Skip to content

[doc] openxpi handler #1363

[doc] openxpi handler

[doc] openxpi handler #1363

name: Asynchronous enrollment and certificate re-usage
on:
push:
pull_request:
branches: [ devel ]
schedule:
# * is a special character in YAML so you have to quote this string
- cron: '0 2 * * 6'
jobs:
async_enrollment_cert_reusage:
name: async_enrollment_cert_reusage
runs-on: ubuntu-latest
strategy:
# max-parallel: 1
fail-fast: false
matrix:
websrv: ['apache2', 'nginx']
dbhandler: ['wsgi', 'django']
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "create folders"
run: |
mkdir lego
mkdir acme-sh
mkdir certbot
- name: "Build container"
uses: ./.github/actions/container_prep
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
DJANGO_DB: psql
- name: "Setup openssl ca_handler"
run: |
sudo mkdir -p examples/Docker/data/acme_ca/certs
sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/
sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py
sudo chmod 777 examples/Docker/data/ca_handler.py
sudo sed -i "s/import uuid/import uuid\\nimport time/g" examples/Docker/data/ca_handler.py
sudo sed -i "s/ cert_raw = None/ cert_raw = None\\n time.sleep(30)/g" examples/Docker/data/ca_handler.py
sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
sudo chmod 777 examples/Docker/data/acme_srv.cfg
sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\\ncert_reusage_timeframe: 300/g" examples/Docker/data/acme_srv.cfg
cd examples/Docker/
docker-compose restart
- name: "Enrollment"
uses: ./.github/actions/wf_specific/enrollment_timeout/enroll
- name: "[ * ] collecting test data"
if: ${{ failure() }}
run: |
mkdir -p ${{ github.workspace }}/artifact/upload
sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
cd examples/Docker
docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh
- name: "[ * ] uploading artifacts"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: async_enrollment_cert_reusage-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
path: ${{ github.workspace }}/artifact/upload/
rpm_wsgi_async_enrollment_cert_reusage:
name: "rpm_wsgi_async_enrollment_cert_reusage"
runs-on: ubuntu-latest
strategy:
# max-parallel: 1
fail-fast: false
matrix:
rhversion: [8, 9]
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "Prepare Alma environment"
uses: ./.github/actions/rpm_prep
with:
GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
RH_VERSION: ${{ matrix.rhversion }}
- name: "Setup openssl ca_handler"
run: |
sudo mkdir -p data/acme_ca/certs
sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/
sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/acme_srv.cfg
sudo cp examples/ca_handler/openssl_ca_handler.py data/acme_ca/ca_handler.py
sudo chmod 777 data/acme_ca/ca_handler.py
sudo sed -i "s/import uuid/import uuid\\nimport time/g" data/acme_ca/ca_handler.py
sudo sed -i "s/ cert_raw = None/ cert_raw = None\\n time.sleep(22)\\n self.logger.debug('CAhandler.enroll(): timeout done')/g" data/acme_ca/ca_handler.py
sudo chmod 777 data/acme_srv.cfg
sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\\ncert_reusage_timeframe: 1800\\nenrollment_timeout: 15/g" data/acme_srv.cfg
# sudo sed -i "s/retry_after_timeout: 15/retry_after_timeout: 30\\nenrollment_timeout: 15/g" data/acme_srv.cfg
sudo sed -i "s/handler_file: examples\/ca_handler\/openssl_ca_handler.py/handler_file: \/opt\/acme2certifier\/volume\/acme_ca\/ca_handler.py/g" data/acme_srv.cfg
- name: "Execute install scipt"
run: |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
- name: "Enrollment"
uses: ./.github/actions/wf_specific/enrollment_timeout/enroll
with:
DEPLOYMENT_TYPE: "rpm"
- name: "[ * ] collecting test logs"
if: ${{ failure() }}
run: |
mkdir -p ${{ github.workspace }}/artifact/upload
docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
sudo rm ${{ github.workspace }}/artifact/data/*.rpm
docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log
- name: "[ * ] uploading artificates"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: rpm_wsgi_async_enrollment_cert_reusage-rh${{ matrix.rhversion }}.tar.gz
path: ${{ github.workspace }}/artifact/upload/
rpm_django_async_enrollment_cert_reusage:
name: "rpm_django_async_enrollment_cert_reusage"
runs-on: ubuntu-latest
strategy:
# max-parallel: 1
fail-fast: false
matrix:
rhversion: [8, 9]
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "Prepare Alma environment"
uses: ./.github/actions/rpm_prep
with:
GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
RH_VERSION: ${{ matrix.rhversion }}
DJANGO_DB: psql
- name: "Setup openssl ca_handler"
run: |
mkdir -p data/volume/acme_ca/certs
sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/volume/acme_ca/
sudo cp examples/ca_handler/openssl_ca_handler.py data/volume/acme_ca/ca_handler.py
sudo chmod 777 data/volume/acme_ca/ca_handler.py
sudo sed -i "s/import uuid/import uuid\\nimport time/g" data/volume/acme_ca/ca_handler.py
# sudo sed -i "s/ cert_raw = None/ cert_raw = None\\n time.sleep(15)/g" data/volume/acme_ca/ca_handler.py
sudo sed -i "s/ cert_raw = None/ cert_raw = None\\n self.logger.debug('CAhandler.enroll(): timeout start')\\n time.sleep(30)\\n self.logger.debug('CAhandler.enroll(): timeout done')/g" data/volume/acme_ca/ca_handler.py
sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/volume/acme_srv.cfg
sudo chmod 777 data/volume/acme_srv.cfg
sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\\ncert_reusage_timeframe: 1800\\nenrollment_timeout: 15/g" data/volume/acme_srv.cfg
# sudo sed -i "s/retry_after_timeout: 15/retry_after_timeout: 30\\nenrollment_timeout: 15/g" data/volume/acme_srv.cfg
sudo sed -i "s/handler_file: examples\/ca_handler\/openssl_ca_handler.py/handler_file: \/opt\/acme2certifier\/volume\/acme_ca\/ca_handler.py/g" data/volume/acme_srv.cfg
- name: "Execute install scipt"
run: |
docker exec acme-srv sh /tmp/acme2certifier/django_tester.sh
- name: "Enrollment"
uses: ./.github/actions/wf_specific/enrollment_timeout/enroll
with:
DEPLOYMENT_TYPE: "rpm"
- name: "[ * ] collecting test logs"
if: ${{ failure() }}
run: |
mkdir -p ${{ github.workspace }}/artifact/upload
docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
docker exec acme-srv tar cvfz /tmp/acme2certifier/nginx.tgz /etc/nginx
sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
sudo rm ${{ github.workspace }}/artifact/data/*.rpm
docker exec postgresdbsrv pg_dump -U postgres acme2certifier > data/acme2certifier.sql
docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
docker exec acme-srv rpm -qa > ${{ github.workspace }}/artifact/data/packages.txt
docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log
- name: "[ * ] uploading artificates"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: rpm_django_async_enrollment_cert_reusage-rh${{ matrix.rhversion }}.tar.gz
path: ${{ github.workspace }}/artifact/upload/