[CI] HttpCertificateCommandTests.testGenerateMultipleCertificateWithNewCA failures #72359

cbuescher · 2021-04-28T09:06:57Z

Build scan:

https://gradle-enterprise.elastic.co/s/wvug4gay35pvs

Repro line:

./gradlew ':x-pack:plugin:security:cli:test' --tests "org.elasticsearch.xpack.security.cli.HttpCertificateCommandTests.testGenerateMultipleCertificateWithNewCA" \
  -Dtests.seed=24DD5274BC1DC313 \
  -Dtests.locale=ca-ES \
  -Dtests.timezone=Asia/Dacca \
  -Druntime.java=8

Reproduces locally?:

No

Applicable branches:

seen on 7.x, 7.13 and 7.12

Failure history:

Seems to have started failing yesteday

Failure excerpt:

java.security.KeyStoreException: Key protection  algorithm not found: java.security.UnrecoverableKeyException: Encrypt Private Key failed: unrecognized algorithm name: PBEWithSHA1AndDESede
	at __randomizedtesting.SeedInfo.seed([D57D4B272A0615B4:EBDD443599A99232]:0)
	at sun.security.pkcs12.PKCS12KeyStore.setKeyEntry(PKCS12KeyStore.java:694)
	at sun.security.pkcs12.PKCS12KeyStore.engineSetKeyEntry(PKCS12KeyStore.java:594)
	at java.security.KeyStore.setKeyEntry(KeyStore.java:1140)
	at org.elasticsearch.xpack.security.cli.CertificateTool$CertificateCommand.lambda$writePkcs12$5(CertificateTool.java:557)
	at org.elasticsearch.xpack.security.cli.CertificateTool.withPassword(CertificateTool.java:962)
	at org.elasticsearch.xpack.security.cli.CertificateTool.access$100(CertificateTool.java:86)
	at org.elasticsearch.xpack.security.cli.CertificateTool$CertificateCommand.writePkcs12(CertificateTool.java:555)
	at org.elasticsearch.xpack.security.cli.CertificateTool$CertificateAuthorityCommand.lambda$writeCertificateAuthority$1(CertificateTool.java:902)
	at org.elasticsearch.xpack.security.cli.CertificateTool.fullyWriteFile(CertificateTool.java:1020)
	at org.elasticsearch.xpack.security.cli.CertificateTool.access$500(CertificateTool.java:86)
	at org.elasticsearch.xpack.security.cli.CertificateTool$CertificateAuthorityCommand.writeCertificateAuthority(CertificateTool.java:901)
	at org.elasticsearch.xpack.security.cli.CertificateTool$CertificateAuthorityCommand.execute(CertificateTool.java:892)
	at org.elasticsearch.xpack.security.cli.CertificateToolTests.testCreateCaAndMultipleInstances(CertificateToolTests.java:601)

This seems to be limited to ES_RUNTIME_JAVA=zulu8 and only failed the matrix tests three times, so I'm leaving this unmuted for now.

The text was updated successfully, but these errors were encountered:

elasticmachine · 2021-04-28T09:06:59Z

Pinging @elastic/es-security (Team:Security)

albertzaharovits · 2021-04-29T12:12:22Z

Looks like a JDK 8 bug in the bleeding edge build:
https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8266261

From bcgit/bc-java#941 .

Other tests with the same issue:
HttpCertificateCommandTests.testGenerateSingleCertificateWithExistingCA
HttpCertificateCommandTests.testGenerateMultipleCertificateWithNewCA
CertificateToolTests.testTrustBetweenPEMandPKCS12
CertificateToolTests.testCreateCaAndMultipleInstances

It appears like a racy bug that we can get around in tests. I'll take a closer look a bit later today.

martijnvg · 2021-04-30T07:48:32Z

@albertzaharovits It looks like the tests you mentioned failed about 6 times last night. Should these tests be muted until a fix has been pushed?

albertzaharovits · 2021-04-30T08:13:44Z

@martijnvg The suggested work-arounds don't work, but I hope this will be fixed soon.
I'm tempted to mute, but I will try to find a way to skip these for JDK8 runs only.

albertzaharovits · 2021-04-30T09:32:57Z

For the record, I was able to reproduce this consistently with 1.8 (AdoptOpenJDK 1.8.0_292 [OpenJDK 64-Bit Server VM 25.292-b10]) .

