[Bug 1861924] Re: 'command1' autopkgtest fails due to expired test certs

Dan Streetman Tue, 04 Feb 2020 12:59:13 -0800

** Description changed:

  [impact]
  
  autopkgtest 'command1' fails:
  
  # bootstrap.test.lua
  [ ta ] keyfile 'ok1.keys': doesn't exist, bootstrapping
  ok 1 - fake server certificate is detected
  # Got this error: "/usr/lib/knot-resolver/trust_anchors.lua:503: [ ta ] fetch 
of "https://localhost:8080/ok1.xml"; failed: certificate verify failed
  [ ta ] Failed to bootstrap root trust anchors; see:
-        
https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec";
+        
https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec";
  [ ta ] keyfile 'err_attr_extra_attr.keys': doesn't exist, bootstrapping
  ok 2 - bogus TA XML with an extra attribute
  # Got this error: "/usr/lib/knot-resolver/trust_anchors.lua:503: [ ta ] fetch 
of "https://localhost:8080/err_attr_extra_attr.xml"; failed: certificate verify 
failed
  [ ta ] Failed to bootstrap root trust anchors; see:
-        
https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec";
+        
https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec";
  [ ta ] keyfile 'err_attr_validfrom_invalid.keys': doesn't exist, bootstrapping
  ok 3 - bogus TA XML with invalid validFrom value
  # Got this error: "/usr/lib/knot-resolver/trust_anchors.lua:503: [ ta ] fetch 
of "https://localhost:8080/err_attr_validfrom_invalid.xml"; failed: certificate 
verify failed
  [ ta ] Failed to bootstrap root trust anchors; see:
-        
https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec";
+        
https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec";
  [ ta ] keyfile 'err_attr_validfrom_missing.keys': doesn't exist, bootstrapping
  ok 4 - bogus TA XML without mandatory validFrom attribute
  # Got this error: "/usr/lib/knot-resolver/trust_anchors.lua:503: [ ta ] fetch 
of "https://localhost:8080/err_attr_validfrom_missing.xml"; failed: certificate 
verify failed
  [ ta ] Failed to bootstrap root trust anchors; see:
-        
https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec";
+        
https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec";
  [ ta ] keyfile 'err_elem_extra.keys': doesn't exist, bootstrapping
  ok 5 - bogus TA XML with an extra element
  # Got this error: "/usr/lib/knot-resolver/trust_anchors.lua:503: [ ta ] fetch 
of "https://localhost:8080/err_elem_extra.xml"; failed: certificate verify failed
  [ ta ] Failed to bootstrap root trust anchors; see:
-        
https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec";
+        
https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec";
  [ ta ] keyfile 'err_elem_missing.keys': doesn't exist, bootstrapping
  ok 6 - bogus TA XML without mandatory element
  # Got this error: "/usr/lib/knot-resolver/trust_anchors.lua:503: [ ta ] fetch 
of "https://localhost:8080/err_elem_missing.xml"; failed: certificate verify 
failed
  [ ta ] Failed to bootstrap root trust anchors; see:
-        
https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec";
+        
https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec";
  [ ta ] keyfile 'err_multi_ta.keys': doesn't exist, bootstrapping
  ok 7 - bogus TA XML with multiple TAs
  # Got this error: "/usr/lib/knot-resolver/trust_anchors.lua:503: [ ta ] fetch 
of "https://localhost:8080/err_multi_ta.xml"; failed: certificate verify failed
  [ ta ] Failed to bootstrap root trust anchors; see:
-        
https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec";
+        
https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec";
  [ ta ] keyfile 'unsupp_nonroot.keys': doesn't exist, bootstrapping
  ok 8 - unsupported TA XML for non-root zone
  # Got this error: "/usr/lib/knot-resolver/trust_anchors.lua:503: [ ta ] fetch 
of "https://localhost:8080/unsupp_nonroot.xml"; failed: certificate verify failed
  [ ta ] Failed to bootstrap root trust anchors; see:
-        
https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec";
+        
https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec";
  [ ta ] keyfile 'unsupp_xml_v11.keys': doesn't exist, bootstrapping
  ok 9 - unsupported TA XML with XML v1.1
  # Got this error: "/usr/lib/knot-resolver/trust_anchors.lua:503: [ ta ] fetch 
of "https://localhost:8080/unsupp_xml_v11.xml"; failed: certificate verify failed
  [ ta ] Failed to bootstrap root trust anchors; see:
-        
https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec";
+        
https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec";
  [ ta ] keyfile 'ok0_badtimes.keys': doesn't exist, bootstrapping
  ok 10 - TA XML with no valid keys
  # Got this error: "/usr/lib/knot-resolver/trust_anchors.lua:503: [ ta ] fetch 
of "https://localhost:8080/ok0_badtimes.xml"; failed: certificate verify failed
  [ ta ] Failed to bootstrap root trust anchors; see:
-        
https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec";
+        
https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec";
  [ ta ] keyfile 
'@/tmp/autopkgtest.UnFhsC/build.Co6/src/tests/config/test.cfg:23 
/usr/lib/knot-resolver/trust_anchors.lua:503: [ ta ] fetch of 
"https://localhost:8080/ok1_expired1.xml"; failed: certificate verify failed
  [ ta ] Failed to bootstrap root trust anchors; see:
-        
https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec
+        
https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec
  ok1_expired1.keys': doesn't exist, bootstrapping
  Expected return code '0' got '2'.
  make: *** [tests/config/test_config.mk:22: 
daemon/lua/trust_anchors.test/bootstrap.test.lua] Error 1
  
+ 
+ [scope]
+ 
+ This is needed in Eoan and Focal, which use the test certs that expired.
+ 
+ Bionic and earlier do not contain the expired test certs and do not need
+ this patch (in addition, the Bionic autopkgtests have never worked)
  
  [test case]
  
  check autopkgtest output, e.g.:
  
https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-eoan/eoan/amd64/k/knot-resolver/20200204_001858_d45dd@/log.gz
  
  [regression potential]
  
  continued autopkgtest failures and/or incorrect failures or incorrect
  passes


** Also affects: knot-resolver (Ubuntu Focal)
   Importance: Undecided
       Status: New

** Also affects: knot-resolver (Ubuntu Eoan)
   Importance: Undecided
       Status: New

** Changed in: knot-resolver (Ubuntu Focal)
       Status: New => In Progress

** Changed in: knot-resolver (Ubuntu Eoan)
       Status: New => In Progress

** Changed in: knot-resolver (Ubuntu Focal)
   Importance: Undecided => Low

** Changed in: knot-resolver (Ubuntu Eoan)
   Importance: Undecided => Low

** Changed in: knot-resolver (Ubuntu Focal)
     Assignee: (unassigned) => Dan Streetman (ddstreet)

** Changed in: knot-resolver (Ubuntu Eoan)
     Assignee: (unassigned) => Dan Streetman (ddstreet)

** Tags added: block-proposed-eoan

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1861924

Title:
  'command1' autopkgtest fails due to expired test certs

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/knot-resolver/+bug/1861924/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1861924] Re: 'command1' autopkgtest fails due to expired test certs

Reply via email to