Skip to content

[feat] log enrollment config in various ca_handlers #1126

[feat] log enrollment config in various ca_handlers

[feat] log enrollment config in various ca_handlers #1126

Workflow file for this run

name: Hooks Tests
on:
push:
pull_request:
branches: [ devel ]
schedule:
- cron: '0 2 * * 6'
jobs:
container_build:
name: "container_build"
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
websrv: ['apache2', 'nginx']
dbhandler: ['wsgi', 'django']
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "Build container"
uses: ./.github/actions/container_build_upload
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
hooks_tests:
name: "hooks_tests"
runs-on: ubuntu-latest
needs: container_build
strategy:
fail-fast: false
matrix:
websrv: ['apache2', 'nginx']
dbhandler: ['wsgi', 'django']
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "Download container"
uses: actions/download-artifact@v4
with:
name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz
path: /tmp
- name: "Import container"
run: |
sudo apt-get install -y docker-compose
gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz
docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar
docker images
- name: "Prepare container environment"
uses: ./.github/actions/container_prep
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
CONTAINER_BUILD: false
- name: "Bring up a2c container"
uses: ./.github/actions/container_up
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
- name: "Setup openssl ca_handler"
run: |
sudo mkdir -p examples/Docker/data/hooks
sudo chmod -R 777 examples/Docker/data/hooks
sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py
sudo mkdir -p examples/Docker/data/acme_ca/certs
sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/
sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
sudo chmod 777 examples/Docker/data/acme_srv.cfg
sudo echo -e "\n\n[Hooks]" >> examples/Docker/data/acme_srv.cfg
sudo echo "hooks_file: /var/www/acme2certifier/examples/hooks/cn_dump_hooks.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "save_path: volume/hooks" >> examples/Docker/data/acme_srv.cfg
sudo echo "$HOOKS_CHECKSUM" > examples/Docker/data/hooks/checksums.sha256
# sudo cat examples/Docker/data/acme_srv.cfg
cd examples/Docker/
docker-compose restart
env:
HOOKS_CHECKSUM: ${{ secrets.HOOKS_CHECKSUM }}
- name: "Sleep for 10s"
uses: juliangruber/[email protected]
with:
time: 10s
- name: "Test http://acme-srv/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
- name: "Test if https://acme-srv/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
- name: "Register certbot"
run: |
docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv --no-eff-email
- name: "Enroll certbot"
run: |
docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem
- name: "Prepare acme.sh container"
run: |
docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
- name: "Register acme.sh"
run: |
docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail '[email protected]' --debug 3
- name: "Enroll acme.sh"
run: |
docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure
openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
- name: "Enroll lego"
run: |
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --http run
sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt
- name: "Compare checksums to validate hook file content"
working-directory: examples/Docker/data/hooks
run: |
sha256sum -c checksums.sha256
- name: "Check container configuration"
uses: ./.github/actions/container_check
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
- name: "[ * ] collecting test logs"
if: ${{ failure() }}
run: |
mkdir -p ${{ github.workspace }}/artifact/upload
sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
cd examples/Docker
docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data
- name: "[ * ] uploading artificates"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: hooks-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
path: ${{ github.workspace }}/artifact/upload/
hooks_exception_handling:
name: "hooks_exception_handling"
runs-on: ubuntu-latest
needs: container_build
strategy:
fail-fast: false
matrix:
websrv: ['apache2', 'nginx']
dbhandler: ['wsgi', 'django']
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "create folders"
run: |
mkdir lego
mkdir acme-sh
mkdir certbot
- name: "Download container"
uses: actions/download-artifact@v4
with:
name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz
path: /tmp
- name: "Import container"
run: |
sudo apt-get install -y docker-compose
gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz
docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar
docker images
- name: "Prepare container environment"
uses: ./.github/actions/container_prep
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
CONTAINER_BUILD: false
- name: "Bring up a2c container"
uses: ./.github/actions/container_up
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
- name: "setup openssl ca_handler"
run: |
sudo mkdir -p examples/Docker/data/hooks
sudo chmod -R 777 examples/Docker/data/hooks
sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem
sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem
sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem
sudo cp .github/django_settings.py examples/Docker/data/settings.py
sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py
sudo mkdir -p examples/Docker/data/acme_ca/certs
sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/
sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
sudo chmod 777 examples/Docker/data/acme_srv.cfg
sudo echo -e "\n\n[Hooks]" >> examples/Docker/data/acme_srv.cfg
sudo echo "hooks_file: /var/www/acme2certifier/examples/hooks/exception_test_hooks.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "raise_pre_hook_exception: False" >> examples/Docker/data/acme_srv.cfg
sudo echo "raise_post_hook_exception: False" >> examples/Docker/data/acme_srv.cfg
sudo echo "raise_success_hook_exception: False" >> examples/Docker/data/acme_srv.cfg
# sudo cat examples/Docker/data/acme_srv.cfg
cd examples/Docker/
docker-compose restart
docker-compose logs
env:
HOOKS_CHECKSUM: ${{ secrets.HOOKS_CHECKSUM }}
- name: "Sleep for 10s"
uses: juliangruber/[email protected]
with:
time: 10s
- name: "Test http://acme-srv/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
- name: "Test if https://acme-srv/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
- name: "prepare acme.sh container"
run: |
docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
- name: "[ REGISTER] acme.sh"
run: |
docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail '[email protected]' --debug 3
- name: "[ ENROLL] acme.sh - *_pre_hook_failure not configured "
run: |
docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure
openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
- name: "[ PREPARE ] reconfigure hook handler to trigger pre hook exception "
run: |
sudo sed -i "s/raise_pre_hook_exception: False/raise_pre_hook_exception: True/g" examples/Docker/data/acme_srv.cfg
cd examples/Docker/
sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1)
docker-compose restart
- name: "[ FAIL ] acme.sh enrollment fails due to pre-hook exception (default behaviour)"
id: prehookfailure
continue-on-error: true
run: |
docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure
- name: "[ CHECK ] result - acme.sh enrollment failed due to pre-hook exception "
if: steps.prehookfailure.outcome != 'failure'
run: |
echo "prehookfailure outcome is ${{steps.prehookfailure.outcome }}"
exit 1
- name: "[ PREPARE ] reconfigure a2c to ignore pre-hook failures "
run: |
sudo echo "ignore_pre_hook_failure: True" >> examples/Docker/data/acme_srv.cfg
cd examples/Docker/
sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1)
docker-compose restart
- name: "[ ENROLL] acme.sh - ignore pre_hook_failures "
run: |
docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure
openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
- name: "[ PREPARE ] reconfigure hook handler to trigger success hook exception "
run: |
sudo sed -i "s/raise_pre_hook_exception: True/raise_pre_hook_exception: False/g" examples/Docker/data/acme_srv.cfg
sudo sed -i "s/raise_success_hook_exception: False/raise_success_hook_exception: True/g" examples/Docker/data/acme_srv.cfg
cd examples/Docker/
sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1)
docker-compose restart
- name: "[ FAIL ] acme.sh enrollment fails due to success-hook exception (default behaviour) "
id: successhookfailure
continue-on-error: true
run: |
docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure
- name: "[ CHECK ] result - acme.sh enrollment failed due to success-hook exception "
if: steps.successhookfailure.outcome != 'failure'
run: |
echo "successhookfailure outcome is ${{steps.successhookfailure.outcome }}"
exit 1
- name: "[ PREPARE ] reconfigure a2c to ignore success-hook failures "
run: |
sudo sed -i "s/ignore_pre_hook_failure: True/ignore_success_hook_failure: True/g" examples/Docker/data/acme_srv.cfg
cd examples/Docker/
sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1)
docker-compose restart
- name: "[ ENROLL] acme.sh - ignore sucess_hook_failures "
run: |
docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure
openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
- name: "[ PREPARE ] reconfigure hook handler to trigger post hook exception "
run: |
sudo sed -i "s/raise_success_hook_exception: True/raise_success_hook_exception: False/g" examples/Docker/data/acme_srv.cfg
sudo sed -i "s/raise_post_hook_exception: False/raise_post_hook_exception: True/g" examples/Docker/data/acme_srv.cfg
cd examples/Docker/
sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1)
docker-compose restart
- name: "[ ENROLL] acme.sh - ignore post_hook_failures (default behaviour) "
run: |
docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure
openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
- name: "[ PREPARE ] reconfigure a2c to detect success-hook failures "
run: |
sudo sed -i "s/ignore_success_hook_failure: True/ignore_post_hook_failure: False/g" examples/Docker/data/acme_srv.cfg
cd examples/Docker/
sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1)
docker-compose restart
- name: "[ FAIL ] acme.sh enrollment fails due to post-hook exception "
id: posthookfailure
continue-on-error: true
run: |
docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure
- name: "[ CHECK ] result - acme.sh enrollment failed due to post-hook exception "
if: steps.posthookfailure.outcome != 'failure'
run: |
echo "posthookfailure outcome is ${{steps.posthookfailure.outcome }}"
exit 1
- name: "Check container configuration"
uses: ./.github/actions/container_check
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
- name: "[ * ] collecting test logs"
if: ${{ failure() }}
run: |
mkdir -p ${{ github.workspace }}/artifact/upload
sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
cd examples/Docker
docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data
- name: "[ * ] uploading artificates"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: hooks_exception_handling-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
path: ${{ github.workspace }}/artifact/upload/
cleanup:
name: "cleanup"
runs-on: ubuntu-latest
needs: [hooks_tests, hooks_exception_handling]
strategy:
fail-fast: false
matrix:
websrv: ['apache2', 'nginx']
dbhandler: ['wsgi', 'django']
steps:
- uses: geekyeggo/delete-artifact@v5
with:
name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz
rpm_build_and_upload:
name: "rpm_build_and_upload"
runs-on: ubuntu-latest
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "Build rpm package"
id: rpm_build
uses: ./.github/actions/rpm_build_upload
hooks_test_rpm:
name: "hooks_test_rpm"
runs-on: ubuntu-latest
needs: rpm_build_and_upload
strategy:
fail-fast: false
matrix:
rhversion: [8, 9]
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "Prepare Alma environment"
uses: ./.github/actions/rpm_prep
with:
GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
RH_VERSION: ${{ matrix.rhversion }}
RPM_BUILD: false
- name: Download rpm package
uses: actions/download-artifact@v4
with:
name: acme2certifier-${{ github.run_id }}.noarch.rpm
path: data/
- name: "create letsencrypt and lego folder"
run: |
mkdir acme-sh
mkdir lego
- name: "prepare acme_srv.cfg with openssl_ca_handler"
run: |
sudo mkdir -p data/acme_ca/certs
sudo mkdir -p data/acme_ca/hooks
sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/
sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/acme_srv.cfg
sudo chmod 777 data/acme_srv.cfg
sudo chmod -R 777 data/acme_ca/hooks
sudo echo -e "\n\n[Hooks]" >> data/acme_srv.cfg
sudo echo "hooks_file: /opt/acme2certifier/examples/hooks/cn_dump_hooks.py" >> data/acme_srv.cfg
sudo echo "save_path: /tmp/acme2certifier/acme_ca/hooks" >> data/acme_srv.cfg
sudo echo "$HOOKS_CHECKSUM" > data/acme_ca/hooks/checksums.sha256
env:
HOOKS_CHECKSUM: ${{ secrets.HOOKS_CHECKSUM }}
- name: "[ RUN ] Execute install scipt"
run: |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
- name: "Test http://acme-srv/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
- name: "[ REGISTER] certbot"
run: |
docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv --no-eff-email
- name: "[ ENROLL ] HTTP-01 single domain certbot"
run: |
docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
sudo openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem
- name: "prepare acme.sh container"
run: |
docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
- name: "[ REGISTER] acme.sh"
run: |
docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail '[email protected]' --debug 3
- name: "[ ENROLL] acme.sh"
run: |
docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure
openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
- name: "[ ENROLL ] lego"
run: |
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --http run
sudo openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt
- name: "[ CHECK ] compare checksums to validate hook file content"
working-directory: data/acme_ca/hooks
run: |
sha256sum -c checksums.sha256
- name: "[ * ] collecting test logs"
if: ${{ failure() }}
run: |
mkdir -p ${{ github.workspace }}/artifact/upload
docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
sudo rm ${{ github.workspace }}/artifact/data/*.rpm
docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh
- name: "[ * ] uploading artificates"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: hooks-rpm-rh${{ matrix.rhversion }}.tar.gz
path: ${{ github.workspace }}/artifact/upload/
hooks_exception_handling_rpm:
name: "hooks_exception_handling_rpm"
runs-on: ubuntu-latest
needs: rpm_build_and_upload
strategy:
fail-fast: false
matrix:
rhversion: [8, 9]
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "Prepare Alma environment"
uses: ./.github/actions/rpm_prep
with:
GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
RH_VERSION: ${{ matrix.rhversion }}
RPM_BUILD: false
- name: Download rpm package
uses: actions/download-artifact@v4
with:
name: acme2certifier-${{ github.run_id }}.noarch.rpm
path: data/
- name: "create letsencrypt and lego folder"
run: |
mkdir acme-sh
mkdir lego
- name: "prepare acme_srv.cfg with openssl_ca_handler"
run: |
sudo mkdir -p data/acme_ca/certs
