1613275 - TREES CLOSED - Expired PSM test certificates.

Status: RESOLVED FIXED

(Core :: Security: PSM, defect, P1)

Description

[Alexandru Michis [:malexandru]]

At around 12:30 UTC we started seeing failures regarding expired certificates.

Comment 1

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

At least https://searchfox.org/mozilla-central/source/security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.der has expired.

Comment 2

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

Is it possible to determine what certificates need to be updated to fix the issue and be able to reopen trees?

Comment 3

[Alexandru Michis [:malexandru]]

Example of failure logs:

• https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=287517090&repo=autoland&lineNumber=1618
• https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=287519699&repo=autoland&lineNumber=8848
• https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=287517657&repo=autoland&lineNumber=1977
• https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=287519864&repo=autoland&lineNumber=2512

Comment 4

[J.C. Jones [:jcj] (he/him)]

At least https://searchfox.org/mozilla-central/source/security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.der has expired.

In bug 1607845 we regenerated all the .pem files, which is what we use generally across the board. .../missing-intermediate.pem was regenerated, but .../missing-intermediate.der is stale, it wasn't. I'm not even quite sure why it's in-use, will have to dig, and look for other .der files in-tree.

Comment 5

[J.C. Jones [:jcj] (he/him)]

Of course... ha

    // NB: missing-intermediate.der won't be regenerated when
    // missing-intermediate.pem is. Hopefully by that time we can just use
    // missing-intermediate.pem directly.

https://searchfox.org/mozilla-central/source/security/manager/ssl/tests/unit/test_missing_intermediate.js#56-58

The only .der files in our tests are:

• modules/libmar/tests/unit/data/mycert.der
• modules/libmar/tests/unit/data/mycert2.der
• modules/libmar/tests/unit/data/mycert3.der
  --> all three have 0 seconds of validity
• security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.der
  --> needs regen
• security/manager/ssl/tests/unit/test_signed_apps/xpcshellTestRoot.der
  --> okay to 2035
• security/manager/ssl/tests/unit/tlsserver/default-ee.der
  --> not a real DER file

so I think all that got left behind is xpcshellTestRoot.der.

Comment 6

[J.C. Jones [:jcj] (he/him)]

Attachment: Bug 1613275 - Regenerate expired certs not handled by Bug 1607845

command:
openssl x509 -in security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.pem -outform der -out security/manager/ssl/tests/unit/test_missing_intermediate/missing-intermediate.der

Comment 7

[J.C. Jones [:jcj] (he/him)]

Other PEMs that expire in 2020:

./security/manager/ssl/tests/unit/test_cert_storage_direct/revoked-cert.pem
            Not After : May 21 12:00:00 2020 GMT
--
./security/manager/ssl/tests/unit/test_intermediate_preloads/ee2.pem
            Not After : Feb  5 00:00:00 2020 GMT
--
./security/manager/ssl/tests/unit/test_intermediate_preloads/int2.pem
            Not After : Feb  5 00:00:00 2020 GMT
--
./security/manager/ssl/tests/unit/test_intermediate_preloads/int.pem
            Not After : Feb  5 00:00:00 2020 GMT
--
./security/manager/ssl/tests/unit/test_intermediate_preloads/ee.pem
            Not After : Feb  5 00:00:00 2020 GMT
--
./security/manager/ssl/tests/unit/test_cert_sha1/int-pre.pem
            Not After : Jan  1 00:00:00 2020 GMT
--
./security/manager/ssl/tests/unit/test_certDB_import/emailEE.pem
            Not After : Feb  5 00:00:00 2020 GMT
--
./security/manager/ssl/tests/unit/test_certDB_import/importedCA.pem
            Not After : Feb  5 00:00:00 2020 GMT
--

Pretty confident the sha1 one doesn't matter, but I need to rundown what happened to the others, too. These must be the other test failures.

Comment 8

[J.C. Jones [:jcj] (he/him)]

test_cert_storage_direct and test_cert_sha1 should be fine. I have no idea why test_certDB_import and test_intermediate_preloads weren't regenerated with the rest, but I did them by hand. New patch and try push coming.

Comment 9

[J.C. Jones [:jcj] (he/him)]

certutil -d ./build/pgo/certs -L -n pgoserver

...
            Not After : Wed Feb 05 00:00:00 2020
...

okay, someday we need to figure out how to remember that this file exists and is important

Comment 10

[Pulsebot]

Pushed by dluca@mozilla.com:
https://hg.mozilla.org/mozilla-central/rev/2319a64a3cd8
Regenerate expired certs not handled by Bug 1607845 a=RyanVM CLOSED TREE

Comment 11

[Dorel Luca [:dluca]]

https://hg.mozilla.org/mozilla-central/rev/2319a64a3cd8

Comment 12

[Razvan Maries]

https://hg.mozilla.org/releases/mozilla-release/rev/bea2c03b1479

Comment 13

[Razvan Maries]

https://hg.mozilla.org/releases/mozilla-esr68/rev/9286836fedf0

Comment 14

[Andreea Pavel [:apavel]]

Update: the patch has been landed on integration and uplifted to release and esr68. Trees have been reopened.

Comment 15

[Firefox Bug Husbandry Bot]

Please specify a root cause for this bug. See :tmaity for more information.

Comment 16

[J.C. Jones [:jcj] (he/him)]

Root Cause is that there's A) no automated regeneration of these certificates, we did it manually in bug 1607845 and B) we didn't adequately test future dates to get advance notice of the tree-closing failure, when the manual operation in bug 1607845 missed certs.