mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2024-12-23 23:50:03 -06:00
Uninstall without starting the CA in cert expiration test
Some certificates may have started renewal so returning to present time can bind the server up with trying to renew.

certmonger fires off helpers when it's time to renew certificates. This scenario puts the time within the renewal window. If certmonger notices while the test is running it will kick off renewal for all 12 certificates.

A lock is used to serialize things. The CA was shut down prior to changing time so there is no chance of issuing new certs.

A fixture was used to ensure that things restarted when the test was over. This was for chronyd and the CA. By restarting the CA we allow the chance that it will be able to do some work, versus returning a connection error and letting certmonger just error out (CA_UNREACHABLE).

During uninstallation we call certmonger remove_request over DBus (the equivalent to stop-tracking). As part of this certmonger waits for any child (helper) processes to go away. This used to do it via SIGKILL but that caused other problems so it was changed to waitpid(). We know that it isn't going to return for a while because the CA isn't up. DBus has a hardcoded 25 second timeout. So we're guaranteed to get a DBus timeout. We *could* try to play with it and change the timeout, or retry a bunch of times, but it isn't worth the hassle.

This is a contrived scenario that uninstalls immediately after tweaking time forward. So rather than trying to make this successful, uninstall at the future time with the CA stopped so that helpers won't be hanging around and certmonger can remove the certs.

This is the last test so also the last time we need the replica so to avoid replication bogging things down remove that prior to executing the test. It's one less moving part during the uninstall phase.

https://pagure.io/freeipa/issue/8506

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This commit is contained in:
parent
34af8099e6
commit
fb58b76a80
@ -1336,6 +1336,10 @@ class TestIpaHealthCheck(IntegrationTest):
|
||||
else:
|
||||
assert check["kw"]["days"] == 10
|
||||
|
||||
# Remove the replica now since it will be out of sync with the
|
||||
# updated certificates and replication will break.
|
||||
tasks.uninstall_replica(self.master, self.replicas[0])
|
||||
|
||||
# Store the current date to restore at the end of the test
|
||||
now = datetime.utcnow()
|
||||
now_str = datetime.strftime(now, "%Y-%m-%d %H:%M:%S Z")
|
||||
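Review bot: the `tasks.uninstall_replica(self.master, self.replicas[0])` call sits in the test body, so any test that runs after this one, or is later added below it, will find the replica already gone. The commit message says this is the last test, but the added comment only mentions certificates and replication. Extend the comment to state that this test must remain last in the class, or move the replica removal somewhere that does not depend on test ordering.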
@ -1345,8 +1349,14 @@ class TestIpaHealthCheck(IntegrationTest):
|
||||
cert = x509.load_certificate_list(certfile)
|
||||
cert_expiry = cert[0].not_valid_after
|
||||
|
||||
for service in ('chronyd', 'pki_tomcatd',):
|
||||
restart_service(self.master, service)
|
||||
# Stop chronyd so it doesn't freak out with time so off
|
||||
restart_service(self.master, 'chronyd')
|
||||
|
||||
# Stop pki_tomcatd so certs are not renewable. Don't restart
|
||||
# it because by the time the test is done the server is gone.
|
||||
self.master.run_command(
|
||||
["systemctl", "stop", "pki-tomcatd@pki-tomcat"]
|
||||
)
|
||||
|
||||
try:
|
||||
# move date to the grace period
|
||||
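Review bot: the comment above `restart_service(self.master, 'chronyd')` says "Stop chronyd" while the call is named restart, which reads as a contradiction to anyone who has not looked at the fixture. Say in the comment that the fixture stops the service now and restarts it when the test is over, as the commit message describes. The CA is handled differently, through a raw `systemctl stop` with the unit name `pki-tomcatd@pki-tomcat` written out, while the loop at the top of this hunk refers to the same service as 'pki_tomcatd'; consider deriving the unit name from one place so the two cannot drift apart.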
@ -1361,6 +1371,10 @@ class TestIpaHealthCheck(IntegrationTest):
|
||||
execute_nsscheck_cert_expiring(check)
|
||||
|
||||
finally:
|
||||
# Uninstall the master here so that the certs don't try
|
||||
# to renew after the CA is running again.
|
||||
tasks.uninstall_master(self.master)
|
||||
|
||||
# After restarting chronyd, the date may need some time to get
|
||||
# synced. Help chrony by resetting the date
|
||||
self.master.run_command(['date', '-s', now_str])
|
||||
|
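Review bot: `tasks.uninstall_master(self.master)` is the first statement in the `finally` block, so if the uninstall raises, the `date -s` reset below it never runs and the host stays at the future date. Wrap the uninstall in its own try/finally, with the `self.master.run_command(['date', '-s', now_str])` call in the inner finally, so the clock is restored whether or not the uninstall succeeds.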