admin block-key failed #7460

aarongable · 2024-04-30T16:26:37Z

Redacted logs below:

$ admin -config config.json block-key -private-key /path/to/key.pem
Debug server listening on :8000
Versions: admin=(7ee5b469) Golang=(go1.22.2) BuildHost=(...)
[AUDIT] admin tool executing a dry-run with the following arguments: "admin -config config.json block-key -private-key /path/to/key.pem"
[AUDIT] failed to block <...>: streaming serials from SA: rpc error: code = Unknown desc = reading db: reading db: failed to select keyHashToSerial: sql: converting argument $1 type: unsupported type []interface {}, a slice of interface
[AUDIT] admin tool has successfully completed executing a dry-run with the following arguments: "admin -config config.json block-key -private-key /path/to/key.pem"
Dry run complete. Pass -dry-run=false to mutate the database.

Two issues:

The SA's GetSerialsByKey gRPC method failed
The admin tool acted as though it had succeeded

The text was updated successfully, but these errors were encountered:

Correctly explode the params slice with Go's "..." notation so that gorp/go-sql-driver correctly receives each element of the params slice, rather than receiving the slice as a whole. Also use the SA's clock, rather than the DB's, to control which certs are selected -- in deployments this wouldn't make a difference but in test those clocks can be very different. Add two unit tests to ensure this query does not regress, and create a generic fake gRPC server stream for use in several SA tests including the new ones. Fixes #7460

…7466) While we don't want to halt the admin tool in the midst of its parallel processing, we can keep track of whether it has encountered any errors and raise one meta-error at the end of its execution. This will prevent the top-level admin code from claiming that execution succeeded, and ensure operators notice any previously-logged errors. As part of this, fix the SA's GetLintPrecertificate wrapper to actually call the SARO's GetLintPrecertificate, instead of incorrectly calling the SARO's GetCertificate. Fixes #7460

Correctly explode the params slice with Go's "..." notation so that gorp/go-sql-driver correctly receives each element of the params slice, rather than receiving the slice as a whole. Also use the SA's clock, rather than the DB's, to control which certs are selected -- in deployments this wouldn't make a difference but in test those clocks can be very different. Add two unit tests to ensure this query does not regress, and create a generic fake gRPC server stream for use in several SA tests including the new ones. Fixes letsencrypt#7460

…etsencrypt#7466) While we don't want to halt the admin tool in the midst of its parallel processing, we can keep track of whether it has encountered any errors and raise one meta-error at the end of its execution. This will prevent the top-level admin code from claiming that execution succeeded, and ensure operators notice any previously-logged errors. As part of this, fix the SA's GetLintPrecertificate wrapper to actually call the SARO's GetLintPrecertificate, instead of incorrectly calling the SARO's GetCertificate. Fixes letsencrypt#7460

aarongable mentioned this issue Apr 30, 2024

Issues with new admin tool #7351

Open

6 tasks

aarongable added this to the Sprint 2024-04-30 milestone Apr 30, 2024

aarongable self-assigned this Apr 30, 2024

This was referenced Apr 30, 2024

RA: fix GetSerialsByKey and GetSerialsByAccount #7465

Merged

admin: fail if any error is encountered during parallel processing #7466

Merged

aarongable closed this as completed in #7465 May 1, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

admin block-key failed #7460

admin block-key failed #7460

aarongable commented Apr 30, 2024 •

edited

Loading

admin block-key failed #7460

admin block-key failed #7460

Comments

aarongable commented Apr 30, 2024 • edited Loading

aarongable commented Apr 30, 2024 •

edited

Loading