** Description changed: [impact] autopkgtest 'command1' fails: # bootstrap.test.lua [ ta ] keyfile 'ok1.keys': doesn't exist, bootstrapping ok 1 - fake server certificate is detected # Got this error: "/usr/lib/knot-resolver/trust_anchors.lua:503: [ ta ] fetch of "https://localhost:8080/ok1.xml"; failed: certificate verify failed [ ta ] Failed to bootstrap root trust anchors; see: https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec"; [ ta ] keyfile 'err_attr_extra_attr.keys': doesn't exist, bootstrapping ok 2 - bogus TA XML with an extra attribute # Got this error: "/usr/lib/knot-resolver/trust_anchors.lua:503: [ ta ] fetch of "https://localhost:8080/err_attr_extra_attr.xml"; failed: certificate verify failed [ ta ] Failed to bootstrap root trust anchors; see: https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec"; [ ta ] keyfile 'err_attr_validfrom_invalid.keys': doesn't exist, bootstrapping ok 3 - bogus TA XML with invalid validFrom value # Got this error: "/usr/lib/knot-resolver/trust_anchors.lua:503: [ ta ] fetch of "https://localhost:8080/err_attr_validfrom_invalid.xml"; failed: certificate verify failed [ ta ] Failed to bootstrap root trust anchors; see: https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec"; [ ta ] keyfile 'err_attr_validfrom_missing.keys': doesn't exist, bootstrapping ok 4 - bogus TA XML without mandatory validFrom attribute # Got this error: "/usr/lib/knot-resolver/trust_anchors.lua:503: [ ta ] fetch of "https://localhost:8080/err_attr_validfrom_missing.xml"; failed: certificate verify failed [ ta ] Failed to bootstrap root trust anchors; see: https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec"; [ ta ] keyfile 'err_elem_extra.keys': doesn't exist, bootstrapping ok 5 - bogus TA XML with an extra element # Got this error: "/usr/lib/knot-resolver/trust_anchors.lua:503: [ ta ] fetch of "https://localhost:8080/err_elem_extra.xml"; failed: certificate verify failed [ ta ] Failed to bootstrap root trust anchors; see: https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec"; [ ta ] keyfile 'err_elem_missing.keys': doesn't exist, bootstrapping ok 6 - bogus TA XML without mandatory element # Got this error: "/usr/lib/knot-resolver/trust_anchors.lua:503: [ ta ] fetch of "https://localhost:8080/err_elem_missing.xml"; failed: certificate verify failed [ ta ] Failed to bootstrap root trust anchors; see: https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec"; [ ta ] keyfile 'err_multi_ta.keys': doesn't exist, bootstrapping ok 7 - bogus TA XML with multiple TAs # Got this error: "/usr/lib/knot-resolver/trust_anchors.lua:503: [ ta ] fetch of "https://localhost:8080/err_multi_ta.xml"; failed: certificate verify failed [ ta ] Failed to bootstrap root trust anchors; see: https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec"; [ ta ] keyfile 'unsupp_nonroot.keys': doesn't exist, bootstrapping ok 8 - unsupported TA XML for non-root zone # Got this error: "/usr/lib/knot-resolver/trust_anchors.lua:503: [ ta ] fetch of "https://localhost:8080/unsupp_nonroot.xml"; failed: certificate verify failed [ ta ] Failed to bootstrap root trust anchors; see: https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec"; [ ta ] keyfile 'unsupp_xml_v11.keys': doesn't exist, bootstrapping ok 9 - unsupported TA XML with XML v1.1 # Got this error: "/usr/lib/knot-resolver/trust_anchors.lua:503: [ ta ] fetch of "https://localhost:8080/unsupp_xml_v11.xml"; failed: certificate verify failed [ ta ] Failed to bootstrap root trust anchors; see: https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec"; [ ta ] keyfile 'ok0_badtimes.keys': doesn't exist, bootstrapping ok 10 - TA XML with no valid keys # Got this error: "/usr/lib/knot-resolver/trust_anchors.lua:503: [ ta ] fetch of "https://localhost:8080/ok0_badtimes.xml"; failed: certificate verify failed [ ta ] Failed to bootstrap root trust anchors; see: https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec"; [ ta ] keyfile '@/tmp/autopkgtest.UnFhsC/build.Co6/src/tests/config/test.cfg:23 /usr/lib/knot-resolver/trust_anchors.lua:503: [ ta ] fetch of "https://localhost:8080/ok1_expired1.xml"; failed: certificate verify failed [ ta ] Failed to bootstrap root trust anchors; see: https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec ok1_expired1.keys': doesn't exist, bootstrapping Expected return code '0' got '2'. make: *** [tests/config/test_config.mk:22: daemon/lua/trust_anchors.test/bootstrap.test.lua] Error 1 + [scope] - [scope] + This is fixed upstream with commit + https://gitlab.labs.nic.cz/knot/knot-resolver/commit/ae4808ab2329bdf190dcfd80b198ce0791a9b4f7 This is needed in Eoan and Focal, which use the test certs that expired. Bionic and earlier do not contain the expired test certs and do not need this patch (in addition, the Bionic autopkgtests have never worked) [test case] check autopkgtest output, e.g.: https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-eoan/eoan/amd64/k/knot-resolver/20200204_001858_d45dd@/log.gz [regression potential] continued autopkgtest failures and/or incorrect failures or incorrect passes
** Description changed: [impact] autopkgtest 'command1' fails: # bootstrap.test.lua [ ta ] keyfile 'ok1.keys': doesn't exist, bootstrapping ok 1 - fake server certificate is detected # Got this error: "/usr/lib/knot-resolver/trust_anchors.lua:503: [ ta ] fetch of "https://localhost:8080/ok1.xml"; failed: certificate verify failed [ ta ] Failed to bootstrap root trust anchors; see: https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec"; [ ta ] keyfile 'err_attr_extra_attr.keys': doesn't exist, bootstrapping ok 2 - bogus TA XML with an extra attribute # Got this error: "/usr/lib/knot-resolver/trust_anchors.lua:503: [ ta ] fetch of "https://localhost:8080/err_attr_extra_attr.xml"; failed: certificate verify failed [ ta ] Failed to bootstrap root trust anchors; see: https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec"; [ ta ] keyfile 'err_attr_validfrom_invalid.keys': doesn't exist, bootstrapping ok 3 - bogus TA XML with invalid validFrom value # Got this error: "/usr/lib/knot-resolver/trust_anchors.lua:503: [ ta ] fetch of "https://localhost:8080/err_attr_validfrom_invalid.xml"; failed: certificate verify failed [ ta ] Failed to bootstrap root trust anchors; see: https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec"; [ ta ] keyfile 'err_attr_validfrom_missing.keys': doesn't exist, bootstrapping ok 4 - bogus TA XML without mandatory validFrom attribute # Got this error: "/usr/lib/knot-resolver/trust_anchors.lua:503: [ ta ] fetch of "https://localhost:8080/err_attr_validfrom_missing.xml"; failed: certificate verify failed [ ta ] Failed to bootstrap root trust anchors; see: https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec"; [ ta ] keyfile 'err_elem_extra.keys': doesn't exist, bootstrapping ok 5 - bogus TA XML with an extra element # Got this error: "/usr/lib/knot-resolver/trust_anchors.lua:503: [ ta ] fetch of "https://localhost:8080/err_elem_extra.xml"; failed: certificate verify failed [ ta ] Failed to bootstrap root trust anchors; see: https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec"; [ ta ] keyfile 'err_elem_missing.keys': doesn't exist, bootstrapping ok 6 - bogus TA XML without mandatory element # Got this error: "/usr/lib/knot-resolver/trust_anchors.lua:503: [ ta ] fetch of "https://localhost:8080/err_elem_missing.xml"; failed: certificate verify failed [ ta ] Failed to bootstrap root trust anchors; see: https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec"; [ ta ] keyfile 'err_multi_ta.keys': doesn't exist, bootstrapping ok 7 - bogus TA XML with multiple TAs # Got this error: "/usr/lib/knot-resolver/trust_anchors.lua:503: [ ta ] fetch of "https://localhost:8080/err_multi_ta.xml"; failed: certificate verify failed [ ta ] Failed to bootstrap root trust anchors; see: https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec"; [ ta ] keyfile 'unsupp_nonroot.keys': doesn't exist, bootstrapping ok 8 - unsupported TA XML for non-root zone # Got this error: "/usr/lib/knot-resolver/trust_anchors.lua:503: [ ta ] fetch of "https://localhost:8080/unsupp_nonroot.xml"; failed: certificate verify failed [ ta ] Failed to bootstrap root trust anchors; see: https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec"; [ ta ] keyfile 'unsupp_xml_v11.keys': doesn't exist, bootstrapping ok 9 - unsupported TA XML with XML v1.1 # Got this error: "/usr/lib/knot-resolver/trust_anchors.lua:503: [ ta ] fetch of "https://localhost:8080/unsupp_xml_v11.xml"; failed: certificate verify failed [ ta ] Failed to bootstrap root trust anchors; see: https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec"; [ ta ] keyfile 'ok0_badtimes.keys': doesn't exist, bootstrapping ok 10 - TA XML with no valid keys # Got this error: "/usr/lib/knot-resolver/trust_anchors.lua:503: [ ta ] fetch of "https://localhost:8080/ok0_badtimes.xml"; failed: certificate verify failed [ ta ] Failed to bootstrap root trust anchors; see: https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec"; [ ta ] keyfile '@/tmp/autopkgtest.UnFhsC/build.Co6/src/tests/config/test.cfg:23 /usr/lib/knot-resolver/trust_anchors.lua:503: [ ta ] fetch of "https://localhost:8080/ok1_expired1.xml"; failed: certificate verify failed [ ta ] Failed to bootstrap root trust anchors; see: https://knot-resolver.readthedocs.io/en/latest/daemon.html#enabling-dnssec ok1_expired1.keys': doesn't exist, bootstrapping Expected return code '0' got '2'. make: *** [tests/config/test_config.mk:22: daemon/lua/trust_anchors.test/bootstrap.test.lua] Error 1 [scope] This is fixed upstream with commit https://gitlab.labs.nic.cz/knot/knot-resolver/commit/ae4808ab2329bdf190dcfd80b198ce0791a9b4f7 This is needed in Eoan and Focal, which use the test certs that expired. Bionic and earlier do not contain the expired test certs and do not need this patch (in addition, the Bionic autopkgtests have never worked) [test case] check autopkgtest output, e.g.: https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-eoan/eoan/amd64/k/knot-resolver/20200204_001858_d45dd@/log.gz [regression potential] continued autopkgtest failures and/or incorrect failures or incorrect passes + + [other info] + + this was hacked around in Focal by using 'datefudge' to fake the date + during the testcase run; this reverts that hack since it's not needed + with the proper fix. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1861924 Title: 'command1' autopkgtest fails due to expired test certs To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/knot-resolver/+bug/1861924/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
