Wednesday, June 8, 2016

[389-devel] Re: Ticket 48798 - CI and lib389 tests fail

Note: Resent due to earlier technical issues. 

On Wed, 2016-06-08 at 17:52 +0200, Simon Pichugin wrote:
>
> Hi William,
>
> I troubleshoot failures at the tickets.
> And both tickets/ticket48798_test.py and lib389/tests/nss_ssl_test.py
> fail because of the same problem. 
> As I understand this is because of class design issue (lib389/nss_ssl.py).
>
> Can you please take a look? May be you've already faced that issue and
> can help me with the problem, so it would resolve faster. :)
>
> Please, find the log output in the attachment.
>
> Thanks,
> Simon
I haven't seen this issue before. "works for me" right, so it's not a bug? ;) 

Joking aside, looking at that trace, the assert failing is that the CA failed to validate post create. 

        # Check if ca exists. Should be false.
        assert(topology.standalone.nss_ssl._rsa_ca_exists() is False)
        # Create it. Should work.
        assert(topology.standalone.nss_ssl.create_rsa_ca() is True)
        # Check if ca exists. Should be true
>
>        assert(topology.standalone.nss_ssl._rsa_ca_exists() is True)
E       assert <bound method NssSsl._rsa_ca_exists of <lib389.nss_ssl.NssSsl object at 0x7f13b4de3ed0>>() is True
E        +  where <bound method NssSsl._rsa_ca_exists of <lib389.nss_ssl.NssSsl object at 0x7f13b4de3ed0>> =
<lib389.nss_ssl.NssSsl object at 0x7f13b4de3ed0>._rsa_ca_exists
E        +    where <lib389.nss_ssl.NssSsl object at 0x7f13b4de3ed0> = <lib389.DirSrv instance at 0x7f13b553dbd8>.nss_ssl
E        +      where <lib389.DirSrv instance at 0x7f13b553dbd8> = <lib389.tests.nss_ssl_test.TopologyStandalone object at
0x7f13b4df8210>.standalone

lib389/tests/nss_ssl_test.py:71: AssertionError


I would think the error is occuring in:

        assert(topology.standalone.nss_ssl.create_rsa_ca() is True)

This may erroneously be returning True.

It would be worth preventing the instance from being removed, and checking the output of the ssl directory.

Have a look at say (depending on your install prefix ...):

cd [/opt/dirsrv]/etc/dirsrv/slapd-standalone
certutil -L -d . 

You could also dump the result of the check call, or even the command line string it uses and run it by hand. Look at line 147
of nss_ssl.py. Maybe we could add some better logging in / around these parts for future if we have this error again?

The reason I think the error is in create_rsa_ca, is because in _rsa_ca_exists(), there is basically no error checking. It's
designed to "fail fast", in the cast there is no CA or DB. Because it's returning a "False", which triggers the assert, it means
the CA check is probably working, and telling the truth.


Does that help? If you need anything else, let me know,



--
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)