action #138998

closed

[qe-core] test fails in ca_certificates_mozilla

Added by amanzini about 1 year ago. Updated about 1 year ago.

Status: Resolved
Priority: Normal
Category: Bugs in existing tests
Start date: 2023-11-02
% Done: 100%

Description

Observation

openQA test in scenario sle-12-SP5-Server-DVD-Updates-x86_64-mau-extratests2@64bit fails in ca_certificates_mozilla

Test suite description

Testsuite maintained at https://gitlab.suse.de/qa-maintenance/qam-openqa-yml. Run console tests against aggregated test repo

Reproducible

Fails since (at least) Build 20231101-1 (current job)

Expected result

Last good: 20231031-1 (or more recent)

Further details

Always latest result in this scenario: latest

Notes

The TLSv1.2 certificate returned from static.opensuse.org has CN=atlas.infra.opensuse.org
Subject Alternative Names: atlas1.infra.opensuse.org, atlas2.infra.opensuse.org, atlas.infra.opensuse.org, proxy-prg2.infra.opensuse.org

susetest:~ # cat /etc/os-release 
NAME="SLES"
VERSION="12-SP5"
VERSION_ID="12.5"
PRETTY_NAME="SUSE Linux Enterprise Server 12 SP5"
ID="sles"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:12:sp5"
susetest:~ # echo x | openssl s_client -connect static.opensuse.org:443
CONNECTED(00000003)
depth=1 O = Heroes internal CA, CN = Heroes internal CA Intermediate CA
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:/CN=atlas.infra.opensuse.org
   i:/O=Heroes internal CA/CN=Heroes internal CA Intermediate CA
 1 s:/O=Heroes internal CA/CN=Heroes internal CA Intermediate CA
   i:/O=Heroes internal CA/CN=Heroes internal CA Root CA
---
Server certificate
subject=/CN=atlas.infra.opensuse.org
issuer=/O=Heroes internal CA/CN=Heroes internal CA Intermediate CA
---
No client certificate CA names sent
Peer signing digest: SHA256
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 1565 bytes and written 419 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES128-GCM-SHA256
Server public key is 521 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-ECDSA-AES128-GCM-SHA256
    Session-ID: 003337E12C44A4DD94BDBC0BB189BF197A2F180D4448B794690A85F99AAFE407
    Session-ID-ctx: 
    Master-Key: A82916E268A7A882E7A6CEFE5FD3AF10D97E555673ED096326261CFDF472D2E7BF24C61E19ACDCE4636B592841805840
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1698912738
    Timeout   : 300 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---
DONE

Actions #2

Updated by msmeissn about 1 year ago

I think you seem to either reach some internal interface of static.opensuse.org, the external has different certs as far as I see.

marcus@jenny:~/Downloads> openssl s_client -connect static.opensuse.org:443
CONNECTED(00000003)
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = static.opensuse.org
verify return:1

Certificate chain
 0 s:CN = static.opensuse.org
   i:C = US, O = Let's Encrypt, CN = R3
   a:PKEY: id-ecPublicKey, 384 (bit); sigalg: RSA-SHA256
   v:NotBefore: Oct 25 09:16:23 2023 GMT; NotAfter: Jan 23 09:16:22 2024 GMT
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep 4 00:00:00 2020 GMT; NotAfter: Sep 15 16:00:00 2025 GMT
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3
   a:PKEY: rsaEncryption, 4096 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan 20 19:14:03 2021 GMT; NotAfter: Sep 30 18:14:03 2024 GMT

Actions #3

Updated by amanzini about 1 year ago

@msmeissn I reproduced the different behaviour running 2 VMs from my local PC, so it seems to be the same network routing.
On 12SP5 (the QCOW2 image downloaded from OSD test assets) the returned certificate CN is different; can it be an infra setup issue?

Actions #4

Updated by msmeissn about 1 year ago

Can also confirm on SLES 12 SP5 with TLS 1.2 it seems not to reach the right server side.

Or better, openssl 1.0.x seems to fail, but openssl 1.1.x and openssl 3 seem to work.

I think it still might be a server side issue at static.o.o, will reach out to admin@o.o.

Actions #5

Updated by msmeissn about 1 year ago

It works if you do:

openssl s_client -connect static.opensuse.org:443 -servername static.opensuse.org

so basically passing in -servername

this does not seem to be necessary in newer openssl
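
The behaviour found in comments #4 and #5, as an added example that is not part of the ticket or of the openQA test: a shell helper that always passes -servername and classifies s_client output, so a certificate from the wrong virtual host is reported separately from a trust-store failure. The function names and the trimmed sample outputs are constructed for illustration (the second sample's return-code line is assumed), and the CN comparison ignores SANs and wildcards.

```shell
#!/bin/sh
# Added example: tell "wrong vhost (SNI not sent)" apart from a trust failure.

# Leaf certificate CN from s_client output on stdin. Handles both formats
# seen in the thread:  subject=/CN=host   and   subject=CN = host
leaf_cn() {
    sed -n 's/^subject=.*CN *= *\([^/,]*\).*$/\1/p' | head -n 1
}

# Numeric "Verify return code" from s_client output on stdin.
verify_rc() {
    sed -n 's/^ *Verify return code: \([0-9][0-9]*\).*$/\1/p' | head -n 1
}

# classify HOST < s_client-output
# Simplification (assumption): compares the CN only, no SAN or wildcard match.
classify() {
    out=$(cat)
    cn=$(printf '%s\n' "$out" | leaf_cn)
    rc=$(printf '%s\n' "$out" | verify_rc)
    if [ "$cn" != "$1" ]; then
        echo "wrong-vhost cn=$cn"    # server answered with another host's cert
    elif [ "$rc" = "0" ]; then
        echo "ok"
    else
        echo "untrusted rc=$rc"      # right cert, chain not locally trusted
    fi
}

# Live probe (needs network). -servername is passed explicitly because the
# thread found that s_client from OpenSSL 1.0.x does not reach the right
# virtual host without it.
probe() {
    echo x | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null |
        classify "$1"
}

# Constructed samples, trimmed from the outputs quoted in this ticket.
SAMPLE_NO_SNI='subject=/CN=atlas.infra.opensuse.org
issuer=/O=Heroes internal CA/CN=Heroes internal CA Intermediate CA
    Verify return code: 20 (unable to get local issuer certificate)'
SAMPLE_SNI='subject=CN = static.opensuse.org
    Verify return code: 0 (ok)'

printf '%s\n' "$SAMPLE_NO_SNI" | classify static.opensuse.org
printf '%s\n' "$SAMPLE_SNI" | classify static.opensuse.org
```
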

Actions #6

Updated by amanzini about 1 year ago

  • Tags changed from infra to infra, bugbusters
  • Subject changed from test fails in ca_certificates_mozilla to [qe-core] test fails in ca_certificates_mozilla

Thanks @msmeissn! Looks like we can adjust the test for this specific case.

Actions #7

Updated by amanzini about 1 year ago

  • Assignee set to amanzini

Actions #8

Updated by amanzini about 1 year ago

  • Status changed from New to Feedback

Actions #9

Updated by amanzini about 1 year ago

  • Status changed from Feedback to Resolved
  • % Done changed from 0 to 100