test: fix flaky force_renew test (detect renewal by serial) #1269
Merged
buchdag merged 2 commits on Jun 18, 2026
The force_renew test polled for the certificate's expiration date (notAfter) to increase after a forced renewal. This is unreliable: the Pebble test config defines several certificate profiles with different validity periods, so a renewed cert can be issued under a different profile and end up with an EARLIER expiration than the original even though the renewal succeeded — making the test fail intermittently (maintainers had to re-run it).

Detect the renewal by the certificate serial number instead, which changes on every (re-)issuance regardless of profile/validity/timing.

Add a get_cert_serial test helper and capture the force_renew output so a failure is diagnosable.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
buchdag reviewed Jun 18, 2026
buchdag reviewed Jun 18, 2026
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
buchdag approved these changes Jun 18, 2026
What
Make the force_renew integration test reliable. It has been failing intermittently in CI (maintainers have had to re-run it to get a green build).

Why
The test forced a renewal and then polled for the certificate's expiration date (notAfter) to increase. That signal is unreliable: test/setup/pebble/pebble-config.json defines several certificate profiles with different validity periods (5y default, 1y, 6-day), and a renewed certificate can be issued under a different profile than the original — giving it an earlier notAfter even though the renewal succeeded. The poll then never sees notAfter increase and the test fails after 30s.

Example from a failed run:
The two issuances were only ~13s apart (so the renewal did happen), but the renewed cert got a shorter validity, so notAfter went backwards.

How
Detect the renewal by the certificate serial number, which changes on every (re-)issuance regardless of profile, validity period or timing:
test/tests/test-functions.sh — add a get_cert_serial helper.
test/tests/force_renew/run.sh — compare the serial before/after the forced renewal instead of the expiration date, and capture the force_renew output so a genuine failure is diagnosable (it was previously discarded to /dev/null).

Test-only change; no product code is affected.
🤖 Generated with Claude Code
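
The failure mode described in this PR, reproduced as an added example (not the project's code and not its get_cert_serial helper): two constructed self-signed certificates, one with a 5-year validity and one with a 6-day validity, stand in for the original and the renewed certificate. The function names, file names and serial values are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not the project's code. Constructed self-signed certificates
# stand in for the original and renewed certs; all names here are hypothetical.

# Serial number of a PEM certificate, as the hex string openssl prints.
cert_serial() {
  openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# notAfter of a PEM certificate as a sortable YYYYMMDDHHMMSS number.
cert_not_after() {
  openssl x509 -in "$1" -noout -enddate | cut -d= -f2 |
    awk '{ m = (index("JanFebMarAprMayJunJulAugSepOctNovDec", $1) + 2) / 3
           gsub(":", "", $3)
           printf "%04d%02d%02d%s\n", $4, m, $2, $3 }'
}

# Old signal: the renewal is detected only if notAfter moved forward.
renewed_by_expiry() {
  [ "$(cert_not_after "$2")" -gt "$(cert_not_after "$1")" ]
}

# New signal: the renewal is detected if the serial number changed.
renewed_by_serial() {
  [ "$(cert_serial "$2")" != "$(cert_serial "$1")" ]
}

# Issue a constructed certificate: make_cert <out.pem> <validity days> <serial>
make_cert() {
  openssl req -x509 -new -key "$workdir/key.pem" -subj "/CN=example.test" \
    -days "$2" -set_serial "$3" -out "$1" 2>/dev/null
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
openssl ecparam -name prime256v1 -genkey -noout -out "$workdir/key.pem"
make_cert "$workdir/before.pem" 1825 0x1001   # original: 5-year validity
make_cert "$workdir/after.pem"  6    0x1002   # renewal: 6-day validity

for check in renewed_by_expiry renewed_by_serial; do
  if "$check" "$workdir/before.pem" "$workdir/after.pem"; then
    echo "$check: renewal detected"
  else
    echo "$check: renewal missed"
  fi
done
```

The expiry comparison reports the renewal as missed because the second certificate expires earlier, while the serial comparison detects it.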