Skip to content

[feat] log enrollment config in various ca_handlers #1765

[feat] log enrollment config in various ca_handlers

[feat] log enrollment config in various ca_handlers #1765

Workflow file for this run

name: EAB Tests
on:
push:
pull_request:
branches: [ devel ]
schedule:
# * is a special character in YAML so you have to quote this string
- cron: '0 2 * * 6'
jobs:
eab_apache2_wsgi:
name: "eab_apache2_wsgi"
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
websrv: ['apache2', 'nginx']
dbhandler: ['wsgi', 'django']
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "Build container"
uses: ./.github/actions/container_prep
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
- name: "Create letsencrypt folder"
run: |
mkdir -p certbot
mkdir -p lego
mkdir -p acme-sh
- name: "Setup openssl ca_handler"
run: |
sudo mkdir -p examples/Docker/data/acme_ca/certs
sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/
sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg examples/Docker/data/acme_srv.cfg
sudo chmod 777 examples/Docker/data/acme_srv.cfg
sudo echo -e "\n\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg
sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/json_handler.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "key_file: examples/eab_handler/key_file.json" >> examples/Docker/data/acme_srv.cfg
cd examples/Docker/
docker-compose restart
- name: "Sleep for 10s"
uses: juliangruber/[email protected]
with:
time: 10s
- name: "Test http://acme-srv/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
- name: "Test if https://acme-srv/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
- name: "Fail - Register lego"
id: legofail
continue-on-error: true
run: |
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --http run
- name: "Check lego result"
if: steps.legofail.outcome != 'failure'
run: |
echo "legofail outcome is ${{steps.legofail.outcome }}"
exit 1
- name: "Enroll lego"
run: |
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.acme --http run
sudo cat lego/certificates/lego.acme.issuer.crt | awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}'
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
- name: "Fail - Registercertbot without eab-credentials"
id: certbotfail
continue-on-error: true
run: |
docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv --no-eff-email
- name: "check certbot result "
if: steps.certbotfail.outcome != 'failure'
run: |
echo "certbot outcome is ${{steps.certbotfail.outcome }}"
exit 1
- name: "Register certbot using eab-credentials"
run: |
docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv --no-eff-email --eab-kid keyid_02 --eab-hmac-key=dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM
- name: "Enroll HTTP-01 single domain certbot"
run: |
docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
- name: "Fail - Register acme.sh"
id: acmeshfail
continue-on-error: true
run: |
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --debug 3
- name: "Check acme.sh result "
if: steps.acmeshfail.outcome != 'failure'
run: |
echo "acmeshfail outcome is ${{steps.acmeshfail.outcome }}"
exit 1
- name: "Register acme.sh with eab-credentials"
run: |
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3
- name: "Enroll acme.sh"
run: |
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
- name: "[ * ] collecting test logs"
if: ${{ failure() }}
run: |
mkdir -p ${{ github.workspace }}/artifact/upload
sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
cd examples/Docker
docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data
- name: "[ * ] uploading artificates"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: eab-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
path: ${{ github.workspace }}/artifact/upload/
eab_rpm:
name: "eab_rpm"
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
rhversion: [8, 9]
execscript: ['rpm_tester.sh', 'django_tester.sh']
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "Prepare Alma environment"
uses: ./.github/actions/rpm_prep
with:
GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
RH_VERSION: ${{ matrix.rhversion }}
- name: "Create letsencrypt and lego folder"
run: |
sudo mkdir -p acme-sh
sudo mkdir -p certbot
sudo mkdir -p lego
- name: "Prepare acme_srv.cfg for wsgi with openssl_ca_handler"
if: matrix.execscript == 'rpm_tester.sh'
run: |
sudo mkdir -p data/acme_ca/certs/
sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/
sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/acme_srv.cfg
sudo chmod 777 data/acme_srv.cfg
sudo echo -e "\n\n[EABhandler]" >> data/acme_srv.cfg
sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/json_handler.py" >> data/acme_srv.cfg
sudo echo "key_file: /opt/acme2certifier/examples/eab_handler/key_file.json" >> data/acme_srv.cfg
- name: "Prepare acme_srv.cfg for django with openssl_ca_handler"
if: matrix.execscript == 'django_tester.sh'
run: |
sudo mkdir -p data/volume/acme_ca/certs
sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/volume/acme_ca/
sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/volume/acme_srv.cfg
sudo chmod 777 data/volume/acme_srv.cfg
sudo echo -e "\n\n[EABhandler]" >> data/volume/acme_srv.cfg
sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/json_handler.py" >>data/volume/acme_srv.cfg
sudo echo "key_file: /opt/acme2certifier/examples/eab_handler/key_file.json" >> data/volume/acme_srv.cfg
- name: "Execute install scipt"
run: |
docker exec acme-srv sh /tmp/acme2certifier/$EXEC_SCRIPT
env:
EXEC_SCRIPT: ${{ matrix.execscript }}
- name: "Sleep for 10s"
uses: juliangruber/[email protected]
with:
time: 10s
- name: "Test http://acme-srv/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
- name: "Test if https://acme-srv/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
- name: "Fail - Register lego"
id: legofail
continue-on-error: true
run: |
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --http run
- name: "Check lego result"
if: steps.legofail.outcome != 'failure'
run: |
echo "legofail outcome is ${{steps.legofail.outcome }}"
exit 1
- name: "Enroll lego"
run: |
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.acme --http run
sudo cat lego/certificates/lego.acme.issuer.crt | awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}'
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
- name: "Fail - Registercertbot without eab-credentials"
id: certbotfail
continue-on-error: true
run: |
docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv --no-eff-email
- name: "check certbot result "
if: steps.certbotfail.outcome != 'failure'
run: |
echo "certbot outcome is ${{steps.certbotfail.outcome }}"
exit 1
- name: "Register certbot using eab-credentials"
run: |
docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv --no-eff-email --eab-kid keyid_02 --eab-hmac-key=dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM
- name: "Enroll HTTP-01 single domain certbot"
run: |
docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
- name: "Fail - Register acme.sh"
id: acmeshfail
continue-on-error: true
run: |
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --debug 3
- name: "Check acme.sh result "
if: steps.acmeshfail.outcome != 'failure'
run: |
echo "acmeshfail outcome is ${{steps.acmeshfail.outcome }}"
exit 1
- name: "Register acme.sh with eab-credentials"
run: |
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3
- name: "Enroll acme.sh"
run: |
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
- name: "[ * ] collecting test logs"
if: ${{ failure() }}
run: |
mkdir -p ${{ github.workspace }}/artifact/upload
docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
sudo rm ${{ github.workspace }}/artifact/data/*.rpm
docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh
- name: "[ * ] uploading artificates"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: eab-rpm-{{ matrix.execscript }}-rh${{ matrix.rhversion }}.tar.gz
path: ${{ github.workspace }}/artifact/upload/