Bug 54194 – 4.4-7 to 4.4-8 Upgrade tests fail because old libssl version (1.0.2u-1~deb9u4) can't verify apache.org

Bug 54194 - 4.4-7 to 4.4-8 Upgrade tests fail because old libssl version (1.0.2u-1~deb9u4) can't verify apache.org


Summary:	4.4-7 to 4.4-8 Upgrade tests fail because old libssl version (1.0.2u-1~deb9u4...

Status:	RESOLVED DUPLICATE of bug 53751

Product:	UCS Test
Classification:	Unclassified
Component:	Mail
Version:	unspecified
Hardware:	Other Linux

Importance:	P5 normal (vote)
Target Milestone:	---
Assigned To:	Mail maintainers
QA Contact:

URL:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2021-12-06 13:38 CET by Julia Bremer
Modified:	2023-03-18 15:56 CET (History)
CC List:	1 user (show)

See Also:	53909
What kind of report is it?:	Development Internal
What type of bug is this?:	---
Who will be affected by this bug?:	---
How will those affected feel about the bug?:	---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number:
Bug group (optional):
Max CVSS v3 score:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Julia Bremer

2021-12-06 13:38:07 CET

Currently (since 3 days), our 4.4 upgrade tests get stuck at 4.4-7.
They can't upgrade, because spamassassin is not configured and sa-update needs to be called.
sa-update tries to download http://spamassassin.apache.org/updates/MIRRORED.BY .
This fails because curl deems the certificate to be expired. 
The same certificates are seen as fine by 4.4-8 systems.

Updating the libssl1.0.2 version to 1.0.2u-1~deb9u6 fixes this.

Comment 1 Julia Bremer

2021-12-10 09:56:40 CET

Another workaround is just downloading the MIRRORED.BY file manually without ssl check and running sa-update.

curl -s -k https://spamassassin.apache.org/updates/MIRRORED.BY -o /var/lib/spamassassin/3.004002/updates_spamassassin_org/MIRRORED.BY; sa-update

Comment 2 Philipp Hahn

2023-03-17 09:04:59 CET

This fix was missing for "scenarios/update-testing/update-from-2.4-start-4.4-7.cfg": It failed during the upgrade from 4.4-9 to 5.0-0 as `spamassassin.service` gets (re-)started during the upgrade and fails, as no rules where ever downloaded.

Bug #53751 has a more detailed analysis and probably a better fix to disable the expired "DST X3" root CA certificate.

[5.0-3] c862e676da fix(test/update-from-2.4): SA update v3
 test/utils/utils.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

[5.0-3] 3550362c8a fix(test/update-from-2.4): SA update v2
 test/utils/utils.sh | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

[5.0-3] 07151fe536 fix(test/update-from-2.4): SA update
 test/scenarios/update-testing/update-from-2.4-start-4.4-7.cfg | 3 ++-
 test/scenarios/update-testing/update-from-4.2-4.cfg           | 2 +-
 test/utils/utils.sh                                           | 5 -----
 3 files changed, 3 insertions(+), 7 deletions(-)

[5.0-3] 0a8476115f refactor(test/scenarios/update): code cleanup
 test/scenarios/appliance-testing/app-appliance-errata-test.cfg  |  3 +-
 test/scenarios/update-testing/update-from-1.2-backup2master.cfg |  1 -
 test/scenarios/update-testing/update-from-2.4-start-4.4-7.cfg   | 54 ++++++++++++-----------------
 test/scenarios/update-testing/update-from-4.2-4.cfg             |  1 -
 test/utils/utils.sh                                             |  8 ++---
 5 files changed, 28 insertions(+), 39 deletions(-)

*** This bug has been marked as a duplicate of bug 53751 ***