tests: regenerate recently-expired test TLS certs #4777

Merged Jun 10, 2024 (3 commits)

@trentm trentm commented Jun 8, 2024

Tests started failing yesterday because the various TLS certs in
the repo used for TLS testing had expired:

$ openssl x509 -noout -enddate -in experimental/packages/exporter-logs-otlp-grpc/test/certs/ca.crt
notAfter=Jun  7 16:44:23 2024 GMT

This change regenerates all the TLS certs used for testing and
examples/https. It also adds a test case in each relevant package
that will fail with an obvious message when these certs expire
next time (certs are generated with a 1y expiry).

This also adds a comment 'npm run main:regenerate-test-certs'
that can be used to run the maintenance task.

@trentm trentm self-assigned this Jun 8, 2024
@trentm trentm requested a review from a team June 8, 2024 19:24

codecov bot commented Jun 8, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 91.04%. Comparing base (ecc88a3) to head (2afa946).
Report is 28 commits behind head on main.

Current head 2afa946 differs from pull request most recent head a901be8

Please upload reports for the commit a901be8 to get more accurate results.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #4777   +/-   ##
=======================================
  Coverage   91.04%   91.04%           
=======================================
  Files          89       89           
  Lines        1954     1954           
  Branches      416      416           
=======================================
  Hits         1779     1779           
  Misses        175      175           

trentm commented Jun 8, 2024

https://github.com/open-telemetry/opentelemetry-js/actions/runs/9424584277/job/25965060703 shows failing tests. A failure example is:

  20 passing (2s)
  1 failing

  1) OTLPMetricExporter - node with TLS, without metadata, target https://localhost:1502
       export
         should export metrics:

      Uncaught AssertionError [ERR_ASSERTION]: resource does not exist
      + expected - actual

      -false
      +true
      
      at Timeout._onTimeout (test/OTLPMetricExporter.test.ts:225:18)
      at listOnTimeout (node:internal/timers:573:17)
      at processTimers (node:internal/timers:514:7)

I flailed for a while before I noticed that the failure was for TLS only and because the local TLS certs for testing had expired.

showing the expiry date of all the test certs

% git ls-files | rg '.crt$'
experimental/packages/exporter-logs-otlp-grpc/test/certs/ca.crt
experimental/packages/exporter-logs-otlp-grpc/test/certs/client.crt
experimental/packages/exporter-logs-otlp-grpc/test/certs/server.crt
experimental/packages/exporter-trace-otlp-grpc/test/certs/ca.crt
experimental/packages/exporter-trace-otlp-grpc/test/certs/client.crt
experimental/packages/exporter-trace-otlp-grpc/test/certs/server.crt
experimental/packages/opentelemetry-exporter-metrics-otlp-grpc/test/certs/ca.crt
experimental/packages/opentelemetry-exporter-metrics-otlp-grpc/test/certs/client.crt
experimental/packages/opentelemetry-exporter-metrics-otlp-grpc/test/certs/server.crt
experimental/packages/otlp-grpc-exporter-base/test/certs/ca.crt
experimental/packages/otlp-grpc-exporter-base/test/certs/client.crt
experimental/packages/otlp-grpc-exporter-base/test/certs/server.crt

% git ls-files | rg '.crt$' | xargs -n1 openssl x509 -noout -enddate -in
notAfter=Jun  7 16:44:23 2024 GMT
notAfter=Jun  7 16:44:26 2024 GMT
notAfter=Jun  7 16:44:24 2024 GMT
notAfter=Jun  7 16:44:23 2024 GMT
notAfter=Jun  7 16:44:26 2024 GMT
notAfter=Jun  7 16:44:24 2024 GMT
notAfter=Jun  7 16:44:23 2024 GMT
notAfter=Jun  7 16:44:26 2024 GMT
notAfter=Jun  7 16:44:24 2024 GMT
notAfter=Jun  7 16:44:23 2024 GMT
notAfter=Jun  7 16:44:26 2024 GMT
notAfter=Jun  7 16:44:24 2024 GMT

added test to explicitly check expiry of the test certs

Now when these expire it will look like this:

  1) OTLPMetricExporter - node with TLS, without metadata, target https://localhost:1502
       test certs are valid:

      AssertionError [ERR_ASSERTION]: TLS cert "./test/certs/ca.crt" is still valid: cert.validTo=Jun  7 16:44:23 2024 GMT (if this fails use 'npm run maint:regenerate-test-certs')
      + expected - actual

      -false
      +true

and hopefully the reader will see the suggestion to use npm run maint:regenerate-test-certs, which can be run from the top dir, or particular subdirs.

@pichlermarc pichlermarc left a comment

thank you for taking care of that @trentm 🙂
testing that the certs are valid and the suggestion will be very helpful in the future. 👍

@pichlermarc pichlermarc added this pull request to the merge queue Jun 10, 2024
Merged via the queue into open-telemetry:main with commit 01664dd Jun 10, 2024
19 checks passed
@trentm trentm deleted the tm-regen-test-tls-certs branch June 10, 2024 16:46
Zirak pushed a commit to Zirak/opentelemetry-js that referenced this pull request Sep 14, 2024
* tests: regenerate recently-expired test TLS certs

* lint:fix, add changelog entry

* skip cert expiry test on node v14, because crypto.X509Certificate came in node v15