Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix CI & tests #104

Merged
merged 6 commits into from
Oct 30, 2023
Merged

Fix CI & tests #104

merged 6 commits into from
Oct 30, 2023

Conversation

akerouanton
Copy link
Member

@akerouanton akerouanton commented Oct 27, 2023

What I did:

  • Update Go test matrix to go1.20 and go1.21 (instead of go1.15 and go1.16), but keep testing on go1.13 ;
  • Replace embedded Let's Encrypt cert with Amazon Root CA 1 (expires on Jan 17 00:00:00 2038 GMT) ;
  • Skip TestConfigServerExclusiveRootPools and TestConfigClientExclusiveRootPools on darwin as it's failing for unknown reason (it doesn't validate Amazon Root CA 1) ;
  • Bump golangci-lint version and increase its timeout to avoid failures on Windows ;

Signed-off-by: Albin Kerouanton <[email protected]>
The embedded Let's Encrypt cert expired on Sep 29 19:21:40 2021 GMT. The
Amazon Root CA 1 expires on Jan 17 00:00:00 2038 GMT.

Signed-off-by: Albin Kerouanton <[email protected]>
@akerouanton akerouanton force-pushed the fix-ci branch 6 times, most recently from c54118d to 19a46e6 Compare October 28, 2023 11:31
@akerouanton
Copy link
Member Author

@thaJeztah PTAL

Comment on lines +15 to +18
// This is the currently active Amazon Root CA 1 (CN=Amazon Root CA 1,O=Amazon,C=US),
// downloaded from: https://www.amazontrust.com/repository/AmazonRootCA1.pem
// It's valid since May 26 00:00:00 2015 GMT and expires on Jan 17 00:00:00 2038 GMT.
// Download updated versions from https://www.amazontrust.com/repository/
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Curious; couldn't we use an updated version of the letsencrypt cert? (letsencrypt seems a bit more "independent" than some vendor's root-ca)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Initially, I tried updating the intermediate Let's Encrypt R3 cert but it was failing with the error message I documented in commit tests: Skip tests failing on darwin.

I wrote a small reproducer to verify the validity of that cert in a Windows 11 VM and it was working properly. Then, I thought that system-wide cert bundle was not up-to-date on Windows and MacOS on GHA runners.

Although it was a dubious theory, I tried to replace that Let's Encrypt cert with the Amazon Root CA 1 cert, but to no avail. Out of laziness (honestly!), I chose to keep this cert but then realized it's valid for a much longer period:

$ openssl crl2pkcs7 -nocrl -certfile ~/Downloads/lets-encrypt-r3.pem | openssl pkcs7 -print_certs -text -noout
            Not Before: Sep  4 00:00:00 2020 GMT
            Not After : Sep 15 16:00:00 2025 GMT
$ openssl crl2pkcs7 -nocrl -certfile ~/Downloads/AmazonRootCA1.pem | openssl pkcs7 -print_certs -text -noout
            Not Before: May 26 00:00:00 2015 GMT
            Not After : Jan 17 00:00:00 2038 GMT

So I came to the conclusion it's better to keep it.

Also, Let's Encrypt "independence" doesn't mean much in this context. This cert is only used to make sure we can XOR system-wide cert pool and a custom pool.

Comment on lines 202 to 204
if runtime.GOOS == "windows" || runtime.GOOS == "darwin" {
// FIXME TestConfigServerExclusiveRootPools is failing on windows:
// config_test.go:244: Unable to verify certificate 1: x509: certificate signed by unknown authority
t.Skip("FIXME: failing on Windows")
t.Skip("FIXME: failing on Windows and darwin")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should probably look at these tests in a follow-up. I recall I disabled them as they were broken, but I'm not sure if they are expected to be failing (and if not; we should look "why")

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yup; here is what I wrote in the commit message:

TestConfigServerExclusiveRootPools and TestConfigClientExclusiveRootPools
are failing on darwin with the same error message as on Windows:

Unable to verify certificate 1: x509: certificate signed by unknown authority

The (*Certificate).Verify() method from crypto/x509 special-case
windows, darwin and ios GOOS to use a OS-specific verification process.
This process seems to consider root CAs as invalid for some unknown
reasons.

This should be further investigated.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, I should've created a tracking issue when I added that skip; perhaps you can create one? (we could add a link to it in the source code / as a comment, in case more details arrive on GitHub)

Copy link
Member Author

@akerouanton akerouanton Oct 30, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Done (although #105 will need to be updated once this PR is merged).

TestConfigServerExclusiveRootPools and TestConfigClientExclusiveRootPools
are failing on darwin with the same error message as on Windows:

> Unable to verify certificate 1: x509: certificate signed by unknown authority

The `(*Certificate).Verify()` method from `crypto/x509` special-case
windows, darwin and ios GOOS to use a OS-specific verification process.
This process seems to consider root CAs as invalid for some unknown
reasons.

This should be further investigated.

Signed-off-by: Albin Kerouanton <[email protected]>
Signed-off-by: Albin Kerouanton <[email protected]>
Signed-off-by: Albin Kerouanton <[email protected]>
Windows lint job fails with the following error messages:

> level=error msg="Running error: context loading failed: failed to load packages: timed out to load packages: context deadline exceeded"
> level=error msg="Timeout exceeded: try increasing it by passing --timeout option"

Signed-off-by: Albin Kerouanton <[email protected]>
Copy link
Member

@thaJeztah thaJeztah left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Copy link

@vvoland vvoland left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SGTM

@thaJeztah thaJeztah merged commit 5cc4da5 into docker:master Oct 30, 2023
13 checks passed
@akerouanton akerouanton deleted the fix-ci branch October 30, 2023 12:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Certificate used in tlsconfig/config_test.go expired
4 participants