action #138998
closed [qe-core] test fails in ca_certificates_mozilla
100%
Description
Observation
openQA test in scenario sle-12-SP5-Server-DVD-Updates-x86_64-mau-extratests2@64bit fails in ca_certificates_mozilla
Test suite description
Testsuite maintained at https://gitlab.suse.de/qa-maintenance/qam-openqa-yml. Run console tests against aggregated test repo
Reproducible
Fails since (at least) Build 20231101-1 (current job)
Expected result
Last good: 20231031-1 (or more recent)
Further details
Always latest result in this scenario: latest
Notes
The TLSv1.2 certificate returned from static.opensuse.org has CN=atlas.infra.opensuse.org
Subject Alternative Names: atlas1.infra.opensuse.org, atlas2.infra.opensuse.org, atlas.infra.opensuse.org, proxy-prg2.infra.opensuse.org
susetest:~ # cat /etc/os-release
NAME="SLES"
VERSION="12-SP5"
VERSION_ID="12.5"
PRETTY_NAME="SUSE Linux Enterprise Server 12 SP5"
ID="sles"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:12:sp5"
susetest:~ # echo x | openssl s_client -connect static.opensuse.org:443
CONNECTED(00000003)
depth=1 O = Heroes internal CA, CN = Heroes internal CA Intermediate CA
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
0 s:/CN=atlas.infra.opensuse.org
i:/O=Heroes internal CA/CN=Heroes internal CA Intermediate CA
1 s:/O=Heroes internal CA/CN=Heroes internal CA Intermediate CA
i:/O=Heroes internal CA/CN=Heroes internal CA Root CA
---
Server certificate
subject=/CN=atlas.infra.opensuse.org
issuer=/O=Heroes internal CA/CN=Heroes internal CA Intermediate CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1565 bytes and written 419 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 521 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-ECDSA-AES128-GCM-SHA256
Session-ID: 003337E12C44A4DD94BDBC0BB189BF197A2F180D4448B794690A85F99AAFE407
Session-ID-ctx:
Master-Key: A82916E268A7A882E7A6CEFE5FD3AF10D97E555673ED096326261CFDF472D2E7BF24C61E19ACDCE4636B592841805840
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1698912738
Timeout : 300 (sec)
Verify return code: 20 (unable to get local issuer certificate)
---
DONE
Updated by dzedro about 1 year ago
Updated by msmeissn about 1 year ago
I think you seem to either reach some internal interface of static.opensuse.org, the external has different certs as far as I see.
marcus@jenny:~/Downloads> openssl s_client -connect static.opensuse.org:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = static.opensuse.org
verify return:1
Certificate chain
0 s:CN = static.opensuse.org
i:C = US, O = Let's Encrypt, CN = R3
a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
v:NotBefore: Oct 25 09:16:23 2023 GMT; NotAfter: Jan 23 09:16:22 2024 GMT
1 s:C = US, O = Let's Encrypt, CN = R3
i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Sep 4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
i:O = Digital Signature Trust Co., CN = DST Root CA X3
a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT
Updated by amanzini about 1 year ago
@msmeissn I reproduced the different behaviour running 2 VMs from my local PC, so it seems to be the same network routing.
On 12SP5 (the QCOW2 image downloaded from OSD test assets) the CN of the returned certificate is different; can it be an infra setup issue?
Updated by msmeissn about 1 year ago
Can also confirm on SLES 12 SP5: with TLS 1.2 it seems not to reach the right server side.
Or better, openssl 1.0.x seems to fail, but openssl 1.1.x and openssl 3 seem to work.
I think it still might be a server side issue at static.o.o, will reach out to admin@o.o.
Updated by msmeissn about 1 year ago
It works if you do:
openssl s_client -connect static.opensuse.org:443 -servername static.opensuse.org
So basically passing in -servername.
This does not seem to be necessary in newer openssl.
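Added example, not part of the ticket or of the openQA test code: a shell helper that tells the failure seen in this thread (the default virtual host answered because no SNI was sent) apart from a genuine trust-store failure, by reading the subject CN and the verify code out of `openssl s_client` output. The function names and both sample inputs are constructed for illustration; only `-connect` and `-servername` come from the thread.

```shell
#!/bin/sh
# Added example: triage `openssl s_client` output for the missing-SNI case.

# Build s_client arguments that always send SNI (needed on OpenSSL 1.0.x).
sclient_args() {            # $1 = host:port
    printf '%s' "-connect $1 -servername ${1%:*}"
}

# Leaf subject CN; accepts "subject=/CN=name" (1.0.x) and "subject=CN = name".
leaf_cn() {
    sed -n 's|^subject=.*CN *= *\([^/,]*\).*|\1|p' | head -n 1
}

# Numeric chain verification result.
verify_code() {
    sed -n 's|^ *Verify return code: \([0-9]*\).*|\1|p' | head -n 1
}

# Heuristic: compares only the subject CN with the requested host (no SAN check).
diagnose() {                # $1 = requested host, stdin = s_client output
    out=$(cat)
    cn=$(printf '%s\n' "$out" | leaf_cn)
    code=$(printf '%s\n' "$out" | verify_code)
    if [ "$code" = "0" ]; then
        echo "ok cn=$cn"
    elif [ "$cn" != "$1" ]; then
        echo "wrong-vhost cn=$cn code=$code (retry with -servername $1)"
    else
        echo "untrusted-chain cn=$cn code=$code (check the CA bundle)"
    fi
}

# Constructed samples: lines taken from the ticket's SLES 12 SP5 output, and a
# passing result written in the newer OpenSSL output format.
SAMPLE_NO_SNI='subject=/CN=atlas.infra.opensuse.org
issuer=/O=Heroes internal CA/CN=Heroes internal CA Intermediate CA
Verify return code: 20 (unable to get local issuer certificate)'
SAMPLE_SNI='subject=CN = static.opensuse.org
    Verify return code: 0 (ok)'

printf '%s\n' "$SAMPLE_NO_SNI" | diagnose static.opensuse.org
printf '%s\n' "$SAMPLE_SNI" | diagnose static.opensuse.org
```

A test that is meant to exercise the CA bundle should only be counted as failed on the `untrusted-chain` result; `wrong-vhost` points at the client invocation or the server's default virtual host instead.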
Updated by amanzini about 1 year ago
- Tags changed from infra to infra, bugbusters
- Subject changed from test fails in ca_certificates_mozilla to [qe-core] test fails in ca_certificates_mozilla
Thanks @msmeissn! Looks like we can adjust the test for this specific case.
Updated by amanzini about 1 year ago
- Status changed from New to Feedback
Updated by amanzini about 1 year ago
- Status changed from Feedback to Resolved
- % Done changed from 0 to 100