Issue #2539
closed
unit tests for repoauth are failing on Fedora 25
Status:
CLOSED - CURRENTRELEASE
Description
m2crypto 0.25 raises an exception when dealing with dates after 2050. The certificates we use for repoauth and oid_validation expire in 2116. As a result platform has 5 failing unit tests on Fedora 25.
So is the fix to regenerate certs that expire in 2049? I'm not familiar with these certs off the top of my head, where do they live?
- Status changed from NEW to ASSIGNED
- Assignee set to semyers
- Sprint/Milestone set to 32
- Version set to 2.12.0
- Groomed changed from No to Yes
- Sprint Candidate changed from No to Yes
With that, I'm happy to call this groomed, and I think I can take care of this.
- Triaged changed from No to Yes
I was able to regenerate most certs using basic openssl commands, which fixed repoauth, but oid_validation is still breaking. It looks like the contents of the various ssl keys/certs get embedded into the test file as strings, where the repoauth tests load them from the filesystem. Since the repoauth tests are working fine this way, and it's a lot easier to make copy/paste openssl commands to write files than it is to get it to put stuff into python files, I think I'm going to fix up the oid_validation test suite to load its keys and certs from the filesystem similar to how repoauth does it.
I've been keeping docs on how to do this, so when we have to re-discover how to create test CAs and certs (including entitlement certs), we can hopefully follow the guide here and not require an openssl expert to fix/update our test fixtures.
- Status changed from ASSIGNED to POST
- Status changed from POST to MODIFIED
- Platform Release set to 2.12.1
- Status changed from MODIFIED to CLOSED - CURRENTRELEASE
- Platform Release changed from 2.12.1 to master
- Sprint changed from Sprint 16 to Sprint 14
- Sprint/Milestone deleted (32)
Update testing certificates for oid_validation and repoauth
It looks worse than it is. m2crypto has started to reject any certificate with an expiration date past 2050, which was the case with our testing certificates here. Since I fully expect we'll want to bring the repoauth and oid validation features forward to Pulp 3, I thought it was worth scripting up the openssl-fu necessary to easily remake these certificates in the future.
I reorganized the test_oid_validation file significantly, but the only real functional change was conflating the ideas of "VALID_CA2" and "INVALID_CA". There was actually nothing invalid about INVALID_CA; the only thing invalid about it was that it wasn't VALID_CA. This was also true for VALID_CA2, so they got merged into "OTHER_CA", since (as far as I could tell) there was no test that wanted to use both INVALID_CA and VALID_CA2 at the same time. Most of the churn comes from loading these certs from the filesystem instead of embedding them as strings in the test module. The repoauth tests already worked this way, but don't have as many testing certs, so the regenerate script also does repoauth a solid and updates its certs while it's freshening everything up.
Finally, I renamed the constants to be a little more consistent within the test module, and removed constants that aren't being used anywhere.
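
A guard for regenerated fixtures, as an added example that is not part of this issue or of Pulp's code: it reads notAfter from a DER certificate using only the standard library and reports whether it falls before 2050, the year at which RFC 5280 switches the validity encoding from UTCTime to GeneralizedTime. `sample_cert` builds a constructed skeleton certificate, and every function name here is this example's own.

```python
from datetime import datetime

UTCTIME, GENERALIZEDTIME, SEQUENCE, INTEGER, VERSION = 0x17, 0x18, 0x30, 0x02, 0xA0

def read_tlv(buf, pos):
    """Decode one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        end = pos + (length & 0x7F)
        length, pos = int.from_bytes(buf[pos:end], "big"), end
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the value of a constructed element into (tag, value) pairs."""
    items, pos = [], 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        items.append((tag, inner))
    return items

def not_after(cert_der):
    """Return (expiry datetime, ASN.1 time type name) of a DER certificate."""
    tbs = children(children(read_tlv(cert_der, 0)[1])[0][1])
    if tbs[0][0] == VERSION:  # optional [0] EXPLICIT version comes first
        tbs = tbs[1:]
    tag, raw = children(tbs[3][1])[1]  # serial, sigalg, issuer, validity
    text = raw.decode("ascii")
    if tag == UTCTIME:  # two-digit year: 50-99 means 19YY, 00-49 means 20YY
        text = ("19" if text[:2] >= "50" else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ"), (
        "UTCTime" if tag == UTCTIME else "GeneralizedTime")

def expires_before_2050(cert_der):
    """True when the certificate expires before the boundary named in the issue."""
    return not_after(cert_der)[0].year < 2050

def tlv(tag, value):  # short-form DER encoder, enough for the sample below
    return bytes([tag, len(value)]) + value

def sample_cert(expires):
    """Constructed skeleton certificate: TBSCertificate fields up to validity."""
    def time(dt):  # RFC 5280: UTCTime through 2049, GeneralizedTime from 2050
        fmt, tag = ("%y", UTCTIME) if dt.year < 2050 else ("%Y", GENERALIZEDTIME)
        return tlv(tag, dt.strftime(fmt + "%m%d%H%M%SZ").encode())
    validity = tlv(SEQUENCE, time(datetime(2017, 1, 1)) + time(expires))
    tbs = (tlv(VERSION, tlv(INTEGER, b"\x02")) + tlv(INTEGER, b"\x01")
           + tlv(SEQUENCE, b"") + tlv(SEQUENCE, b"") + validity)
    return tlv(SEQUENCE, tlv(SEQUENCE, tbs))
```

For a PEM fixture on disk, pass `ssl.PEM_cert_to_DER_cert(pem_text)` to `not_after`.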