update CI to test against go1.19
FWIW; I saw some failures locally when running some tests. No problems were found in Moby CI, so it could be just a badly written test, or it's a code-path that's not used in Moby.
Same failure in CI;
--- FAIL: TestRenewTLSConfigUpdatesRootOnUnknownAuthError (0.00s)
config_test.go:645:
Error Trace: /home/circleci/.go_workspace/src/github.com/docker/swarmkit/ca/config_test.go:645
Error: Received unexpected error:
x509: certificate signed by unknown authority
error while validating signing CA certificate against roots and intermediates
github.com/moby/swarmkit/v2/ca.newLocalSigner
/home/circleci/.go_workspace/src/github.com/docker/swarmkit/ca/certificates.go:632
github.com/moby/swarmkit/v2/ca.NewRootCA
/home/circleci/.go_workspace/src/github.com/docker/swarmkit/ca/certificates.go:493
github.com/moby/swarmkit/v2/ca_test.TestRenewTLSConfigUpdatesRootOnUnknownAuthError
/home/circleci/.go_workspace/src/github.com/docker/swarmkit/ca/config_test.go:644
testing.tRunner
/usr/local/go/src/testing/testing.go:1446
runtime.goexit
/usr/local/go/src/runtime/asm_amd64.s:1594
Test: TestRenewTLSConfigUpdatesRootOnUnknownAuthError
--- FAIL: TestRenewTLSConfigUpdatesRootOnUnknownAuthError (0.01s)
config_test.go:655: CA0 :
config_test.go:656: &{Raw:[] RawTBSCertificate:[] RawSubjectPublicKeyInfo:[] RawSubject:[] RawIssuer:[] Signature:[] SignatureAlgorithm:ECDSA-SHA256 PublicKeyAlgorithm:ECDSA PublicKey:0xc000726ba0 Version:3 SerialNumber:+722639006653195417041125068417418380177491413834 Issuer:CN=CA0 Subject:CN=CA0 NotBefore:2023-07-29 07:55:00 +0000 UTC NotAfter:2043-07-24 07:55:00 +0000 UTC KeyUsage:96 Extensions:[{Id:2.5.29.15 Critical:true Value:[3 2 1 6]} {Id:2.5.29.19 Critical:true Value:[48 3 1 1 255]} {Id:2.5.29.14 Critical:false Value:[4 20 151 74 13 27 152 46 44 214 93 233 91 19 63 138 183 86 83 67 187 191]}] ExtraExtensions:[] UnhandledCriticalExtensions:[] ExtKeyUsage:[] UnknownExtKeyUsage:[] BasicConstraintsValid:true IsCA:true MaxPathLen:-1 MaxPathLenZero:false SubjectKeyId:[151 74 13 27 152 46 44 214 93 233 91 19 63 138 183 86 83 67 187 191] AuthorityKeyId:[] OCSPServer:[] IssuingCertificateURL:[] DNSNames:[] EmailAddresses:[] IPAddresses:[] URIs:[] PermittedDNSDomainsCritical:false PermittedDNSDomains:[] ExcludedDNSDomains:[] PermittedIPRanges:[] ExcludedIPRanges:[] PermittedEmailAddresses:[] ExcludedEmailAddresses:[] PermittedURIDomains:[] ExcludedURIDomains:[] CRLDistributionPoints:[] PolicyIdentifiers:[]}
config_test.go:655: CA1 :
config_test.go:656: &{Raw:[] RawTBSCertificate:[] RawSubjectPublicKeyInfo:[] RawSubject:[] RawIssuer:[] Signature:[] SignatureAlgorithm:ECDSA-SHA256 PublicKeyAlgorithm:ECDSA PublicKey:0xc000727a20 Version:3 SerialNumber:+533910788463515367693985148197052179646950745500 Issuer:CN=CA1 Subject:CN=CA1 NotBefore:2023-07-29 07:55:00 +0000 UTC NotAfter:2043-07-24 07:55:00 +0000 UTC KeyUsage:96 Extensions:[{Id:2.5.29.15 Critical:true Value:[3 2 1 6]} {Id:2.5.29.19 Critical:true Value:[48 3 1 1 255]} {Id:2.5.29.14 Critical:false Value:[4 20 14 29 207 212 109 172 170 24 0 156 163 117 9 15 108 10 164 169 201 147]}] ExtraExtensions:[] UnhandledCriticalExtensions:[] ExtKeyUsage:[] UnknownExtKeyUsage:[] BasicConstraintsValid:true IsCA:true MaxPathLen:-1 MaxPathLenZero:false SubjectKeyId:[14 29 207 212 109 172 170 24 0 156 163 117 9 15 108 10 164 169 201 147] AuthorityKeyId:[] OCSPServer:[] IssuingCertificateURL:[] DNSNames:[] EmailAddresses:[] IPAddresses:[] URIs:[] PermittedDNSDomainsCritical:false PermittedDNSDomains:[] ExcludedDNSDomains:[] PermittedIPRanges:[] ExcludedIPRanges:[] PermittedEmailAddresses:[] ExcludedEmailAddresses:[] PermittedURIDomains:[] ExcludedURIDomains:[] CRLDistributionPoints:[] PolicyIdentifiers:[]}
config_test.go:665: Intermediate1 :
config_test.go:666: &{Raw:[] RawTBSCertificate:[] RawSubjectPublicKeyInfo:[] RawSubject:[] RawIssuer:[] Signature:[] SignatureAlgorithm:ECDSA-SHA256 PublicKeyAlgorithm:ECDSA PublicKey:0xc000424040 Version:3 SerialNumber:+533910788463515367693985148197052179646950745500 Issuer:CN=CA0 Subject:CN=CA1 NotBefore:2023-07-29 07:55:00 +0000 UTC NotAfter:2043-07-24 07:55:00 +0000 UTC KeyUsage:96 Extensions:[{Id:2.5.29.15 Critical:true Value:[3 2 1 6]} {Id:2.5.29.19 Critical:true Value:[48 3 1 1 255]} {Id:2.5.29.14 Critical:false Value:[4 20 14 29 207 212 109 172 170 24 0 156 163 117 9 15 108 10 164 169 201 147]} {Id:2.5.29.35 Critical:false Value:[48 22 128 20 151 74 13 27 152 46 44 214 93 233 91 19 63 138 183 86 83 67 187 191]}] ExtraExtensions:[] UnhandledCriticalExtensions:[] ExtKeyUsage:[] UnknownExtKeyUsage:[] BasicConstraintsValid:true IsCA:true MaxPathLen:-1 MaxPathLenZero:false SubjectKeyId:[14 29 207 212 109 172 170 24 0 156 163 117 9 15 108 10 164 169 201 147] AuthorityKeyId:[151 74 13 27 152 46 44 214 93 233 91 19 63 138 183 86 83 67 187 191] OCSPServer:[] IssuingCertificateURL:[] DNSNames:[] EmailAddresses:[] IPAddresses:[] URIs:[] PermittedDNSDomainsCritical:false PermittedDNSDomains:[] ExcludedDNSDomains:[] PermittedIPRanges:[] ExcludedIPRanges:[] PermittedEmailAddresses:[] ExcludedEmailAddresses:[] PermittedURIDomains:[] ExcludedURIDomains:[] CRLDistributionPoints:[] PolicyIdentifiers:[]}
config_test.go:668:
Error Trace: /go/src/github.com/docker/swarmkit/ca/config_test.go:668
Error: Received unexpected error:
x509: certificate signed by unknown authority
error while validating signing CA certificate against roots and intermediates
github.com/moby/swarmkit/v2/ca.newLocalSigner
/go/src/github.com/docker/swarmkit/ca/certificates.go:632
github.com/moby/swarmkit/v2/ca.NewRootCA
/go/src/github.com/docker/swarmkit/ca/certificates.go:493
github.com/moby/swarmkit/v2/ca_test.TestRenewTLSConfigUpdatesRootOnUnknownAuthError
/go/src/github.com/docker/swarmkit/ca/config_test.go:667
testing.tRunner
/usr/local/go/src/testing/testing.go:1446
runtime.goexit
/usr/local/go/src/runtime/asm_amd64.s:1594
Test: TestRenewTLSConfigUpdatesRootOnUnknownAuthError
Suggestion from Cory; try with GODEBUG=x509sha1=1
Studying the debug output more closely, and the swarmkit source, I now see that won't do anything.
https://go.dev/issue/58792 might be related
That, at a glance, looks very plausible yes (great find!).
config_test.go:663: rootCert:
config_test.go:663: Subject: CN=CA0
config_test.go:663: Issuer: CN=CA0
config_test.go:663: ----------------
config_test.go:664: signCert:
config_test.go:664: Subject: CN=CA1
config_test.go:664: Issuer: CN=CA1
config_test.go:664: ----------------
config_test.go:665: crossSigneds:
config_test.go:665: Subject: CN=CA1
config_test.go:665: Issuer: CN=CA0
NewRootCA() asserts that signCert can chain up to rootCert with crossSigneds as the intermediate. signCert is self-signed, so go#58792 is the reason the test is failing on Go 1.19 and above.
To be clear, the behaviour change in Go is a bugfix, not a regression. The test is broken and always has been.
Also, the cross-signed certs have the same serial number as the template cert. While not the cause of the test failures, it's not kosher either to have more than one cert with the same subject and serial.
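An added example, not code from swarmkit or from the thread: it rebuilds the three-certificate topology shown in the log (self-signed CA0, self-signed CA1, and CA1 cross-signed by CA0) and runs `Verify` on both CA1 certificates with CA0 as the only root. Keys, validity dates and serial numbers are constructed, and the helper names `must`, `mkCA` and `Topology` are hypothetical; the cross-signed certificate gets its own serial number.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // setup errors are fatal in this example
	if err != nil {
		panic(err)
	}
	return v
}

// mkCA issues a CA cert for cn holding pub; a nil parent makes it self-signed.
func mkCA(cn string, serial int64, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		BasicConstraintsValid: true, IsCA: true,
	}
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// Topology verifies both CA1 certs with roots={CA0}, intermediates={cross-signed CA1}.
func Topology() (selfSignedErr, crossSignedErr error) {
	k0 := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	k1 := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	root := mkCA("CA0", 1, &k0.PublicKey, nil, k0)   // rootCert
	sign := mkCA("CA1", 2, &k1.PublicKey, nil, k1)   // signCert: self-signed
	cross := mkCA("CA1", 3, &k1.PublicKey, root, k0) // crossSigneds: distinct serial
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(root)
	opts.Intermediates.AddCert(cross)
	_, selfSignedErr = sign.Verify(opts)   // issuer CN=CA1 is not a trusted root
	_, crossSignedErr = cross.Verify(opts) // issuer CN=CA0 is the trusted root
	return
}

func main() { fmt.Println(Topology()) }
```

On Go 1.19 and above the first result is the "certificate signed by unknown authority" error from the log and the second is nil: since Go 1.19, path building treats certificates with the same subject, public key and SANs as equal, so the cross-signed CA1 is not used as a parent of the self-signed CA1.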