Test: fix recent 024.cert_auth regression test failure.

Starting from Thu, 21 Nov 2024 16:11:06 +0900, buildfarm's
024.cert_auth have started failed on RockyLinux9 regardless the
Pgpool-II versions or PostgreSQL versions. It seems at the timing the
test platform was updated from RockyLinux9.4 to RockyLinux9.5 and
openssl version was updated from 3.0 to 3.2 as well.  The test firstly
revokes the frontend certificate using openssl ca -revoke, and then
generate a separate CRL file using openssl ca -gencrl command. I
suspect that openssl 3.2 now checks the revoked certificate itself and
decides that it is not valid.

Let's see how buildfarm reacts.

diff --git a/src/test/regression/tests/024.cert_auth/cert.sh b/src/test/regression/tests/024.cert_auth/cert.sh
index f50466bce7ff847e7e4827bab611285876eb7aec..dbc3cdcabd6516728b64b70eff5f43c8f5564024 100755 (executable)
--- a/src/test/regression/tests/024.cert_auth/cert.sh
+++ b/src/test/regression/tests/024.cert_auth/cert.sh
@@ -71,6 +71,6 @@ openssl ca -batch -in frontend.req -config crl_openssl.conf -days 375 -notext -m
 # Generate clean CRL (No revocation so far)
 openssl ca -gencrl -config crl_openssl.conf -out server.crl -cert root.crt -keyfile root.key
 # Revoke Frontend Cert
-openssl ca -revoke frontend.crt -config crl_openssl.conf -keyfile root.key -cert root.crt -out root.crl
+#openssl ca -revoke frontend.crt -config crl_openssl.conf -keyfile root.key -cert root.crt -out root.crl
 # Generate CRL after revocation
-openssl ca -gencrl -config crl_openssl.conf -out server_revoked.crl -cert root.crt -keyfile root.key
+#openssl ca -gencrl -config crl_openssl.conf -out server_revoked.crl -cert root.crt -keyfile root.key

diff --git a/src/test/regression/tests/024.cert_auth/test.sh b/src/test/regression/tests/024.cert_auth/test.sh
index 8f5082a0a5b311e4d28350af623c82511fb47dd2..4523019739d315dabeafa82f0d2217b0446d88b7 100755 (executable)
--- a/src/test/regression/tests/024.cert_auth/test.sh
+++ b/src/test/regression/tests/024.cert_auth/test.sh
@@ -35,7 +35,7 @@ cp -p ../$SSL_KEY etc/
 chmod og-rwx etc/$SSL_KEY
 cp -p ../$SSL_CRT etc/
 cp -p ../$SSL_CRL etc/
-cp -p ../$SSL_CRL2 etc/
+#cp -p ../$SSL_CRL2 etc/
 cp -p ../$ROOT_CRT etc/
 
 echo "ssl = on" >> etc/pgpool.conf
@@ -77,6 +77,7 @@ echo "Checking cert auth between Pgpool-II and frontend was ok."
 
 
 # Starting CRL verification
+
 # Adding valid CRL file in pgpool.conf file.
 echo "ssl_crl_file = '$SSL_CRL'" >> etc/pgpool.conf
 
@@ -116,6 +117,12 @@ echo "Checking cert auth between Pgpool-II and frontend with clean CRL was ok."
 # Adding CRL file with revoked certification entry in pgpool.conf file.
 echo "Updating pgpool.conf with revoked CRL file"
 
+# Revoke Frontend Cert
+(cd ..;openssl ca -revoke frontend.crt -config crl_openssl.conf -keyfile root.key -cert root.crt -out root.crl)
+# Generate CRL after revocation
+(cd ..; openssl ca -gencrl -config crl_openssl.conf -out server_revoked.crl -cert root.crt -keyfile root.key)
+cp -p ../$SSL_CRL2 etc/
+
 sed -i 's/server.crl/server_revoked.crl/' etc/pgpool.conf
 
 # Check pgpool configuration is updated successfully