[feat] log enrollment config in various ca_handlers #984
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Manual Installation tests | |
| on: | |
| push: | |
| pull_request: | |
| branches: [ devel ] | |
| schedule: | |
| # * is a special character in YAML so you have to quote this string | |
| - cron: '0 2 * * 6' | |
| jobs: | |
| apache2_wsgi: | |
| name: "apache2_wsgi" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: "checkout GIT" | |
| uses: actions/checkout@v4 | |
| - name: "Get runner ip" | |
| run: | | |
| echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV | |
| echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV | |
| - run: echo "runner IP is ${{ env.RUNNER_IP }}" | |
| - name: Branch name | |
| run: echo running on branch ${GITHUB_REF##*/} | |
| - name: "Run install script" | |
| run: | | |
| sudo mkdir -p data | |
| chmod a+rx examples/install_scripts/a2c-ubuntu22-apache2.sh | |
| examples/install_scripts/a2c-ubuntu22-apache2.sh ${GITHUB_REF##*/} | |
| - name: "Local modification to get a2c running" | |
| run: | | |
| sudo chmod a+w /etc/hosts | |
| sudo echo ${{ env.RUNNER_IP }} acme-srv >> /etc/hosts | |
| sudo apt-get install -y socat | |
| sudo sed -i "s/Listen 80/Listen 8080/g" /etc/apache2/ports.conf | |
| sudo sed -i "s/Listen 443/Listen 1443/g" /etc/apache2/ports.conf | |
| sudo sed -i "s/*:80/*:8080/g" /etc/apache2/sites-available/acme2certifier.conf | |
| sudo sed -i "s/*:443/*:1443/g" /etc/apache2/sites-available/acme2certifier_ssl.conf | |
| sudo sed -i "s/examples\/ca_handler/\/var\/www\/acme2certifier\/examples\/ca_handler/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg | |
| sudo sed -i "s/volume\/acme_ca/\/var\/www\/acme2certifier\/volume\/acme_ca/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg | |
| sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg | |
| sudo service apache2 restart | |
| - name: "Create Namespace" | |
| run: docker network create acme | |
| - name: "Test enrollment" | |
| uses: ./.github/actions/acme_clients | |
| with: | |
| ACME_SERVER: acme-srv | |
| HTTP_PORT: 8080 | |
| HTTPS_PORT: 1443 | |
| - name: "[ * ] collecting test logs" | |
| if: ${{ failure() }} | |
| run: | | |
| mkdir -p ${{ github.workspace }}/artifact/upload | |
| sudo cp -rp /var/log/apache2 ${{ github.workspace }}/artifact/data/ | |
| sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data | |
| - name: "[ * ] uploading artificates" | |
| uses: actions/upload-artifact@v4 | |
| if: ${{ failure() }} | |
| with: | |
| name: apache.tar.gz | |
| path: ${{ github.workspace }}/artifact/upload/ | |
| nginx_wsgi: | |
| name: "nginx_wsgi" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: "checkout GIT" | |
| uses: actions/checkout@v4 | |
| - name: "Get runner ip" | |
| run: | | |
| echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV | |
| echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV | |
| - run: echo "runner IP is ${{ env.RUNNER_IP }}" | |
| - name: Branch name | |
| run: echo running on branch ${GITHUB_REF##*/} | |
| - name: "Run install script" | |
| run: | | |
| sudo mkdir -p data | |
| sh examples/install_scripts/a2c-ubuntu22-nginx.sh | |
| - name: "Local modification to get a2c running" | |
| run: | | |
| sudo chmod a+w /etc/hosts | |
| sudo echo ${{ env.RUNNER_IP }} acme-srv >> /etc/hosts | |
| sudo apt-get install -y socat | |
| sudo sed -i "s/listen 80/listen 8080/g" /etc/nginx/sites-enabled/acme_srv.conf | |
| sudo sed -i "s/listen [::]:80/listen [::]:8080/g" /etc/nginx/sites-enabled/acme_srv.conf | |
| sudo sed -i "s/listen 443/listen 1443/g" /etc/nginx/sites-enabled/acme_srv_ssl.conf | |
| sudo sed -i "s/listen [::]:443/listen [::]:1443/g" /etc/nginx/sites-enabled/acme_srv_ssl.conf | |
| sudo sed -i "s/examples\/ca_handler/\/var\/www\/acme2certifier\/examples\/ca_handler/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg | |
| sudo sed -i "s/volume\/acme_ca/\/var\/www\/acme2certifier\/volume\/acme_ca/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg | |
| sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg | |
| sudo service nginx restart | |
| - name: "Create Namespace" | |
| run: docker network create acme | |
| - name: "Test enrollment" | |