BigPandaToo · 2021-05-26T09:17:26Z

Seems also related test: testDefaultOptionsWithSigningAndMultipleEncryptionKeys
https://gradle-enterprise.elastic.co/s/igsydpmaug3gk/console-log?task=:x-pack:plugin:security:unitTest

…es() on Java 8 (#73586) This issue is tracked in #72639 which suffers the same JDK bug as #72359. This commit backport the mute 9a655b5 to 6.8

tlrx · 2021-06-01T12:13:37Z

I muted more tests in 6.8 with #73587 since it failed today on this branch:
https://gradle-enterprise.elastic.co/s/2hpywmv5dkhjo
https://gradle-enterprise.elastic.co/s/2hpywmv5dkhjo

…testTrustBetweenPEMandPKCS12 on Java 8 (#73587) Partial backport of #72529 for 6.8 Relates #72359

This commit adds some `assumeFalse` (or modifies exising ones) to mute tests on JDK 1.8.0_292 due to JDK-8266279 On this JDK build, a race condition sometimes causes the PBEWithSHA1AndDESede algorithm to appear as though it is unavailable. Relates: elastic#75571, elastic#75417, elastic#75379, elastic#72639, elastic#72359

This commit adds some `assumeFalse` (or modifies exising ones) to mute tests on JDK 1.8.0_292 due to JDK-8266279 On this JDK build, a race condition sometimes causes the PBEWithSHA1AndDESede algorithm to appear as though it is unavailable. Relates: #75571, #75417, #75379, #72639, #72359

This commit adds some `assumeFalse` (or modifies exising ones) to mute tests on JDK 1.8.0_292 due to JDK-8266279 On this JDK build, a race condition sometimes causes the PBEWithSHA1AndDESede algorithm to appear as though it is unavailable. Relates: elastic#75571, elastic#75417, elastic#75379, elastic#72639, elastic#72359 Backport of: elastic#75718

This commit adds some `assumeFalse` (or modifies exising ones) to mute tests on JDK 1.8.0_292 due to JDK-8266279 On this JDK build, a race condition sometimes causes the PBEWithSHA1AndDESede algorithm to appear as though it is unavailable. Relates: #75571, #75417, #75379, #72639, #72359 Backport of: #75718

This commit adds some `assumeFalse` (or modifies exising ones) to mute tests on JDK 1.8.0_292 due to JDK-8266279 On this JDK build, a race condition sometimes causes the PBEWithSHA1AndDESede algorithm to appear as though it is unavailable. Relates: elastic#75571, elastic#75417, elastic#75379, elastic#72639, elastic#72359 Backport of: elastic#75718

* Mute some security tests on problematic JDK8 build This commit adds some `assumeFalse` (or modifies exising ones) to mute tests on JDK 1.8.0_292 due to JDK-8266279 On this JDK build, a race condition sometimes causes the PBEWithSHA1AndDESede algorithm to appear as though it is unavailable. Relates: #75571, #75417, #75379, #72639, #72359 Backport of: #75718 * Fix import

This commit adds some `assumeFalse` (or modifies exising ones) to mute tests on JDK 1.8.0_292 due to JDK-8266279 On this JDK build, a race condition sometimes causes the PBEWithSHA1AndDESede algorithm to appear as though it is unavailable. Relates: #75571, #75417, #75379, #72639, #72359 Backport of: #75718

We had muted specifc tests that were hit by JDK-8266279, by not allowing the tests to run on Java 1.8.0_292. We have since upgraded our Java 8 version in CI to Java 1.8.0_301 so the muting is irrelevant and can be removed Resolves elastic#75571, elastic#75417, elastic#75379, elastic#72639, elastic#72359, elastic#75952, elastic#75718

We had muted specific tests that were hit by JDK-8266279, by not allowing the tests to run on Java 1.8.0_292. We have since upgraded our Java 8 version in CI to Java 1.8.0_301 so the muting is irrelevant and can be removed Resolves elastic#75571, elastic#75417, elastic#75379, elastic#72639, elastic#72359, elastic#75952, elastic#75718

jkakavas · 2022-02-16T06:17:09Z

Fixed in later jdk8 version

cbuescher added >test-failure Triaged test failures from CI :Security/Security Security issues without another label labels Apr 28, 2021

elasticmachine added the Team:Security Meta label for security team label Apr 28, 2021

cbuescher added v7.12.2 v7.13.1 v7.14.0 labels Apr 28, 2021

albertzaharovits mentioned this issue Apr 29, 2021

[CI] org.elasticsearch.common.settings.KeyStoreWrapperTests unrecognized algorithm name: PBEWithMD5AndDES #72466

Closed

albertzaharovits self-assigned this Apr 29, 2021

albertzaharovits mentioned this issue Apr 30, 2021

Tests mute impacted by JDK8 racy bug JDK-8266279 #72529

Merged

albertzaharovits added a commit that referenced this issue Apr 30, 2021

Tests mute impacted by JDK8 racy bug JDK-8266279 (#72359)

