nixos/acme: fix subjectAltName in test snakeoil certs #96149
Hmm, this still seems to fail for me:
@flokli that's very odd... that's a new error I haven't seen before. It passes for me on arch or nixos and on ofborg
@flokli your test run has a different store path to mine (
(actually weirdly mine doesn't match ofborg... not sure how that happens, we're on the same commit)
I wonder if there could be a race condition or transient failure where these lines:
Are producing the wrong output? curl doesn't have --fail so potentially they could be 404s or something
Is anyone else able to reproduce this? Or @flokli are you able to investigate?
I've started encountering the same issue as above in #91121, despite my wait_for_unit trick and also using As explained here, a SIGHUP will cause the master process to delegate restarts of the worker processes. My bet is that this certainly takes longer than the time it takes the test scripts to go from reload -> run curl. Apachectl also sends signals, so it will not accurately block until the service is actually reloaded. I'm not sure what the best solution is here. Adding a simple sleep would certainly solve the problem, but other than that I can only think of things like watching file descriptors on sockets or waiting for PIDs to change, which I don't know how to do cleanly.
I came up with a solution for the above problem in the other PR if anyone here is interested :)
Can we merge this for now and fix the nondeterminism later?
Sounds good to me
…On Mon, Aug 31, 2020, 11:26 Jamie ***@***.***> wrote:
Can we merge this for now and fix the nondeterminism later?
Yeah grand. All the more pressure on people to merge #91121 too 😉
Motivation for this change
nixosTests.acme has been broken since the bump to Go 1.15, as go's https client now requires subjectAltName in servers' certificates, and the snakeoil cert we were generating only had a CN, thanks to openssl's command line footgun interface. The generator script has been fixed and the certs regenerated.
Additionally, lego's passthru.tests has been set, since it was lacking before :)