[wf] sleep in asa-handler workflow to avoid testing starts to early #1234
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CA handler tests - ACME | |
on: | |
push: | |
pull_request: | |
branches: [ devel ] | |
schedule: | |
- cron: '0 2 * * 6' | |
jobs: | |
container_build: | |
name: "container_build" | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
websrv: ['apache2', 'nginx'] | |
dbhandler: ['wsgi', 'django'] | |
steps: | |
- name: "checkout GIT" | |
uses: actions/checkout@v4 | |
- name: "Build container" | |
uses: ./.github/actions/container_build_upload | |
with: | |
DB_HANDLER: ${{ matrix.dbhandler }} | |
WEB_SRV: ${{ matrix.websrv }} | |
acme_ca_handler_test: | |
name: "acme_ca_handler_test" | |
runs-on: ubuntu-latest | |
needs: container_build | |
strategy: | |
fail-fast: false | |
matrix: | |
websrv: ['apache2', 'nginx'] | |
dbhandler: ['wsgi', 'django'] | |
steps: | |
- name: "checkout GIT" | |
uses: actions/checkout@v4 | |
- name: "Download container" | |
uses: actions/download-artifact@v4 | |
with: | |
name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz | |
path: /tmp | |
- name: "Import container" | |
run: | | |
sudo apt-get install -y docker-compose | |
gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz | |
docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar | |
docker images | |
- name: "Prepare container environment" | |
uses: ./.github/actions/container_prep | |
with: | |
DB_HANDLER: ${{ matrix.dbhandler }} | |
WEB_SRV: ${{ matrix.websrv }} | |
CONTAINER_BUILD: false | |
- name: "Setup le-sim" | |
uses: ./.github/actions/wf_specific/acme_ca_handler/le-sim_prep | |
- name: "Setup acme ca_handler" | |
run: | | |
sudo mkdir -p examples/Docker/data/acme | |
sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg | |
sudo chmod 777 examples/Docker/data/acme_srv.cfg | |
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg | |
sudo echo "handler_file: examples/ca_handler/acme_ca_handler.py" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "acme_keyfile: volume/acme/le_staging_private_key.json" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "acme_url: http://le-sim" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "acme_account_email: grindsa@foo.bar" >> examples/Docker/data/acme_srv.cfg | |
sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" examples/Docker/data/acme_srv.cfg | |
sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> examples/Docker/data/acme_srv.cfg | |
- name: "Bring up a2c container" | |
uses: ./.github/actions/container_up | |
with: | |
DB_HANDLER: ${{ matrix.dbhandler }} | |
WEB_SRV: ${{ matrix.websrv }} | |
- name: "Test enrollment" | |
uses: ./.github/actions/acme_clients | |
with: | |
TEST_ADL: "true" | |
- name: "Verify allowed_domainlist error" | |
run: | | |
cd examples/Docker | |
docker-compose logs | grep "allowed_domainlist" | grep -i "either CN or SANs are not allowed by configuration" | |
- name: "Check acme account found in keyfile" | |
run: | | |
cd examples/Docker | |
docker-compose logs | grep -i "found in keyfile" | |
- name: "Check container configuration" | |
uses: ./.github/actions/container_check | |
with: | |
DB_HANDLER: ${{ matrix.dbhandler }} | |
WEB_SRV: ${{ matrix.websrv }} | |
- name: "[ * ] collecting test data" | |
if: ${{ failure() }} | |
run: | | |
mkdir -p ${{ github.workspace }}/artifact/upload | |
sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ | |
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ | |
cd examples/Docker | |
docker logs acme-le-sim > ${{ github.workspace }}/artifact/acme-le-sim.log | |
docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log | |
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data docker-compose.log acme-le-sim.log | |
- name: "[ * ] uploading artifacts" | |
uses: actions/upload-artifact@v4 | |
if: ${{ failure() }} | |
with: | |
name: acme_ca_handler_container-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz | |
path: ${{ github.workspace }}/artifact/upload/ | |
acme_ca_handler_sectigo_test: | |
name: "acme_ca_handler_sectigo_test" | |
runs-on: ubuntu-latest | |
needs: container_build | |
strategy: | |
fail-fast: false | |
matrix: | |
websrv: ['apache2', 'nginx'] | |
dbhandler: ['wsgi', 'django'] | |
