[feat] log enrollment config in various ca_handlers #1765
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: EAB Tests | |
on: | |
push: | |
pull_request: | |
branches: [ devel ] | |
schedule: | |
# * is a special character in YAML so you have to quote this string | |
- cron: '0 2 * * 6' | |
jobs: | |
eab_apache2_wsgi: | |
name: "eab_apache2_wsgi" | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
websrv: ['apache2', 'nginx'] | |
dbhandler: ['wsgi', 'django'] | |
steps: | |
- name: "checkout GIT" | |
uses: actions/checkout@v4 | |
- name: "Build container" | |
uses: ./.github/actions/container_prep | |
with: | |
DB_HANDLER: ${{ matrix.dbhandler }} | |
WEB_SRV: ${{ matrix.websrv }} | |
- name: "Create letsencrypt folder" | |
run: | | |
mkdir -p certbot | |
mkdir -p lego | |
mkdir -p acme-sh | |
- name: "Setup openssl ca_handler" | |
run: | | |
sudo mkdir -p examples/Docker/data/acme_ca/certs | |
sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ | |
sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg examples/Docker/data/acme_srv.cfg | |
sudo chmod 777 examples/Docker/data/acme_srv.cfg | |
sudo echo -e "\n\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/json_handler.py" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "key_file: examples/eab_handler/key_file.json" >> examples/Docker/data/acme_srv.cfg | |
cd examples/Docker/ | |
docker-compose restart | |
- name: "Sleep for 10s" | |
uses: juliangruber/[email protected] | |
with: | |
time: 10s | |
- name: "Test http://acme-srv/directory is accessible" | |
run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory | |
- name: "Test if https://acme-srv/directory is accessible" | |
run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory | |
- name: "Fail - Register lego" | |
id: legofail | |
continue-on-error: true | |
run: | | |
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --http run | |
- name: "Check lego result" | |
if: steps.legofail.outcome != 'failure' | |
run: | | |
echo "legofail outcome is ${{steps.legofail.outcome }}" | |
exit 1 | |
- name: "Enroll lego" | |
run: | | |
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.acme --http run | |
sudo cat lego/certificates/lego.acme.issuer.crt | awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' | |
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
- name: "Fail - Registercertbot without eab-credentials" | |
id: certbotfail | |
continue-on-error: true | |
run: | | |
docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv --no-eff-email | |
- name: "check certbot result " | |
if: steps.certbotfail.outcome != 'failure' | |
run: | | |
echo "certbot outcome is ${{steps.certbotfail.outcome }}" | |
exit 1 | |
- name: "Register certbot using eab-credentials" | |
run: | | |
docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv --no-eff-email --eab-kid keyid_02 --eab-hmac-key=dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM | |
- name: "Enroll HTTP-01 single domain certbot" | |
run: | | |
docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot | |
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem | |
- name: "Fail - Register acme.sh" | |
id: acmeshfail | |
continue-on-error: true | |
run: | | |
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --debug 3 | |
- name: "Check acme.sh result " | |
if: steps.acmeshfail.outcome != 'failure' | |
run: | | |
echo "acmeshfail outcome is ${{steps.acmeshfail.outcome }}" | |
exit 1 | |
- name: "Register acme.sh with eab-credentials" | |
run: | | |
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 | |
- name: "Enroll acme.sh" | |
run: | | |
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure | |
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
- name: "[ * ] collecting test logs" | |
if: ${{ failure() }} | |
run: | | |
mkdir -p ${{ github.workspace }}/artifact/upload | |
sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ | |
cd examples/Docker | |
docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log | |
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data | |
- name: "[ * ] uploading artificates" | |
uses: actions/upload-artifact@v4 | |
if: ${{ failure() }} | |
with: | |
name: eab-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz | |
path: ${{ github.workspace }}/artifact/upload/ | |
eab_rpm: | |
name: "eab_rpm" | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
rhversion: [8, 9] | |
execscript: ['rpm_tester.sh', 'django_tester.sh'] | |
steps: | |
- name: "checkout GIT" | |
uses: actions/checkout@v4 | |
- name: "Prepare Alma environment" | |
uses: ./.github/actions/rpm_prep | |
with: | |
GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} | |
GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} | |
