-
Notifications
You must be signed in to change notification settings - Fork 101
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix CI & tests #104
Fix CI & tests #104
Conversation
Signed-off-by: Albin Kerouanton <[email protected]>
The embedded Let's Encrypt cert expired on Sep 29 19:21:40 2021 GMT. The Amazon Root CA 1 expires on Jan 17 00:00:00 2038 GMT. Signed-off-by: Albin Kerouanton <[email protected]>
c54118d
to
19a46e6
Compare
@thaJeztah PTAL |
// This is the currently active Amazon Root CA 1 (CN=Amazon Root CA 1,O=Amazon,C=US), | ||
// downloaded from: https://www.amazontrust.com/repository/AmazonRootCA1.pem | ||
// It's valid since May 26 00:00:00 2015 GMT and expires on Jan 17 00:00:00 2038 GMT. | ||
// Download updated versions from https://www.amazontrust.com/repository/ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Curious; couldn't we use an updated version of the letsencrypt cert? (letsencrypt seems a bit more "independent" than some vendor's root-ca)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Initially, I tried updating the intermediate Let's Encrypt R3 cert but it was failing with the error message I documented in commit tests: Skip tests failing on darwin.
I wrote a small reproducer to verify the validity of that cert in a Windows 11 VM and it was working properly. Then, I thought that system-wide cert bundle was not up-to-date on Windows and MacOS on GHA runners.
Although it was a dubious theory, I tried to replace that Let's Encrypt cert with the Amazon Root CA 1 cert, but to no avail. Out of laziness (honestly!), I chose to keep this cert but then realized it's valid for a much longer period:
$ openssl crl2pkcs7 -nocrl -certfile ~/Downloads/lets-encrypt-r3.pem | openssl pkcs7 -print_certs -text -noout
Not Before: Sep 4 00:00:00 2020 GMT
Not After : Sep 15 16:00:00 2025 GMT
$ openssl crl2pkcs7 -nocrl -certfile ~/Downloads/AmazonRootCA1.pem | openssl pkcs7 -print_certs -text -noout
Not Before: May 26 00:00:00 2015 GMT
Not After : Jan 17 00:00:00 2038 GMT
So I came to the conclusion it's better to keep it.
Also, Let's Encrypt "independence" doesn't mean much in this context. This cert is only used to make sure we can XOR system-wide cert pool and a custom pool.
tlsconfig/config_test.go
Outdated
if runtime.GOOS == "windows" || runtime.GOOS == "darwin" { | ||
// FIXME TestConfigServerExclusiveRootPools is failing on windows: | ||
// config_test.go:244: Unable to verify certificate 1: x509: certificate signed by unknown authority | ||
t.Skip("FIXME: failing on Windows") | ||
t.Skip("FIXME: failing on Windows and darwin") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We should probably look at these tests in a follow-up. I recall I disabled them as they were broken, but I'm not sure if they are expected to be failing (and if not; we should look "why")
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yup; here is what I wrote in the commit message:
TestConfigServerExclusiveRootPools and TestConfigClientExclusiveRootPools
are failing on darwin with the same error message as on Windows:Unable to verify certificate 1: x509: certificate signed by unknown authority
The
(*Certificate).Verify()
method fromcrypto/x509
special-case
windows, darwin and ios GOOS to use a OS-specific verification process.
This process seems to consider root CAs as invalid for some unknown
reasons.This should be further investigated.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I should've created a tracking issue when I added that skip; perhaps you can create one? (we could add a link to it in the source code / as a comment, in case more details arrive on GitHub)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done (although #105 will need to be updated once this PR is merged).
TestConfigServerExclusiveRootPools and TestConfigClientExclusiveRootPools are failing on darwin with the same error message as on Windows: > Unable to verify certificate 1: x509: certificate signed by unknown authority The `(*Certificate).Verify()` method from `crypto/x509` special-case windows, darwin and ios GOOS to use a OS-specific verification process. This process seems to consider root CAs as invalid for some unknown reasons. This should be further investigated. Signed-off-by: Albin Kerouanton <[email protected]>
Signed-off-by: Albin Kerouanton <[email protected]>
Signed-off-by: Albin Kerouanton <[email protected]>
Windows lint job fails with the following error messages: > level=error msg="Running error: context loading failed: failed to load packages: timed out to load packages: context deadline exceeded" > level=error msg="Timeout exceeded: try increasing it by passing --timeout option" Signed-off-by: Albin Kerouanton <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
SGTM
What I did:
TestConfigServerExclusiveRootPools
andTestConfigClientExclusiveRootPools
on darwin as it's failing for unknown reason (it doesn't validate Amazon Root CA 1) ;