steps: | |
- name: "checkout GIT" | |
uses: actions/checkout@v4 | |
- name: "Download container" | |
uses: actions/download-artifact@v4 | |
with: | |
name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz | |
path: /tmp | |
- name: "Import container" | |
run: | | |
sudo apt-get install -y docker-compose | |
gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz | |
docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar | |
docker images | |
- name: "Prepare container environment" | |
uses: ./.github/actions/container_prep | |
with: | |
DB_HANDLER: ${{ matrix.dbhandler }} | |
WEB_SRV: ${{ matrix.websrv }} | |
CONTAINER_BUILD: false | |
- name: "Setup le-sim" | |
uses: ./.github/actions/wf_specific/acme_ca_handler/le-sim_prep | |
with: | |
SECTIGO_SIM: true | |
- name: "Setup openssl ca_handler" | |
run: | | |
sudo mkdir -p examples/Docker/data/acme | |
sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg | |
sudo chmod 777 examples/Docker/data/acme_srv.cfg | |
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg | |
sudo echo "handler_file: examples/ca_handler/acme_ca_handler.py" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "acme_keyfile: volume/acme/le_staging_private_key.json" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "acme_url: http://le-sim" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "acme_account_email: grindsa@foo.bar" >> examples/Docker/data/acme_srv.cfg | |
sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" examples/Docker/data/acme_srv.cfg | |
- name: "Bring up a2c container" | |
uses: ./.github/actions/container_up | |
with: | |
DB_HANDLER: ${{ matrix.dbhandler }} | |
WEB_SRV: ${{ matrix.websrv }} | |
- name: "Test enrollment" | |
uses: ./.github/actions/acme_clients | |
- name: "Check container configuration" | |
uses: ./.github/actions/container_check | |
with: | |
DB_HANDLER: ${{ matrix.dbhandler }} | |
WEB_SRV: ${{ matrix.websrv }} | |
- name: "[ * ] collecting test data" | |
if: ${{ failure() }} | |
run: | | |
mkdir -p ${{ github.workspace }}/artifact/upload | |
sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ | |
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ | |
cd examples/Docker | |
docker logs acme-le-sim > ${{ github.workspace }}/artifact/acme-le-sim.log | |
docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log | |
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data docker-compose.log acme-le-sim.log | |
- name: "[ * ] uploading artifacts" | |
uses: actions/upload-artifact@v4 | |
if: ${{ failure() }} | |
with: | |
name: acme_ca_handler_sectigo_container-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz | |
path: ${{ github.workspace }}/artifact/upload/ | |
acme_ca_handler_profiling_test: | |
name: "acme_ca_handler_profiling_test" | |
runs-on: ubuntu-latest | |
needs: container_build | |
strategy: | |
fail-fast: false | |
matrix: | |
websrv: ['apache2', 'nginx'] | |
dbhandler: ['wsgi', 'django'] | |
steps: | |
- name: "checkout GIT" | |
uses: actions/checkout@v4 | |
- name: "Download container" | |
uses: actions/download-artifact@v4 | |
with: | |
name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz | |
path: /tmp | |
- name: "Import container" | |
run: | | |
sudo apt-get install -y docker-compose | |
gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz | |
docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar | |
docker images | |
- name: "Prepare container environment" | |
uses: ./.github/actions/container_prep | |
with: | |
DB_HANDLER: ${{ matrix.dbhandler }} | |
WEB_SRV: ${{ matrix.websrv }} | |
CONTAINER_BUILD: false | |
- name: "Setup acme-le-sim-1" | |
uses: ./.github/actions/wf_specific/acme_ca_handler/le-sim_prep | |
with: | |
LESIM_NAME: acme-le-sim-1 | |
- name: "Setup acme-le-sim-2" | |
uses: ./.github/actions/wf_specific/acme_ca_handler/le-sim_prep | |
with: | |
LESIM_NAME: acme-le-sim-2 | |
- name: "Reconfigure acme-le-sim-2" | |
run: | | |
docker stop acme-le-sim-2 | |
sudo mkdir acme-le-sim-2/xca | |
sudo chmod -R 777 acme-le-sim-2/xca | |
sudo cp test/ca/acme2certifier-clean.xdb acme-le-sim-2/xca/$XCA_DB_NAME | |
sudo chmod 777 acme-le-sim-2/acme_srv.cfg | |
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > acme-le-sim-2/acme_srv.cfg | |
sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/xca_ca_handler.py" >> acme-le-sim-2/acme_srv.cfg | |
sudo echo "xdb_file: volume/xca/$XCA_DB_NAME" >> acme-le-sim-2/acme_srv.cfg | |
sudo echo "issuing_ca_name: root-ca" >> acme-le-sim-2/acme_srv.cfg | |
sudo echo "issuing_ca_key: root-ca" >> acme-le-sim-2/acme_srv.cfg | |
sudo echo "passphrase: $XCA_PASSPHRASE" >> acme-le-sim-2/acme_srv.cfg | |
# sudo echo "ca_cert_chain_list: [\"root-ca\"]" >> acme-le-sim-2/acme_srv.cfg | |
sudo echo "template_name: $XCA_TEMPLATE" >> acme-le-sim-2/acme_srv.cfg | |
sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" acme-le-sim-2/acme_srv.cfg | |
docker run -d --rm -id --network acme --name=acme-le-sim-2 -v "$(pwd)/acme-le-sim-2":/var/www/acme2certifier/volume/ grindsa/acme2certifier:apache2-wsgi | |
env: | |
XCA_PASSPHRASE: ${{ secrets.XCA_PASSPHRASE }} | |
XCA_ISSUING_CA: ${{ secrets.XCA_ISSUING_CA }} | |
XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} | |
XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} | |
- name: "Sleep for 10s" | |
uses: juliangruber/sleep-action@v2.0.3 | |
with: | |
time: 10s | |
- name: "Test http://acme-le-sim2/directory is accessible" | |
run: docker run -i --rm --network acme curlimages/curl -f http://acme-le-sim-2/directory | |
- name: "Enroll from acme-le-sim-2" | |
run: | | |
sudo rm -rf acme-sh/* | |
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-le-sim-2 --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure --force | |
openssl verify -CAfile acme-sh/acme-sh.acme_ecc/ca.cer acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -issuer --noout | grep -i root-ca | |
sudo rm -rf acme-sh/* | |
- name: "Setup acme ca_handler" | |
run: | | |
sudo mkdir -p examples/Docker/data/acme | |
sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg | |
sudo chmod 777 examples/Docker/data/acme_srv.cfg | |
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg | |
sudo echo "handler_file: examples/ca_handler/acme_ca_handler.py" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "acme_keyfile: volume/acme/le_staging_private_key.json" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "acme_keypath: volume/acme/" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "acme_url: http://acme-le-sim-1" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "acme_account_email: grindsa@foo.bar" >> examples/Docker/data/acme_srv.cfg | |
sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg | |
sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" examples/Docker/data/acme_srv.cfg | |
sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg | |
sudo echo -e "\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg | |
sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json | |
sudo chmod 777 examples/eab_handler/kid_profiles.json | |
sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"acme_url\"\: \[\"http:\/\/acme-le-sim-2.acme\", \"http:\/\/acme-le-sim-1.acme\"\]/g" examples/Docker/data/kid_profiles.json | |
sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"acme_url\"\: \"http:\/\/acme-le-sim-2.acme\"/g" examples/Docker/data/kid_profiles.json | |
sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"acme_keyfile\": \"\/var\/www\/acme2certifier\/volume\/acme-le-sim-2.json\"/" examples/Docker/data/kid_profiles.json | |
sudo sed -i "s/\"ca_name\": \"example_ca\",/\"acme_keyfile\": \[\"\/var\/www\/acme2certifier\/volume\/acme-le-sim-1.json\", \"\/var\/www\/acme2certifier\/volume\/acme-le-sim-2.json\"\]/g" examples/Docker/data/kid_profiles.json | |
sudo sed -i "s/example.net/acme/g" examples/Docker/data/kid_profiles.json | |
sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json | |
sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json | |
- name: "Bring up a2c container" | |
uses: ./.github/actions/container_up | |
with: | |
DB_HANDLER: ${{ matrix.dbhandler }} | |
WEB_SRV: ${{ matrix.websrv }} | |
- name: "Profiling - enrollment" | |
uses: ./.github/actions/wf_specific/acme_ca_handler/enrollment_profiling | |
- name: "Check container configuration" | |
uses: ./.github/actions/container_check | |
with: | |
DB_HANDLER: ${{ matrix.dbhandler }} | |
WEB_SRV: ${{ matrix.websrv }} | |