RH_VERSION: ${{ matrix.rhversion }} | |
- name: "Create letsencrypt and lego folder" | |
run: | | |
sudo mkdir -p acme-sh | |
sudo mkdir -p certbot | |
sudo mkdir -p lego | |
- name: "Prepare acme_srv.cfg for wsgi with openssl_ca_handler" | |
if: matrix.execscript == 'rpm_tester.sh' | |
run: | | |
sudo mkdir -p data/acme_ca/certs/ | |
sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/ | |
sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/acme_srv.cfg | |
sudo chmod 777 data/acme_srv.cfg | |
sudo echo -e "\n\n[EABhandler]" >> data/acme_srv.cfg | |
sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/json_handler.py" >> data/acme_srv.cfg | |
sudo echo "key_file: /opt/acme2certifier/examples/eab_handler/key_file.json" >> data/acme_srv.cfg | |
- name: "Prepare acme_srv.cfg for django with openssl_ca_handler" | |
if: matrix.execscript == 'django_tester.sh' | |
run: | | |
sudo mkdir -p data/volume/acme_ca/certs | |
sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/volume/acme_ca/ | |
sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/volume/acme_srv.cfg | |
sudo chmod 777 data/volume/acme_srv.cfg | |
sudo echo -e "\n\n[EABhandler]" >> data/volume/acme_srv.cfg | |
sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/json_handler.py" >>data/volume/acme_srv.cfg | |
sudo echo "key_file: /opt/acme2certifier/examples/eab_handler/key_file.json" >> data/volume/acme_srv.cfg | |
- name: "Execute install scipt" | |
run: | | |
docker exec acme-srv sh /tmp/acme2certifier/$EXEC_SCRIPT | |
env: | |
EXEC_SCRIPT: ${{ matrix.execscript }} | |
- name: "Sleep for 10s" | |
uses: juliangruber/[email protected] | |
with: | |
time: 10s | |
- name: "Test http://acme-srv/directory is accessible" | |
run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory | |
- name: "Test if https://acme-srv/directory is accessible" | |
run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory | |
- name: "Fail - Register lego" | |
id: legofail | |
continue-on-error: true | |
run: | | |
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --http run | |
- name: "Check lego result" | |
if: steps.legofail.outcome != 'failure' | |
run: | | |
echo "legofail outcome is ${{steps.legofail.outcome }}" | |
exit 1 | |
- name: "Enroll lego" | |
run: | | |
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.acme --http run | |
sudo cat lego/certificates/lego.acme.issuer.crt | awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' | |
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
- name: "Fail - Registercertbot without eab-credentials" | |
id: certbotfail | |
continue-on-error: true | |
run: | | |
docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv --no-eff-email | |
- name: "check certbot result " | |
if: steps.certbotfail.outcome != 'failure' | |
run: | | |
echo "certbot outcome is ${{steps.certbotfail.outcome }}" | |
exit 1 | |
- name: "Register certbot using eab-credentials" | |
run: | | |
docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv --no-eff-email --eab-kid keyid_02 --eab-hmac-key=dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM | |
- name: "Enroll HTTP-01 single domain certbot" | |
run: | | |
docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot | |
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem | |
- name: "Fail - Register acme.sh" | |
id: acmeshfail | |
continue-on-error: true | |
run: | | |
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --debug 3 | |
- name: "Check acme.sh result " | |
if: steps.acmeshfail.outcome != 'failure' | |
run: | | |
echo "acmeshfail outcome is ${{steps.acmeshfail.outcome }}" | |
exit 1 | |
- name: "Register acme.sh with eab-credentials" | |
run: | | |
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 | |
- name: "Enroll acme.sh" | |
run: | | |
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure | |
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
- name: "[ * ] collecting test logs" | |
if: ${{ failure() }} | |
run: | | |
mkdir -p ${{ github.workspace }}/artifact/upload | |
docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier | |
sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ | |
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ | |
sudo rm ${{ github.workspace }}/artifact/data/*.rpm | |
docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig | |
docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf | |
docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log | |
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh | |
- name: "[ * ] uploading artificates" | |
uses: actions/upload-artifact@v4 | |
if: ${{ failure() }} | |
with: | |
name: eab-rpm-{{ matrix.execscript }}-rh${{ matrix.rhversion }}.tar.gz | |
path: ${{ github.workspace }}/artifact/upload/ | |