sudo mkdir -p data/acme_ca/hooks
sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/
sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/acme_srv.cfg
sudo chmod 777 data/acme_srv.cfg
sudo chmod -R 777 data/acme_ca/hooks
sudo echo -e "\n\n[Hooks]" >> data/acme_srv.cfg
sudo echo "hooks_file: /opt/acme2certifier/examples/hooks/exception_test_hooks.py" >> data/acme_srv.cfg
sudo echo "raise_pre_hook_exception: False" >> data/acme_srv.cfg
sudo echo "raise_post_hook_exception: False" >> data/acme_srv.cfg
sudo echo "raise_success_hook_exception: False" >> data/acme_srv.cfg
env:
HOOKS_CHECKSUM: ${{ secrets.HOOKS_CHECKSUM }}
- name: "[ RUN ] Execute install scipt"
run: |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
- name: "Test http://acme-srv/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
- name: "prepare acme.sh container"
run: |
docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
- name: "[ REGISTER] acme.sh"
run: |
docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail '[email protected]' --debug 3
- name: "[ ENROLL] acme.sh - *_pre_hook_failure not configured "
run: |
docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure
openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
- name: "[ PREPARE ] reconfigure hook handler to trigger pre hook exception "
run: |
sudo sed -i "s/raise_pre_hook_exception: False/raise_pre_hook_exception: True/g" data/acme_srv.cfg
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
- name: "[ FAIL ] acme.sh enrollment fails due to pre-hook exception (default behaviour)"
id: prehookfailure
continue-on-error: true
run: |
docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure
- name: "[ CHECK ] result - acme.sh enrollment failed due to pre-hook exception "
if: steps.prehookfailure.outcome != 'failure'
run: |
echo "prehookfailure outcome is ${{steps.prehookfailure.outcome }}"
exit 1
- name: "[ PREPARE ] reconfigure a2c to ignore pre-hook failures "
run: |
sudo echo "ignore_pre_hook_failure: True" >> data/acme_srv.cfg
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
- name: "[ ENROLL] acme.sh - ignore pre_hook_failures "
run: |
docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure
openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
- name: "[ PREPARE ] reconfigure hook handler to trigger success hook exception "
run: |
sudo sed -i "s/raise_pre_hook_exception: True/raise_pre_hook_exception: False/g" data/acme_srv.cfg
sudo sed -i "s/raise_success_hook_exception: False/raise_success_hook_exception: True/g" data/acme_srv.cfg
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
- name: "[ FAIL ] acme.sh enrollment fails due to success-hook exception (default behaviour) "
id: successhookfailure
continue-on-error: true
run: |
docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure
- name: "[ CHECK ] result - acme.sh enrollment failed due to success-hook exception "
if: steps.successhookfailure.outcome != 'failure'
run: |
echo "successhookfailure outcome is ${{steps.successhookfailure.outcome }}"
exit 1
- name: "[ PREPARE ] reconfigure a2c to ignore success-hook failures "
run: |
sudo sed -i "s/ignore_pre_hook_failure: True/ignore_success_hook_failure: True/g" data/acme_srv.cfg
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
- name: "[ ENROLL] acme.sh - ignore sucess_hook_failures "
run: |
docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure
openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
- name: "[ PREPARE ] reconfigure hook handler to trigger post hook exception "
run: |
sudo sed -i "s/raise_success_hook_exception: True/raise_success_hook_exception: False/g" data/acme_srv.cfg
sudo sed -i "s/raise_post_hook_exception: False/raise_post_hook_exception: True/g" data/acme_srv.cfg
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
- name: "[ ENROLL] acme.sh - ignore post_hook_failures (default behaviour) "
run: |
docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure
openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
- name: "[ PREPARE ] reconfigure a2c to detect success-hook failures "
run: |
sudo sed -i "s/ignore_success_hook_failure: True/ignore_post_hook_failure: False/g" data/acme_srv.cfg
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
- name: "[ FAIL ] acme.sh enrollment fails due to post-hook exception "
id: posthookfailure
continue-on-error: true
run: |
docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure
- name: "[ CHECK ] result - acme.sh enrollment failed due to post-hook exception "
if: steps.posthookfailure.outcome != 'failure'
run: |
echo "posthookfailure outcome is ${{steps.posthookfailure.outcome }}"
exit 1
- name: "[ * ] collecting test logs"
if: ${{ failure() }}
run: |
mkdir -p ${{ github.workspace }}/artifact/upload
docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
sudo rm ${{ github.workspace }}/artifact/data/*.rpm
docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh
- name: "[ * ] uploading artificates"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: hooks-rpm-rh${{ matrix.rhversion }}.tar.gz
path: ${{ github.workspace }}/artifact/upload/