- name: "[ * ] collecting test data" | |
if: ${{ failure() }} | |
run: | | |
mkdir -p ${{ github.workspace }}/artifact/upload | |
sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ | |
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/data/acme-sh/ | |
sudo cp -rp acme-le-sim-1/ ${{ github.workspace }}/artifact/data/acme-le-sim-1/ | |
sudo cp -rp acme-le-sim-2/ ${{ github.workspace }}/artifact/data/acme-le-sim-2/ | |
cd examples/Docker | |
docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log | |
docker logs acme-le-sim-1 > ${{ github.workspace }}/artifact/acme-le-sim-1.log | |
docker logs acme-le-sim-2 > ${{ github.workspace }}/artifact/acme-le-sim-2.log | |
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data docker-compose.log acme-le-sim-1.log acme-le-sim-2.log | |
- name: "[ * ] uploading artifacts" | |
uses: actions/upload-artifact@v4 | |
if: ${{ failure() }} | |
with: | |
name: acme_ca_handler_profiling_test-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz | |
path: ${{ github.workspace }}/artifact/upload/ | |
acme_ca_handler_smallstep_test: | |
name: "acme_ca_handler_smallstep_test" | |
runs-on: ubuntu-latest | |
needs: container_build | |
strategy: | |
fail-fast: false | |
matrix: | |
websrv: ['apache2', 'nginx'] | |
dbhandler: ['wsgi', 'django'] | |
steps: | |
- name: "checkout GIT" | |
uses: actions/checkout@v4 | |
- name: "Download container" | |
uses: actions/download-artifact@v4 | |
with: | |
name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz | |
path: /tmp | |
- name: "Import container" | |
run: | | |
sudo apt-get install -y docker-compose | |
gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz | |
docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar | |
docker images | |
- name: "Prepare container environment" | |
uses: ./.github/actions/container_prep | |
with: | |
DB_HANDLER: ${{ matrix.dbhandler }} | |
WEB_SRV: ${{ matrix.websrv }} | |
CONTAINER_BUILD: false | |
- name: "Instanciate smallstep" | |
uses: ./.github/actions/wf_specific/acme_ca_handler/smallstep_prep | |
- name: "Setup acme ca_handler" | |
run: | | |
sudo mkdir -p examples/Docker/data/acme | |
sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg | |
sudo chmod 777 examples/Docker/data/acme_srv.cfg | |
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg | |
sudo echo "handler_file: examples/ca_handler/acme_ca_handler.py" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "acme_keyfile: volume/acme/le_staging_private_key.json" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "acme_url: https://step-ca.acme:9000/acme/acme" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "acme_account_email: grindsa@foo.bar" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "account_path: /" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "ssl_verify: False" >> examples/Docker/data/acme_srv.cfg | |
sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" examples/Docker/data/acme_srv.cfg | |
- name: "Bring up a2c container" | |
uses: ./.github/actions/container_up | |
with: | |
DB_HANDLER: ${{ matrix.dbhandler }} | |
WEB_SRV: ${{ matrix.websrv }} | |
- name: "Enroll via acme_ca_handler 1st attempt" | |
run: | | |
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-srv.acme --standalone --debug 3 --output-insecure --force | |
- name: "Enroll via acme_ca_handler 2nd attempt" | |
run: | | |
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-srv.acme --standalone --debug 3 --output-insecure --force | |
- name: "Check acme account found in keyfile" | |
run: | | |
cd examples/Docker | |
docker-compose logs | grep -i "found in keyfile" | |
- name: "Check container configuration" | |
uses: ./.github/actions/container_check | |
with: | |
DB_HANDLER: ${{ matrix.dbhandler }} | |
WEB_SRV: ${{ matrix.websrv }} | |
- name: "[ * ] collecting test data" | |
if: ${{ failure() }} | |
run: | | |
mkdir -p ${{ github.workspace }}/artifact/upload | |
sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ | |
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ | |
cd examples/Docker | |
docker logs step-ca > ${{ github.workspace }}/artifact/step-ca.log | |
docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log | |
