dt: Fix up CRL tests

* Updated certs to use cRLSign extension * Updated RFC test to start node with TLS enabled * Updated error condition searchs for OpenSSL responses Signed-off-by: Michael Boquard <michael@redpanda.com>
redpanda-data · Jun 12, 2024 · 8f7f50f · 8f7f50f
1 parent e171a21
commit 8f7f50f
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 9 deletions.
diff --git a/tests/rptest/services/tls.py b/tests/rptest/services/tls.py
@@ -42,7 +42,7 @@
 commonName       = Redpanda Test CA
 
 [ extensions ]
-keyUsage         = critical,digitalSignature,nonRepudiation,keyEncipherment,keyCertSign
+keyUsage         = critical,digitalSignature,nonRepudiation,keyEncipherment,keyCertSign,cRLSign
 basicConstraints = critical,CA:true,pathlen:1
 
 # Common policy for nodes and users.
@@ -52,12 +52,12 @@
 
 # Used to sign node certificates.
 [ signing_node_req ]
-keyUsage         = critical,digitalSignature,keyEncipherment
+keyUsage         = critical,digitalSignature,keyEncipherment,cRLSign
 extendedKeyUsage = serverAuth,clientAuth
 
 # Used to sign client certificates.
 [ signing_client_req ]
-keyUsage         = critical,digitalSignature,keyEncipherment
+keyUsage         = critical,digitalSignature,keyEncipherment,cRLSign
 extendedKeyUsage = clientAuth
 """
 

diff --git a/tests/rptest/tests/crl_test.py b/tests/rptest/tests/crl_test.py
@@ -20,7 +20,7 @@
 
 from rptest.services.admin import Admin
 from rptest.services.redpanda import RedpandaService
-from rptest.clients.rpk import RpkTool, ClusterAuthorizationError, RpkException
+from rptest.clients.rpk import RpkTool, RpkException
 from rptest.services.redpanda import (SecurityConfig, TLSProvider,
                                       SchemaRegistryConfig, PandaproxyConfig)
 from rptest.services import tls
@@ -185,14 +185,14 @@ def get_topics(node: ClusterNode):
         self.tls.revoke_cert(self.user_cert)
         self.redpanda.write_crl_file(node, self.tls.ca)
 
-        with expect_exception(requests.exceptions.ConnectionError,
-                              lambda e: "Connection aborted" in str(e)):
+        with expect_exception(requests.exceptions.SSLError,
+                              lambda e: "certificate revoked" in str(e)):
             get_topics(node)
 
         with get_topics(self.redpanda.nodes[1]) as res:
             assert res.status_code == 200, f"Bad status: {res.status_code}"
 
-    @cluster(num_nodes=3)
+    @cluster(num_nodes=3, log_allow_list=["certificate revoked"])
     def test_rpc(self):
         node = self.redpanda.nodes[0]
 
@@ -242,9 +242,12 @@ def cluster_health(node: ClusterNode,
         assert node.account.hostname in broker_cert.crt, f"Cert order mismatch: {broker_cert.crt}"
 
         self.tls.revoke_cert(broker_cert)
-        self.redpanda.write_crl_file(node, self.tls.ca)
 
-        self.redpanda.restart_nodes([node])
+        self.redpanda.write_crl_file(self.redpanda.nodes[1], self.tls.ca)
+        self.redpanda.write_crl_file(self.redpanda.nodes[2], self.tls.ca)
+
+        self.redpanda.restart_nodes(
+            [node], override_cfg_params={"rpc_server_tls": RPC_TLS_CONFIG})
         other_node = self.redpanda.nodes[1]
 
         self.logger.debug(