Skip to content

[wf] sleep in asa-handler workflow to avoid testing starts to early #736

[wf] sleep in asa-handler workflow to avoid testing starts to early

[wf] sleep in asa-handler workflow to avoid testing starts to early #736

name: CA handler tests - OpenXPKI handler
on:
push:
pull_request:
branches: [ devel ]
schedule:
# * is a special character in YAML so you have to quote the string
- cron: '0 2 * * 6'
jobs:
ejb_ca_tests:
name: "openxpki_hander_handler_tests docker image"
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
websrv: ['apache2', 'nginx']
dbhandler: ['wsgi', 'django']
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "Get runner ip"
run: |
echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
- run: echo "runner IP is ${{ env.RUNNER_IP }}"
- name: "Instanciate OpenXPKI server"
uses: ./.github/actions/wf_specific/openxpki_ca_handler/openxpki_prep
with:
RUNNER_IP: ${{ env.RUNNER_IP }}
WORKING_DIR: ${{ github.workspace }}/examples/Docker
- name: "Build container"
uses: ./.github/actions/container_prep
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
- name: "Setup a2c with est_ca_handler"
run: |
sudo touch examples/Docker/data/acme_srv.cfg
sudo chmod 777 examples/Docker/data/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
sudo echo "handler_file: examples/ca_handler/est_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "est_host: https://openxpki:8443" >> examples/Docker/data/acme_srv.cfg
# sudo echo "est_host: https://$OPENXPKI_IP:8443" >> examples/Docker/data/acme_srv.cfg
sudo echo "est_client_cert: volume/acme_ca/client_crt.pem" >> examples/Docker/data/acme_srv.cfg
sudo echo "est_client_key: volume/acme_ca/client_key.pem" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_bundle: volume/acme_ca/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg
cd examples/Docker/
docker-compose restart
env:
OPENXPKI_IP: ${{ env.RUNNER_IP }}
- name: "Test enrollment"
uses: ./.github/actions/acme_clients
with:
REVOCATION: "false"
USE_CERTBOT: "false"
- name: "Delete acme-sh, letsencypt and lego folders"
run: |
sudo rm -rf lego/*
sudo rm -rf acme-sh/*
sudo rm -rf certbot/*
- name: "Setup a2c with est_ca_handler using pksc12"
run: |
sudo touch examples/Docker/data/acme_srv.cfg
sudo chmod 777 examples/Docker/data/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
sudo echo "handler_file: examples/ca_handler/est_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "est_host: https://openxpki:8443" >> examples/Docker/data/acme_srv.cfg
# sudo echo "est_host: https://$OPENXPKI_IP:8443" >> examples/Docker/data/acme_srv.cfg
sudo echo "est_client_cert: volume/acme_ca/client_crt.p12" >> examples/Docker/data/acme_srv.cfg
sudo echo "cert_passphrase: Test1234" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_bundle: volume/acme_ca/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg
cd examples/Docker/
docker-compose restart
env:
OPENXPKI_IP: ${{ env.RUNNER_IP }}
- name: "Test enrollment"
uses: ./.github/actions/acme_clients
with:
REVOCATION: "false"
USE_CERTBOT: "false"
- name: "Delete acme-sh, letsencypt and lego folders"
run: |
sudo rm -rf lego/*
sudo rm -rf acme-sh/*
sudo rm -rf certbot/*
- name: "Setup a2c with openxpki_ca_handler"
run: |
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
sudo echo "handler_file: examples/ca_handler/openxpki_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "host: https://openxpki:8443" >> examples/Docker/data/acme_srv.cfg
# sudo echo "host: https://$OPENXPKI_IP:8443" >> examples/Docker/data/acme_srv.cfg
sudo echo "client_cert: volume/acme_ca/client_crt.pem" >> examples/Docker/data/acme_srv.cfg
sudo echo "client_key: volume/acme_ca/client_key.pem" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_bundle: volume/acme_ca/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg
sudo echo "cert_profile_name: tls-server" >> examples/Docker/data/acme_srv.cfg
sudo echo "endpoint_name: enroll" >> examples/Docker/data/acme_srv.cfg
sudo echo "polling_timeout: 60" >> examples/Docker/data/acme_srv.cfg
sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> examples/Docker/data/acme_srv.cfg
cd examples/Docker/
docker-compose restart
env:
OPENXPKI_IP: ${{ env.RUNNER_IP }}
- name: "Test enrollment"
uses: ./.github/actions/acme_clients
with:
TEST_ADL: "true"
- name: "Verify allowed_domainlist error"
run: |
cd examples/Docker
docker-compose logs | grep "allowed_domainlist" | grep -i "either CN or SANs are not allowed by configuration"
- name: "Delete acme-sh, letsencypt and lego folders"
run: |
sudo rm -rf lego/*
sudo rm -rf acme-sh/*
sudo rm -rf certbot/*
- name: "Reconfigure a2c (pkcs12 support)"
run: |
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
sudo echo "handler_file: examples/ca_handler/openxpki_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "host: https://openxpki:8443" >> examples/Docker/data/acme_srv.cfg
# sudo echo "host: https://$OPENXPKI_IP:8443" >> examples/Docker/data/acme_srv.cfg
sudo echo "client_cert: volume/acme_ca/client_crt.p12" >> examples/Docker/data/acme_srv.cfg
sudo echo "cert_passphrase: Test1234" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_bundle: volume/acme_ca/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg
sudo echo "cert_profile_name: tls-server" >> examples/Docker/data/acme_srv.cfg
sudo echo "endpoint_name: enroll" >> examples/Docker/data/acme_srv.cfg
sudo echo "polling_timeout: 60" >> examples/Docker/data/acme_srv.cfg
sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> examples/Docker/data/acme_srv.cfg
cd examples/Docker/
docker-compose restart
env:
OPENXPKI_IP: ${{ env.RUNNER_IP }}
- name: "Test enrollment"
uses: ./.github/actions/acme_clients
with:
TEST_ADL: "true"
- name: "Verify allowed_domainlist error"
run: |
cd examples/Docker
docker-compose logs | grep "allowed_domainlist" | grep -i "either CN or SANs are not allowed by configuration"
- name: "[ * ] collecting test logs"
if: ${{ failure() }}
run: |
mkdir -p ${{ github.workspace }}/artifact/upload
sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/
sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
docker logs openxpki-docker_openxpki-server_1 > ${{ github.workspace }}/artifact/openxpki.log
cd examples/Docker
docker-compose logs > ${{ github.workspace }}/artifact/a2c.log
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz openxpki.log a2c.log data acme-sh certbot lego
- name: "[ * ] uploading artificates"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: openxpki-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz.tar.gz
path: ${{ github.workspace }}/artifact/upload/
openxpki_ca_handler_tests_rpm:
name: " openxpki_ca_handler_tests_rpm"
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
rhversion: [8, 9]
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "Get runner ip"
run: |
echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
- run: echo "runner IP is ${{ env.RUNNER_IP }}"
- name: "Instanciate OpenXPKI server"
uses: ./.github/actions/wf_specific/openxpki_ca_handler/openxpki_prep
with:
RUNNER_IP: ${{ env.RUNNER_IP }}
WORKING_DIR: ${{ github.workspace }}
- name: "Prepare Alma environment"
uses: ./.github/actions/rpm_prep
with:
GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
RH_VERSION: ${{ matrix.rhversion }}
- name: "Setup a2c with est_ca_handler"
run: |
sudo touch data/acme_srv.cfg
sudo chmod 777 data/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/est_ca_handler.py" >> data/acme_srv.cfg
sudo echo "est_host: https://openxpki:8443" >> data/acme_srv.cfg
# sudo echo "est_host: https://$OPENXPKI_IP:8443" >> data/acme_srv.cfg
sudo echo "est_client_cert: /opt/acme2certifier/volume/acme_ca/client_crt.pem" >> data/acme_srv.cfg
sudo echo "est_client_key: /opt/acme2certifier/volume/acme_ca/client_key.pem" >> data/acme_srv.cfg
sudo echo "ca_bundle: /opt/acme2certifier/volume/acme_ca/ca_bundle.pem" >> data/acme_srv.cfg
env:
OPENXPKI_IP: ${{ env.RUNNER_IP }}
- name: "Execute install scipt"
run: |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
- name: "Test enrollment"
uses: ./.github/actions/acme_clients
with:
REVOCATION: "false"
USE_CERTBOT: "false"
- name: "Delete acme-sh, letsencypt and lego folders"
run: |
sudo rm -rf certbot/*
sudo rm -rf lego/*
sudo rm -rf acme-sh/*
- name: "Setup a2c with est_ca_handler (pkcs12)"
run: |
sudo touch data/acme_srv.cfg
sudo chmod 777 data/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/est_ca_handler.py" >> data/acme_srv.cfg
sudo echo "est_host: https://openxpki:8443" >> data/acme_srv.cfg
sudo echo "est_client_cert: /opt/acme2certifier/volume/acme_ca/client_crt.p12" >> data/acme_srv.cfg
sudo echo "cert_passphrase: Test1234" >> data/acme_srv.cfg
sudo echo "ca_bundle: /opt/acme2certifier/volume/acme_ca/ca_bundle.pem" >> data/acme_srv.cfg
env:
OPENXPKI_IP: ${{ env.RUNNER_IP }}
- name: "Reconfigure a2c"
run: |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
- name: "Execute install scipt"
run: |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
- name: "Test enrollment"
uses: ./.github/actions/acme_clients
with:
REVOCATION: "false"
USE_CERTBOT: "false"
- name: "Delete acme-sh, letsencypt and lego folders"
run: |
sudo rm -rf certbot/*
sudo rm -rf lego/*
sudo rm -rf acme-sh/*
- name: "Setup a2c with openxpki_ca_handler"
run: |
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/openxpki_ca_handler.py" >> data/acme_srv.cfg
sudo echo "host: https://openxpki:8443" >> data/acme_srv.cfg
# sudo echo "host: https://$OPENXPKI_IP:8443" >> data/acme_srv.cfg
sudo echo "client_cert: /opt/acme2certifier/volume/acme_ca/client_crt.pem" >> data/acme_srv.cfg
sudo echo "client_key: /opt/acme2certifier/volume/acme_ca/client_key.pem" >> data/acme_srv.cfg
sudo echo "ca_bundle: /opt/acme2certifier/volume/acme_ca/ca_bundle.pem" >> data/acme_srv.cfg
sudo echo "cert_profile_name: tls-server" >> data/acme_srv.cfg
sudo echo "endpoint_name: enroll" >> data/acme_srv.cfg
sudo echo "polling_timeout: 60" >> data/acme_srv.cfg
sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> data/acme_srv.cfg
env:
OPENXPKI_IP: ${{ env.RUNNER_IP }}
- name: "Reconfigure a2c "
run: |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
- name: "Test enrollment"
uses: ./.github/actions/acme_clients
with:
TEST_ADL: "true"
- name: "Verify allowed_domainlist error"
run: |
docker exec acme-srv grep -i "either CN or SANs are not allowed by configuration" /var/log/messages
- name: "Delete acme-sh, letsencypt and lego folders"
run: |
sudo rm -rf certbot/*
sudo rm -rf lego/*
sudo rm -rf acme-sh/*
- name: "Reconfigure a2c (pkcs12 support)"
run: |
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/openxpki_ca_handler.py" >> data/acme_srv.cfg
sudo echo "host: https://openxpki:8443" >> data/acme_srv.cfg
# sudo echo "host: https://$OPENXPKI_IP:8443" >> data/acme_srv.cfg
sudo echo "client_cert: /opt/acme2certifier/volume/acme_ca/client_crt.p12" >> data/acme_srv.cfg
sudo echo "cert_passphrase: Test1234" >> data/acme_srv.cfg
sudo echo "ca_bundle: /opt/acme2certifier/volume/acme_ca/ca_bundle.pem" >> data/acme_srv.cfg
sudo echo "cert_profile_name: tls-server" >> data/acme_srv.cfg
sudo echo "endpoint_name: enroll" >> data/acme_srv.cfg
sudo echo "polling_timeout: 60" >> data/acme_srv.cfg
sudo echo "allowed_domainlist: [\"bar.local\", \"*.acme\"]" >> data/acme_srv.cfg
env:
OPENXPKI_IP: ${{ env.RUNNER_IP }}
- name: "Reconfigure a2c "
run: |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
- name: "Test enrollment"
uses: ./.github/actions/acme_clients
with:
TEST_ADL: "true"
- name: "Verify allowed_domainlist error"
run: |
docker exec acme-srv grep -i "either CN or SANs are not allowed by configuration" /var/log/messages
- name: "Delete acme-sh, letsencypt and lego folders"
run: |
sudo rm -rf certbot/*
sudo rm -rf lego/*
sudo rm -rf acme-sh/*
- name: "[ * ] collecting test logs"
if: ${{ failure() }}
run: |
mkdir -p ${{ github.workspace }}/artifact/upload
docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
docker logs openxpki-docker_openxpki-server_1 > ${{ github.workspace }}/artifact/openxpki_server.log
docker logs openxpki-docker_openxpki-client_1 > ${{ github.workspace }}/artifact/openxpki_client.log
sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
sudo rm ${{ github.workspace }}/artifact/data/*.rpm
docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
docker exec acme-srv rpm -qa > ${{ github.workspace }}/artifact/data/packages.txt
docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data openxpki_server.log openxpki_client.log acme-srv.log acme-sh
- name: "[ * ] uploading artificates"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: openxpki_rpm-rh${{ matrix.rhversion }}.tar.gz
path: ${{ github.workspace }}/artifact/upload/