blueprint: fix CA cert testing #1096
Conversation
lzap
force-pushed
the
cacert-test
branch
5 times, most recently
from
bce10a4 to
5e96464
Compare
|
Finally it is passing, I figured out how to generalize the test. Ready for review. |
| echo "📗 Checking extracted CA cert file named '${cn}'" | ||
| if ! [ -e "/etc/pki/ca-trust/extracted/pem/directory-hash/${cn}.pem" ]; then | ||
| echo "Extracted CA file does not exist, directory contents:" | ||
| find /etc/pki/ca-trust/extracted/pem/directory-hash | ||
| exit 1 | ||
| fi | ||
| } |
There was a problem hiding this comment.
@achilleas-k fyi this test was introduced last week but it was broken (a typo in directory-hash path) and due to the config-map it was not executed properly so it sneaked into main. This fixes the map and the test.
|
The test seems to be failing on Fedora 39 and RHEL 9.4. Perhaps a different behaviour in older versions of the tool, @lzap? |
lzap
force-pushed
the
cacert-test
branch
2 times, most recently
from
120b43b to
def14bf
Compare
|
Ah that is right, amended a small change where I change the sed to |
lzap
force-pushed
the
cacert-test
branch
2 times, most recently
from
4cb039f to
3692a1f
Compare
|
Also I have found out that on some (older) systems the directory-hash directory does not exist, so I came with a better test case: it now searches for CN in the bundle PEM file which is concatenated list of all certs with CNs as comments: This should work also on older systems. |
|
Is green, let's put it on the queue @achilleas-k @thozza if you like the grep approach. Not rebasing, I think queue will do the job now. |
test/scripts/base-host-check.sh
Outdated
| echo "Extracted CA file does not exist, directory contents:" | ||
| find /etc/pki/ca-trust/extracted/pem |
There was a problem hiding this comment.
The grep-ing of tls-ca-bundle.pem makes me wonder if listing the content of /etc/pki/ca-trust/extracted/pem still makes sense? 🤔
There was a problem hiding this comment.
So, judging from https://github.com/osbuild/osbuild-composer/pull/4487/files#diff-a0a3d509a4e8903c0bede204d82662223fa270c20360d5bf2dcd2f1d2b68bbcdR264, it should be probably
grep '^#' /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pemThere was a problem hiding this comment.
Yeah, I am working on two very similar patches and as I go I improve every one bit by bit. This should put them on par now, rebased.
There was a problem hiding this comment.
Thank you for the change. Please also amend the comment above it.
|
Right, done. |
|
I do not see any comments by @achilleas-k the tests were fixed, adding to the merge queue. Thanks again for help with this, now I understand how tests do work in here a little bit better :-D |
SSIA @thozza @mvo5