| uses: ./.github/actions/acme_clients | |
| with: | |
| ACME_SERVER: acme-srv | |
| HTTP_PORT: 8080 | |
| HTTPS_PORT: 1443 | |
| - name: "[ * ] collecting test logs" | |
| if: ${{ failure() }} | |
| run: | | |
| mkdir -p ${{ github.workspace }}/artifact/upload | |
| sudo cp -rp /var/log/apache2 ${{ github.workspace }}/artifact/data/ | |
| sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data | |
| - name: "[ * ] uploading artificates" | |
| uses: actions/upload-artifact@v4 | |
| if: ${{ failure() }} | |
| with: | |
| name: nginx.tar.gz | |
| path: ${{ github.workspace }}/artifact/upload/ | |
| alma_nginx_wsgi: | |
| name: "alma_nginx_wsgi" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: "checkout GIT" | |
| uses: actions/checkout@v4 | |
| - name: "Get runner ip" | |
| run: | | |
| echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV | |
| echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV | |
| - run: echo "runner IP is ${{ env.RUNNER_IP }}" | |
| - name: Branch name | |
| run: echo running on branch ${GITHUB_REF##*/} | |
| - name: "Prepare environment" | |
| run: | | |
| docker network create acme | |
| mkdir -p acme-sh | |
| echo "exit 0" >> examples/install_scripts/a2c-centos9-nginx.sh | |
| - name: "Almalinux instance" | |
| run: | | |
| cat examples/Docker/almalinux-systemd/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache | |
| docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/":/tmp/acme2certifier almalinux-systemd | |
| - name: "Execute install scipt" | |
| run: | | |
| docker exec acme-srv sh /tmp/acme2certifier/examples/Docker/almalinux-systemd/script_tester.sh | |
| - name: "Test enrollment" | |
| uses: ./.github/actions/acme_clients | |
| - name: "[ * ] collecting test logs" | |
| if: ${{ failure() }} | |
| run: | | |
| mkdir -p ${{ github.workspace }}/artifact/upload | |
| sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ | |
| docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log | |
| sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz acme-srv.log acme-sh | |
| - name: "[ * ] uploading artificates" | |
| uses: actions/upload-artifact@v4 | |
| if: ${{ failure() }} | |
| with: | |
| name: alma_nginx_wsgi.tar.gz | |
| path: ${{ github.workspace }}/artifact/upload/ | |
| alma_nginx_wsgi_rpm: | |
| name: "alma_nginx_wsgi_rpm" | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| rhversion: [8, 9] | |
| steps: | |
| - name: "checkout GIT" | |
| uses: actions/checkout@v4 | |
| - name: Branch name | |
| run: echo running on branch ${GITHUB_REF##*/} | |
| - name: "Prepare Alma environment" | |
| uses: ./.github/actions/rpm_prep | |
| with: | |
| GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} | |
| GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} | |
| RH_VERSION: ${{ matrix.rhversion }} | |
| - name: "Prepare acme_srv.cfg with openssl_ca_handler" | |
| run: | | |
| mkdir -p data/acme_ca | |
| sudo mkdir -p examples/Docker/data/acme_ca/certs | |
| sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/ | |
| sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/acme_srv.cfg | |
| - name: "Execute install scipt" | |
| run: | | |
| docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh | |
| - name: "Test enrollment" | |
| uses: ./.github/actions/acme_clients | |
| - name: "[ * ] collecting test logs" | |
| if: ${{ failure() }} | |
| run: | | |
| mkdir -p ${{ github.workspace }}/artifact/upload | |
| sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ | |
| sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ | |
| docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log | |
| sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh | |
| - name: "[ * ] uploading artificates" | |
| uses: actions/upload-artifact@v4 | |
| if: ${{ failure() }} | |
| with: | |
| name: alma_nginx_wsgi_rpm.tar.gz | |
| path: ${{ github.workspace }}/artifact/upload/ | |
| deb_build: | |
| name: "deb_build" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: "checkout GIT" | |
| uses: actions/checkout@v4 | |
| - name: "deb build and upload" | |
| uses: ./.github/actions/deb_build_upload | |
| deb_apache2: | |
| name: "deb_apache2" | |
| runs-on: ubuntu-latest | |
| needs: deb_build | |
