
[wf] sleep in asa-handler workflow to avoid testing starts to early #1234

[wf] sleep in asa-handler workflow to avoid testing starts to early

[wf] sleep in asa-handler workflow to avoid testing starts to early #1234

name: CA handler tests - ACME
on:
push:
pull_request:
branches: [ devel ]
schedule:
- cron: '0 2 * * 6'
jobs:
container_build:
name: "container_build"
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
websrv: ['apache2', 'nginx']
dbhandler: ['wsgi', 'django']
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "Build container"
uses: ./.github/actions/container_build_upload
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
acme_ca_handler_test:
name: "acme_ca_handler_test"
runs-on: ubuntu-latest
needs: container_build
strategy:
fail-fast: false
matrix:
websrv: ['apache2', 'nginx']
dbhandler: ['wsgi', 'django']
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "Download container"
uses: actions/download-artifact@v4
with:
name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz
path: /tmp
- name: "Import container"
run: |
sudo apt-get install -y docker-compose
gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz
docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar
docker images
- name: "Prepare container environment"
uses: ./.github/actions/container_prep
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
CONTAINER_BUILD: false
- name: "Setup le-sim"
uses: ./.github/actions/wf_specific/acme_ca_handler/le-sim_prep
- name: "Setup acme ca_handler"
run: |
sudo mkdir -p examples/Docker/data/acme
sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
sudo chmod 777 examples/Docker/data/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
sudo echo "handler_file: examples/ca_handler/acme_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "acme_keyfile: volume/acme/le_staging_private_key.json" >> examples/Docker/data/acme_srv.cfg
sudo echo "acme_url: http://le-sim" >> examples/Docker/data/acme_srv.cfg
sudo echo "acme_account_email: grindsa@foo.bar" >> examples/Docker/data/acme_srv.cfg
sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" examples/Docker/data/acme_srv.cfg
sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> examples/Docker/data/acme_srv.cfg
- name: "Bring up a2c container"
uses: ./.github/actions/container_up
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
- name: "Test enrollment"
uses: ./.github/actions/acme_clients
with:
TEST_ADL: "true"
- name: "Verify allowed_domainlist error"
run: |
cd examples/Docker
docker-compose logs | grep "allowed_domainlist" | grep -i "either CN or SANs are not allowed by configuration"
- name: "Check acme account found in keyfile"
run: |
cd examples/Docker
docker-compose logs | grep -i "found in keyfile"
- name: "Check container configuration"
uses: ./.github/actions/container_check
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
- name: "[ * ] collecting test data"
if: ${{ failure() }}
run: |
mkdir -p ${{ github.workspace }}/artifact/upload
sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
cd examples/Docker
docker logs acme-le-sim > ${{ github.workspace }}/artifact/acme-le-sim.log
docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data docker-compose.log acme-le-sim.log
- name: "[ * ] uploading artifacts"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: acme_ca_handler_container-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
path: ${{ github.workspace }}/artifact/upload/
acme_ca_handler_sectigo_test:
name: "acme_ca_handler_sectigo_test"
runs-on: ubuntu-latest
needs: container_build
strategy:
fail-fast: false
matrix:
websrv: ['apache2', 'nginx']
dbhandler: ['wsgi', 'django']
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "Download container"
uses: actions/download-artifact@v4
with:
name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz
path: /tmp
- name: "Import container"
run: |
sudo apt-get install -y docker-compose
gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz
docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar
docker images
- name: "Prepare container environment"
uses: ./.github/actions/container_prep
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
CONTAINER_BUILD: false
- name: "Setup le-sim"
uses: ./.github/actions/wf_specific/acme_ca_handler/le-sim_prep
with:
SECTIGO_SIM: true
- name: "Setup openssl ca_handler"
run: |
sudo mkdir -p examples/Docker/data/acme
sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
sudo chmod 777 examples/Docker/data/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
sudo echo "handler_file: examples/ca_handler/acme_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "acme_keyfile: volume/acme/le_staging_private_key.json" >> examples/Docker/data/acme_srv.cfg
sudo echo "acme_url: http://le-sim" >> examples/Docker/data/acme_srv.cfg
sudo echo "acme_account_email: grindsa@foo.bar" >> examples/Docker/data/acme_srv.cfg
sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" examples/Docker/data/acme_srv.cfg
- name: "Bring up a2c container"
uses: ./.github/actions/container_up
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
- name: "Test enrollment"
uses: ./.github/actions/acme_clients
- name: "Check container configuration"
uses: ./.github/actions/container_check
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
- name: "[ * ] collecting test data"
if: ${{ failure() }}
run: |
mkdir -p ${{ github.workspace }}/artifact/upload
sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
cd examples/Docker
docker logs acme-le-sim > ${{ github.workspace }}/artifact/acme-le-sim.log
docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data docker-compose.log acme-le-sim.log
- name: "[ * ] uploading artifacts"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: acme_ca_handler_sectigo_container-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
path: ${{ github.workspace }}/artifact/upload/
acme_ca_handler_profiling_test:
name: "acme_ca_handler_profiling_test"
runs-on: ubuntu-latest
needs: container_build
strategy:
fail-fast: false
matrix:
websrv: ['apache2', 'nginx']
dbhandler: ['wsgi', 'django']
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "Download container"
uses: actions/download-artifact@v4
with:
name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz
path: /tmp
- name: "Import container"
run: |
sudo apt-get install -y docker-compose
gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz
docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar
docker images
- name: "Prepare container environment"
uses: ./.github/actions/container_prep
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
CONTAINER_BUILD: false
- name: "Setup acme-le-sim-1"
uses: ./.github/actions/wf_specific/acme_ca_handler/le-sim_prep
with:
LESIM_NAME: acme-le-sim-1
- name: "Setup acme-le-sim-2"
uses: ./.github/actions/wf_specific/acme_ca_handler/le-sim_prep
with:
LESIM_NAME: acme-le-sim-2
- name: "Reconfigure acme-le-sim-2"
run: |
docker stop acme-le-sim-2
sudo mkdir acme-le-sim-2/xca
sudo chmod -R 777 acme-le-sim-2/xca
sudo cp test/ca/acme2certifier-clean.xdb acme-le-sim-2/xca/$XCA_DB_NAME
sudo chmod 777 acme-le-sim-2/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > acme-le-sim-2/acme_srv.cfg
sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/xca_ca_handler.py" >> acme-le-sim-2/acme_srv.cfg
sudo echo "xdb_file: volume/xca/$XCA_DB_NAME" >> acme-le-sim-2/acme_srv.cfg
sudo echo "issuing_ca_name: root-ca" >> acme-le-sim-2/acme_srv.cfg
sudo echo "issuing_ca_key: root-ca" >> acme-le-sim-2/acme_srv.cfg
sudo echo "passphrase: $XCA_PASSPHRASE" >> acme-le-sim-2/acme_srv.cfg
# sudo echo "ca_cert_chain_list: [\"root-ca\"]" >> acme-le-sim-2/acme_srv.cfg
sudo echo "template_name: $XCA_TEMPLATE" >> acme-le-sim-2/acme_srv.cfg
sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" acme-le-sim-2/acme_srv.cfg
docker run -d --rm -id --network acme --name=acme-le-sim-2 -v "$(pwd)/acme-le-sim-2":/var/www/acme2certifier/volume/ grindsa/acme2certifier:apache2-wsgi
env:
XCA_PASSPHRASE: ${{ secrets.XCA_PASSPHRASE }}
XCA_ISSUING_CA: ${{ secrets.XCA_ISSUING_CA }}
XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }}
XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }}
- name: "Sleep for 10s"
uses: juliangruber/sleep-action@v2.0.3
with:
time: 10s
- name: "Test http://acme-le-sim2/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl -f http://acme-le-sim-2/directory
- name: "Enroll from acme-le-sim-2"
run: |
sudo rm -rf acme-sh/*
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-le-sim-2 --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure --force
openssl verify -CAfile acme-sh/acme-sh.acme_ecc/ca.cer acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -issuer --noout | grep -i root-ca
sudo rm -rf acme-sh/*
- name: "Setup acme ca_handler"
run: |
sudo mkdir -p examples/Docker/data/acme
sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
sudo chmod 777 examples/Docker/data/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
sudo echo "handler_file: examples/ca_handler/acme_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "acme_keyfile: volume/acme/le_staging_private_key.json" >> examples/Docker/data/acme_srv.cfg
sudo echo "acme_keypath: volume/acme/" >> examples/Docker/data/acme_srv.cfg
sudo echo "acme_url: http://acme-le-sim-1" >> examples/Docker/data/acme_srv.cfg
sudo echo "acme_account_email: grindsa@foo.bar" >> examples/Docker/data/acme_srv.cfg
sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg
sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" examples/Docker/data/acme_srv.cfg
sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg
sudo echo -e "\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg
sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg
sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json
sudo chmod 777 examples/eab_handler/kid_profiles.json
sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"acme_url\"\: \[\"http:\/\/acme-le-sim-2.acme\", \"http:\/\/acme-le-sim-1.acme\"\]/g" examples/Docker/data/kid_profiles.json
sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"acme_url\"\: \"http:\/\/acme-le-sim-2.acme\"/g" examples/Docker/data/kid_profiles.json
sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"acme_keyfile\": \"\/var\/www\/acme2certifier\/volume\/acme-le-sim-2.json\"/" examples/Docker/data/kid_profiles.json
sudo sed -i "s/\"ca_name\": \"example_ca\",/\"acme_keyfile\": \[\"\/var\/www\/acme2certifier\/volume\/acme-le-sim-1.json\", \"\/var\/www\/acme2certifier\/volume\/acme-le-sim-2.json\"\]/g" examples/Docker/data/kid_profiles.json
sudo sed -i "s/example.net/acme/g" examples/Docker/data/kid_profiles.json
sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json
sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json
- name: "Bring up a2c container"
uses: ./.github/actions/container_up
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
- name: "Profiling - enrollment"
uses: ./.github/actions/wf_specific/acme_ca_handler/enrollment_profiling
- name: "Check container configuration"
uses: ./.github/actions/container_check
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
- name: "[ * ] collecting test data"
if: ${{ failure() }}
run: |
mkdir -p ${{ github.workspace }}/artifact/upload
sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/data/acme-sh/
sudo cp -rp acme-le-sim-1/ ${{ github.workspace }}/artifact/data/acme-le-sim-1/
sudo cp -rp acme-le-sim-2/ ${{ github.workspace }}/artifact/data/acme-le-sim-2/
cd examples/Docker
docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
docker logs acme-le-sim-1 > ${{ github.workspace }}/artifact/acme-le-sim-1.log
docker logs acme-le-sim-2 > ${{ github.workspace }}/artifact/acme-le-sim-2.log
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data docker-compose.log acme-le-sim-1.log acme-le-sim-2.log
- name: "[ * ] uploading artifacts"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: acme_ca_handler_profiling_test-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
path: ${{ github.workspace }}/artifact/upload/
acme_ca_handler_smallstep_test:
name: "acme_ca_handler_smallstep_test"
runs-on: ubuntu-latest
needs: container_build
strategy:
fail-fast: false
matrix:
websrv: ['apache2', 'nginx']
dbhandler: ['wsgi', 'django']
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "Download container"
uses: actions/download-artifact@v4
with:
name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz
path: /tmp
- name: "Import container"
run: |
sudo apt-get install -y docker-compose
gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz
docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar
docker images
- name: "Prepare container environment"
uses: ./.github/actions/container_prep
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
CONTAINER_BUILD: false
- name: "Instanciate smallstep"
uses: ./.github/actions/wf_specific/acme_ca_handler/smallstep_prep
- name: "Setup acme ca_handler"
run: |
sudo mkdir -p examples/Docker/data/acme
sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
sudo chmod 777 examples/Docker/data/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
sudo echo "handler_file: examples/ca_handler/acme_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "acme_keyfile: volume/acme/le_staging_private_key.json" >> examples/Docker/data/acme_srv.cfg
sudo echo "acme_url: https://step-ca.acme:9000/acme/acme" >> examples/Docker/data/acme_srv.cfg
sudo echo "acme_account_email: grindsa@foo.bar" >> examples/Docker/data/acme_srv.cfg
sudo echo "account_path: /" >> examples/Docker/data/acme_srv.cfg
sudo echo "ssl_verify: False" >> examples/Docker/data/acme_srv.cfg
sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" examples/Docker/data/acme_srv.cfg
- name: "Bring up a2c container"
uses: ./.github/actions/container_up
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
- name: "Enroll via acme_ca_handler 1st attempt"
run: |
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-srv.acme --standalone --debug 3 --output-insecure --force
- name: "Enroll via acme_ca_handler 2nd attempt"
run: |
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-srv.acme --standalone --debug 3 --output-insecure --force
- name: "Check acme account found in keyfile"
run: |
cd examples/Docker
docker-compose logs | grep -i "found in keyfile"
- name: "Check container configuration"
uses: ./.github/actions/container_check
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
- name: "[ * ] collecting test data"
if: ${{ failure() }}
run: |
mkdir -p ${{ github.workspace }}/artifact/upload
sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
cd examples/Docker
docker logs step-ca > ${{ github.workspace }}/artifact/step-ca.log
docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data docker-compose.log step-ca.log
- name: "[ * ] uploading artifacts"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: acme_ca_handler_container-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
path: ${{ github.workspace }}/artifact/upload/
cleanup:
name: "cleanup"
runs-on: ubuntu-latest
needs: [acme_ca_handler_test, acme_ca_handler_sectigo_test, acme_ca_handler_profiling_test, acme_ca_handler_smallstep_test]
strategy:
fail-fast: false
matrix:
websrv: ['apache2', 'nginx']
dbhandler: ['wsgi', 'django']
steps:
- uses: geekyeggo/delete-artifact@v5
with:
name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz
rpm_build_and_upload:
name: "rpm_build_and_upload"
runs-on: ubuntu-latest
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "Build rpm package"
id: rpm_build
uses: ./.github/actions/rpm_build_upload
rpm_acme_ca_handler_test:
name: "rpm_acme_ca_handler_test"
runs-on: ubuntu-latest
needs: [rpm_build_and_upload]
strategy:
fail-fast: false
matrix:
rhversion: [8, 9]
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "Prepare Alma environment"
uses: ./.github/actions/rpm_prep
with:
GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
RH_VERSION: ${{ matrix.rhversion }}
RPM_BUILD: false
- name: Download rpm package
uses: actions/download-artifact@v4
with:
name: acme2certifier-${{ github.run_id }}.noarch.rpm
path: data/
- name: "Setup le-sim"
uses: ./.github/actions/wf_specific/acme_ca_handler/le-sim_prep
- name: "Prepare setup acme_ca_handler"
run: |
sudo mkdir -p data/acme
sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/acme_srv.cfg
sudo chmod 777 data/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
sudo echo "handler_file: examples/ca_handler/acme_ca_handler.py" >> data/acme_srv.cfg
sudo echo "acme_keyfile: /opt/acme2certifier/volume/le_staging_private_key.json" >> data/acme_srv.cfg
sudo echo "acme_url: http://le-sim" >> data/acme_srv.cfg
sudo echo "acme_account_email: grindsa@foo.bar" >> data/acme_srv.cfg
sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" data/acme_srv.cfg
sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> data/acme_srv.cfg
- name: "Run Execute install scipt"
run: |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
- name: "Test enrollment"
uses: ./.github/actions/acme_clients
with:
TEST_ADL: "true"
- name: "Verify allowed_domainlist error"
run: |
docker exec acme-srv grep -i "either CN or SANs are not allowed by configuration" /var/log/messages
- name: "Check acme account found in keyfile"
run: |
docker exec acme-srv grep -i "found in keyfile" /var/log/messages
- name: "[ * ] collecting test logs"
if: ${{ failure() }}
run: |
docker logs le-sim > ${{ github.workspace }}/artifact/le-sim.log
mkdir -p ${{ github.workspace }}/artifact/upload
docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
sudo rm ${{ github.workspace }}/artifact/data/*.rpm
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh
- name: "[ * ] uploading artificates"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: acme_ca_handler_rpm-rh${{ matrix.rhversion }}.tar.gz
path: ${{ github.workspace }}/artifact/upload/
rpm_acme_ca_handler_sectigo_test:
name: "rpm_acme_ca_handler_sectigo_test"
runs-on: ubuntu-latest
needs: [rpm_build_and_upload]
strategy:
fail-fast: false
matrix:
rhversion: [8, 9]
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "Prepare Alma environment"
uses: ./.github/actions/rpm_prep
with:
GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
RH_VERSION: ${{ matrix.rhversion }}
RPM_BUILD: false
- name: Download rpm package
uses: actions/download-artifact@v4
with:
name: acme2certifier-${{ github.run_id }}.noarch.rpm
path: data/
- name: "Setup le-sim"
uses: ./.github/actions/wf_specific/acme_ca_handler/le-sim_prep
with:
SECTIGO_SIM: true
- name: "Prepare setup acme_ca_handler"
run: |
sudo mkdir -p data/acme
sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/acme_srv.cfg
sudo chmod 777 data/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
sudo echo "handler_file: examples/ca_handler/acme_ca_handler.py" >> data/acme_srv.cfg
sudo echo "acme_keyfile: /opt/acme2certifier/volume/le_staging_private_key.json" >> data/acme_srv.cfg
sudo echo "acme_url: http://le-sim" >> data/acme_srv.cfg
sudo echo "acme_account_email: grindsa@foo.bar" >> data/acme_srv.cfg
sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" data/acme_srv.cfg
- name: "Run Execute install scipt"
run: |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
- name: "Test enrollment"
uses: ./.github/actions/acme_clients
- name: "Check acme account found in keyfile"
run: |
docker exec acme-srv grep -i "found in keyfile" /var/log/messages
- name: "[ * ] collecting test logs"
if: ${{ failure() }}
run: |
docker logs acme-le-sim
mkdir -p ${{ github.workspace }}/artifact/upload
docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
sudo rm ${{ github.workspace }}/artifact/data/*.rpm
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh
- name: "[ * ] uploading artificates"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: acme_ca_handler_sectigo_rpm-rh${{ matrix.rhversion }}.tar.gz
path: ${{ github.workspace }}/artifact/upload/
rpm_acme_ca_handler_profiling_test:
name: "rpm_acme_ca_handler_profiling_test"
runs-on: ubuntu-latest
needs: [rpm_build_and_upload]
strategy:
fail-fast: false
matrix:
rhversion: [8, 9]
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "Prepare Alma environment"
uses: ./.github/actions/rpm_prep
with:
GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
RH_VERSION: ${{ matrix.rhversion }}
RPM_BUILD: false
- name: Download rpm package
uses: actions/download-artifact@v4
with:
name: acme2certifier-${{ github.run_id }}.noarch.rpm
path: data/
- name: "Setup acme-le-sim-1"
uses: ./.github/actions/wf_specific/acme_ca_handler/le-sim_prep
with:
LESIM_NAME: acme-le-sim-1
- name: "Setup acme-le-sim-2"
uses: ./.github/actions/wf_specific/acme_ca_handler/le-sim_prep
with:
LESIM_NAME: acme-le-sim-2
- name: "Reconfigure acme-le-sim-2"
run: |
docker stop acme-le-sim-2
sudo mkdir acme-le-sim-2/xca
sudo chmod -R 777 acme-le-sim-2/xca
sudo cp test/ca/acme2certifier-clean.xdb acme-le-sim-2/xca/$XCA_DB_NAME
sudo chmod 777 acme-le-sim-2/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > acme-le-sim-2/acme_srv.cfg
sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/xca_ca_handler.py" >> acme-le-sim-2/acme_srv.cfg
sudo echo "xdb_file: volume/xca/$XCA_DB_NAME" >> acme-le-sim-2/acme_srv.cfg
sudo echo "issuing_ca_name: root-ca" >> acme-le-sim-2/acme_srv.cfg
sudo echo "issuing_ca_key: root-ca" >> acme-le-sim-2/acme_srv.cfg
sudo echo "passphrase: $XCA_PASSPHRASE" >> acme-le-sim-2/acme_srv.cfg
# sudo echo "ca_cert_chain_list: [\"root-ca\"]" >> acme-le-sim-2/acme_srv.cfg
sudo echo "template_name: $XCA_TEMPLATE" >> acme-le-sim-2/acme_srv.cfg
sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" acme-le-sim-2/acme_srv.cfg
docker run -d --rm -id --network acme --name=acme-le-sim-2 -v "$(pwd)/acme-le-sim-2":/var/www/acme2certifier/volume/ grindsa/acme2certifier:apache2-wsgi
env:
XCA_PASSPHRASE: ${{ secrets.XCA_PASSPHRASE }}
XCA_ISSUING_CA: ${{ secrets.XCA_ISSUING_CA }}
XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }}
XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }}
- name: "Sleep for 10s"
uses: juliangruber/sleep-action@v2.0.3
with:
time: 10s
- name: "Test http://acme-le-sim2/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl -f http://acme-le-sim-2/directory
- name: "Enroll from acme-le-sim-2"
run: |
sudo rm -rf acme-sh/*
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-le-sim-2 --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure --force
openssl verify -CAfile acme-sh/acme-sh.acme_ecc/ca.cer acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -issuer --noout | grep -i root-ca
- name: "Prepare setup acme_ca_handler"
run: |
sudo mkdir -p data/acme_ca
sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/acme_srv.cfg
sudo chmod 777 data/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
sudo echo "handler_file: examples/ca_handler/acme_ca_handler.py" >> data/acme_srv.cfg
sudo echo "acme_keyfile: /opt/acme2certifier/volume/acme_ca/le_staging_private_key.json" >> data/acme_srv.cfg
sudo echo "acme_keypath: /opt/acme2certifier/volume/acme_ca/" >> data/acme_srv.cfg
sudo echo "acme_url: http://acme-le-sim-1" >> data/acme_srv.cfg
sudo echo "acme_account_email: grindsa@foo.bar" >> data/acme_srv.cfg
sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" data/acme_srv.cfg
sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg
sudo echo "eab_profiling: True" >> data/acme_srv.cfg
sudo echo -e "\n\n[EABhandler]" >> data/acme_srv.cfg
sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg
sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg
sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json
sudo chmod 777 data/acme_ca/kid_profiles.json
sudo chmod 777 examples/eab_handler/kid_profiles.json
sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"acme_url\"\: \[\"http:\/\/acme-le-sim-2.acme\", \"http:\/\/acme-le-sim-1.acme\"\]/g" data/acme_ca/kid_profiles.json
sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"acme_url\"\: \"http:\/\/acme-le-sim-2.acme\"/g" data/acme_ca/kid_profiles.json
sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"acme_keyfile\": \"\/var\/www\/acme2certifier\/volume\/acme-le-sim-2.json\"/" data/acme_ca/kid_profiles.json
sudo sed -i "s/\"ca_name\": \"example_ca\",/\"acme_keyfile\": \[\"\/var\/www\/acme2certifier\/volume\/acme-le-sim-1.json\", \"\/var\/www\/acme2certifier\/volume\/acme-le-sim-2.json\"\]/g" data/acme_ca/kid_profiles.json
sudo sed -i "s/example.net/acme/g" data/acme_ca/kid_profiles.json
sudo sed -i '18,19d' data/acme_ca/kid_profiles.json
sudo sed -i '8,9d' data/acme_ca/kid_profiles.json
- name: "Run Execute install scipt"
run: |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
- name: "Sleep for 10s"
uses: juliangruber/sleep-action@v2.0.3
with:
time: 10s
- name: "Test http://acme-srv/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
- name: "Profiling - enrollment"
uses: ./.github/actions/wf_specific/acme_ca_handler/enrollment_profiling
- name: "[ * ] collecting test logs"
if: ${{ failure() }}
run: |
mkdir -p ${{ github.workspace }}/artifact/upload
docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
sudo rm ${{ github.workspace }}/artifact/data/*.rpm
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
sudo cp -rp acme-le-sim-1/ ${{ github.workspace }}/artifact/data/acme-le-sim-1/
sudo cp -rp acme-le-sim-2/ ${{ github.workspace }}/artifact/data/acme-le-sim-2/
docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
docker logs le-sim-1 > ${{ github.workspace }}/artifact/acme-le-sim-1.log
docker logs le-sim-2 > ${{ github.workspace }}/artifact/acme-le-sim-2.log
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh acme-le-sim-1.log acme-le-sim-2.log
- name: "[ * ] uploading artificates"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: rpm_acme_ca_handler_profiling_test-rh${{ matrix.rhversion }}.tar.gz
path: ${{ github.workspace }}/artifact/upload/
rpm_acme_ca_handler_smallstep_test:
name: "rpm_acme_ca_handler_smallstep_test"
runs-on: ubuntu-latest
needs: [rpm_build_and_upload]
strategy:
fail-fast: false
matrix:
rhversion: [8, 9]
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "Prepare Alma environment"
uses: ./.github/actions/rpm_prep
with:
GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
RH_VERSION: ${{ matrix.rhversion }}
RPM_BUILD: false
- name: Download rpm package
uses: actions/download-artifact@v4
with:
name: acme2certifier-${{ github.run_id }}.noarch.rpm
path: data/
- name: "Instanciate smallstep"
uses: ./.github/actions/wf_specific/acme_ca_handler/smallstep_prep
- name: "Prepare setup acme_ca_handler"
run: |
sudo mkdir -p data/acme
sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/acme_srv.cfg
sudo chmod 777 data/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
sudo echo "handler_file: examples/ca_handler/acme_ca_handler.py" >> data/acme_srv.cfg
sudo echo "acme_keyfile: /opt/acme2certifier/volume/le_staging_private_key.json" >> data/acme_srv.cfg
sudo echo "acme_url: https://step-ca.acme:9000/acme/acme" >> data/acme_srv.cfg
sudo echo "acme_account_email: grindsa@foo.bar" >> data/acme_srv.cfg
sudo echo "account_path: /" >> data/acme_srv.cfg
sudo echo "ssl_verify: False" >> data/acme_srv.cfg
sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" data/acme_srv.cfg
- name: "Run Execute install scipt"
run: |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
- name: "Test http://acme-srv/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
- name: "Enroll via acme_ca_handler 1st attempt"
run: |
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-srv.acme --standalone --debug 3 --output-insecure --force
- name: "Enroll via acme_ca_handler 2nd attempt"
run: |
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-srv.acme --standalone --debug 3 --output-insecure --force
- name: "Check acme account found in keyfile"
run: |
docker exec acme-srv grep -i "found in keyfile" /var/log/messages
- name: "[ * ] collecting test logs"
if: ${{ failure() }}
run: |
mkdir -p ${{ github.workspace }}/artifact/upload
docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
sudo rm ${{ github.workspace }}/artifact/data/*.rpm
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh
- name: "[ * ] uploading artificates"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: rpm_acme_ca_handler_smallstep_test_rpm-rh${{ matrix.rhversion }}.tar.gz
path: ${{ github.workspace }}/artifact/upload/
rpm_cleanup:
name: "rpm_cleanup"
runs-on: ubuntu-latest
needs: [rpm_acme_ca_handler_test, rpm_acme_ca_handler_sectigo_test, rpm_acme_ca_handler_profiling_test, rpm_acme_ca_handler_smallstep_test]
steps:
- name: "Delete artifact"
uses: geekyeggo/delete-artifact@v5
with:
name: acme2certifier-${{ github.run_id }}.noarch.rpm
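Review bot: The failure-path artifact of both profiling jobs ships the XCA passphrase in clear text: the `Reconfigure acme-le-sim-2` step writes `passphrase: $XCA_PASSPHRASE` into `acme-le-sim-2/acme_srv.cfg` (a `chmod 777` file), and the `[ * ] collecting test data` / `collecting test logs` steps copy `acme-le-sim-2/` into the tarball that `upload-artifact` publishes, where GitHub's log masking of secrets does not apply. Redact it before packing, e.g. `sudo sed -i 's/^passphrase:.*/passphrase: [redacted]/' ${{ github.workspace }}/artifact/data/acme-le-sim-2/acme_srv.cfg` immediately before the `tar` line in both jobs. Separately, the rpm profiling job's log collection runs `docker logs le-sim-1` and `docker logs le-sim-2`, but the containers are created as `acme-le-sim-1`/`acme-le-sim-2` (see `LESIM_NAME` and the `docker run --name=acme-le-sim-2` line), so those commands fail and the simulator logs are lost on exactly the path they exist for. The `Sleep for 10s` steps (presumably this commit's change) pull in `juliangruber/sleep-action@v2.0.3` by a mutable tag; a plain `run: sleep 10` removes the third-party dependency, and a short retry loop around the `curl -f .../directory` check would be less timing-sensitive than a fixed delay.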