47d0699

albertzaharovits added a commit that referenced this issue Apr 30, 2021

Tests mute impacted by JDK8 racy bug JDK-8266279 (#72359)

e832522

albertzaharovits added a commit that referenced this issue Apr 30, 2021

Tests mute impacted by JDK8 racy bug JDK-8266279 (#72359)

84a4133

This was referenced May 6, 2021

[CI] CertificateGenerateToolTests testGeneratingSignedCertificates failing #72639

Closed

LdapSessionFactoryTests#testSslTrustIsReloaded failures #68995

Closed

williamrandolph mentioned this issue May 28, 2021

Mute flaky security that fail with "unrecognized algorithm name" #73537

Merged

tlrx mentioned this issue Jun 1, 2021

[6.8] Mute CertificateGenerateToolTest.testGeneratingSignedCertificates() on Java 8 #73586

Merged

tlrx added a commit that referenced this issue Jun 1, 2021

[6.8] Mute CertificateGenerateToolTest.testGeneratingSignedCertificat…

ce6ae09

…es() on Java 8 (#73586) This issue is tracked in #72639 which suffers the same JDK bug as #72359. This commit backport the mute 9a655b5 to 6.8

tlrx mentioned this issue Jun 1, 2021

[6.8] Mute CertificateToolTests.testCreateCaAndMultipleInstances and testTrustBetweenPEMandPKCS12 on Java 8 #73587

Merged

tlrx added a commit that referenced this issue Jun 1, 2021

[6.8] Mute CertificateToolTests.testCreateCaAndMultipleInstances and …

d366690

…testTrustBetweenPEMandPKCS12 on Java 8 (#73587) Partial backport of #72529 for 6.8 Relates #72359

csoulios added v7.13.2 and removed v7.13.1 labels Jun 2, 2021

danhermann added v7.13.3 and removed v7.13.2 labels Jun 14, 2021

mark-vieira added v7.15.0 and removed v7.14.0 labels Jun 30, 2021

joegallo removed v7.12.2 v7.13.3 labels Jun 30, 2021

tvernum mentioned this issue Jul 26, 2021

Security Certificate Tests fail in JDK 1.8.0_292 due to JDK bug #75571

Closed

tvernum mentioned this issue Jul 27, 2021

Mute some security tests on problematic JDK8 build #75718

Merged

tvernum mentioned this issue Jul 27, 2021

Mute some security tests on problematic JDK8 build #75720

Merged

tvernum mentioned this issue Jul 28, 2021

[Backport] Mute some security tests on problematic JDK8 build #75763

Merged

tvernum mentioned this issue Jul 28, 2021

[Backport] Mute some security tests on problematic JDK8 build #75770

Merged

joegallo added v7.16.0 and removed v7.15.0 labels Sep 22, 2021

danhermann added v8.1.0 and removed v7.16.0 labels Oct 27, 2021

mark-vieira added v8.2.0 and removed v8.1.0 labels Feb 2, 2022

jkakavas mentioned this issue Feb 15, 2022

Remove redundant mute for bug JDK-8266279 #83940

Closed

jkakavas mentioned this issue Feb 15, 2022

Remove redundant mute for bug JDK-8266279 #83941

Merged

jkakavas closed this as completed Feb 16, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[CI] HttpCertificateCommandTests.testGenerateMultipleCertificateWithNewCA failures #72359

[CI] HttpCertificateCommandTests.testGenerateMultipleCertificateWithNewCA failures #72359

cbuescher commented Apr 28, 2021

elasticmachine commented Apr 28, 2021

albertzaharovits commented Apr 29, 2021

martijnvg commented Apr 30, 2021

albertzaharovits commented Apr 30, 2021

albertzaharovits commented Apr 30, 2021

BigPandaToo commented May 26, 2021

tlrx commented Jun 1, 2021

jkakavas commented Feb 16, 2022

[CI] HttpCertificateCommandTests.testGenerateMultipleCertificateWithNewCA failures #72359

[CI] HttpCertificateCommandTests.testGenerateMultipleCertificateWithNewCA failures #72359

Comments

cbuescher commented Apr 28, 2021

elasticmachine commented Apr 28, 2021

albertzaharovits commented Apr 29, 2021

martijnvg commented Apr 30, 2021

albertzaharovits commented Apr 30, 2021

albertzaharovits commented Apr 30, 2021

BigPandaToo commented May 26, 2021

tlrx commented Jun 1, 2021

jkakavas commented Feb 16, 2022