| steps: | |
| - name: "checkout GIT" | |
| uses: actions/checkout@v4 | |
| - name: "Get runner ip" | |
| run: | | |
| echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV | |
| - run: echo "runner IP is ${{ env.RUNNER_IP }}" | |
| - name: "Retrieve Version from version.py" | |
| run: | | |
| echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV | |
| - name: Download debian package | |
| uses: actions/download-artifact@v4 | |
| continue-on-error: true | |
| with: | |
| name: acme2certifier_${{ env.TAG_NAME }}-${{ github.run_id }}-1_all.deb | |
| path: /tmp | |
| - name: Install apache2 and acme2certifier packages" | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y apache2 apache2-data libapache2-mod-wsgi-py3 | |
| sudo apt-get install -y /tmp/acme2certifier_${{ env.TAG_NAME }}-${{ github.run_id }}-1_all.deb | |
| - name: "configure a2c" | |
| run: | | |
| sudo cp /var/www/acme2certifier/examples/apache2/apache_wsgi.conf /etc/apache2/sites-available/acme2certifier.conf | |
| sudo cp /var/www/acme2certifier/examples/apache2/apache_wsgi_ssl.conf /etc/apache2/sites-available/acme2certifier_ssl.conf | |
| sudo a2enmod ssl | |
| sudo a2ensite acme2certifier | |
| sudo a2ensite acme2certifier_ssl | |
| sudo mkdir -p /var/www/acme2certifier/volume/ | |
| sudo cp .github/acme2certifier.pem /var/www/acme2certifier/volume/ | |
| sudo rm /etc/apache2/sites-enabled/000-default.conf | |
| sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg /var/www/acme2certifier/acme_srv/acme_srv.cfg | |
| sudo mkdir -p /var/www/acme2certifier/volume/acme_ca/certs | |
| sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem /var/www/acme2certifier/volume/acme_ca/ | |
| sudo chown -R www-data.www-data /var/www/acme2certifier/volume | |
| sudo systemctl start apache2 | |
| - name: "Modfiy configuration to allow certifiate enrollment" | |
| run: | | |
| sudo chmod a+w /etc/hosts | |
| sudo echo ${{ env.RUNNER_IP }} acme-srv >> /etc/hosts | |
| # sudo apt-get install -y socat | |
| sudo sed -i "s/Listen 80/Listen 8080/g" /etc/apache2/ports.conf | |
| sudo sed -i "s/Listen 443/Listen 1443/g" /etc/apache2/ports.conf | |
| sudo sed -i "s/*:80/*:8080/g" /etc/apache2/sites-available/acme2certifier.conf | |
| sudo sed -i "s/*:443/*:1443/g" /etc/apache2/sites-available/acme2certifier_ssl.conf | |
| sudo sed -i "s/examples\/ca_handler/\/var\/www\/acme2certifier\/examples\/ca_handler/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg | |
| sudo sed -i "s/volume\/acme_ca/\/var\/www\/acme2certifier\/volume\/acme_ca/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg | |
| sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg | |
| sudo systemctl restart apache2 | |
| - name: "Create Namespace" | |
| run: docker network create acme | |
| - name: "Test enrollment" | |
| uses: ./.github/actions/acme_clients | |
| with: | |
| ACME_SERVER: acme-srv | |
| HTTP_PORT: 8080 | |
| HTTPS_PORT: 1443 | |
| - name: "[ * ] collecting test logs" | |
| if: ${{ failure() }} | |
| run: | | |
| mkdir -p ${{ github.workspace }}/artifact/upload | |
| sudo cp -rp /var/log/apache2 ${{ github.workspace }}/artifact/data/ | |
| sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data | |
| - name: "[ * ] uploading artificates" | |
| uses: actions/upload-artifact@v4 | |
| if: ${{ failure() }} | |
| with: | |
| name: deb_apache.tar.gz | |
| path: ${{ github.workspace }}/artifact/upload/ | |
| deb_nginx: | |
| name: "deb_nginx" | |
| runs-on: ubuntu-latest | |
| needs: deb_build | |
| steps: | |
| - name: "checkout GIT" | |
| uses: actions/checkout@v4 | |
| - name: "Get runner ip" | |
| run: | | |
| echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV | |
| - run: echo "runner IP is ${{ env.RUNNER_IP }}" | |
| - name: "Retrieve Version from version.py" | |
| run: | | |
| echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV | |
| - name: Download debian package | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: acme2certifier_${{ env.TAG_NAME }}-${{ github.run_id }}-1_all.deb | |
| path: /tmp | |
| - name: "Install nginx and acme2certifier packages" | |
| run: | | |
| sudo apt-get update | |
| sudo apt-get install -y python3-pip nginx uwsgi uwsgi-plugin-python3 | |
| sudo apt-get install -y /tmp/acme2certifier_${{ env.TAG_NAME }}-${{ github.run_id }}-1_all.deb | |
| - name: "Prepare local modification to get a2c running" | |
| run: | | |
| sed -i "s/run\/uwsgi\/acme.sock/var\/www\/acme2certifier\/acme.sock/g" examples/nginx/nginx_acme_srv.conf | |
| sed -i "s/run\/uwsgi\/acme.sock/var\/www\/acme2certifier\/acme.sock/g" examples/nginx/nginx_acme_srv_ssl.conf | |
| sudo cp examples/nginx/nginx_acme_srv.conf /etc/nginx/sites-available/acme_srv.conf | |
| sudo cp examples/nginx/nginx_acme_srv_ssl.conf /etc/nginx/sites-available/acme_srv_ssl.conf | |
| sudo rm /etc/nginx/sites-enabled/default | |
| sudo ln -s /etc/nginx/sites-available/acme_srv.conf /etc/nginx/sites-enabled/acme_srv.conf | |
| sudo ln -s /etc/nginx/sites-available/acme_srv_ssl.conf /etc/nginx/sites-enabled/acme_srv_ssl.conf | |
| sudo mkdir -p /var/www/acme2certifier/volume/ | |
| sudo cp .github/acme2certifier_cert.pem /var/www/acme2certifier/volume/ | |
| sudo cp .github/acme2certifier_key.pem /var/www/acme2certifier/volume/ | |
| sudo chown -R www-data.www-data /var/www/acme2certifier/ | |
| sudo systemctl start nginx | |
| - name: "Modify uwsgi configuration file" | |
| run: | | |
| sed -i "s/\/run\/uwsgi\/acme.sock/acme.sock/g" examples/nginx/acme2certifier.ini | |
| sed -i "s/nginx/www-data/g" examples/nginx/acme2certifier.ini | |
| echo "plugins=python3" >> examples/nginx/acme2certifier.ini | |
| sudo cp examples/nginx/acme2certifier.ini /var/www/acme2certifier | |
| - name: "Create a2c service" | |
| run: | | |
| cat <<EOT > acme2certifier.service | |
| [Unit] | |
| Description=uWSGI instance to serve acme2certifier | |
| After=network.target | |
| [Service] | |
| User=www-data | |
| Group=www-data | |
| WorkingDirectory=/var/www/acme2certifier | |
| Environment="PATH=/var/www/acme2certifier" | |
| ExecStart=uwsgi --ini acme2certifier.ini | |
| [Install] | |
| WantedBy=multi-user.target | |
| EOT | |
| sudo cp acme2certifier.service /etc/systemd/system/acme2certifier.service | |
| sudo systemctl start acme2certifier | |
| sudo systemctl enable acme2certifier | |
| - name: "Test http://acme-srv/directory is accessible" | |
| run: curl -f http://127.0.0.1/directory | |
| - name: "Configure ca_handler" | |
| run: | | |
| sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg /var/www/acme2certifier/acme_srv/acme_srv.cfg | |
| sudo mkdir -p /var/www/acme2certifier/volume/acme_ca/certs | |
| sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem /var/www/acme2certifier/volume/acme_ca/ | |
| sudo chown -R www-data.www-data /var/www/acme2certifier/volume | |
| - name: "Modfiy configuration to allow certifiate enrollment" | |
| run: | | |
| sudo chmod a+w /etc/hosts | |
| sudo echo ${{ env.RUNNER_IP }} acme-srv >> /etc/hosts | |
| sudo sed -i "s/listen 80/listen 8080/g" /etc/nginx/sites-enabled/acme_srv.conf | |
| sudo sed -i "s/listen [::]:80/listen [::]:8080/g" /etc/nginx/sites-enabled/acme_srv.conf | |
| sudo sed -i "s/listen 443/listen 1443/g" /etc/nginx/sites-enabled/acme_srv_ssl.conf | |
| sudo sed -i "s/listen [::]:443/listen [::]:1443/g" /etc/nginx/sites-enabled/acme_srv_ssl.conf | |
| sudo sed -i "s/examples\/ca_handler/\/var\/www\/acme2certifier\/examples\/ca_handler/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg | |
| sudo sed -i "s/volume\/acme_ca/\/var\/www\/acme2certifier\/volume\/acme_ca/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg | |
| sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg | |
| sudo systemctl restart nginx | |
| - name: "Create Namespace" | |
| run: docker network create acme | |
| - name: "Test enrollment" | |
| uses: ./.github/actions/acme_clients | |
| with: | |
| ACME_SERVER: acme-srv | |
| HTTP_PORT: 8080 | |
| HTTPS_PORT: 1443 | |
| - name: "[ * ] collecting test logs" | |
| if: ${{ failure() }} | |
| run: | | |
| mkdir -p ${{ github.workspace }}/artifact/upload | |
| sudo cp -rp /var/log/nginx ${{ github.workspace }}/artifact/data/ | |
| sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data | |
| - name: "[ * ] uploading artificates" | |
| uses: actions/upload-artifact@v4 | |
| if: ${{ failure() }} | |
| with: | |
| name: deb_nginx.tar.gz | |
| path: ${{ github.workspace }}/artifact/upload/ | |