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data docker-compose.log step-ca.log | |
- name: "[ * ] uploading artifacts" | |
uses: actions/upload-artifact@v4 | |
if: ${{ failure() }} | |
with: | |
name: acme_ca_handler_container-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz | |
path: ${{ github.workspace }}/artifact/upload/ | |
cleanup: | |
name: "cleanup" | |
runs-on: ubuntu-latest | |
needs: [acme_ca_handler_test, acme_ca_handler_sectigo_test, acme_ca_handler_profiling_test, acme_ca_handler_smallstep_test] | |
strategy: | |
fail-fast: false | |
matrix: | |
websrv: ['apache2', 'nginx'] | |
dbhandler: ['wsgi', 'django'] | |
steps: | |
- uses: geekyeggo/delete-artifact@v5 | |
with: | |
name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz | |
rpm_build_and_upload: | |
name: "rpm_build_and_upload" | |
runs-on: ubuntu-latest | |
steps: | |
- name: "checkout GIT" | |
uses: actions/checkout@v4 | |
- name: "Build rpm package" | |
id: rpm_build | |
uses: ./.github/actions/rpm_build_upload | |
rpm_acme_ca_handler_test: | |
name: "rpm_acme_ca_handler_test" | |
runs-on: ubuntu-latest | |
needs: [rpm_build_and_upload] | |
strategy: | |
fail-fast: false | |
matrix: | |
rhversion: [8, 9] | |
steps: | |
- name: "checkout GIT" | |
uses: actions/checkout@v4 | |
- name: "Prepare Alma environment" | |
uses: ./.github/actions/rpm_prep | |
with: | |
GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} | |
GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} | |
RH_VERSION: ${{ matrix.rhversion }} | |
RPM_BUILD: false | |
- name: Download rpm package | |
uses: actions/download-artifact@v4 | |
with: | |
name: acme2certifier-${{ github.run_id }}.noarch.rpm | |
path: data/ | |
- name: "Setup le-sim" | |
uses: ./.github/actions/wf_specific/acme_ca_handler/le-sim_prep | |
- name: "Prepare setup acme_ca_handler" | |
run: | | |
sudo mkdir -p data/acme | |
sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/acme_srv.cfg | |
sudo chmod 777 data/acme_srv.cfg | |
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg | |
sudo echo "handler_file: examples/ca_handler/acme_ca_handler.py" >> data/acme_srv.cfg | |
sudo echo "acme_keyfile: /opt/acme2certifier/volume/le_staging_private_key.json" >> data/acme_srv.cfg | |
sudo echo "acme_url: http://le-sim" >> data/acme_srv.cfg | |
sudo echo "acme_account_email: grindsa@foo.bar" >> data/acme_srv.cfg | |
sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" data/acme_srv.cfg | |
sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> data/acme_srv.cfg | |
- name: "Run Execute install scipt" | |
run: | | |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh | |
- name: "Test enrollment" | |
uses: ./.github/actions/acme_clients | |
with: | |
TEST_ADL: "true" | |
- name: "Verify allowed_domainlist error" | |
run: | | |
docker exec acme-srv grep -i "either CN or SANs are not allowed by configuration" /var/log/messages | |
- name: "Check acme account found in keyfile" | |
run: | | |
docker exec acme-srv grep -i "found in keyfile" /var/log/messages | |
- name: "[ * ] collecting test logs" | |
if: ${{ failure() }} | |
run: | | |
docker logs le-sim > ${{ github.workspace }}/artifact/le-sim.log | |
mkdir -p ${{ github.workspace }}/artifact/upload | |
docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier | |
sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ | |
sudo rm ${{ github.workspace }}/artifact/data/*.rpm | |
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ | |
docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig | |
docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf | |
docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log | |
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh | |
- name: "[ * ] uploading artificates" | |
uses: actions/upload-artifact@v4 | |
if: ${{ failure() }} | |
with: | |
name: acme_ca_handler_rpm-rh${{ matrix.rhversion }}.tar.gz | |
path: ${{ github.workspace }}/artifact/upload/ | |
rpm_acme_ca_handler_sectigo_test: | |
name: "rpm_acme_ca_handler_sectigo_test" | |
runs-on: ubuntu-latest | |
needs: [rpm_build_and_upload] | |
strategy: | |
fail-fast: false | |
matrix: | |
rhversion: [8, 9] | |
steps: | |
- name: "checkout GIT" | |
uses: actions/checkout@v4 | |
- name: "Prepare Alma environment" | |
