Re: [Freeipa-devel] Suspicious IPA cert test fail after upgrade to pki-ca-10.3.5-6

2016-09-22 Thread Martin Basti



On 22.09.2016 13:56, Martin Babinsky wrote:

On 09/22/2016 01:41 PM, Martin Basti wrote:

Hello all,


The following test is failing:


 


test_cert_find.test_0007_find_revocation_reason_0
 




self = 

    def test_0007_find_revocation_reason_0(self):
        """
        Find all certificates with revocation reason 0
        """
        res = api.Command['cert_find'](revocation_reason=0)
>       assert 'count' in res and res['count'] == 0
E       assert ('count' in {'count': 4, 'result': ({'cacn': 'ipa',
'issuer': 'CN=Certificate
Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.CBRQ.REDHAT.COM',
'revoked': True, 'serial_number': 85, ...}), 'summary': '4 certificates
matched', 'truncated': False} and 4 == 0)

test_xmlrpc/test_cert_plugin.py:302: AssertionError
== 


1 failed, 38 passed in 10.77 seconds
=== 





Steps to reproduce:

1. upgrade to pki-ca-10.3.5-6

2. run all xmlrpc_tests (ipa-run-test test_xmlrpc)

3. ipa-run-tests test_xmlrpc/test_cert_plugin.py  will always fail with
error above


The curious thing is that with pki-ca-10.3.5-1, I'm not able to
reproduce this. Probably something was changed on pki-ca side.

[root@vm-058-017 ~]# ipa cert-find --revocation-reason=0
--
4 certificates matched
--
  Issuing CA: ipa
  Subject: CN=crud subca test,O=crud testing inc
  Issuer: CN=Certificate
Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
  Serial number: 78
  Serial number (hex): 0x4E
  Status: REVOKED
  Revoked: True

  Issuing CA: ipa
  Subject: CN=crud subca test,O=crud testing inc
  Issuer: CN=Certificate
Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
  Serial number: 79
  Serial number (hex): 0x4F
  Status: REVOKED
  Revoked: True

  Issuing CA: ipa
  Subject: CN=caacl test subca,O=test industries inc.
  Issuer: CN=Certificate
Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
  Serial number: 80
  Serial number (hex): 0x50
  Status: REVOKED
  Revoked: True

  Issuing CA: ipa
  Subject: CN=SMIME CA,O=test industries Inc.
  Issuer: CN=Certificate
Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
  Serial number: 85
  Serial number (hex): 0x55
  Status: REVOKED
  Revoked: True

Number of entries returned 4


My question is, should we update tests, or is it a bug on PKI-CA side??
I actually don't know why certificates are present there, it needs more
investigation.


Martin^2



Seeing that all the certs are actually intermediary CA certs and 
seeing the following line:


"""
- PKI TRAC Ticket #1638 - Lightweight CAs: revoke certificate on CA 
deletion (ftweedal)


"""

in pki-core 10.3.5-6 release notes, I would guess that these are 
leftover certificates from sub-CA tests which were previously just 
sitting there but are now marked as revoked with reason 0 - 
unspecified (as a side note, shouldn't there be a different reason, i.e.
5 - cessationOfOperation?).


Seems like we need to fix our tests to clean up sub-CA certificates as
well, should I open a ticket for this?




Yes please, thank you

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code


Re: [Freeipa-devel] Suspicious IPA cert test fail after upgrade to pki-ca-10.3.5-6

2016-09-22 Thread Martin Babinsky

On 09/22/2016 01:41 PM, Martin Basti wrote:

Hello all,


The following test is failing:



test_cert_find.test_0007_find_revocation_reason_0



self = 

    def test_0007_find_revocation_reason_0(self):
        """
        Find all certificates with revocation reason 0
        """
        res = api.Command['cert_find'](revocation_reason=0)
>       assert 'count' in res and res['count'] == 0
E       assert ('count' in {'count': 4, 'result': ({'cacn': 'ipa',
'issuer': 'CN=Certificate
Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.CBRQ.REDHAT.COM',
'revoked': True, 'serial_number': 85, ...}), 'summary': '4 certificates
matched', 'truncated': False} and 4 == 0)

test_xmlrpc/test_cert_plugin.py:302: AssertionError
==
1 failed, 38 passed in 10.77 seconds
===



Steps to reproduce:

1. upgrade to pki-ca-10.3.5-6

2. run all xmlrpc_tests (ipa-run-test test_xmlrpc)

3. ipa-run-tests test_xmlrpc/test_cert_plugin.py  will always fail with
error above


The curious thing is that with pki-ca-10.3.5-1, I'm not able to
reproduce this. Probably something was changed on pki-ca side.

[root@vm-058-017 ~]# ipa cert-find --revocation-reason=0
--
4 certificates matched
--
  Issuing CA: ipa
  Subject: CN=crud subca test,O=crud testing inc
  Issuer: CN=Certificate
Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
  Serial number: 78
  Serial number (hex): 0x4E
  Status: REVOKED
  Revoked: True

  Issuing CA: ipa
  Subject: CN=crud subca test,O=crud testing inc
  Issuer: CN=Certificate
Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
  Serial number: 79
  Serial number (hex): 0x4F
  Status: REVOKED
  Revoked: True

  Issuing CA: ipa
  Subject: CN=caacl test subca,O=test industries inc.
  Issuer: CN=Certificate
Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
  Serial number: 80
  Serial number (hex): 0x50
  Status: REVOKED
  Revoked: True

  Issuing CA: ipa
  Subject: CN=SMIME CA,O=test industries Inc.
  Issuer: CN=Certificate
Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM
  Serial number: 85
  Serial number (hex): 0x55
  Status: REVOKED
  Revoked: True

Number of entries returned 4


My question is, should we update tests, or is it a bug on PKI-CA side??
I actually don't know why certificates are present there, it needs more
investigation.


Martin^2



Seeing that all the certs are actually intermediary CA certs and seeing 
the following line:


"""
- PKI TRAC Ticket #1638 - Lightweight CAs: revoke certificate on CA 
deletion (ftweedal)


"""

in pki-core 10.3.5-6 release notes, I would guess that these are 
leftover certificates from sub-CA tests which were previously just 
sitting there but are now marked as revoked with reason 0 - unspecified 
(as a side note, shouldn't there be a different reason, i.e.
5 - cessationOfOperation?).


Seems like we need to fix our tests to clean up sub-CA certificates as
well, should I open a ticket for this?


--
Martin^3 Babinsky
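
Added example, not part of the original thread or of FreeIPA's test suite: a small parser for the `ipa cert-find` listing quoted above that separates revoked serials belonging to test sub-CAs from any others, and names the queried CRLReason code. The fixture subject list, the `EXAMPLE.TEST` realm, the serial 90 entry and the function names are assumptions made for illustration.

```python
import re
# CRLReason codes from RFC 5280, section 5.3.1 (value 7 is unassigned).
CRL_REASONS = {0: "unspecified", 1: "keyCompromise", 2: "cACompromise",
    3: "affiliationChanged", 4: "superseded", 5: "cessationOfOperation",
    6: "certificateHold", 8: "removeFromCRL", 9: "privilegeWithdrawn", 10: "aACompromise"}
# Assumption: subjects of sub-CAs created by the test suite, as listed in the thread.
FIXTURE_SUBJECTS = {"CN=crud subca test,O=crud testing inc",
                    "CN=caacl test subca,O=test industries inc.",
                    "CN=SMIME CA,O=test industries Inc."}
# Constructed sample shaped like the thread's listing: a mail-wrapped Issuer
# value and one made-up certificate (serial 90) that is not a test fixture.
SAMPLE = """\
2 certificates matched
  Subject: CN=crud subca test,O=crud testing inc
  Issuer: CN=Certificate
Authority,O=EXAMPLE.TEST
  Serial number: 78
  Revoked: True

  Subject: CN=web.example.test,O=EXAMPLE.TEST
  Serial number: 90
  Revoked: True

Number of entries returned 2
"""
FIELD = re.compile(r"^\s+([A-Za-z ()]+): (.*)$")

def parse_cert_find(text):
    # One dict per certificate; a blank line ends a record.
    records, cur, last = [], {}, None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            last = m.group(1)
            cur[last] = m.group(2).strip()
        elif line.strip() and cur:   # unindented remainder of a wrapped value
            cur[last] += " " + line.strip()
        elif cur:                    # blank line closes the record
            records.append(cur)
            cur, last = {}, None
    return records + ([cur] if cur else [])

def triage(records, reason_code):
    # Split revoked serials into test-fixture leftovers and everything else.
    out = {"reason": CRL_REASONS[reason_code], "fixture": [], "unexpected": []}
    for r in records:
        if r.get("Revoked") == "True":
            key = "fixture" if r["Subject"] in FIXTURE_SUBJECTS else "unexpected"
            out[key].append(int(r["Serial number"]))
    return out
```

A test built on this would assert that `unexpected` is empty rather than that the total count is zero, so leftover sub-CA certificates do not mask or mimic a real regression.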



[Freeipa-devel] Suspicious IPA cert test fail after upgrade to pki-ca-10.3.5-6

2016-09-22 Thread Martin Basti

Hello all,


The following test is failing:


 
test_cert_find.test_0007_find_revocation_reason_0 



self = 0x7f1bf4532f90>


    def test_0007_find_revocation_reason_0(self):
        """
        Find all certificates with revocation reason 0
        """
        res = api.Command['cert_find'](revocation_reason=0)
>       assert 'count' in res and res['count'] == 0
E       assert ('count' in {'count': 4, 'result': ({'cacn': 'ipa',
'issuer': 'CN=Certificate
Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.CBRQ.REDHAT.COM',
'revoked': True, 'serial_number': 85, ...}), 'summary': '4 certificates
matched', 'truncated': False} and 4 == 0)


test_xmlrpc/test_cert_plugin.py:302: AssertionError
== 
1 failed, 38 passed in 10.77 seconds 
===



Steps to reproduce:

1. upgrade to pki-ca-10.3.5-6

2. run all xmlrpc_tests (ipa-run-test test_xmlrpc)

3. ipa-run-tests test_xmlrpc/test_cert_plugin.py  will always fail with 
error above



The curious thing is that with pki-ca-10.3.5-1, I'm not able to 
reproduce this. Probably something was changed on pki-ca side.


[root@vm-058-017 ~]# ipa cert-find --revocation-reason=0
--
4 certificates matched
--
  Issuing CA: ipa
  Subject: CN=crud subca test,O=crud testing inc
  Issuer: CN=Certificate 
Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM

  Serial number: 78
  Serial number (hex): 0x4E
  Status: REVOKED
  Revoked: True

  Issuing CA: ipa
  Subject: CN=crud subca test,O=crud testing inc
  Issuer: CN=Certificate 
Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM

  Serial number: 79
  Serial number (hex): 0x4F
  Status: REVOKED
  Revoked: True

  Issuing CA: ipa
  Subject: CN=caacl test subca,O=test industries inc.
  Issuer: CN=Certificate 
Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM

  Serial number: 80
  Serial number (hex): 0x50
  Status: REVOKED
  Revoked: True

  Issuing CA: ipa
  Subject: CN=SMIME CA,O=test industries Inc.
  Issuer: CN=Certificate 
Authority,O=DOM-058-017.ABC.IDM.LAB.ENG.BRQ.REDHAT.COM

  Serial number: 85
  Serial number (hex): 0x55
  Status: REVOKED
  Revoked: True

Number of entries returned 4


My question is, should we update tests, or is it a bug on PKI-CA side?? 
I actually don't know why certificates are present there, it needs more
investigation.



Martin^2


