[CI - FAILURE] SEC_E_UNTRUSTED_ROOT on WS2025 Tests

Open nibanks opened this issue 1 year ago • 6 comments

Describe the bug

For some reason, a couple of the tests are inconsistently failing with SEC_E_UNTRUSTED_ROOT:

D:\a\msquic\msquic\src\test\lib\TestConnection.cpp(982): error: Unexpected Certificate Validation Status, expected=0x0, actual=0x80090325

Not every run fails, which is weird. So, I suspect some timing issue.

Affected OS

  • [x] Windows
  • [ ] Linux
  • [ ] macOS
  • [ ] Other (specify below)

Additional OS information

It's only happening on the WS2025 runners (not preview builds).

MsQuic version

main

Steps taken to reproduce bug

Run CI

Expected behavior

All passes

Actual outcome

Failures

Additional details

No response

nibanks Mar 18 '25 13:03

Everything in prepare-machine.ps1 seems to pass and successfully install the certificates. The logs indicate the status comes from Schannel. I'm not sure what's going on at this point.

quic.log

nibanks Mar 18 '25 13:03

Decoding the Schannel traces doesn't provide much more info either. At this point, the test is validating Schannel. We could modify the test to ignore the certificate validation result, or accept the UNTRUSTED_ROOT error.

anrossi Apr 04 '25 02:04

I have a few questions:

  1. Where is this test running (and passing) today?
  2. Assuming it's passing on some Windows+schannel system, what is different between this and that config?
  3. Are we sure there's no test bug that would be preventing this test from passing?

I don't think we should simply accept the untrusted root error. I thought this test was specifically trying to validate trust.

nibanks Apr 04 '25 14:04

  1. It's not running on OpenSSL (gated behind QUIC_TEST_FAILING_TEST_CERTIFICATES which is gated behind QUIC_TEST_OPENSSL_FLAGS and only on debug builds), not compiled on windows-2019, and compiled but skipped on windows-2022. The runtime on WinServerPrerelease is suspiciously low (same runtime as the skip on windows-2022) so I wonder if it doesn't run there either. When it runs and succeeds, it's running on windows-2025.

anrossi Apr 11 '25 05:04

As a first step, we should re-enable the test. If it repros, move to next iteration.

guhetier Sep 30 '25 18:09

PR #5042 has changes to re-enable this test and collect extra logging if it fails.

anrossi Oct 30 '25 17:10