uses: ./.github/actions/rpm_prep | |
with: | |
GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} | |
GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} | |
RH_VERSION: ${{ matrix.rhversion }} | |
RPM_BUILD: false | |
- name: Download rpm package | |
uses: actions/download-artifact@v4 | |
with: | |
name: acme2certifier-${{ github.run_id }}.noarch.rpm | |
path: data/ | |
- name: "Setup le-sim" | |
uses: ./.github/actions/wf_specific/acme_ca_handler/le-sim_prep | |
with: | |
SECTIGO_SIM: true | |
- name: "Prepare setup acme_ca_handler" | |
run: | | |
sudo mkdir -p data/acme | |
sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/acme_srv.cfg | |
sudo chmod 777 data/acme_srv.cfg | |
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg | |
sudo echo "handler_file: examples/ca_handler/acme_ca_handler.py" >> data/acme_srv.cfg | |
sudo echo "acme_keyfile: /opt/acme2certifier/volume/le_staging_private_key.json" >> data/acme_srv.cfg | |
sudo echo "acme_url: http://le-sim" >> data/acme_srv.cfg | |
sudo echo "acme_account_email: grindsa@foo.bar" >> data/acme_srv.cfg | |
sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" data/acme_srv.cfg | |
- name: "Run Execute install scipt" | |
run: | | |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh | |
- name: "Test enrollment" | |
uses: ./.github/actions/acme_clients | |
- name: "Check acme account found in keyfile" | |
run: | | |
docker exec acme-srv grep -i "found in keyfile" /var/log/messages | |
- name: "[ * ] collecting test logs" | |
if: ${{ failure() }} | |
run: | | |
docker logs acme-le-sim | |
mkdir -p ${{ github.workspace }}/artifact/upload | |
docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier | |
sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ | |
sudo rm ${{ github.workspace }}/artifact/data/*.rpm | |
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ | |
docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig | |
docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf | |
docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log | |
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh | |
- name: "[ * ] uploading artificates" | |
uses: actions/upload-artifact@v4 | |
if: ${{ failure() }} | |
with: | |
name: acme_ca_handler_sectigo_rpm-rh${{ matrix.rhversion }}.tar.gz | |
path: ${{ github.workspace }}/artifact/upload/ | |
rpm_acme_ca_handler_profiling_test: | |
name: "rpm_acme_ca_handler_profiling_test" | |
runs-on: ubuntu-latest | |
needs: [rpm_build_and_upload] | |
strategy: | |
fail-fast: false | |
matrix: | |
rhversion: [8, 9] | |
steps: | |
- name: "checkout GIT" | |
uses: actions/checkout@v4 | |
- name: "Prepare Alma environment" | |
uses: ./.github/actions/rpm_prep | |
with: | |
GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} | |
GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} | |
RH_VERSION: ${{ matrix.rhversion }} | |
RPM_BUILD: false | |
- name: Download rpm package | |
uses: actions/download-artifact@v4 | |
with: | |
name: acme2certifier-${{ github.run_id }}.noarch.rpm | |
path: data/ | |
- name: "Setup acme-le-sim-1" | |
uses: ./.github/actions/wf_specific/acme_ca_handler/le-sim_prep | |
with: | |
LESIM_NAME: acme-le-sim-1 | |
- name: "Setup acme-le-sim-2" | |
uses: ./.github/actions/wf_specific/acme_ca_handler/le-sim_prep | |
with: | |
LESIM_NAME: acme-le-sim-2 | |
- name: "Reconfigure acme-le-sim-2" | |
run: | | |
docker stop acme-le-sim-2 | |
sudo mkdir acme-le-sim-2/xca | |
sudo chmod -R 777 acme-le-sim-2/xca | |
sudo cp test/ca/acme2certifier-clean.xdb acme-le-sim-2/xca/$XCA_DB_NAME | |
sudo chmod 777 acme-le-sim-2/acme_srv.cfg | |
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > acme-le-sim-2/acme_srv.cfg | |
sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/xca_ca_handler.py" >> acme-le-sim-2/acme_srv.cfg | |
sudo echo "xdb_file: volume/xca/$XCA_DB_NAME" >> acme-le-sim-2/acme_srv.cfg | |
sudo echo "issuing_ca_name: root-ca" >> acme-le-sim-2/acme_srv.cfg | |
sudo echo "issuing_ca_key: root-ca" >> acme-le-sim-2/acme_srv.cfg | |
sudo echo "passphrase: $XCA_PASSPHRASE" >> acme-le-sim-2/acme_srv.cfg | |
# sudo echo "ca_cert_chain_list: [\"root-ca\"]" >> acme-le-sim-2/acme_srv.cfg | |
sudo echo "template_name: $XCA_TEMPLATE" >> acme-le-sim-2/acme_srv.cfg | |
sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" acme-le-sim-2/acme_srv.cfg | |
docker run -d --rm -id --network acme --name=acme-le-sim-2 -v "$(pwd)/acme-le-sim-2":/var/www/acme2certifier/volume/ grindsa/acme2certifier:apache2-wsgi | |
env: | |
XCA_PASSPHRASE: ${{ secrets.XCA_PASSPHRASE }} | |
XCA_ISSUING_CA: ${{ secrets.XCA_ISSUING_CA }} | |
XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} | |
XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} | |
- name: "Sleep for 10s" | |
uses: juliangruber/sleep-action@v2.0.3 | |
with: | |
time: 10s | |
- name: "Test http://acme-le-sim2/directory is accessible" | |
run: docker run -i --rm --network acme curlimages/curl -f http://acme-le-sim-2/directory | |
- name: "Enroll from acme-le-sim-2" | |
run: | | |
sudo rm -rf acme-sh/* | |
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-le-sim-2 --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure --force | |
openssl verify -CAfile acme-sh/acme-sh.acme_ecc/ca.cer acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -issuer --noout | grep -i root-ca | |
- name: "Prepare setup acme_ca_handler" | |
run: | | |
sudo mkdir -p data/acme_ca | |
sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/acme_srv.cfg | |
sudo chmod 777 data/acme_srv.cfg | |
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg | |
sudo echo "handler_file: examples/ca_handler/acme_ca_handler.py" >> data/acme_srv.cfg | |
sudo echo "acme_keyfile: /opt/acme2certifier/volume/acme_ca/le_staging_private_key.json" >> data/acme_srv.cfg | |
sudo echo "acme_keypath: /opt/acme2certifier/volume/acme_ca/" >> data/acme_srv.cfg | |
sudo echo "acme_url: http://acme-le-sim-1" >> data/acme_srv.cfg | |
sudo echo "acme_account_email: grindsa@foo.bar" >> data/acme_srv.cfg | |
sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" data/acme_srv.cfg | |
sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg | |
sudo echo "eab_profiling: True" >> data/acme_srv.cfg | |
sudo echo -e "\n\n[EABhandler]" >> data/acme_srv.cfg | |
sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg | |
sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg | |
sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json | |
sudo chmod 777 data/acme_ca/kid_profiles.json | |
sudo chmod 777 examples/eab_handler/kid_profiles.json | |
sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"acme_url\"\: \[\"http:\/\/acme-le-sim-2.acme\", \"http:\/\/acme-le-sim-1.acme\"\]/g" data/acme_ca/kid_profiles.json | |
sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"acme_url\"\: \"http:\/\/acme-le-sim-2.acme\"/g" data/acme_ca/kid_profiles.json | |
sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"acme_keyfile\": \"\/var\/www\/acme2certifier\/volume\/acme-le-sim-2.json\"/" data/acme_ca/kid_profiles.json | |
sudo sed -i "s/\"ca_name\": \"example_ca\",/\"acme_keyfile\": \[\"\/var\/www\/acme2certifier\/volume\/acme-le-sim-1.json\", \"\/var\/www\/acme2certifier\/volume\/acme-le-sim-2.json\"\]/g" data/acme_ca/kid_profiles.json | |
sudo sed -i "s/example.net/acme/g" data/acme_ca/kid_profiles.json | |
sudo sed -i '18,19d' data/acme_ca/kid_profiles.json | |
sudo sed -i '8,9d' data/acme_ca/kid_profiles.json | |
- name: "Run Execute install scipt" | |
run: | | |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh | |
- name: "Sleep for 10s" | |
uses: juliangruber/sleep-action@v2.0.3 | |
with: | |
time: 10s | |
- name: "Test http://acme-srv/directory is accessible" | |
run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory | |
- name: "Profiling - enrollment" | |
uses: ./.github/actions/wf_specific/acme_ca_handler/enrollment_profiling | |
- name: "[ * ] collecting test logs" | |
if: ${{ failure() }} | |
run: | | |
mkdir -p ${{ github.workspace }}/artifact/upload | |
docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier | |
sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ | |
sudo rm ${{ github.workspace }}/artifact/data/*.rpm | |
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ | |
sudo cp -rp acme-le-sim-1/ ${{ github.workspace }}/artifact/data/acme-le-sim-1/ | |
sudo cp -rp acme-le-sim-2/ ${{ github.workspace }}/artifact/data/acme-le-sim-2/ | |
docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig | |
docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf | |
docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log | |
docker logs le-sim-1 > ${{ github.workspace }}/artifact/acme-le-sim-1.log | |
docker logs le-sim-2 > ${{ github.workspace }}/artifact/acme-le-sim-2.log | |
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh acme-le-sim-1.log acme-le-sim-2.log | |
- name: "[ * ] uploading artificates" | |
uses: actions/upload-artifact@v4 | |
if: ${{ failure() }} | |
with: | |
name: rpm_acme_ca_handler_profiling_test-rh${{ matrix.rhversion }}.tar.gz | |
path: ${{ github.workspace }}/artifact/upload/ | |
rpm_acme_ca_handler_smallstep_test: | |
name: "rpm_acme_ca_handler_smallstep_test" | |
runs-on: ubuntu-latest | |
needs: [rpm_build_and_upload] | |
strategy: | |
fail-fast: false | |
matrix: | |
rhversion: [8, 9] | |
steps: | |
- name: "checkout GIT" | |
uses: actions/checkout@v4 | |
- name: "Prepare Alma environment" | |
uses: ./.github/actions/rpm_prep | |
with: | |
GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} | |
GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} | |
RH_VERSION: ${{ matrix.rhversion }} | |
RPM_BUILD: false | |
- name: Download rpm package | |
uses: actions/download-artifact@v4 | |
with: | |
name: acme2certifier-${{ github.run_id }}.noarch.rpm | |
path: data/ | |
- name: "Instanciate smallstep" | |
uses: ./.github/actions/wf_specific/acme_ca_handler/smallstep_prep | |
- name: "Prepare setup acme_ca_handler" | |
run: | | |
sudo mkdir -p data/acme | |
sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/acme_srv.cfg | |
sudo chmod 777 data/acme_srv.cfg | |
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg | |
sudo echo "handler_file: examples/ca_handler/acme_ca_handler.py" >> data/acme_srv.cfg | |
sudo echo "acme_keyfile: /opt/acme2certifier/volume/le_staging_private_key.json" >> data/acme_srv.cfg | |
sudo echo "acme_url: https://step-ca.acme:9000/acme/acme" >> data/acme_srv.cfg | |
sudo echo "acme_account_email: grindsa@foo.bar" >> data/acme_srv.cfg | |
sudo echo "account_path: /" >> data/acme_srv.cfg | |
sudo echo "ssl_verify: False" >> data/acme_srv.cfg | |
sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" data/acme_srv.cfg | |
- name: "Run Execute install scipt" | |
run: | | |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh | |
- name: "Test http://acme-srv/directory is accessible" | |
run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory | |
- name: "Enroll via acme_ca_handler 1st attempt" | |
run: | | |
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-srv.acme --standalone --debug 3 --output-insecure --force | |
- name: "Enroll via acme_ca_handler 2nd attempt" | |
run: | | |
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-srv.acme --standalone --debug 3 --output-insecure --force | |
- name: "Check acme account found in keyfile" | |
run: | | |
docker exec acme-srv grep -i "found in keyfile" /var/log/messages | |
- name: "[ * ] collecting test logs" | |
if: ${{ failure() }} | |
run: | | |
mkdir -p ${{ github.workspace }}/artifact/upload | |
docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier | |
sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ | |
sudo rm ${{ github.workspace }}/artifact/data/*.rpm | |
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ | |
docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig | |
docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf | |
docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log | |
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh | |
- name: "[ * ] uploading artificates" | |
uses: actions/upload-artifact@v4 | |
if: ${{ failure() }} | |
with: | |
name: rpm_acme_ca_handler_smallstep_test_rpm-rh${{ matrix.rhversion }}.tar.gz | |
path: ${{ github.workspace }}/artifact/upload/ | |
rpm_cleanup: | |
name: "rpm_cleanup" | |
runs-on: ubuntu-latest | |
needs: [rpm_acme_ca_handler_test, rpm_acme_ca_handler_sectigo_test, rpm_acme_ca_handler_profiling_test, rpm_acme_ca_handler_smallstep_test] | |
steps: | |
- name: "Delete artifact" | |
uses: geekyeggo/delete-artifact@v5 | |
with: | |
name: acme2certifier-${{ github.run_id }}.noarch.rpm |