Skip to content

Tests | Fix RemoteCertificateNameMismatchErrorTest (ActiveIssue 31754) #3059

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Apr 24, 2025
Merged

Tests | Fix RemoteCertificateNameMismatchErrorTest (ActiveIssue 31754) #3059

merged 3 commits into from
Apr 24, 2025

Conversation

MichelZ
Copy link
Contributor

@MichelZ MichelZ commented Dec 4, 2024

This pull request includes significant changes to the configuration and testing of SQL Server certificates. The most important changes involve adding a PowerShell script to configure SQL Server certificates on Windows and updating tests to reflect these changes.

Configuration changes:

Test updates:

This is in addition to #3012 which activates other tests in this Class

@paulmedynski paulmedynski requested a review from a team March 18, 2025 14:41
@cheenamalhotra
Copy link
Member

/azp run

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 2 pipeline(s).

@codecov Codecov
Copy link

codecov bot commented Mar 19, 2025
edited
Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 68.18%. Comparing base (bb4c3b7) to head (88ad326).
Report is 97 commits behind head on main.

Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #3059      +/-   ##
==========================================
- Coverage   72.68%   68.18%   -4.50%     
==========================================
  Files         283      315      +32     
  Lines       58975    76136   +17161     
==========================================
+ Hits        42864    51911    +9047     
- Misses      16111    24225    +8114
Flag Coverage Δ
addons ?
netcore 70.14% <ø> (-5.35%) ⬇️
netfx 67.37% <ø> (-3.77%) ⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@paulmedynski paulmedynski self-assigned this Mar 21, 2025
@paulmedynski paulmedynski added this to the 6.1-preview1 milestone Apr 2, 2025
@mdaigle mdaigle self-assigned this Apr 2, 2025
@benrr101
Copy link
Contributor

/azp run

@azure-pipelines Azure Pipelines
Copy link

Azure Pipelines successfully started running 2 pipeline(s).

@benrr101
Copy link
Contributor

@edwardneal I know you were working on certificates and tests, can you give a bit of feedback on this one?

edwardneal
edwardneal reviewed Apr 23, 2025
View reviewed changes
eng/pipelines/common/templates/steps/configure-sql-server-win-step.yml
Comment on lines +222 to +229
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$($_.Value)\MSSQLServer\SuperSocketNetLib" -Name Certificate -Value $certificate.Thumbprint.ToLower()

# Grant read access to Private Key for SQL Service Account
if ($($_.Name) -eq "MSSQLSERVER") {
icacls $machineKeyPath /grant "NT Service\MSSQLSERVER:R"
} else {
icacls $machineKeyPath /grant "NT Service\MSSQL`$$($_.Name):R"
}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$($_.Value)\MSSQLServer\SuperSocketNetLib" -Name Certificate -Value $certificate.Thumbprint.ToLower()
# Grant read access to Private Key for SQL Service Account
if ($($_.Name) -eq "MSSQLSERVER") {
icacls $machineKeyPath /grant "NT Service\MSSQLSERVER:R"
} else {
icacls $machineKeyPath /grant "NT Service\MSSQL`$$($_.Name):R"
}
$serviceAccount = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)" -Name ObjectName).ObjectName
Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$($_.Value)\MSSQLServer\SuperSocketNetLib" -Name Certificate -Value $certificate.Thumbprint.ToLower()
# Grant read access to Private Key for SQL Service Account
icacls $machineKeyPath /grant "$serviceAccount:R"

This will handle the case where SQL Server runs under a non-default account (CONTOSO\srv-mssql, etc.)

It'd be a little more PowerShell-centric to use the built-in Get-Acl and Set-Acl rather than shelling out to icacls, but that doesn't do anything different - the approach is fine.

eng/pipelines/common/templates/steps/configure-sql-server-win-step.yml
Comment on lines +213 to +215
$store.open("MaxAllowed")
$store.add($certificate)
$store.close()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We're going to add a new certificate to the Computer and to the Trusted Root Certificate Authorities certificate stores on every CI run. Depending how often the test agents are reprovisioned, we might bump into KB2801679.

Another approach might be to iterate over the list of instances, then lazily generate a computer certificate if one is missing, then add the certificate to the Root store, then to add permissions over its machine key path.

@benrr101 benrr101 merged commit 7663524 into dotnet:main Apr 24, 2025
264 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@edwardneal edwardneal edwardneal left review comments

@mdaigle mdaigle mdaigle approved these changes

@paulmedynski paulmedynski paulmedynski approved these changes

Assignees

@mdaigle mdaigle

@paulmedynski paulmedynski

Labels
None yet
Projects
None yet
Milestone
6.1-preview1
Development

Successfully merging this pull request may close these issues.
6 participants
@MichelZ @cheenamalhotra @benrr101 @mdaigle @paulmedynski @edwardneal
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy