[wf] sleep in asa-handler workflow to avoid testing starts to early #1131
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Hooks Tests | |
on: | |
push: | |
pull_request: | |
branches: [ devel ] | |
schedule: | |
- cron: '0 2 * * 6' | |
jobs: | |
container_build: | |
name: "container_build" | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
websrv: ['apache2', 'nginx'] | |
dbhandler: ['wsgi', 'django'] | |
steps: | |
- name: "checkout GIT" | |
uses: actions/checkout@v4 | |
- name: "Build container" | |
uses: ./.github/actions/container_build_upload | |
with: | |
DB_HANDLER: ${{ matrix.dbhandler }} | |
WEB_SRV: ${{ matrix.websrv }} | |
hooks_tests: | |
name: "hooks_tests" | |
runs-on: ubuntu-latest | |
needs: container_build | |
strategy: | |
fail-fast: false | |
matrix: | |
websrv: ['apache2', 'nginx'] | |
dbhandler: ['wsgi', 'django'] | |
steps: | |
- name: "checkout GIT" | |
uses: actions/checkout@v4 | |
- name: "Download container" | |
uses: actions/download-artifact@v4 | |
with: | |
name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz | |
path: /tmp | |
- name: "Import container" | |
run: | | |
sudo apt-get install -y docker-compose | |
gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz | |
docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar | |
docker images | |
- name: "Prepare container environment" | |
uses: ./.github/actions/container_prep | |
with: | |
DB_HANDLER: ${{ matrix.dbhandler }} | |
WEB_SRV: ${{ matrix.websrv }} | |
CONTAINER_BUILD: false | |
- name: "Bring up a2c container" | |
uses: ./.github/actions/container_up | |
with: | |
DB_HANDLER: ${{ matrix.dbhandler }} | |
WEB_SRV: ${{ matrix.websrv }} | |
- name: "Setup openssl ca_handler" | |
run: | | |
sudo mkdir -p examples/Docker/data/hooks | |
sudo chmod -R 777 examples/Docker/data/hooks | |
sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py | |
sudo mkdir -p examples/Docker/data/acme_ca/certs | |
sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ | |
sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg | |
sudo chmod 777 examples/Docker/data/acme_srv.cfg | |
sudo echo -e "\n\n[Hooks]" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "hooks_file: /var/www/acme2certifier/examples/hooks/cn_dump_hooks.py" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "save_path: volume/hooks" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "$HOOKS_CHECKSUM" > examples/Docker/data/hooks/checksums.sha256 | |
# sudo cat examples/Docker/data/acme_srv.cfg | |
cd examples/Docker/ | |
docker-compose restart | |
env: | |
HOOKS_CHECKSUM: ${{ secrets.HOOKS_CHECKSUM }} | |
- name: "Sleep for 10s" | |
uses: juliangruber/sleep-action@v2.0.3 | |
with: | |
time: 10s | |
- name: "Test http://acme-srv/directory is accessible" | |
run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory | |
- name: "Test if https://acme-srv/directory is accessible" | |
run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory | |
- name: "Register certbot" | |
run: | | |
docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email | |
- name: "Enroll certbot" | |
run: | | |
docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot | |
sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem | |
- name: "Prepare acme.sh container" | |
run: | | |
docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon | |
- name: "Register acme.sh" | |
run: | | |
docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug 3 | |
- name: "Enroll acme.sh" | |
run: | | |
docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure | |
openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
- name: "Enroll lego" | |
run: | | |
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run | |
sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt | |
- name: "Compare checksums to validate hook file content" | |
working-directory: examples/Docker/data/hooks | |
run: | | |
sha256sum -c checksums.sha256 | |
- name: "Check container configuration" | |
uses: ./.github/actions/container_check | |
with: | |
DB_HANDLER: ${{ matrix.dbhandler }} | |
WEB_SRV: ${{ matrix.websrv }} | |
- name: "[ * ] collecting test logs" | |
if: ${{ failure() }} | |
run: | | |
mkdir -p ${{ github.workspace }}/artifact/upload | |
sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ | |
cd examples/Docker | |
docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log | |
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data | |
- name: "[ * ] uploading artificates" | |
uses: actions/upload-artifact@v4 | |
if: ${{ failure() }} | |
with: | |
name: hooks-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz | |
path: ${{ github.workspace }}/artifact/upload/ | |
hooks_exception_handling: | |
name: "hooks_exception_handling" | |
runs-on: ubuntu-latest | |
needs: container_build | |
strategy: | |
fail-fast: false | |
matrix: | |
websrv: ['apache2', 'nginx'] | |
dbhandler: ['wsgi', 'django'] | |
steps: | |
- name: "checkout GIT" | |
uses: actions/checkout@v4 | |
- name: "create folders" | |
run: | | |
mkdir lego | |
mkdir acme-sh | |
mkdir certbot | |
- name: "Download container" | |
uses: actions/download-artifact@v4 | |
with: | |
name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz | |
path: /tmp | |
- name: "Import container" | |
run: | | |
sudo apt-get install -y docker-compose | |
gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz | |
docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar | |
docker images | |
- name: "Prepare container environment" | |
uses: ./.github/actions/container_prep | |
with: | |
DB_HANDLER: ${{ matrix.dbhandler }} | |
WEB_SRV: ${{ matrix.websrv }} | |
CONTAINER_BUILD: false | |
- name: "Bring up a2c container" | |
uses: ./.github/actions/container_up | |
with: | |
DB_HANDLER: ${{ matrix.dbhandler }} | |
WEB_SRV: ${{ matrix.websrv }} | |
- name: "setup openssl ca_handler" | |
run: | | |
sudo mkdir -p examples/Docker/data/hooks | |
sudo chmod -R 777 examples/Docker/data/hooks | |
sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem | |
sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem | |
sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem | |
sudo cp .github/django_settings.py examples/Docker/data/settings.py | |
sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py | |
sudo mkdir -p examples/Docker/data/acme_ca/certs | |
sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ | |
sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg | |
sudo chmod 777 examples/Docker/data/acme_srv.cfg | |
sudo echo -e "\n\n[Hooks]" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "hooks_file: /var/www/acme2certifier/examples/hooks/exception_test_hooks.py" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "raise_pre_hook_exception: False" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "raise_post_hook_exception: False" >> examples/Docker/data/acme_srv.cfg | |
sudo echo "raise_success_hook_exception: False" >> examples/Docker/data/acme_srv.cfg | |
# sudo cat examples/Docker/data/acme_srv.cfg | |
cd examples/Docker/ | |
docker-compose restart | |
docker-compose logs | |
env: | |
HOOKS_CHECKSUM: ${{ secrets.HOOKS_CHECKSUM }} | |
- name: "Sleep for 10s" | |
uses: juliangruber/sleep-action@v2.0.3 | |
with: | |
time: 10s | |
- name: "Test http://acme-srv/directory is accessible" | |
run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory | |
- name: "Test if https://acme-srv/directory is accessible" | |
run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory | |
- name: "prepare acme.sh container" | |
run: | | |
docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon | |
- name: "[ REGISTER] acme.sh" | |
run: | | |
docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug 3 | |
- name: "[ ENROLL] acme.sh - *_pre_hook_failure not configured " | |
run: | | |
docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure | |
openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
- name: "[ PREPARE ] reconfigure hook handler to trigger pre hook exception " | |
run: | | |
sudo sed -i "s/raise_pre_hook_exception: False/raise_pre_hook_exception: True/g" examples/Docker/data/acme_srv.cfg | |
cd examples/Docker/ | |
sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) | |
docker-compose restart | |
- name: "[ FAIL ] acme.sh enrollment fails due to pre-hook exception (default behaviour)" | |
id: prehookfailure | |
continue-on-error: true | |
run: | | |
docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure | |
- name: "[ CHECK ] result - acme.sh enrollment failed due to pre-hook exception " | |
if: steps.prehookfailure.outcome != 'failure' | |
run: | | |
echo "prehookfailure outcome is ${{steps.prehookfailure.outcome }}" | |
exit 1 | |
- name: "[ PREPARE ] reconfigure a2c to ignore pre-hook failures " | |
run: | | |
sudo echo "ignore_pre_hook_failure: True" >> examples/Docker/data/acme_srv.cfg | |
cd examples/Docker/ | |
sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) | |
docker-compose restart | |
- name: "[ ENROLL] acme.sh - ignore pre_hook_failures " | |
run: | | |
docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure | |
openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
- name: "[ PREPARE ] reconfigure hook handler to trigger success hook exception " | |
run: | | |
sudo sed -i "s/raise_pre_hook_exception: True/raise_pre_hook_exception: False/g" examples/Docker/data/acme_srv.cfg | |
sudo sed -i "s/raise_success_hook_exception: False/raise_success_hook_exception: True/g" examples/Docker/data/acme_srv.cfg | |
cd examples/Docker/ | |
sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) | |
docker-compose restart | |
- name: "[ FAIL ] acme.sh enrollment fails due to success-hook exception (default behaviour) " | |
id: successhookfailure | |
continue-on-error: true | |
run: | | |
docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure | |
- name: "[ CHECK ] result - acme.sh enrollment failed due to success-hook exception " | |
if: steps.successhookfailure.outcome != 'failure' | |
run: | | |
echo "successhookfailure outcome is ${{steps.successhookfailure.outcome }}" | |
exit 1 | |
- name: "[ PREPARE ] reconfigure a2c to ignore success-hook failures " | |
run: | | |
sudo sed -i "s/ignore_pre_hook_failure: True/ignore_success_hook_failure: True/g" examples/Docker/data/acme_srv.cfg | |
cd examples/Docker/ | |
sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) | |
docker-compose restart | |
- name: "[ ENROLL] acme.sh - ignore sucess_hook_failures " | |
run: | | |
docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure | |
openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
- name: "[ PREPARE ] reconfigure hook handler to trigger post hook exception " | |
run: | | |
sudo sed -i "s/raise_success_hook_exception: True/raise_success_hook_exception: False/g" examples/Docker/data/acme_srv.cfg | |
sudo sed -i "s/raise_post_hook_exception: False/raise_post_hook_exception: True/g" examples/Docker/data/acme_srv.cfg | |
cd examples/Docker/ | |
sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) | |
docker-compose restart | |
- name: "[ ENROLL] acme.sh - ignore post_hook_failures (default behaviour) " | |
run: | | |
docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure | |
openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
- name: "[ PREPARE ] reconfigure a2c to detect success-hook failures " | |
run: | | |
sudo sed -i "s/ignore_success_hook_failure: True/ignore_post_hook_failure: False/g" examples/Docker/data/acme_srv.cfg | |
cd examples/Docker/ | |
sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) | |
docker-compose restart | |
- name: "[ FAIL ] acme.sh enrollment fails due to post-hook exception " | |
id: posthookfailure | |
continue-on-error: true | |
run: | | |
docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure | |
- name: "[ CHECK ] result - acme.sh enrollment failed due to post-hook exception " | |
if: steps.posthookfailure.outcome != 'failure' | |
run: | | |
echo "posthookfailure outcome is ${{steps.posthookfailure.outcome }}" | |
exit 1 | |
- name: "Check container configuration" | |
uses: ./.github/actions/container_check | |
with: | |
DB_HANDLER: ${{ matrix.dbhandler }} | |
WEB_SRV: ${{ matrix.websrv }} | |
- name: "[ * ] collecting test logs" | |
if: ${{ failure() }} | |
run: | | |
mkdir -p ${{ github.workspace }}/artifact/upload | |
sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ | |
cd examples/Docker | |
docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log | |
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data | |
- name: "[ * ] uploading artificates" | |
uses: actions/upload-artifact@v4 | |
if: ${{ failure() }} | |
with: | |
name: hooks_exception_handling-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz | |
path: ${{ github.workspace }}/artifact/upload/ | |
cleanup: | |
name: "cleanup" | |
runs-on: ubuntu-latest | |
needs: [hooks_tests, hooks_exception_handling] | |
strategy: | |
fail-fast: false | |
matrix: | |
websrv: ['apache2', 'nginx'] | |
dbhandler: ['wsgi', 'django'] | |
steps: | |
- uses: geekyeggo/delete-artifact@v5 | |
with: | |
name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz | |
rpm_build_and_upload: | |
name: "rpm_build_and_upload" | |
runs-on: ubuntu-latest | |
steps: | |
- name: "checkout GIT" | |
uses: actions/checkout@v4 | |
- name: "Build rpm package" | |
id: rpm_build | |
uses: ./.github/actions/rpm_build_upload | |
hooks_test_rpm: | |
name: "hooks_test_rpm" | |
runs-on: ubuntu-latest | |
needs: rpm_build_and_upload | |
strategy: | |
fail-fast: false | |
matrix: | |
rhversion: [8, 9] | |
steps: | |
- name: "checkout GIT" | |
uses: actions/checkout@v4 | |
- name: "Prepare Alma environment" | |
uses: ./.github/actions/rpm_prep | |
with: | |
GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} | |
GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} | |
RH_VERSION: ${{ matrix.rhversion }} | |
RPM_BUILD: false | |
- name: Download rpm package | |
uses: actions/download-artifact@v4 | |
with: | |
name: acme2certifier-${{ github.run_id }}.noarch.rpm | |
path: data/ | |
- name: "create letsencrypt and lego folder" | |
run: | | |
mkdir acme-sh | |
mkdir lego | |
- name: "prepare acme_srv.cfg with openssl_ca_handler" | |
run: | | |
sudo mkdir -p data/acme_ca/certs | |
sudo mkdir -p data/acme_ca/hooks | |
sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/ | |
sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/acme_srv.cfg | |
sudo chmod 777 data/acme_srv.cfg | |
sudo chmod -R 777 data/acme_ca/hooks | |
sudo echo -e "\n\n[Hooks]" >> data/acme_srv.cfg | |
sudo echo "hooks_file: /opt/acme2certifier/examples/hooks/cn_dump_hooks.py" >> data/acme_srv.cfg | |
sudo echo "save_path: /tmp/acme2certifier/acme_ca/hooks" >> data/acme_srv.cfg | |
sudo echo "$HOOKS_CHECKSUM" > data/acme_ca/hooks/checksums.sha256 | |
env: | |
HOOKS_CHECKSUM: ${{ secrets.HOOKS_CHECKSUM }} | |
- name: "[ RUN ] Execute install scipt" | |
run: | | |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh | |
- name: "Test http://acme-srv/directory is accessible" | |
run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory | |
- name: "[ REGISTER] certbot" | |
run: | | |
docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email | |
- name: "[ ENROLL ] HTTP-01 single domain certbot" | |
run: | | |
docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot | |
sudo openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem | |
- name: "prepare acme.sh container" | |
run: | | |
docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon | |
- name: "[ REGISTER] acme.sh" | |
run: | | |
docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug 3 | |
- name: "[ ENROLL] acme.sh" | |
run: | | |
docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure | |
openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
- name: "[ ENROLL ] lego" | |
run: | | |
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run | |
sudo openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt | |
- name: "[ CHECK ] compare checksums to validate hook file content" | |
working-directory: data/acme_ca/hooks | |
run: | | |
sha256sum -c checksums.sha256 | |
- name: "[ * ] collecting test logs" | |
if: ${{ failure() }} | |
run: | | |
mkdir -p ${{ github.workspace }}/artifact/upload | |
docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier | |
sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ | |
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ | |
sudo rm ${{ github.workspace }}/artifact/data/*.rpm | |
docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig | |
docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf | |
docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log | |
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh | |
- name: "[ * ] uploading artificates" | |
uses: actions/upload-artifact@v4 | |
if: ${{ failure() }} | |
with: | |
name: hooks-rpm-rh${{ matrix.rhversion }}.tar.gz | |
path: ${{ github.workspace }}/artifact/upload/ | |
hooks_exception_handling_rpm: | |
name: "hooks_exception_handling_rpm" | |
runs-on: ubuntu-latest | |
needs: rpm_build_and_upload | |
strategy: | |
fail-fast: false | |
matrix: | |
rhversion: [8, 9] | |
steps: | |
- name: "checkout GIT" | |
uses: actions/checkout@v4 | |
- name: "Prepare Alma environment" | |
uses: ./.github/actions/rpm_prep | |
with: | |
GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} | |
GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} | |
RH_VERSION: ${{ matrix.rhversion }} | |
RPM_BUILD: false | |
- name: Download rpm package | |
uses: actions/download-artifact@v4 | |
with: | |
name: acme2certifier-${{ github.run_id }}.noarch.rpm | |
path: data/ | |
- name: "create letsencrypt and lego folder" | |
run: | | |
mkdir acme-sh | |
mkdir lego | |
- name: "prepare acme_srv.cfg with openssl_ca_handler" | |
run: | | |
sudo mkdir -p data/acme_ca/certs | |
sudo mkdir -p data/acme_ca/hooks | |
sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/ | |
sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/acme_srv.cfg | |
sudo chmod 777 data/acme_srv.cfg | |
sudo chmod -R 777 data/acme_ca/hooks | |
sudo echo -e "\n\n[Hooks]" >> data/acme_srv.cfg | |
sudo echo "hooks_file: /opt/acme2certifier/examples/hooks/exception_test_hooks.py" >> data/acme_srv.cfg | |
sudo echo "raise_pre_hook_exception: False" >> data/acme_srv.cfg | |
sudo echo "raise_post_hook_exception: False" >> data/acme_srv.cfg | |
sudo echo "raise_success_hook_exception: False" >> data/acme_srv.cfg | |
env: | |
HOOKS_CHECKSUM: ${{ secrets.HOOKS_CHECKSUM }} | |
- name: "[ RUN ] Execute install scipt" | |
run: | | |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh | |
- name: "Test http://acme-srv/directory is accessible" | |
run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory | |
- name: "prepare acme.sh container" | |
run: | | |
docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon | |
- name: "[ REGISTER] acme.sh" | |
run: | | |
docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug 3 | |
- name: "[ ENROLL] acme.sh - *_pre_hook_failure not configured " | |
run: | | |
docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure | |
openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
- name: "[ PREPARE ] reconfigure hook handler to trigger pre hook exception " | |
run: | | |
sudo sed -i "s/raise_pre_hook_exception: False/raise_pre_hook_exception: True/g" data/acme_srv.cfg | |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart | |
- name: "[ FAIL ] acme.sh enrollment fails due to pre-hook exception (default behaviour)" | |
id: prehookfailure | |
continue-on-error: true | |
run: | | |
docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure | |
- name: "[ CHECK ] result - acme.sh enrollment failed due to pre-hook exception " | |
if: steps.prehookfailure.outcome != 'failure' | |
run: | | |
echo "prehookfailure outcome is ${{steps.prehookfailure.outcome }}" | |
exit 1 | |
- name: "[ PREPARE ] reconfigure a2c to ignore pre-hook failures " | |
run: | | |
sudo echo "ignore_pre_hook_failure: True" >> data/acme_srv.cfg | |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart | |
- name: "[ ENROLL] acme.sh - ignore pre_hook_failures " | |
run: | | |
docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure | |
openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
- name: "[ PREPARE ] reconfigure hook handler to trigger success hook exception " | |
run: | | |
sudo sed -i "s/raise_pre_hook_exception: True/raise_pre_hook_exception: False/g" data/acme_srv.cfg | |
sudo sed -i "s/raise_success_hook_exception: False/raise_success_hook_exception: True/g" data/acme_srv.cfg | |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart | |
- name: "[ FAIL ] acme.sh enrollment fails due to success-hook exception (default behaviour) " | |
id: successhookfailure | |
continue-on-error: true | |
run: | | |
docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure | |
- name: "[ CHECK ] result - acme.sh enrollment failed due to success-hook exception " | |
if: steps.successhookfailure.outcome != 'failure' | |
run: | | |
echo "successhookfailure outcome is ${{steps.successhookfailure.outcome }}" | |
exit 1 | |
- name: "[ PREPARE ] reconfigure a2c to ignore success-hook failures " | |
run: | | |
sudo sed -i "s/ignore_pre_hook_failure: True/ignore_success_hook_failure: True/g" data/acme_srv.cfg | |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart | |
- name: "[ ENROLL] acme.sh - ignore sucess_hook_failures " | |
run: | | |
docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure | |
openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
- name: "[ PREPARE ] reconfigure hook handler to trigger post hook exception " | |
run: | | |
sudo sed -i "s/raise_success_hook_exception: True/raise_success_hook_exception: False/g" data/acme_srv.cfg | |
sudo sed -i "s/raise_post_hook_exception: False/raise_post_hook_exception: True/g" data/acme_srv.cfg | |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart | |
- name: "[ ENROLL] acme.sh - ignore post_hook_failures (default behaviour) " | |
run: | | |
docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure | |
openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
- name: "[ PREPARE ] reconfigure a2c to detect success-hook failures " | |
run: | | |
sudo sed -i "s/ignore_success_hook_failure: True/ignore_post_hook_failure: False/g" data/acme_srv.cfg | |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart | |
- name: "[ FAIL ] acme.sh enrollment fails due to post-hook exception " | |
id: posthookfailure | |
continue-on-error: true | |
run: | | |
docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure | |
- name: "[ CHECK ] result - acme.sh enrollment failed due to post-hook exception " | |
if: steps.posthookfailure.outcome != 'failure' | |
run: | | |
echo "posthookfailure outcome is ${{steps.posthookfailure.outcome }}" | |
exit 1 | |
- name: "[ * ] collecting test logs" | |
if: ${{ failure() }} | |
run: | | |
mkdir -p ${{ github.workspace }}/artifact/upload | |
docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier | |
sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ | |
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ | |
sudo rm ${{ github.workspace }}/artifact/data/*.rpm | |
docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig | |
docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf | |
docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log | |
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh | |
- name: "[ * ] uploading artificates" | |
uses: actions/upload-artifact@v4 | |
if: ${{ failure() }} | |
with: | |
name: hooks-rpm-rh${{ matrix.rhversion }}.tar.gz | |
path: ${{ github.workspace }}/artifact/upload/ |