Fix CI & tests #104
Fix CI & tests #104
Conversation
Signed-off-by: Albin Kerouanton <albinker@gmail.com>
The embedded Let's Encrypt cert expired on Sep 29 19:21:40 2021 GMT. The Amazon Root CA 1 expires on Jan 17 00:00:00 2038 GMT. Signed-off-by: Albin Kerouanton <albinker@gmail.com>
akerouanton
force-pushed
the
fix-ci
branch
6 times, most recently
from
c54118d to
19a46e6
Compare
|
@thaJeztah PTAL |
| // This is the currently active Amazon Root CA 1 (CN=Amazon Root CA 1,O=Amazon,C=US), | ||
| // downloaded from: https://www.amazontrust.com/repository/AmazonRootCA1.pem | ||
| // It's valid since May 26 00:00:00 2015 GMT and expires on Jan 17 00:00:00 2038 GMT. | ||
| // Download updated versions from https://www.amazontrust.com/repository/ |
There was a problem hiding this comment.
Curious; couldn't we use an updated version of the letsencrypt cert? (letsencrypt seems a bit more "independent" than some vendor's root-ca)
There was a problem hiding this comment.
Initially, I tried updating the intermediate Let's Encrypt R3 cert but it was failing with the error message I documented in commit tests: Skip tests failing on darwin.
I wrote a small reproducer to verify the validity of that cert in a Windows 11 VM and it was working properly. Then, I thought that system-wide cert bundle was not up-to-date on Windows and MacOS on GHA runners.
Although it was a dubious theory, I tried to replace that Let's Encrypt cert with the Amazon Root CA 1 cert, but to no avail. Out of laziness (honestly!), I chose to keep this cert but then realized it's valid for a much longer period:
$ openssl crl2pkcs7 -nocrl -certfile ~/Downloads/lets-encrypt-r3.pem | openssl pkcs7 -print_certs -text -noout
Not Before: Sep 4 00:00:00 2020 GMT
Not After : Sep 15 16:00:00 2025 GMT
$ openssl crl2pkcs7 -nocrl -certfile ~/Downloads/AmazonRootCA1.pem | openssl pkcs7 -print_certs -text -noout
Not Before: May 26 00:00:00 2015 GMT
Not After : Jan 17 00:00:00 2038 GMT
So I came to the conclusion it's better to keep it.
Also, Let's Encrypt "independence" doesn't mean much in this context. This cert is only used to make sure we can XOR system-wide cert pool and a custom pool.
tlsconfig/config_test.go
Outdated
| if runtime.GOOS == "windows" || runtime.GOOS == "darwin" { | ||
| // FIXME TestConfigServerExclusiveRootPools is failing on windows: | ||
| // config_test.go:244: Unable to verify certificate 1: x509: certificate signed by unknown authority | ||
| t.Skip("FIXME: failing on Windows") | ||
| t.Skip("FIXME: failing on Windows and darwin") |
There was a problem hiding this comment.
We should probably look at these tests in a follow-up. I recall I disabled them as they were broken, but I'm not sure if they are expected to be failing (and if not; we should look "why")
There was a problem hiding this comment.
Yup; here is what I wrote in the commit message:
TestConfigServerExclusiveRootPools and TestConfigClientExclusiveRootPools
are failing on darwin with the same error message as on Windows:Unable to verify certificate 1: x509: certificate signed by unknown authority
The
(*Certificate).Verify()method fromcrypto/x509special-case
windows, darwin and ios GOOS to use a OS-specific verification process.
This process seems to consider root CAs as invalid for some unknown
reasons.This should be further investigated.
There was a problem hiding this comment.
Yeah, I should've created a tracking issue when I added that skip; perhaps you can create one? (we could add a link to it in the source code / as a comment, in case more details arrive on GitHub)
There was a problem hiding this comment.
Done (although #105 will need to be updated once this PR is merged).
TestConfigServerExclusiveRootPools and TestConfigClientExclusiveRootPools are failing on darwin with the same error message as on Windows: > Unable to verify certificate 1: x509: certificate signed by unknown authority The `(*Certificate).Verify()` method from `crypto/x509` special-case windows, darwin and ios GOOS to use a OS-specific verification process. This process seems to consider root CAs as invalid for some unknown reasons. This should be further investigated. Signed-off-by: Albin Kerouanton <albinker@gmail.com>
Signed-off-by: Albin Kerouanton <albinker@gmail.com>
Signed-off-by: Albin Kerouanton <albinker@gmail.com>
Windows lint job fails with the following error messages: > level=error msg="Running error: context loading failed: failed to load packages: timed out to load packages: context deadline exceeded" > level=error msg="Timeout exceeded: try increasing it by passing --timeout option" Signed-off-by: Albin Kerouanton <albinker@gmail.com>
What I did:
TestConfigServerExclusiveRootPoolsandTestConfigClientExclusiveRootPoolson darwin as it's failing for unknown reason (it doesn't validate Amazon Root CA 1) ;