crypto/x509: TestHybridPool failures on Windows with x509: certificate signed by unknown authority
#51599
Comments
bcmills
added
NeedsInvestigation
|
|
|
Change https://go.dev/cl/397694 mentions this issue: |
bcmills
changed the title
x509: certificate signed by unknown authorityx509: certificate signed by unknown authority
|
Change https://go.dev/cl/405914 mentions this issue: |
In TestHybridPool attempt to prime to the windows root pool before the real test actually happens. This is a bit of a band-aid, with a better long term solution discussed in #52108. Updates #51599 Change-Id: I406add8d9cd9e3fae37bfc20b97f5479c10a52c2 Reviewed-on: https://go-review.googlesource.com/c/go/+/405914 Reviewed-by: Bryan Mills <[email protected]> TryBot-Result: Gopher Robot <[email protected]> Run-TryBot: Roland Shoemaker <[email protected]>
|
Due to #52591 the Marking WaitingForInfo to remind us to recheck the fix after more test runs have completed. |
bcmills
added
the
WaitingForInfo
|
There was a rash of failures yesterday — again all on Windows — but the failure mode is slightly different. 🤔
|
bcmills
removed
the
WaitingForInfo
|
I think the above failures may have been due to a misconfiguration of the I wonder if the Windows root store ended up pulling in one of the |
|
@rolandshoemaker This is currently blocking beta 1. Any updates and do you expect it's safe to resolve after beta 1? |
|
Sorry for the lag. I think this is reasonable to resolve after beta 1. This failure isn't due to new behavior, it's simply surfacing behavior that always existed but was never tested. Any resolution (likely) requires changes to builders, which seems unlikely to happen before the beta. If we just want to remove this flake until we re-open the tree for 1.20, it would probably be reasonable to just skip this test until the tree re-opens. |
heschi
added
the
okay-after-beta1
|
@rolandshoemaker It seems like there's some confusion about whether this is a bug in the test, or a bug in |
|
There are two different failure modes described here, the first is the failures in For the first issue, after landing CL 405914 I don't think we've seen these failures again, but they could still plausibly happen (if the builders are, for whatever reason, being incredibly slow). For the second, you are right that we are entirely reliant on badssl.com being properly configured, and they could realistically break us by doing something bad. I opened #52108 to solve both of these issues, but the solution is... complicated, and seems unlikely to happen before the final release. If we want to make sure these tests don't block the release, I think it's reasonable to just add skips until the release and then fix #52108 in the 1.20 cycle (this behavior has been included since 1.18, so we're relatively confident it's not horribly broken.) |
|
IMO it's up to you if you want to add the skips; you're the one who has perspective on how valuable the tests are. Unless we have reason to expect |
|
I think it's fine to close this out, if it pops back up we can revisit. |
greplogs --dashboard -md -l -e 'FAIL: TestHybridPool'2022-03-10T16:06:29-1cf6770/windows-amd64-longtest
(attn @golang/security for triage)
The text was updated successfully, but these errors were encountered: