[feat] log enrollment config in various ca_handlers #1504
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Proxy tests | |
on: | |
push: | |
pull_request: | |
branches: [ devel ] | |
schedule: | |
# * is a special character in YAML so you have to quote this string | |
- cron: '0 2 * * 6' | |
jobs: | |
proxy_tests: | |
name: "proxy_tests" | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
max-parallel: 1 | |
matrix: | |
websrv: ['apache2', 'nginx'] | |
dbhandler: ['wsgi', 'django'] | |
steps: | |
- name: "checkout GIT" | |
uses: actions/checkout@v4 | |
- name: "get runner ip" | |
run: | | |
echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV | |
echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV | |
- run: echo "runner IP is ${{ env.RUNNER_IP }}" | |
- name: "Build container" | |
uses: ./.github/actions/container_prep | |
with: | |
DB_HANDLER: ${{ matrix.dbhandler }} | |
WEB_SRV: ${{ matrix.websrv }} | |
- name: "Install dnsmasq" | |
run: | | |
sudo apt-get update | |
sudo apt-get install -y dnsmasq | |
sudo systemctl disable systemd-resolved | |
sudo systemctl stop systemd-resolved | |
sudo mkdir -p dnsmasq | |
sudo cp .github/dnsmasq.conf dnsmasq/ | |
sudo chmod -R 777 dnsmasq/dnsmasq.conf | |
sudo sed -i "s/RUNNER_IP/$RUNNER_IP/g" dnsmasq/dnsmasq.conf | |
sudo echo "address=/$WES_HOST/$RUNNER_IP" >> dnsmasq/dnsmasq.conf | |
cat dnsmasq/dnsmasq.conf | |
sudo cp dnsmasq/dnsmasq.conf /etc/ | |
sudo systemctl enable dnsmasq | |
sudo systemctl start dnsmasq | |
env: | |
RUNNER_IP: ${{ env.RUNNER_IP }} | |
WES_HOST: ${{ secrets.WES_HOST }} | |
- name: "test dns resulution" | |
run: | | |
host $WES_HOST 127.0.0.1 | |
env: | |
WES_HOST: ${{ secrets.WES_HOST }} | |
- name: "proxy container" | |
run: | | |
docker pull mosajjal/pproxy:latest | |
docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv & | |
- name: "Sleep for 10s" | |
uses: juliangruber/[email protected] | |
with: | |
time: 10s | |
- name: "Setup openssl ca_handler" | |
run: | | |
sudo mkdir -p examples/Docker/data/acme_ca/certs | |
sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ | |
sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg examples/Docker/data/acme_srv.cfg | |
sudo chmod 777 examples/Docker/data/acme_srv.cfg | |
sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"acme-sh.acme\$\": \"socks5:\/\/proxy.acme:8080\", \"acme-sh.\$\": \"http\:\/\/proxy.acme:8080\"}/g" examples/Docker/data/acme_srv.cfg | |
cd examples/Docker/ | |
docker-compose restart | |
- name: "Sleep for 10s" | |
uses: juliangruber/[email protected] | |
with: | |
time: 10s | |
- name: "Openssl - Test http://acme-srv/directory is accessible" | |
run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory | |
- name: "Openssl - Test if https://acme-srv/directory is accessible" | |
run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory | |
- name: "Prepare acme.sh container" | |
run: | | |
docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon | |
- name: "Openssl - Enroll acme.sh - http challenge validation" | |
run: | | |
docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail '[email protected]' --issue -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure --force | |
openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
- name: "Check proxy logs" | |
run: | | |
docker logs proxy | grep socks5 | grep -- "->" | |
docker logs proxy | grep http | grep -- "->" | |
docker stop proxy | |
docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv & | |
- name: "Openssl - Enroll acme.sh - alpn challenge validation" | |
run: | | |
docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail '[email protected]' --issue -d acme-sh.acme --alpn -d acme-sh. --alpn --standalone --debug 3 --output-insecure --force | |
openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
- name: "Check proxy logs" | |
run: | | |
docker logs proxy | grep socks5 | grep -- "->" | |
docker logs proxy | grep http | grep -- "->" | |
docker stop proxy | |
docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv & | |
- name: "Setup certifier ca_handler for proxy usage" | |
run: | | |
sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg | |
sudo chmod 777 examples/Docker/data/acme_srv.cfg | |
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg | |
sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "api_host: ${{ secrets.NCM_API_HOST }}" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "api_user: ${{ secrets.NCM_API_USER }}" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "api_password: ${{ secrets.NCM_API_PASSWORD }}" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "ca_name: ${{ secrets.NCM_CA_NAME }}" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "ca_bundle: ${{ secrets.NCM_CA_BUNDLE }}" >> examples/Docker/data/acme_srv.cfg | |
sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"ncm.nclm.eu\$\": \"socks5:\/\/proxy.acme:8080\"}/g" examples/Docker/data/acme_srv.cfg | |
cd examples/Docker/ | |
docker-compose restart | |
- name: "Sleep for 5s" | |
uses: juliangruber/[email protected] | |
with: | |
time: 5s | |
- name: "Certifier - Enroll via certifier ca_handler" | |
run: | | |
docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail '[email protected]' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force | |
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer | |
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
- name: "Certifier - Revoke via certifier ca_handler" | |
run: | | |
docker exec -i acme-sh acme.sh --server http://acme-srv --revoke -d acme-sh.acme --standalone --debug 3 --output-insecure | |
- name: "Check proxy logs" | |
run: | | |
docker logs proxy | grep socks5 | grep -- "->" | |
docker stop proxy | |
docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv & | |
- name: "Setup using http-basic-auth for proxy usage" | |
run: | | |
sudo mkdir -p examples/Docker/data/est | |
sudo chmod -R 777 examples/Docker/data/est | |
sudo touch $HOME/.rnd | |
sudo openssl ecparam -genkey -name prime256v1 -out examples/Docker/data/est/est_client_key.pem | |
sudo openssl req -new -key examples/Docker/data/est/est_client_key.pem -out /tmp/request.p10 -subj '/CN=acme2certifier' | |
sudo curl http://testrfc7030.com/dstcax3.pem --output /tmp/dstcax3.pem | |
sudo curl https://testrfc7030.com:8443/.well-known/est/cacerts -o /tmp/cacerts.p7 --cacert /tmp/dstcax3.pem | |
sudo openssl base64 -d -in /tmp/cacerts.p7 | openssl pkcs7 -inform DER -outform PEM -print_certs -out examples/Docker/data/est/ca_bundle.pem | |
sudo curl https://testrfc7030.com:8443/.well-known/est/simpleenroll --anyauth -u estuser:estpwd -s -o /tmp/cert.p7 --cacert /tmp/dstcax3.pem --data-binary @/tmp/request.p10 -H "Content-Type: application/pkcs10" --dump-header /tmp/resp.hdr | |
sudo openssl base64 -d -in /tmp/cert.p7 | openssl pkcs7 -inform DER -outform PEM -print_certs -out examples/Docker/data/est/est_client_cert.pem | |
sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg | |
sudo chmod 777 examples/Docker/data/acme_srv.cfg | |
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg | |
sudo echo "handler_file: examples/ca_handler/est_ca_handler.py" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "est_host: https://testrfc7030.com:8443" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "est_user: estuser" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "est_password: estpwd" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "ca_bundle: False" >> examples/Docker/data/acme_srv.cfg | |
sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"testrfc7030.com\$\": \"socks5:\/\/proxy.acme:8080\"}/g" examples/Docker/data/acme_srv.cfg | |
cd examples/Docker/ | |
docker-compose restart | |
- name: "Sleep for 5s" | |
uses: juliangruber/[email protected] | |
with: | |
time: 5s | |
- name: "EST - Enroll via EST using http-basic-auth" | |
run: | | |
docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail '[email protected]' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force | |
- name: "Check proxy logs" | |
run: | | |
docker logs proxy | grep socks5 | grep -- "->" | |
docker stop proxy | |
docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv & | |
#- name: "setup nclm ca_handler for proxy usage" | |
# run: | | |
# sudo cp examples/ca_handler/nclm_ca_handler.py examples/Docker/data/ca_handler.py | |
# sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg | |
# sudo chmod 777 examples/Docker/data/acme_srv.cfg | |
# sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg | |
# sudo echo "api_host: ${{ secrets.NCLM_API_HOST }}" >> examples/Docker/data/acme_srv.cfg | |
# sudo echo "api_user: ${{ secrets.NCLM_API_USER }}" >> examples/Docker/data/acme_srv.cfg | |
# sudo echo "api_password: ${{ secrets.NCLM_API_PASSWORD }}" >> examples/Docker/data/acme_srv.cfg | |
# sudo echo "tsg_name: ${{ secrets.NCLM_TSG_NAME }}" >> examples/Docker/data/acme_srv.cfg | |
# sudo echo "ca_name: ${{ secrets.NCLM_CA_NAME }}" >> examples/Docker/data/acme_srv.cfg | |
# sudo echo "ca_id_list: [${{ secrets.NCLM_CA_ID_LIST }}]" >> examples/Docker/data/acme_srv.cfg | |
# sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"nclm.eu\$\": \"http:\/\/proxy.acme:8080\"}/g" examples/Docker/data/acme_srv.cfg | |
# cd examples/Docker/ | |
# docker-compose restart | |
# docker-compose logs | |
#- name: "Sleep for 5s" | |
# uses: juliangruber/[email protected] | |
# with: | |
# time: 5s | |
#- name: "Enroll via nclm ca_handler" | |
# run: | | |
# docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail '[email protected]' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force | |
# # openssl verify -CAfile acme.sh/acme-sh.acme/ca.cer acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
#- name: "Check proxy logs" | |
# run: | | |
# docker logs proxy | grep http | grep -- "->" | |
# docker stop proxy | |
# docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv & | |
- name: "Setup msca ca_handler for proxy usage" | |
run: | | |
sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg | |
sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem | |
sudo chmod 777 examples/Docker/data/acme_srv.cfg | |
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg | |
sudo echo "handler_file: examples/ca_handler/mscertsrv_ca_handler.py" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "host: ${{ secrets.WES_HOST }}" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "user: ${{ secrets.WES_USER }}" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "password: ${{ secrets.WES_PASSWORD }}" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "auth_method: ${{ secrets.WES_AUTHMETHOD }}" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "template: ${{ secrets.WES_TEMPLATE }}" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "ca_bundle: volume/ca_certs.pem" >> examples/Docker/data/acme_srv.cfg | |
sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"amazonaws.com\$\": \"socks5:\/\/proxy.acme:8080\"}/g" examples/Docker/data/acme_srv.cfg | |
cd examples/Docker/ | |
docker-compose restart | |
- name: "Prepare ssh environment on ramdisk " | |
run: | | |
sudo mkdir -p /tmp/rd | |
sudo mount -t tmpfs -o size=5M none /tmp/rd | |
sudo echo "$SSH_KEY" > /tmp/rd/ak.tmp | |
sudo chmod 600 /tmp/rd/ak.tmp | |
sudo echo "$KNOWN_HOSTS" > /tmp/rd/known_hosts | |
env: | |
SSH_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} | |
KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} | |
- name: "Setup ssh forwarder" | |
run: | | |
docker run -d --rm --network acme --name=$WCCE_FQDN_WOTLD -e "MAPPINGS=445:$WCCE_HOST:445; 443:$WCCE_HOST:443; 88:$WCCE_HOST:88" -e "SSH_HOST=$SSH_HOST" -e "SSH_PORT=$SSH_PORT" -e "SSH_USER=$SSH_USER" -p 443:443 -p 445:445 -p 88:88 -v "/tmp/rd/ak.tmp:/ssh_key:ro" davidlor/ssh-port-forward-client:dev | |
env: | |
SSH_USER: ${{ secrets.WCCE_SSH_USER }} | |
SSH_HOST: ${{ secrets.WCCE_SSH_HOST }} | |
SSH_PORT: ${{ secrets.WCCE_SSH_PORT }} | |
WCCE_HOST: ${{ secrets.WCCE_HOST }} | |
WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }} | |
- name: "Sleep for 10s" | |
uses: juliangruber/[email protected] | |
with: | |
time: 10s | |
- name: "MScertsrv - Enroll via msca ca_handler" | |
run: | | |
docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail '[email protected]' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force | |
# openssl verify -CAfile acme.sh/acme-sh.acme/ca.cer acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
- name: "Check proxy logs" | |
run: | | |
docker logs proxy | grep socks5 | grep -- "->" | |
docker stop proxy | |
docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv & | |
- name: "Stop proxy container" | |
run: | | |
docker stop proxy | |
- name: "Check container configuration" | |
uses: ./.github/actions/container_check | |
with: | |
DB_HANDLER: ${{ matrix.dbhandler }} | |
WEB_SRV: ${{ matrix.websrv }} | |
- name: "[ * ] collecting test logs" | |
if: ${{ failure() }} | |
run: | | |
mkdir -p ${{ github.workspace }}/artifact/upload | |
sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ | |
cd examples/Docker | |
docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log | |
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data | |
- name: "[ * ] uploading artificates" | |
uses: actions/upload-artifact@v4 | |
if: ${{ failure() }} | |
with: | |
name: proxy-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz | |
path: ${{ github.workspace }}/artifact/upload/ | |
proxy_tests_rpm: | |
name: "proxy_tests_rpm" | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
max-parallel: 1 | |
matrix: | |
rhversion: [8, 9] | |
steps: | |
- name: "checkout GIT" | |
uses: actions/checkout@v4 | |
- name: "get runner ip" | |
run: | | |
echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV | |
echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV | |
- run: echo "runner IP is ${{ env.RUNNER_IP }}" | |
- name: "Prepare Alma environment" | |
uses: ./.github/actions/rpm_prep | |
with: | |
GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} | |
GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} | |
RH_VERSION: ${{ matrix.rhversion }} | |
- name: "Install dnsmasq" | |
run: | | |
sudo apt-get update | |
sudo apt-get install -y dnsmasq | |
sudo systemctl disable systemd-resolved | |
sudo systemctl stop systemd-resolved | |
sudo mkdir -p dnsmasq | |
sudo cp .github/dnsmasq.conf dnsmasq/ | |
sudo chmod -R 777 dnsmasq/dnsmasq.conf | |
sudo sed -i "s/RUNNER_IP/$RUNNER_IP/g" dnsmasq/dnsmasq.conf | |
sudo echo "address=/$WES_HOST/$RUNNER_IP" >> dnsmasq/dnsmasq.conf | |
cat dnsmasq/dnsmasq.conf | |
sudo cp dnsmasq/dnsmasq.conf /etc/ | |
sudo systemctl enable dnsmasq | |
sudo systemctl start dnsmasq | |
env: | |
RUNNER_IP: ${{ env.RUNNER_IP }} | |
WES_HOST: ${{ secrets.WES_HOST }} | |
- name: "test dns resulution" | |
run: | | |
host $WES_HOST 127.0.0.1 | |
env: | |
WES_HOST: ${{ secrets.WES_HOST }} | |
- name: "proxy container" | |
run: | | |
docker pull mosajjal/pproxy:latest | |
docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv & | |
- name: "Sleep for 10s" | |
uses: juliangruber/[email protected] | |
with: | |
time: 10s | |
- name: Retrieve proxy-ip | |
run: | | |
echo PROXY_IP=$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' proxy) >> $GITHUB_ENV | |
- run: echo "Latest tag is ${{ env.PROXY_IP }}" | |
- name: "setup openssl ca_handler" | |
run: | | |
sudo mkdir -p data/acme_ca/certs | |
sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/ | |
sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/acme_srv.cfg | |
sudo chmod 777 data/acme_srv.cfg | |
sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"acme-sh.acme\$\": \"socks5:\/\/${{ env.PROXY_IP }}:8080\", \"acme-sh.\$\": \"http\:\/\/${{ env.PROXY_IP }}:8080\"}/g" data/acme_srv.cfg | |
- name: "Execute install scipt" | |
run: | | |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh | |
- name: "Test if http://acme-srv/directory is accessible" | |
run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory | |
- name: "Prepare acme.sh container" | |
run: | | |
docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon | |
- name: "Enroll acme.sh - http challenge validation" | |
run: | | |
docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail '[email protected]' --issue -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure --force | |
openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
- name: "Check proxy logs" | |
run: | | |
docker logs proxy | grep socks5 | grep -- "->" | |
docker logs proxy | grep http | grep -- "->" | |
docker stop proxy | |
docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv & | |
- name: "Enroll acme.sh - alpn challenge validation" | |
run: | | |
docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail '[email protected]' --issue -d acme-sh.acme --alpn -d acme-sh. --alpn --standalone --debug 3 --output-insecure --force | |
openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
- name: "Check proxy logs" | |
run: | | |
docker logs proxy | grep socks5 | grep -- "->" | |
docker logs proxy | grep http | grep -- "->" | |
docker stop proxy | |
docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv & | |
- name: "Prepare acme_srv.cfg with certifier_ca_handler and proxy usage" | |
run: | | |
mkdir -p data/acme_ca | |
sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem | |
sudo touch data/acme_srv.cfg | |
sudo chmod 777 data/acme_srv.cfg | |
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg | |
sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg | |
sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg | |
sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg | |
sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg | |
sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg | |
sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg | |
sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"ncm.nclm.eu\$\": \"socks5:\/\/proxy.acme:8080\"}/g" data/acme_srv.cfg | |
env: | |
NCM_API_HOST: ${{ secrets.NCM_API_HOST }} | |
NCM_API_USER: ${{ secrets.NCM_API_USER }} | |
NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }} | |
NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }} | |
NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }} | |
- name: "[ PREPARE ] reconfigure a2c " | |
run: | | |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart | |
- name: "[ ENROLL] via certifier_ca_handler" | |
run: | | |
docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure & | |
sleep 45 | |
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer | |
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
- name: "[ REVOKE ] via certifier ca_handler" | |
run: | | |
docker exec -i acme-sh acme.sh --server http://acme-srv --revoke -d acme-sh.acme --standalone --debug 3 --output-insecure | |
- name: "Check proxy logs" | |
run: | | |
docker logs proxy | grep socks5 | grep -- "->" | |
docker stop proxy | |
docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv & | |
- name: "setup esthandler using http-basic-auth" | |
run: | | |
sudo mkdir -p data/acme_ca | |
sudo chmod -R 777 data/acme_ca | |
sudo touch $HOME/.rnd | |
sudo openssl ecparam -genkey -name prime256v1 -out data/acme_ca/est_client_key.pem | |
sudo chmod a+rx data/acme_ca/est_client_key.pem | |
sudo openssl req -new -key data/acme_ca/est_client_key.pem -out /tmp/request.p10 -subj '/CN=acme2certifier' | |
sudo curl http://testrfc7030.com/dstcax3.pem --output /tmp/dstcax3.pem | |
sudo curl https://testrfc7030.com:8443/.well-known/est/cacerts -o /tmp/cacerts.p7 --cacert /tmp/dstcax3.pem | |
sudo openssl base64 -d -in /tmp/cacerts.p7 | openssl pkcs7 -inform DER -outform PEM -print_certs -out data/acme_ca/ca_bundle.pem | |
sudo curl https://testrfc7030.com:8443/.well-known/est/simpleenroll --anyauth -u estuser:estpwd -s -o /tmp/cert.p7 --cacert /tmp/dstcax3.pem --data-binary @/tmp/request.p10 -H "Content-Type: application/pkcs10" --dump-header /tmp/resp.hdr | |
sudo openssl base64 -d -in /tmp/cert.p7 | openssl pkcs7 -inform DER -outform PEM -print_certs -out data/acme_ca/est_client_cert.pem | |
sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/acme_srv.cfg | |
sudo chmod 777 data/acme_srv.cfg | |
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg | |
sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/est_ca_handler.py" >> data/acme_srv.cfg | |
sudo echo "est_host: https://testrfc7030.com:8443" >> data/acme_srv.cfg | |
sudo echo "est_user: estuser" >> data/acme_srv.cfg | |
sudo echo "est_password: estpwd" >> data/acme_srv.cfg | |
sudo echo "ca_bundle: False" >> data/acme_srv.cfg | |
sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"testrfc7030.com\$\": \"socks5:\/\/proxy.acme:8080\"}/g" data/acme_srv.cfg | |
- name: "[ PREPARE ] reconfigure a2c " | |
run: | | |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart | |
- name: "Enroll via EST using http-basic-auth" | |
run: | | |
docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail '[email protected]' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force | |
- name: "Check proxy logs" | |
run: | | |
docker logs proxy | grep socks5 | grep -- "->" | |
docker stop proxy | |
docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv & | |
#- name: "Prepare acme_srv.cfg with nclm_ca_handler" | |
# run: | | |
# mkdir -p data/acme_ca | |
# sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem | |
# sudo touch data/acme_srv.cfg | |
# sudo chmod 777 data/acme_srv.cfg | |
# sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg | |
# sudo echo "handler_file: examples/ca_handler/nclm_ca_handler.py" >> data/acme_srv.cfg | |
# sudo echo "api_host: $NCLM_API_HOST" >> data/acme_srv.cfg | |
# sudo echo "api_user: $NCLM_API_USER" >> data/acme_srv.cfg | |
# sudo echo "api_password: $NCLM_API_PASSWORD" >> data/acme_srv.cfg | |
# sudo echo "tsg_name: $NCLM_TSG_NAME" >> data/acme_srv.cfg | |
# sudo echo "ca_name: $NCLM_CA_NAME" >> data/acme_srv.cfg | |
# sudo echo "ca_id_list: [$NCLM_CA_ID_LIST]" >> data/acme_srv.cfg | |
# sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 30/g" data/acme_srv.cfg | |
# sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"nclm.eu\$\": \"http:\/\/proxy.acme:8080\"}/g" data/acme_srv.cfg | |
# env: | |
# NCLM_API_HOST: ${{ secrets.NCLM_API_HOST }} | |
# NCLM_API_USER: ${{ secrets.NCLM_API_USER }} | |
# NCLM_API_PASSWORD: ${{ secrets.NCLM_API_PASSWORD }} | |
# NCLM_TSG_NAME: ${{ secrets.NCLM_TSG_NAME }} | |
# NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }} | |
# NCLM_CA_ID_LIST: ${{ secrets.NCLM_CA_ID_LIST }} | |
#- name: "[ PREPARE ] reconfigure a2c " | |
# run: | | |
# docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart | |
#- name: "Enroll via nclm_ca_handler" | |
# run: | | |
# docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail '[email protected]' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force & | |
# docker stop proxy | |
# docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv & | |
#- name: "Check proxy logs" | |
# run: | | |
# docker logs proxy | grep socks5 | grep -- "->" | |
- name: "ssh environment on ramdisk" | |
run: | | |
sudo mkdir -p /tmp/rd | |
sudo mount -t tmpfs -o size=5M none /tmp/rd | |
sudo echo "$SSH_KEY" > /tmp/rd/ak.tmp | |
sudo chmod 600 /tmp/rd/ak.tmp | |
sudo echo "$KNOWN_HOSTS" > /tmp/rd/known_hosts | |
env: | |
SSH_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} | |
KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} | |
- name: "establish SSH connection" | |
run: sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -p $SSH_PORT -o UserKnownHostsFile=/tmp/rd/known_hosts -L 443:$WES_IP:443 -g ping -c 180 $WES_IP & | |
env: | |
SSH_USER: ${{ secrets.CMP_SSH_USER }} | |
SSH_HOST: ${{ secrets.CMP_SSH_HOST }} | |
SSH_PORT: ${{ secrets.CMP_SSH_PORT }} | |
WES_IP: ${{ secrets.WES_IP }} | |
- name: "Sleep for 5s" | |
uses: juliangruber/[email protected] | |
with: | |
time: 5s | |
- name: "setup msca ca_handler for proxy usage" | |
run: | | |
mkdir -p data/acme_ca | |
sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem | |
sudo touch data/acme_srv.cfg | |
sudo chmod 777 data/acme_srv.cfg | |
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg | |
sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/mscertsrv_ca_handler.py" >> data/acme_srv.cfg | |
sudo echo "host: $WES_HOST" >> data/acme_srv.cfg | |
sudo echo "user: $WES_USER" >> data/acme_srv.cfg | |
sudo echo "password: $WES_PASSWORD" >> data/acme_srv.cfg | |
sudo echo "auth_method: $WES_AUTHMETHOD" >> data/acme_srv.cfg | |
sudo echo "template: $WES_TEMPLATE" >> data/acme_srv.cfg | |
sudo echo "ca_bundle: volume/acme_ca/ca_certs.pem" >> data/acme_srv.cfg | |
sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"amazonaws.com\$\": \"socks5:\/\/proxy.acme:8080\"}/g" data/acme_srv.cfg | |
env: | |
WES_HOST: ${{ secrets.WES_HOST }} | |
WES_USER: ${{ secrets.WES_USER }} | |
WES_PASSWORD: ${{ secrets.WES_PASSWORD }} | |
WES_AUTHMETHOD: ${{ secrets.WES_AUTHMETHOD }} | |
WES_TEMPLATE: ${{ secrets.WES_TEMPLATE }} | |
- name: "[ PREPARE ] reconfigure a2c " | |
run: | | |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart | |
- name: "Enroll via msca ca_handler" | |
run: | | |
docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail '[email protected]' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force & | |
# sleep 45 | |
# openssl verify -CAfile data/acme_ca/ca_certs.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
- name: "Check proxy logs" | |
run: | | |
docker logs proxy | grep socks5 | grep -- "->" | |
docker stop proxy | |
docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv & | |
- name: "[ * ] collecting test logs" | |
if: ${{ failure() }} | |
run: | | |
mkdir -p ${{ github.workspace }}/artifact/upload | |
docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier | |
sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ | |
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ | |
sudo rm ${{ github.workspace }}/artifact/data/*.rpm | |
docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig | |
docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf | |
docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log | |
docker logs proxy > ${{ github.workspace }}/artifact/proxy.log | |
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data proxy.log acme-srv.log acme-sh | |
- name: "[ * ] uploading artificates" | |
uses: actions/upload-artifact@v4 | |
if: ${{ failure() }} | |
with: | |
name: proxy-rpm-rh${{ matrix.rhversion }}.tar.gz | |
path: ${{ github.workspace }}/artifact/upload/ |