Uninstall without starting the CA in cert expiration test

Some certificates may have started renewal so returning to
present time can bind the server up with trying to renew.

certmonger fires off helpers when it's time to renew
certificates. This scenario puts the time within the renewal
window. If certmonger notices while the test is running it
will kick off renewal for all 12 certificates.

A lock is used to serialize things. The CA was shut down prior
to changing time so there is no chance of issuing new certs.

A fixture was used to ensure that things restarted when
the test was over. This was for chronyd and the CA. By restarting
the CA we allow the chance that it will be able to do some
work, versus returning a connection error and letting
certmonger just error out (CA_UNREACHABLE).

During uninstallation we call certmonger remove_request over
DBus (the equivalent to stop-tracking). As part of this
certmonger waits for any child (helper) processes to go away.
This used to do it via SIGKILL but that caused other problems
so it was changed to waitpid(). We know that it isn't going to
return for a while because the CA isn't up. DBus has a
hardcoded 25 second timeout. So we're guaranteed to get a
DBus timeout. We *could* try to play with it and change the
timeout, or retry a bunch of times, but it isn't worth the
hassle.

This is a contrived scenario that uninstalls immediately after
tweaking time forward. So rather than trying to make this
succesful, uninstall at the future time with the CA stopped
so that helpers won't be hanging around and certmonger can
remove the certs.

This is the last test so also the last time we need the replica
so to avoid replication bogging things down remove that prior
to executing the test. It's one less moving part during the
uninstall phase.

https://pagure.io/freeipa/issue/8506

Signed-off-by: Rob Crittenden <rcritten@redhat.com>
Reviewed-By: Florence Blanc-Renaud <flo@redhat.com>
This commit is contained in:
Rob Crittenden 2021-03-18 11:04:27 -04:00 committed by Florence Blanc-Renaud
parent 34af8099e6
commit fb58b76a80

View File

@ -1336,6 +1336,10 @@ class TestIpaHealthCheck(IntegrationTest):
else: else:
assert check["kw"]["days"] == 10 assert check["kw"]["days"] == 10
# Remove the replica now since it will be out of sync with the
# updated certificates and replication will break.
tasks.uninstall_replica(self.master, self.replicas[0])
# Store the current date to restore at the end of the test # Store the current date to restore at the end of the test
now = datetime.utcnow() now = datetime.utcnow()
now_str = datetime.strftime(now, "%Y-%m-%d %H:%M:%S Z") now_str = datetime.strftime(now, "%Y-%m-%d %H:%M:%S Z")
@ -1345,8 +1349,14 @@ class TestIpaHealthCheck(IntegrationTest):
cert = x509.load_certificate_list(certfile) cert = x509.load_certificate_list(certfile)
cert_expiry = cert[0].not_valid_after cert_expiry = cert[0].not_valid_after
for service in ('chronyd', 'pki_tomcatd',): # Stop chronyd so it doesn't freak out with time so off
restart_service(self.master, service) restart_service(self.master, 'chronyd')
# Stop pki_tomcatd so certs are not renewable. Don't restart
# it because by the time the test is done the server is gone.
self.master.run_command(
["systemctl", "stop", "pki-tomcatd@pki-tomcat"]
)
try: try:
# move date to the grace period # move date to the grace period
@ -1361,6 +1371,10 @@ class TestIpaHealthCheck(IntegrationTest):
execute_nsscheck_cert_expiring(check) execute_nsscheck_cert_expiring(check)
finally: finally:
# Uninstall the master here so that the certs don't try
# to renew after the CA is running again.
tasks.uninstall_master(self.master)
# After restarting chronyd, the date may need some time to get # After restarting chronyd, the date may need some time to get
# synced. Help chrony by resetting the date # synced. Help chrony by resetting the date
self.master.run_command(['date', '-s', now_str]) self.master.run_command(['date', '-s', now_str])