) """ in pki-core 10.3.5-6 release notes, I would guess that these are leftover certificates from sub-CA tests which were previously just sitting there but are now marked as revoked with reason 0 - unspecified (as a side note, shouldn't there be different reason, i.e. 5 -cessationOfOperation?). Seems like we need to fix our tests to cleanup sub-CA certificates as well, should I open a ticket for this? -- Martin^3 Babinsky -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
[Freeipa-devel] Suspicious IPA cert test fail after upgrade to pki-ca-10.3.5-6
Hello all, Following test is failing: test_cert_find.test_0007_find_revocation_reason_0 self = 0x7f1bf4532f90> def test_0007_find_revocation_reason_0(self): """ Find all certificates with revocation reason 0 """ res = api.Command['cert_find'](revocation_reason=0) > assert 'count' in res and res['count'] == 0 E assert ('count' in {'count': 4, 'result': ({'cacn': 'ipa', 'issuer': 'CN=Certificate Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.CBRQ.REDHAT.COM', 'revoked': True, 'serial_number': 85, ...}), 'summary': '4 certificates matched', 'truncated': False} and 4 == 0) test_xmlrpc/test_cert_plugin.py:302: AssertionError == 1 failed, 38 passed in 10.77 seconds === Steps to reproduce: 1. upgrade to pki-ca-10.3.5-6 2. run all xmlrpc_tests (ipa-run-test test_xmlrpc) 3. ipa-run-tests test_xmlrpc/test_cert_plugin.py will always fail with error above The curious thing is that with pki-ca-10.3.5-1, I'm not able to reproduce this. Probably something was changed on pki-ca side. [root@vm-058-017 ~]# ipa cert-find --revocation-reason=0 -- 4 certificates matched -- Issuing CA: ipa Subject: CN=crud subca test,O=crud testing inc Issuer: CN=Certificate Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM Serial number: 78 Serial number (hex): 0x4E Status: REVOKED Revoked: True Issuing CA: ipa Subject: CN=crud subca test,O=crud testing inc Issuer: CN=Certificate Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM Serial number: 79 Serial number (hex): 0x4F Status: REVOKED Revoked: True Issuing CA: ipa Subject: CN=caacl test subca,O=test industries inc. Issuer: CN=Certificate Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM Serial number: 80 Serial number (hex): 0x50 Status: REVOKED Revoked: True Issuing CA: ipa Subject: CN=SMIME CA,O=test industries Inc. Issuer: CN=Certificate Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM Serial number: 85 Serial number (hex): 0x55 Status: REVOKED Revoked: True Number of entries returned 4 My question is, should we update tests, or is it a bug on PKI-CA side?? I actually dont know why certificates are present there, it needs more investigation. Martin^2 -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code