diff --git a/.github/acme2certifier_cabundle.pem b/.github/acme2certifier_cabundle.pem index 0bb947d9..45f865f4 100644 --- a/.github/acme2certifier_cabundle.pem +++ b/.github/acme2certifier_cabundle.pem @@ -60,4 +60,5 @@ G8vEvt2p7QrjeZ3EAatx5JuYty/NKTHZwJWk51CgzEgzDwzE2JIiqeldtL5d0Sl6 eVuv0G04BEyuXxEWpgVVzBS4qEFIBSnTJzgu1PXmId3yLvg2Nr8NKvwyZmN5xKFp 0A9BWo15zW1PXDaD+l39oTYD7agjXkzTAjYIcfNJ7ATIYFD0xAvNAOf70s7aNupF fvkG2Q== ------END CERTIFICATE----- \ No newline at end of file +-----END CERTIFICATE----- + diff --git a/.github/actions/acme_clients/action.yml b/.github/actions/acme_clients/action.yml new file mode 100644 index 00000000..1784faec --- /dev/null +++ b/.github/actions/acme_clients/action.yml 
@@ -0,0 +1,451 @@ +name: "acme_clients" +description: "Test if acme.sh, certbot and lego can enroll, renew and certificates" +inputs: + ACME_SERVER: + description: "ACME server URL" + required: true + default: "acme-srv" + REVOCATION: + description: "Revocation method" + required: true + default: "true" + RENEWAL: + description: "Renewal method" + required: true + default: "true" + VERIFY_CERT: + description: "Verify certificate" + required: true + default: "true" + USE_CERTBOT: + description: "Use certbot" + required: true + default: "true" + USE_RSA: + description: "Use RSA" + required: true + default: "false" + HTTP_PORT: + description: "HTTP port" + required: true + default: "80" + HTTPS_PORT: + description: "HTTPS port" + required: true + default: "443" + HOSTNAME_SUFFIX: + description: "Hostname suffix" + required: true + NAME_SPACE: + description: "Namespace" + required: true + default: "acme" + +runs: + using: "composite" + steps: + + - name: "Create directories" + run: | + mkdir -p acme-sh/ + sudo mkdir -p certbot/ + sudo mkdir -p lego/ca + sudo cp .github/acme2certifier_cabundle.pem certbot/ + sudo cp .github/acme2certifier_cabundle.pem lego/ + if [ -f cert-2.pem ]; then + echo "delete cert-2.pem" + rm -f cert-2.pem + fi + if [ -f cert-1.pem ]; then + echo "delete cert-1.pem" + rm -f cert-1.pem + fi + ls -la + shell: bash + + - name: "Sleep for 5s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 5s + + - name: "Test if http://acme-srv/directory is accessible" + run: docker run -i --rm --network $NAME_SPACE curlimages/curl -f http://$ACME_SERVER:$HTTP_PORT/directory + shell: bash + env: + ACME_SERVER: ${{ inputs.ACME_SERVER }} + HTTP_PORT: ${{ inputs.HTTP_PORT }} + HTTPS_PORT: ${{ inputs.HTTPS_PORT }} + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "Test if https://acme-srv/directory is accessible" + run: docker run -i --rm --network $NAME_SPACE curlimages/curl --insecure -f https://$ACME_SERVER:$HTTPS_PORT/directory + shell: bash + env: + 
ACME_SERVER: ${{ inputs.ACME_SERVER }} + HTTP_PORT: ${{ inputs.HTTP_PORT }} + HTTPS_PORT: ${{ inputs.HTTPS_PORT }} + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "HTTPS - Enroll lego" + run: | + echo "##### HTTPS - Enroll lego #####" + if [ "$USE_RSA" == "false" ]; then + echo "use ECC" + docker run -i --rm -e LEGO_CA_CERTIFICATES=.lego/acme2certifier_cabundle.pem -v $PWD/lego:/.lego/ --name lego$HOSTNAME_SUFFIX --network $NAME_SPACE goacme/lego -s http://$ACME_SERVER:$HTTP_PORT -a --email "lego@example.com" -d lego$HOSTNAME_SUFFIX.$NAME_SPACE --tls run + else + echo "use RSA" + docker run -i --rm -e LEGO_CA_CERTIFICATES=.lego/acme2certifier_cabundle.pem -v $PWD/lego:/.lego/ --name lego$HOSTNAME_SUFFIX --network $NAME_SPACE goacme/lego -s http://$ACME_SERVER:$HTTP_PORT -a --email "lego@example.com" --key-type=rsa2048 -d lego$HOSTNAME_SUFFIX.$NAME_SPACE --tls run + fi + shell: bash + env: + ACME_SERVER: ${{ inputs.ACME_SERVER }} + HTTP_PORT: ${{ inputs.HTTP_PORT }} + HTTPS_PORT: ${{ inputs.HTTPS_PORT }} + USE_RSA: ${{ inputs.USE_RSA }} + HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }} + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "HTTPS - Enroll acme.sh" + run: | + echo "##### HTTPS - Enroll acme.sh #####" + if [ "$USE_RSA" == "false" ]; then + echo "use ECC" + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network $NAME_SPACE --name acme-sh$HOSTNAME_SUFFIX neilpang/acme.sh:latest --issue --server https://$ACME_SERVER:$HTTPS_PORT --accountemail 'acme-sh@example.com' -d acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE --alpn --standalone --debug 1 --output-insecure --insecure + ECC="_ecc" + else + echo "use RSA" + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network $NAME_SPACE --name acme-sh$HOSTNAME_SUFFIX neilpang/acme.sh:latest --issue --server https://$ACME_SERVER:$HTTPS_PORT --accountemail 'acme-sh@example.com' -d acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE --alpn --standalone --keylength 2048 --debug 1 --output-insecure --insecure + fi + + awk 'BEGIN {c=0;} /BEGIN 
CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE${ECC}/ca.cer + if [ "$VERIFY_CERT" == "true" ]; then + if [ -f cert-2.pem ]; then + echo "Multiple CA certs" + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE${ECC}/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE.cer + else + echo "Single Root ca" + openssl verify -CAfile cert-1.pem acme-sh/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE${ECC}/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE.cer + fi + fi + shell: bash + env: + VERIFY_CERT: ${{ inputs.VERIFY_CERT }} + ACME_SERVER: ${{ inputs.ACME_SERVER }} + HTTP_PORT: ${{ inputs.HTTP_PORT }} + HTTPS_PORT: ${{ inputs.HTTPS_PORT }} + USE_RSA: ${{ inputs.USE_RSA }} + HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }} + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "HTTPS - Renew acme.sh" + if: ${{ inputs.RENEWAL == 'true' }} + run: | + echo "##### HTTPS - Renew acme.sh #####" + if [ "$USE_RSA" == "false" ]; then + echo "use ECC" + ECC="_ecc" + else + echo "use RSA" + fi + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network $NAME_SPACE --name acme-sh$HOSTNAME_SUFFIX neilpang/acme.sh:latest --renew --server https://$ACME_SERVER:$HTTPS_PORT --force --accountemail 'acme-sh@example.com' -d acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE --alpn --standalone --debug 1 --output-insecure --insecure + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE${ECC}/ca.cer + if [ "$VERIFY_CERT" == "true" ]; then + if [ -f cert-2.pem ]; then + echo "Multiple CA certs" + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE${ECC}/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE.cer + else + echo "Single Root ca" + openssl verify -CAfile cert-1.pem acme-sh/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE${ECC}/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE.cer + fi + fi + shell: bash + env: + VERIFY_CERT: ${{ inputs.VERIFY_CERT }} + ACME_SERVER: ${{ inputs.ACME_SERVER }} + 
HTTP_PORT: ${{ inputs.HTTP_PORT }} + HTTPS_PORT: ${{ inputs.HTTPS_PORT }} + USE_RSA: ${{ inputs.USE_RSA }} + HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }} + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "HTTPS - Revoke HTTP-01 single domain acme.sh" + if: ${{ inputs.REVOCATION == 'true' }} + run: | + echo "##### HTTPS - Revoke HTTP-01 single domain acme.sh #####" + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --name acme-sh$HOSTNAME_SUFFIX --network $NAME_SPACE neilpang/acme.sh:latest --revoke --server https://$ACME_SERVER:$HTTPS_PORT --revoke -d acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE --standalone --debug 2 --output-insecure --insecure + shell: bash + env: + ACME_SERVER: ${{ inputs.ACME_SERVER }} + HTTP_PORT: ${{ inputs.HTTP_PORT }} + HTTPS_PORT: ${{ inputs.HTTPS_PORT }} + HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }} + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "HTTPS - Decativate acme.sh #####" + run: | + echo "##### HTTPS - Decativate acme.sh" + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --name acme-sh$HOSTNAME_SUFFIX --network $NAME_SPACE neilpang/acme.sh:latest --deactivate-account --server https://$ACME_SERVER:$HTTPS_PORT --debug 2 --output-insecure --insecure + shell: bash + env: + ACME_SERVER: ${{ inputs.ACME_SERVER }} + HTTP_PORT: ${{ inputs.HTTP_PORT }} + HTTPS_PORT: ${{ inputs.HTTPS_PORT }} + HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }} + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "HTTP - Enroll acme.sh" + run: | + echo "##### HTTP - Enroll acme.sh #####" + sudo rm -rf acme-sh/* + if [ "$USE_RSA" == "false" ]; then + echo "use ECC" + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network $NAME_SPACE --name acme-sh$HOSTNAME_SUFFIX neilpang/acme.sh:latest --issue --server http://$ACME_SERVER:$HTTP_PORT --accountemail 'acme-sh@example.com' -d acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE --standalone --debug 1 --output-insecure --insecure + ECC="_ecc" + else + echo "use RSA" + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network 
$NAME_SPACE --name acme-sh$HOSTNAME_SUFFIX neilpang/acme.sh:latest --issue --server http://$ACME_SERVER:$HTTP_PORT --accountemail 'acme-sh@example.com' -d acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE --standalone --keylength 2048 --debug 1 --output-insecure --insecure + fi + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE${ECC}/ca.cer + if [ "$VERIFY_CERT" == "true" ]; then + if [ -f cert-2.pem ]; then + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE${ECC}/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE.cer + else + echo "single root ca" + openssl verify -CAfile cert-1.pem acme-sh/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE${ECC}/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE.cer + fi + fi + shell: bash + env: + VERIFY_CERT: ${{ inputs.VERIFY_CERT }} + ACME_SERVER: ${{ inputs.ACME_SERVER }} + HTTP_PORT: ${{ inputs.HTTP_PORT }} + HTTPS_PORT: ${{ inputs.HTTPS_PORT }} + USE_RSA: ${{ inputs.USE_RSA }} + HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }} + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "HTTP - Renew acme.sh" + if: ${{ inputs.RENEWAL == 'true' }} + run: | + echo "##### HTTP - Renew acme.sh #####" + if [ "$USE_RSA" == "false" ]; then + echo "use ECC" + ECC="_ecc" + else + echo "use RSA" + fi + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network $NAME_SPACE --name acme-sh$HOSTNAME_SUFFIX neilpang/acme.sh:latest --renew --server http://$ACME_SERVER:$HTTP_PORT --force --accountemail 'acme-sh@example.com' -d acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE --standalone --debug 1 --output-insecure --insecure + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE${ECC}/ca.cer + if [ "$VERIFY_CERT" == "true" ]; then + if [ -f cert-2.pem ]; then + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE${ECC}/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE.cer + else + echo "single root ca" + openssl verify 
-CAfile cert-1.pem acme-sh/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE${ECC}/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE.cer + fi + fi + shell: bash + env: + VERIFY_CERT: ${{ inputs.VERIFY_CERT }} + ACME_SERVER: ${{ inputs.ACME_SERVER }} + HTTP_PORT: ${{ inputs.HTTP_PORT }} + HTTPS_PORT: ${{ inputs.HTTPS_PORT }} + USE_RSA: ${{ inputs.USE_RSA }} + HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }} + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "HTTP - Revoke HTTP-01 single domain acme.sh" + if: ${{ inputs.REVOCATION == 'true' }} + run: | + echo "##### HTTP - Revoke HTTP-01 single domain acme.sh #####" + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --name acme-sh$HOSTNAME_SUFFIX --network $NAME_SPACE neilpang/acme.sh:latest --revoke --server http://$ACME_SERVER:$HTTP_PORT --revoke -d acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE --standalone --debug 2 --output-insecure --insecure + shell: bash + env: + ACME_SERVER: ${{ inputs.ACME_SERVER }} + HTTP_PORT: ${{ inputs.HTTP_PORT }} + HTTPS_PORT: ${{ inputs.HTTPS_PORT }} + HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }} + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "HTTP - Decativate acme.sh" + run: | + echo "##### HTTP - Decativate acme.sh #####" + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --name acme-sh$HOSTNAME_SUFFIX --network $NAME_SPACE neilpang/acme.sh:latest --deactivate-account --server http://$ACME_SERVER:$HTTP_PORT --debug 2 --output-insecure --insecure + shell: bash + env: + ACME_SERVER: ${{ inputs.ACME_SERVER }} + HTTP_PORT: ${{ inputs.HTTP_PORT }} + HTTPS_PORT: ${{ inputs.HTTPS_PORT }} + HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }} + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "HTTPS - Enroll certbot" + if: ${{ inputs.USE_CERTBOT == 'true' }} + run: | + echo "##### HTTPS - Enroll certbot #####" + if [ "$USE_RSA" == "false" ]; then + docker run -i --rm --name certbot$HOSTNAME_SUFFIX --network $NAME_SPACE -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server https://$ACME_SERVER:$HTTPS_PORT --standalone 
--preferred-challenges http --no-verify-ssl --agree-tos -m 'certbot@example.com' -d certbot$HOSTNAME_SUFFIX.$NAME_SPACE --cert-name certbot --issuance-timeout 120 + else + docker run -i --rm --name certbot$HOSTNAME_SUFFIX --network $NAME_SPACE -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server https://$ACME_SERVER:$HTTPS_PORT --standalone --preferred-challenges http --no-verify-ssl --agree-tos -m 'certbot@example.com' --key-type rsa -d certbot$HOSTNAME_SUFFIX.$NAME_SPACE --cert-name certbot --issuance-timeout 120 + fi + + if [ "$VERIFY_CERT" == "true" ]; then + if [ -f cert-2.pem ]; then + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem + else + echo "single root ca" + sudo openssl verify -CAfile cert-1.pem certbot/live/certbot/cert.pem + fi + fi + shell: bash + env: + VERIFY_CERT: ${{ inputs.VERIFY_CERT }} + ACME_SERVER: ${{ inputs.ACME_SERVER }} + HTTPS_PORT: ${{ inputs.HTTPS_PORT }} + USE_RSA: ${{ inputs.USE_RSA }} + HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }} + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "HTTPS - Revoke certbot" + if: ${{ (inputs.USE_CERTBOT == 'true') && (inputs.REVOCATION == 'true') }} + run: | + echo "##### HTTPS - Revoke certbot #####" + docker run -i --rm --name certbot$HOSTNAME_SUFFIX --network $NAME_SPACE -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --server https://$ACME_SERVER:$HTTPS_PORT --no-verify-ssl --delete-after-revoke --cert-name certbot + shell: bash + env: + ACME_SERVER: ${{ inputs.ACME_SERVER }} + HTTP_PORT: ${{ inputs.HTTP_PORT }} + HTTPS_PORT: ${{ inputs.HTTPS_PORT }} + HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }} + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "HTTP - Enroll certbot #####" + if: ${{ inputs.USE_CERTBOT == 'true' }} + run: | + echo "##### HTTP - Enroll certbot #####" + if [ "$USE_RSA" == "false" ]; then + docker run -i --rm --name certbot$HOSTNAME_SUFFIX --network $NAME_SPACE -v $PWD/certbot:/etc/letsencrypt/ 
certbot/certbot certonly --server http://$ACME_SERVER:$HTTP_PORT --standalone --preferred-challenges http --agree-tos -m 'certbot@example.com' -d certbot$HOSTNAME_SUFFIX.$NAME_SPACE --cert-name certbot --issuance-timeout 120 + else + docker run -i --rm --name certbot$HOSTNAME_SUFFIX --network $NAME_SPACE -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://$ACME_SERVER:$HTTP_PORT --standalone --preferred-challenges http --agree-tos -m 'certbot@example.com' --key-type rsa -d certbot$HOSTNAME_SUFFIX.$NAME_SPACE --cert-name certbot --issuance-timeout 120 + fi + + if [ "$VERIFY_CERT" == "true" ]; then + if [ -f cert-2.pem ]; then + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem + else + echo "single root ca" + sudo openssl verify -CAfile cert-1.pem certbot/live/certbot/cert.pem + fi + fi + shell: bash + env: + VERIFY_CERT: ${{ inputs.VERIFY_CERT }} + ACME_SERVER: ${{ inputs.ACME_SERVER }} + HTTP_PORT: ${{ inputs.HTTP_PORT }} + HTTPS_PORT: ${{ inputs.HTTPS_PORT }} + HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }} + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "HTTP - Revoke certbot" + if: ${{ (inputs.USE_CERTBOT == 'true') && (inputs.REVOCATION == 'true') }} + run: | + echo "##### HTTP - Revoke certbot #####" + docker run -i --rm --name certbot$HOSTNAME_SUFFIX --network $NAME_SPACE -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --server http://$ACME_SERVER:$HTTP_PORT --delete-after-revoke --cert-name certbot + shell: bash + env: + ACME_SERVER: ${{ inputs.ACME_SERVER }} + HTTP_PORT: ${{ inputs.HTTP_PORT }} + HTTPS_PORT: ${{ inputs.HTTPS_PORT }} + HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }} + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "HTTPS - Enroll lego" + run: | + echo "##### HTTPS - Enroll lego #####" + if [ "$USE_RSA" == "false" ]; then + echo "use ECC" + docker run -i --rm -e LEGO_CA_CERTIFICATES=.lego/acme2certifier_cabundle.pem -v $PWD/lego:/.lego/ --name lego$HOSTNAME_SUFFIX 
--network $NAME_SPACE goacme/lego -s http://$ACME_SERVER:$HTTP_PORT -a --email "lego@example.com" -d lego$HOSTNAME_SUFFIX.$NAME_SPACE --tls run + else + echo "use RSA" + docker run -i --rm -e LEGO_CA_CERTIFICATES=.lego/acme2certifier_cabundle.pem -v $PWD/lego:/.lego/ --name lego$HOSTNAME_SUFFIX --network $NAME_SPACE goacme/lego -s http://$ACME_SERVER:$HTTP_PORT -a --email "lego@example.com" --key-type=rsa2048 -d lego$HOSTNAME_SUFFIX.$NAME_SPACE --tls run + fi + + if [ "$VERIFY_CERT" == "true" ]; then + if [ -f cert-2.pem ]; then + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego$HOSTNAME_SUFFIX.$NAME_SPACE.crt + else + echo "single root ca" + sudo openssl verify -CAfile cert-1.pem lego/certificates/lego$HOSTNAME_SUFFIX.$NAME_SPACE.crt + fi + fi + shell: bash + env: + VERIFY_CERT: ${{ inputs.VERIFY_CERT }} + ACME_SERVER: ${{ inputs.ACME_SERVER }} + HTTP_PORT: ${{ inputs.HTTP_PORT }} + HTTPS_PORT: ${{ inputs.HTTPS_PORT }} + USE_RSA: ${{ inputs.USE_RSA }} + HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }} + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "HTTPS - Revoke lego" + if: ${{ inputs.REVOCATION == 'true' }} + run: | + echo "##### HTTPS - Revoke lego #####" + # docker run -i --rm -e LEGO_CA_CERTIFICATES=.lego/acme2certifier_cabundle.pem -v $PWD/lego:/.lego/ --name lego$HOSTNAME_SUFFIX --network $NAME_SPACE goacme/lego -s https://$ACME_SERVER:$HTTPS_PORT -a --email "lego@example.com" -d lego$HOSTNAME_SUFFIX.$NAME_SPACE revoke + shell: bash + env: + ACME_SERVER: ${{ inputs.ACME_SERVER }} + HTTP_PORT: ${{ inputs.HTTP_PORT }} + HTTPS_PORT: ${{ inputs.HTTPS_PORT }} + HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }} + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "HTTP - Enroll lego" + run: | + echo "##### HTTP - Enroll lego #####" + sudo rm -rf lego/* + if [ "$USE_RSA" == "false" ]; then + echo "use ECC" + docker run -i -v $PWD/lego:/.lego/ --rm --name lego$HOSTNAME_SUFFIX --network $NAME_SPACE goacme/lego -s 
http://$ACME_SERVER:$HTTP_PORT -a --email "lego@example.com" -d lego$HOSTNAME_SUFFIX.$NAME_SPACE --http run + else + echo "use RSA" + docker run -i -v $PWD/lego:/.lego/ --rm --name lego$HOSTNAME_SUFFIX --network $NAME_SPACE goacme/lego -s http://$ACME_SERVER:$HTTP_PORT -a --email "lego@example.com" --key-type=rsa2048 -d lego$HOSTNAME_SUFFIX.$NAME_SPACE --http run + fi + if [ "$VERIFY_CERT" == "true" ]; then + if [ -f cert-2.pem ]; then + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego$HOSTNAME_SUFFIX.$NAME_SPACE.crt + else + echo "single root ca" + sudo openssl verify -CAfile cert-1.pem lego/certificates/lego$HOSTNAME_SUFFIX.$NAME_SPACE.crt + fi + fi + shell: bash + env: + VERIFY_CERT: ${{ inputs.VERIFY_CERT }} + ACME_SERVER: ${{ inputs.ACME_SERVER }} + HTTP_PORT: ${{ inputs.HTTP_PORT }} + HTTPS_PORT: ${{ inputs.HTTPS_PORT }} + USE_RSA: ${{ inputs.USE_RSA }} + HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }} + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "HTTP - Revoke lego" + if: ${{ inputs.REVOCATION == 'true' }} + run: | + echo "#### HTTP - Revoke lego" + docker run -i -v $PWD/lego:/.lego/ --rm --name lego$HOSTNAME_SUFFIX --network $NAME_SPACE goacme/lego -s http://$ACME_SERVER:$HTTP_PORT -a --email "lego@example.com" -d lego$HOSTNAME_SUFFIX.$NAME_SPACE revoke + shell: bash + env: + ACME_SERVER: ${{ inputs.ACME_SERVER }} + HTTP_PORT: ${{ inputs.HTTP_PORT }} + HTTPS_PORT: ${{ inputs.HTTPS_PORT }} + HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }} + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "Delete acme-sh, letsencypt and lego folders" + run: | + sudo rm -rf lego/* + sudo rm -rf acme-sh/* + sudo rm -rf certbot/* + shell: bash \ No newline at end of file diff --git a/.github/actions/container_build/action.yml b/.github/actions/container_build/action.yml new file mode 100644 index 00000000..921ed6e2 --- /dev/null +++ b/.github/actions/container_build/action.yml 
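Review bot: The "HTTPS - Revoke lego" step runs only an `echo`, because its `docker run ... goacme/lego ... revoke` line is commented out, so with `REVOCATION` set to `true` the step passes without exercising revocation at all; either restore the command or guard the step with `if: false` and a comment stating why lego revocation over HTTPS is not tested. The "HTTPS - Enroll lego" step also appears twice (once directly after the directory checks without a verify block, and again before the revoke step with one), and the first copy looks redundant. On the HTTPS paths acme.sh runs with `--insecure` and certbot with `--no-verify-ssl`, so the server's TLS chain is never validated even though acme2certifier_cabundle.pem is copied into certbot/ and lego/ for exactly that purpose; if the HTTPS endpoint is meant to be tested properly, point the clients at the bundle (`--ca-bundle` for acme.sh, `REQUESTS_CA_BUNDLE` for certbot) instead of disabling verification. Minor: the acme.sh revoke commands pass `--revoke` twice, and the step names spell "Decativate".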
@@ -0,0 +1,31 @@ +name: "container_build" +description: "Build Container" +inputs: + DB_HANDLER: + description: "Database handler" + required: true + default: "wsgi" + WEB_SRV: + description: "Web server" + required: true + default: "apache2" + DOCKER_COMPOSE_FILE_PATH: + description: "Path to the docker-compose file" + required: false + default: "examples/Docker/" + +runs: + using: "composite" + steps: + - name: "Build docker-compose (${{ inputs.WEB_SRV }}_${{ inputs.DB_HANDLER }})" + working-directory: ${{ inputs.DOCKER_COMPOSE_FILE_PATH }} + run: | + sudo apt-get install -y docker-compose + sed -i "s/wsgi/$DB_HANDLER/g" .env + sed -i "s/apache2/$WEB_SRV/g" .env + # cat .env + docker-compose build + shell: bash + env: + WEB_SRV: ${{ inputs.WEB_SRV }} + DB_HANDLER: ${{ inputs.DB_HANDLER }} diff --git a/.github/actions/container_build_upload/action.yml b/.github/actions/container_build_upload/action.yml new file mode 100644 index 00000000..ea3c75d3 --- /dev/null +++ b/.github/actions/container_build_upload/action.yml 
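Review bot: The `sed -i "s/wsgi/$DB_HANDLER/g" .env` and `sed -i "s/apache2/$WEB_SRV/g" .env` substitutions are unanchored, so any other occurrence of `wsgi` or `apache2` in `.env` (an image name, a comment) is rewritten too; anchoring the pattern to the key that holds the value, or replacing the whole line, would keep the step safe against future `.env` changes. `sudo apt-get install -y docker-compose` runs without a preceding `apt-get update`, which can fail on a runner whose package index is stale. The same two `sed` lines are repeated in container_prep's "Prepare container environment file" step; a single shared script would keep them in sync.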
@@ -0,0 +1,37 @@ +name: "container_build_upload" +description: "Build and Upload Container" +inputs: + DB_HANDLER: + description: "Database handler" + required: true + default: "wsgi" + WEB_SRV: + description: "Web server" + required: true + default: "apache2" + +runs: + using: "composite" + steps: + - name: "Build container" + uses: ./.github/actions/container_build + with: + DB_HANDLER: ${{ inputs.DB_HANDLER }} + WEB_SRV: ${{ inputs.WEB_SRV }} + + - name: "Save container" + run: | + docker images + mkdir -p /tmp/a2c + docker save acme2certifier/$DB_HANDLER > /tmp/a2c/a2c-${{ github.run_id }}.$WEB_SRV.$DB_HANDLER.tar + gzip /tmp/a2c/a2c-${{ github.run_id }}.$WEB_SRV.$DB_HANDLER.tar + shell: bash + env: + DB_HANDLER: ${{ inputs.DB_HANDLER }} + WEB_SRV: ${{ inputs.WEB_SRV }} + + - name: "Upload container package" + uses: actions/upload-artifact@master + with: + name: a2c-${{ github.run_id }}.${{ inputs.WEB_SRV }}.${{ inputs.DB_HANDLER }}.tar.gz + path: /tmp/a2c diff --git a/.github/actions/container_check/action.yml b/.github/actions/container_check/action.yml new file mode 100644 index 00000000..4bc12b2e --- /dev/null +++ b/.github/actions/container_check/action.yml @@ -0,0 +1,32 @@ +name: "container_check" +description: "Check container configuration" +inputs: + DB_HANDLER: + description: "Database handler" + required: true + default: "wsgi" + WEB_SRV: + description: "Web server" + required: true + default: "apache2" + DOCKER_COMPOSE_FILE_PATH: + description: "Path to the docker-compose file" + required: false + default: "examples/Docker/" + +runs: + using: "composite" + steps: + - name: "Logs" + working-directory: ${{ inputs.DOCKER_COMPOSE_FILE_PATH }} + run: | + docker-compose logs | grep -i $WEB_SRV + if [ "$DB_HANDLER" == "django" ]; then + docker-compose logs | grep -i migrations + else + docker-compose logs | grep -i $DB_HANDLER + fi + env: + WEB_SRV: ${{ inputs.WEB_SRV }} + DB_HANDLER: ${{ inputs.DB_HANDLER }} + shell: bash \ No newline at end of file 
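Review bot: `uses: actions/upload-artifact@master` in the "Upload container package" step pins the action to a mutable branch, so the code this job executes can change underneath it and the job breaks outright if that branch disappears; deb_build_upload in this same commit already uses `actions/upload-artifact@v4`, so use `uses: actions/upload-artifact@v4` here as well (or a full commit SHA for a stricter supply-chain posture). The `docker save` and `gzip` lines interpolate `${{ github.run_id }}` directly into the script text; the value is numeric so this is harmless today, but passing it through `env:` like DB_HANDLER and WEB_SRV keeps the script free of expression interpolation.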
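Review bot: The "Logs" step is a positive-only check: `docker-compose logs | grep -i $WEB_SRV` and the handler grep pass as soon as the substring appears anywhere in the output, so a container that logged the handler name and then crashed still passes. Consider a negative check after the existing greps, such as `! docker-compose logs | grep -iE 'error|traceback'` (pattern to be tuned to what the a2c logs legitimately contain), and quote the variables (`grep -i "$WEB_SRV"`) so an empty or multi-word input produces a clear failure rather than a `grep` usage error. `docker-compose logs` is also invoked up to three times; capturing it once into a file would avoid the repetition.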
diff --git a/.github/actions/container_prep/action.yml b/.github/actions/container_prep/action.yml new file mode 100644 index 00000000..75a6f30a --- /dev/null +++ b/.github/actions/container_prep/action.yml 
@@ -0,0 +1,92 @@ +name: "container_prep" +description: "Prepare environment for container installation" +inputs: + DB_HANDLER: + description: "Database handler" + required: true + default: "wsgi" + WEB_SRV: + description: "Web server" + required: true + default: "apache2" + DJANGO_DB: + description: "Django database" + required: false + CONTAINER_BUILD: + description: "Build container" + required: true + default: "true" + NAME_SPACE: + description: "namespace" + required: true + default: "acme" + IPV6: + description: "IPv6" + required: true + default: "false" + +runs: + using: "composite" + steps: + - name: "Setup environment" + run: | + echo "IPv6 is $IPV6" + if [ "$IPV6" == "false" ]; then + echo "create v4 namespace" + docker network create $NAME_SPACE + else + echo "create v6 namespace" + docker network create $NAME_SPACE --ipv6 --subnet "fdbb:6445:65b4:0a60::/64" + fi + sudo mkdir -p examples/Docker/data + sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem + sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem + sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem + if [ -z "$DJANGO_DB" ]; then + sudo cp .github/django_settings.py examples/Docker/data/settings.py + else + sudo cp .github/django_settings_$DJANGO_DB.py examples/Docker/data/settings.py + fi + env: + DJANGO_DB: ${{ inputs.DJANGO_DB }} + NAME_SPACE: ${{ inputs.NAME_SPACE }} + IPV6: ${{ inputs.IPV6 }} + shell: bash + + - name: "Build docker-compose (${{ inputs.WEB_SRV }}_${{ inputs.DB_HANDLER }})" + if: inputs.CONTAINER_BUILD == 'true' + uses: ./.github/actions/container_build + with: + WEB_SRV: ${{ inputs.WEB_SRV }} + DB_HANDLER: ${{ inputs.DB_HANDLER }} + + - name: "Prepare container environment file (${{ inputs.WEB_SRV }}_${{ inputs.DB_HANDLER }})" + if: inputs.CONTAINER_BUILD != 'true' + working-directory: examples/Docker/ + run: | + sed -i "s/wsgi/$DB_HANDLER/g" .env + sed -i "s/apache2/$WEB_SRV/g" .env + env: 
+ WEB_SRV: ${{ inputs.WEB_SRV }} + DB_HANDLER: ${{ inputs.DB_HANDLER }} + shell: bash + + - name: "Spin-up a2c instance (${{ inputs.WEB_SRV }}_${{ inputs.DB_HANDLER }})" + if: inputs.CONTAINER_BUILD == 'true' + uses: ./.github/actions/container_up + with: + WEB_SRV: ${{ inputs.WEB_SRV }} + DB_HANDLER: ${{ inputs.DB_HANDLER }} + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "Instanciate Mariadb" + if: inputs.DJANGO_DB == 'mariadb' + uses: ./.github/actions/mariadb_prep + with: + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "Instanciate Postgres" + if: inputs.DJANGO_DB == 'psql' + uses: ./.github/actions/psql_prep + with: + NAME_SPACE: ${{ inputs.NAME_SPACE }} \ No newline at end of file diff --git a/.github/actions/container_up/action.yml b/.github/actions/container_up/action.yml new file mode 100644 index 00000000..8be2dc9f --- /dev/null +++ b/.github/actions/container_up/action.yml @@ -0,0 +1,31 @@ +name: "container_up" +description: "instanciate a2c container" +inputs: + DB_HANDLER: + description: "Database handler" + required: true + default: "wsgi" + WEB_SRV: + description: "Web server" + required: true + default: "apache2" + DOCKER_COMPOSE_FILE_PATH: + description: "Path to the docker-compose file" + required: false + default: "examples/Docker/" + NAME_SPACE: + description: "namespace" + required: true + default: "acme" + +runs: + using: "composite" + steps: + - name: "Spin-up a2c instance (${{ inputs.WEB_SRV }}_${{ inputs.DB_HANDLER }})" + working-directory: ${{ inputs.DOCKER_COMPOSE_FILE_PATH }} + run: | + sed -i "s/name: acme/name: $NAME_SPACE/g" docker-compose.yml + docker-compose up -d --no-build + env: + NAME_SPACE: ${{ inputs.NAME_SPACE }} + shell: bash \ No newline at end of file diff --git a/.github/actions/deb_build/action.yml b/.github/actions/deb_build/action.yml new file mode 100644 index 00000000..cb41df40 --- /dev/null +++ b/.github/actions/deb_build/action.yml 
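Review bot: When `CONTAINER_BUILD` is not `true` this action rewrites `.env` but never starts the container, because the "Spin-up a2c instance" step is guarded by `if: inputs.CONTAINER_BUILD == 'true'`; callers that load a prebuilt image presumably start it themselves, but neither the steps nor the `CONTAINER_BUILD` input description says so, e.g. `description: "Build container; when false the caller is expected to start the prebuilt container itself"`. The `.env` `sed` lines duplicate those in container_build, and the whole `docker network create` block, including the hard-coded `fdbb:6445:65b4:0a60::/64` subnet, is repeated in deb_prep; a shared action would keep them from drifting. `sudo cp .github/django_settings_$DJANGO_DB.py ...` builds a file path from an input without validating it; the value comes from the calling workflow so exposure is low, but an allow-list check against the values the later steps expect (`mariadb`, `psql`) would give a clear error instead of a `cp` failure.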
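Review bot: `sed -i "s/name: acme/name: $NAME_SPACE/g" docker-compose.yml` is unanchored, so it also rewrites any longer value beginning with `acme` (a `container_name: acme-srv` line, if one exists, would become `container_name: <NAME_SPACE>-srv`), and a `NAME_SPACE` containing `/` or `&` breaks the expression; anchoring to the end of the line, `sed -i "s/name: acme$/name: $NAME_SPACE/" docker-compose.yml`, avoids the first problem. If `name: acme` is the compose project name, `docker-compose -p "$NAME_SPACE" up -d --no-build` would avoid editing the file entirely. Whether docker-compose.yml contains such lines cannot be seen from this diff, so please check before relying on the current pattern.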
@@ -0,0 +1,72 @@ +name: "deb_build" +description: "Build deb package" +outputs: + deb_file_name: + description: "Name of the debian package file" + value: acme2certifier_${{ env.TAG_NAME }}-1_all.deb + +runs: + using: "composite" + steps: + + - name: Retrieve Version from version.py + run: | + echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV + shell: bash + + - run: echo "Latest tag is ${{ env.TAG_NAME }}" + shell: bash + + - name: "Install Firefox from Mozilla" + run: | + sudo apt-get update + sudo install -d -m 0755 /etc/apt/keyrings + wget -q https://packages.mozilla.org/apt/repo-signing-key.gpg -O- | sudo tee /etc/apt/keyrings/packages.mozilla.org.asc > /dev/null + echo "deb [signed-by=/etc/apt/keyrings/packages.mozilla.org.asc] https://packages.mozilla.org/apt mozilla main" | sudo tee -a /etc/apt/sources.list.d/mozilla.list > /dev/null + echo ' + Package: * + Pin: origin packages.mozilla.org + Pin-Priority: 1000 + ' | sudo tee /etc/apt/preferences.d/mozilla + sudo apt update && sudo apt install -y firefox --allow-downgrades + shell: bash + + - name: "Prepare environment to build deb package" + run: | + sudo apt-get update && sudo apt-get -y upgrade + sudo apt-get -y install build-essential fakeroot dpkg-dev devscripts debhelper --allow-downgrades + rm setup.py + rm -f examples/ngnix/acme2certifier.te + rm -f examples/nginx/supervisord.conf + rm -f examples/nginx/uwsgi.service + sed -i "s/run\/uwsgi\/acme.sock/var\/www\/acme2certifier\/acme.sock/g" examples/nginx/nginx_acme_srv.conf + sed -i "s/run\/uwsgi\/acme.sock/var\/www\/acme2certifier\/acme.sock/g" examples/nginx/nginx_acme_srv_ssl.conf + sed -i "s/\/run\/uwsgi\/acme.sock/acme.sock/g" examples/nginx/acme2certifier.ini + sed -i "s/nginx/www-data/g" examples/nginx/acme2certifier.ini + echo "plugins=python3" >> examples/nginx/acme2certifier.ini + cat < examples/nginx/acme2certifier.service + [Unit] + Description=uWSGI instance 
to serve acme2certifier + After=network.target + + [Service] + User=www-data + Group=www-data + WorkingDirectory=/var/www/acme2certifier + Environment="PATH=/var/www/acme2certifier" + ExecStart=uwsgi --ini /var/www/acme2certifier/acme2certifier.ini + + [Install] + WantedBy=multi-user.target + EOT + cp -R examples/install_scripts/debian ./ + sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" debian/changelog + cd ../ + tar cvfz ../acme2certifier_${{ env.TAG_NAME }}.orig.tar.gz ./ + shell: bash + + - name: "Build debian package" + run: | + dpkg-buildpackage -uc -us + dpkg -c ../acme2certifier_${{ env.TAG_NAME }}-1_all.deb + shell: bash diff --git a/.github/actions/deb_build_upload/action.yml b/.github/actions/deb_build_upload/action.yml new file mode 100644 index 00000000..5ffd4a7b --- /dev/null +++ b/.github/actions/deb_build_upload/action.yml @@ -0,0 +1,27 @@ +name: "rpm_build_upload" +description: "Build and Upload package" +outputs: + deb_file_name: + description: "Name of the RPM package file" + value: acme2certifier_${{ env.TAG_NAME }}-${{ github.run_id }}-1_all.deb + +runs: + using: "composite" + steps: + + - name: "Build deb package" + id: deb_build + uses: ./.github/actions/deb_build + + - name: "Rename deb package" + run: | + sudo mv ../acme2certifier_${{ env.TAG_NAME }}-1_all.deb ./acme2certifier_${{ env.TAG_NAME }}-${{ github.run_id }}-1_all.deb + shell: bash + + - name: "Upload deb package" + uses: actions/upload-artifact@v4 + with: + name: acme2certifier_${{ env.TAG_NAME }}-${{ github.run_id }}-1_all.deb + path: acme2certifier_${{ env.TAG_NAME }}-${{ github.run_id }}-1_all.deb + + diff --git a/.github/actions/deb_prep/action.yml b/.github/actions/deb_prep/action.yml new file mode 100644 index 00000000..e12aa39d --- /dev/null +++ b/.github/actions/deb_prep/action.yml 
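Review bot: `${{ env.TAG_NAME }}` is interpolated into the shell script text of the "Prepare environment to build deb package" and "Build debian package" steps (the `sed` on debian/changelog, the `tar` and `dpkg -c` lines) even though the first step already exports the value to the job environment; the GitHub-recommended form is `"$TAG_NAME"`, which keeps a version string containing shell metacharacters from being executed and sidesteps the `sed` delimiter clash when it contains `/`. The "Install Firefox from Mozilla" step adds a third-party apt source with `Pin-Priority: 1000` and `--allow-downgrades` inside a deb packaging action; if it only exists to get past the snap-based Firefox during `apt-get upgrade`, a comment saying so would save the next reader a detour, and the signing key fetched with `wget` should be checked against its published fingerprint rather than trusted as downloaded. `rm setup.py` without `-f` aborts the step if the file is already absent, unlike the `rm -f` lines right after it. As rendered here the service-file line reads `cat < examples/nginx/acme2certifier.service` followed by an `EOT` terminator; if the `<<EOT >` redirection was only lost in rendering this is fine, otherwise the unit file is never written and the `[Unit]` lines run as commands.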
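Review bot: The action is named `rpm_build_upload` and its output is described as "Name of the RPM package file", but everything else here builds and uploads a `.deb`; change to `name: "deb_build_upload"` and `description: "Name of the debian package file"` so the metadata matches the directory name and deb_build. The "Rename deb package" step interpolates `${{ env.TAG_NAME }}` into the shell line, the same point as in deb_build; `"$TAG_NAME"` is already available in the environment. The `id: deb_build` on the nested step is unused, since the output value is recomputed from `env.TAG_NAME` rather than read from `steps.deb_build.outputs.deb_file_name`.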
@@ -0,0 +1,85 @@ +name: "deb_prep" +description: "Prepare environment for deb installation" +inputs: + GH_SBOM_USER: + description: "GIT user for SBOM repo" + required: true + GH_SBOM_TOKEN: + description: "GIT token for SBOM repo" + required: true + DJANGO_DB: + description: "Django database" + DEB_BUILD: + description: "Build DEB" + required: true + default: "true" + NAME_SPACE: + description: "Name space" + required: true + default: "acme" + IPV6: + description: "IPv6" + required: true + default: "false" + +runs: + using: "composite" + steps: + + - name: "Build deb package" + if: inputs.DEB_BUILD == 'true' + id: deb_build + uses: ./.github/actions/deb_build + + - name: "Setup environment for ubuntu installation" + run: | + echo "IPv6 is $IPV6" + if [ "$IPV6" == "false" ]; then + echo "create v4 namespace" + docker network create $NAME_SPACE + else + echo "create v6 namespace" + docker network create $NAME_SPACE --ipv6 --subnet "fdbb:6445:65b4:0a60::/64" + fi + sudo mkdir -p data/volume/acme2certifier + sudo mkdir -p data/nginx + sudo chmod -R 777 data + sudo cp examples/Docker/ubuntu-systemd/deb_tester.sh data + sudo cp examples/Docker/ubuntu-systemd/django_tester.sh data + sudo cp .github/acme2certifier_cert.pem data/volume/acme2certifier_cert.pem + sudo cp .github/acme2certifier_key.pem data/volume/acme2certifier_key.pem + sudo cp .github/acme2certifier.pem data/volume/acme2certifier.pem + + if [ -z "$DJANGO_DB" ]; then + sudo cp .github/django_settings.py data/volume/acme2certifier/settings.py + else + sudo cp .github/django_settings_$DJANGO_DB.py data/volume/acme2certifier/settings.py + fi + env: + DJANGO_DB: ${{ inputs.DJANGO_DB }} + NAME_SPACE: ${{ inputs.NAME_SPACE }} + IPV6: ${{ inputs.IPV6 }} + shell: bash + + - name: "Instanciate Ubuntu 22.04" + run: | + docker run -d --name acme-srv --network $NAME_SPACE --privileged -v /sys/fs/cgroup:/sys/fs/cgroup:rw --cgroupns=host -v "$(pwd)/data":/tmp/acme2certifier jrei/systemd-ubuntu:22.04 + shell: bash + env: 
+ NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "Instanciate Mariadb" + if: inputs.DJANGO_DB == 'mariadb' + uses: ./.github/actions/mariadb_prep + with: + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "Instanciate Postgres" + if: inputs.DJANGO_DB == 'psql' + uses: ./.github/actions/psql_prep + with: + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + + + diff --git a/.github/actions/mariadb_prep/action.yml b/.github/actions/mariadb_prep/action.yml new file mode 100644 index 00000000..95cba61b --- /dev/null +++ b/.github/actions/mariadb_prep/action.yml @@ -0,0 +1,36 @@ +name: "maria_prep" +description: "bring up and configure mariadb instance" +inputs: + NAME_SPACE: + description: "Name space" + required: true + default: "acme" + +runs: + using: "composite" + steps: + - name: "Instanciate Mariadb" + run: | + # sudo mkdir -p data/mysql + docker run --name mariadbsrv --network acme -e MARIADB_ROOT_PASSWORD=foobar -d mariadb + shell: bash + env: + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "Sleep for 10s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 10s + + - name: "Configure mariadb" + working-directory: examples/Docker/ + run: | + docker exec mariadbsrv mariadb -u root --password=foobar -e"CREATE DATABASE acme2certifier CHARACTER SET UTF8;" + docker exec mariadbsrv mariadb -u root --password=foobar -e"GRANT ALL PRIVILEGES ON acme2certifier.* TO 'acme2certifier'@'%' IDENTIFIED BY '1mmSvDFl';" + docker exec mariadbsrv mariadb -u root --password=foobar -e"FLUSH PRIVILEGES;" + shell: bash + + - name: "Sleep for 5s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 5s \ No newline at end of file diff --git a/.github/actions/psql_prep/action.yml b/.github/actions/psql_prep/action.yml new file mode 100644 index 00000000..573cc29b --- /dev/null +++ b/.github/actions/psql_prep/action.yml 
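Review bot: `GH_SBOM_USER` and `GH_SBOM_TOKEN` are declared `required: true` but no step in this action reads them, so every caller is forced to hand a credential to an action that does nothing with it; either drop the two inputs or, if an SBOM-fetch step like the one in `rpm_prep` is intended here, add it now. The setup step also runs `sudo chmod -R 777 data` and then copies `acme2certifier_key.pem` into `data/volume`, so the server's private key sits in a world-writable directory that any process in the container can replace; a `sudo chmod 600 data/volume/acme2certifier_key.pem` after the copy keeps the test fixture honest. Since the container is started `--privileged` with the host cgroup filesystem mounted `rw`, a one-line comment stating that this is needed for systemd-in-docker on an ephemeral runner would help the next reader judge the risk.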
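Review bot: `NAME_SPACE` is passed in through `env:` but the `docker run` line hard-codes `--network acme`, so a caller that sets a different namespace (both `deb_prep` and `rpm_prep` forward theirs) gets a MariaDB container that `acme-srv` cannot reach; use `docker run --name mariadbsrv --network $NAME_SPACE -e MARIADB_ROOT_PASSWORD=foobar -d mariadb`. The root password `foobar` and the application password `1mmSvDFl` are fixed in the script and granted to `'acme2certifier'@'%'`; that is acceptable for a throwaway CI network, but a comment saying so would stop the pattern being copied, and the application password should come from an input or be generated per run if the action is reused. The fixed `Sleep for 10s` is a flaky stand-in for a readiness check; a bounded `until docker exec mariadbsrv mariadb-admin ping -u root --password=foobar --silent; do sleep 1; done` loop would be more reliable.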
@@ -0,0 +1,45 @@ +name: "psql_prep" +description: "bring up and configure psql instance" +inputs: + NAME_SPACE: + description: "Name space" + required: true + default: "acme" + +runs: + using: "composite" + steps: + + - name: "postgres environment" + run: | + sudo mkdir -p /tmp/data/pgsql + sudo cp .github/a2c.psql /tmp/data/pgsql/a2c.psql + sudo cp .github/pgpass /tmp//data/pgsql/pgpass + sudo chmod 600 /tmp/data/pgsql/pgpass + shell: bash + + - name: "Install postgres" + working-directory: /tmp + run: | + docker run --name postgresdbsrv --network $NAME_SPACE -e POSTGRES_PASSWORD=foobar -d postgres + shell: bash + env: + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "Sleep for 10s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 10s + + - name: "Configure postgres" + working-directory: /tmp + run: | + docker run -v "$(pwd)/data/pgsql/a2c.psql":/tmp/a2c.psql -v "$(pwd)/data/pgsql/pgpass:/root/.pgpass" --rm --network $NAME_SPACE postgres psql -U postgres -h postgresdbsrv -f /tmp/a2c.psql + shell: bash + env: + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "Sleep for 5s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 5s \ No newline at end of file diff --git a/.github/actions/rpm_build/action.yml b/.github/actions/rpm_build/action.yml new file mode 100644 index 00000000..05777323 --- /dev/null +++ b/.github/actions/rpm_build/action.yml 
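Review bot: The configure step runs `psql -U postgres -h postgresdbsrv -f /tmp/a2c.psql` without `-v ON_ERROR_STOP=1`, and psql exits 0 when a statement inside a script fails unless that variable is set, so a broken `a2c.psql` leaves the database half-configured while the step stays green; use `psql -v ON_ERROR_STOP=1 -U postgres -h postgresdbsrv -f /tmp/a2c.psql`. The password lives in two places — `POSTGRES_PASSWORD=foobar` on the server and, presumably, `.github/pgpass` mounted as `/root/.pgpass` — so a change to one silently breaks the other; a comment next to `-e POSTGRES_PASSWORD` pointing at `.github/pgpass` would help. `cp .github/pgpass /tmp//data/pgsql/pgpass` has a stray double slash; harmless, but worth tidying.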
@@ -0,0 +1,41 @@ +name: "rpm_build" +description: "Build RPM package" +outputs: + rpm_dir_path: + description: "Path to the directory containing the RPM package" + value: ${{ steps.rpm.outputs.rpm_dir_path }} + rpm_file_name: + description: "Name of the RPM package file" + value: acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm + +runs: + using: "composite" + steps: + + - name: "Retrieve Version from version.py" + run: | + echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV + shell: bash + + - run: echo "Latest tag is ${{ env.TAG_NAME }}" + shell: bash + + - name: "Update version number in spec file and path in nginx ssl config" + run: | + sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec + sudo sed -i "s/\/var\/www\/acme2certifier\/volume/\/etc\/nginx/g" examples/nginx/nginx_acme_srv_ssl.conf + git config --global user.email "grindelsack@gmail.com" + git config --global user.name "rpm update" + git add examples/nginx + git commit -a -m "rpm update" + shell: bash + + - name: "Build RPM package" + id: rpm + uses: grindsa/rpmbuild@alma9 + with: + spec_file: "examples/install_scripts/rpm/acme2certifier.spec" + + - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" + shell: bash + diff --git a/.github/actions/rpm_build_upload/action.yml b/.github/actions/rpm_build_upload/action.yml new file mode 100644 index 00000000..4fee394f --- /dev/null +++ b/.github/actions/rpm_build_upload/action.yml 
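Review bot: `uses: grindsa/rpmbuild@alma9` pins a third-party action to a mutable branch, so whoever can push to that branch can run arbitrary code in this job and alter the RPM it produces; pin it to a full commit SHA with the ref in a trailing comment (`uses: grindsa/rpmbuild@<sha>  # alma9`) and let Dependabot bump it. The step also commits the sed-edited spec and nginx config with `git commit -a` under a hard-coded personal e-mail; if the commit only exists so rpmbuild sees a clean tree, say so in a comment and use a neutral identity such as `github-actions[bot]` so nobody assumes it is pushed anywhere. `sudo sed -i` on files the runner user already owns does not need sudo.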
@@ -0,0 +1,26 @@ +name: "rpm_build_upload" +description: "Build and Upload package" +outputs: + rpm_file_name: + description: "Name of the RPM package file" + value: acme2certifier-${{ github.run_id }}.noarch.rpm + +runs: + using: "composite" + steps: + + - name: "Build rpm package" + id: rpm_build + uses: ./.github/actions/rpm_build + + - name: "Rename rpm package" + run: | + sudo mv ${{ steps.rpm_build.outputs.rpm_dir_path }}/noarch/acme2certifier-*.noarch.rpm ${{ steps.rpm_build.outputs.rpm_dir_path }}/noarch/acme2certifier-${{ github.run_id }}.noarch.rpm + shell: bash + + - name: "Upload RPM package" + uses: actions/upload-artifact@master + with: + name: acme2certifier-${{ github.run_id }}.noarch.rpm + path: ${{ steps.rpm_build.outputs.rpm_dir_path }}/noarch/ + diff --git a/.github/actions/rpm_prep/action.yml b/.github/actions/rpm_prep/action.yml new file mode 100644 index 00000000..2e9cd363 --- /dev/null +++ b/.github/actions/rpm_prep/action.yml 
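Review bot: `uses: actions/upload-artifact@master` tracks a moving branch in a publishing step, unlike the deb counterpart which uses `@v4`; `master` is not a release line, so the job can break or change behaviour without any change here, and a mutable ref is a supply-chain weakness. Change it to `uses: actions/upload-artifact@v4` (or a commit SHA) to match `deb_build_upload`. As in the deb variant, the `sudo mv` can be a plain `mv`.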
@@ -0,0 +1,109 @@ +name: "rpm_prep" +description: "Prepare environment for RPM installation" +inputs: + GH_SBOM_USER: + description: "GIT user for SBOM repo" + required: true + GH_SBOM_TOKEN: + description: "GIT token for SBOM repo" + required: true + RH_VERSION: + description: "RHEL version" + required: true + DJANGO_DB: + description: "Django database" + RPM_BUILD: + description: "Build RPM" + required: true + default: "true" + NAME_SPACE: + description: "Name space" + required: true + default: "acme" + IPV6: + description: "IPv6" + required: true + default: "false" + +runs: + using: "composite" + steps: + + - name: "Build rpm package" + if: inputs.RPM_BUILD == 'true' + id: rpm_build + uses: ./.github/actions/rpm_build + + - name: "Setup environment for alma installation" + run: | + echo "IPv6 is $IPV6" + if [ "$IPV6" == "false" ]; then + echo "create v4 namespace" + docker network create $NAME_SPACE + else + echo "create v6 namespace" + docker network create $NAME_SPACE --ipv6 --subnet "fdbb:6445:65b4:0a60::/64" + fi + sudo mkdir -p data/volume + sudo mkdir -p data/acme2certifier + sudo mkdir -p data/nginx + sudo chmod -R 777 data + sudo cp examples/Docker/almalinux-systemd/django_tester.sh data + sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data + sudo cp .github/acme2certifier_cert.pem data/nginx/acme2certifier_cert.pem + sudo cp .github/acme2certifier_key.pem data/nginx/acme2certifier_key.pem + if [ -f ${{ steps.rpm_build.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm ]; then + echo "RPM exists" + sudo cp ${{ steps.rpm_build.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data + else + echo "RPM does not exist" + fi + if [ -z "$DJANGO_DB" ]; then + sudo cp .github/django_settings.py data/acme2certifier/settings.py + else + sudo cp .github/django_settings_$DJANGO_DB.py data/acme2certifier/settings.py + fi + sudo sed -i "s/\/var\/www\//\/opt\//g" data/acme2certifier/settings.py + sudo 
sed -i "s/USE_I18N = True/USE_I18N = False/g" data/acme2certifier/settings.py + env: + DJANGO_DB: ${{ inputs.DJANGO_DB }} + NAME_SPACE: ${{ inputs.NAME_SPACE }} + IPV6: ${{ inputs.IPV6 }} + + shell: bash + + - run: echo "RH_VERSION is ${{ inputs.RH_VERSION }}" + shell: bash + + - name: "Retrieve rpms from SBOM repo" + run: | + git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom + cp /tmp/sbom/rpm-repo/RPMs/rhel$RH_VERSION/*.rpm data + env: + GH_SBOM_USER: ${{ inputs.GH_SBOM_USER }} + GH_SBOM_TOKEN: ${{ inputs.GH_SBOM_TOKEN }} + RH_VERSION: ${{ inputs.RH_VERSION }} + shell: bash + + - name: "Spin-up alma instance" + run: | + sudo cp examples/Docker/almalinux-systemd/Dockerfile data + sudo sed -i "s/FROM almalinux:9/FROM almalinux:$RH_VERSION/g" data/Dockerfile + cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache + docker run -d -id --privileged --network $NAME_SPACE -p 22280:80 --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd + env: + RH_VERSION: ${{ inputs.RH_VERSION }} + NAME_SPACE: ${{ inputs.NAME_SPACE }} + shell: bash + + - name: "Instanciate Mariadb" + if: inputs.DJANGO_DB == 'mariadb' + uses: ./.github/actions/mariadb_prep + with: + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "Instanciate Postgres" + if: inputs.DJANGO_DB == 'psql' + uses: ./.github/actions/psql_prep + with: + NAME_SPACE: ${{ inputs.NAME_SPACE }} \ No newline at end of file diff --git a/.github/actions/wf_specific/acme_ca_handler/enrollment_profiling/action.yml b/.github/actions/wf_specific/acme_ca_handler/enrollment_profiling/action.yml new file mode 100644 index 00000000..279d89f5 --- /dev/null +++ b/.github/actions/wf_specific/acme_ca_handler/enrollment_profiling/action.yml 
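Review bot: `git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom` embeds the token in the remote URL, so it is persisted in `/tmp/sbom/.git/config` on the runner and appears in any clone error output or `git remote -v` listing. Pass it out of band instead, e.g. `git -c http.extraheader="AUTHORIZATION: basic $(printf '%s:%s' "$GH_SBOM_USER" "$GH_SBOM_TOKEN" | base64 -w0)" clone https://github.com/$GH_SBOM_USER/sbom /tmp/sbom`, or use `actions/checkout` with `repository:` and `token:`. The RPMs copied from that repo into `data` are then installed in the container with no signature check visible here; if the repo is trusted by construction, a comment saying so belongs next to the `cp`. Also `${{ steps.rpm_build.outputs.rpm_dir_path }}noarch/` concatenates without a `/`, so unless `rpm_dir_path` always ends with a slash the `-f` test prints "RPM does not exist" and the run silently continues with whatever is already in `data`.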
@@ -0,0 +1,150 @@ +name: "enrollment_profiling" +description: "le-enrollment_profiling" + +runs: + using: "composite" + steps: + + - name: "Sleep for 10s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 10s + + - name: "Test http://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + shell: bash + + - name: "EAB - 01 - Enroll acme.sh without acme_url" + run: | + sudo rm -rf acme-sh/* + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -issuer --noout | grep -i root-ca + shell: bash + + - name: "EAB - 01 - Enroll lego without acme_url" + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.acme --http run + sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i root-ca + shell: bash + + - name: "EAB with headerinfo - 02a - Enroll acme with a template_name taken from header_info NOT included in kid.json (to fail)" + id: acmefail01 + continue-on-error: true + run: | + sudo rm -rf acme-sh/* + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server 
http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent acme_url=http://foo.bar -d acme-sh.acme --standalone --debug 3 --output-insecure + shell: bash + + - name: "EAB with headerinfo - 02a - check result " + if: steps.acmefail01.outcome != 'failure' + run: | + echo "acmefail outcome is ${{steps.acmefail01.outcome }}" + exit 1 + shell: bash + + - name: "EAB with headerinfo - 02b - Enroll acme with a template_name taken from header_info included in kid.json" + run: | + sudo rm -rf acme-sh/* + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent acme_url=http://acme-le-sim-1.acme -d acme-sh.acme --standalone --debug 3 --output-insecure + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -issuer --noout | grep -i sub-ca + shell: bash + + - name: "EAB with headerinfo - 02a - Enroll lego with a template_name taken from header_info NOT included in kid.json (to fail)" + id: legofail01 + continue-on-error: true + run: 
| + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent acme_url=http://foo.bar -d lego.acme --http run + shell: bash + + - name: "EAB with headerinfo - 02a - check result " + if: steps.legofail01.outcome != 'failure' + run: | + echo "legofail outcome is ${{steps.legofail01.outcome }}" + exit 1 + shell: bash + + - name: "EAB with headerinfo - 02b - Enroll lego with a template_name taken from header_info included in kid.json" + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent acme_url=http://acme-le-sim-1.acme -d lego.acme --http run + sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout + sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i sub-ca + shell: bash + + - name: "EAB - 03 - Enroll acme with a acme_url and key taken from kid.json" + run: | + sudo rm -rf acme-sh/* + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_01 --eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3 + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh 
neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -issuer --noout | grep -i root-ca + shell: bash + + - name: "EAB without headerinfo - 03 - Enroll lego with a profile_name/ca_name taken from kid.json" + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -k rsa2048 -d lego.acme --http run + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout + sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i root-ca + shell: bash + + - name: "EAB with headerinfo - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)" + id: acmefail02 + continue-on-error: true + run: | + sudo rm -rf acme-sh/* + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh. 
--standalone --keylength 2048 --debug 3 --output-insecure + shell: bash + + - name: "EAB with headerinfo - 04 - check result " + if: steps.acmefail02.outcome != 'failure' + run: | + echo "acmefail outcome is ${{steps.acmefail02.outcome }}" + exit 1 + shell: bash + + - name: "EAB with headerinfo - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)" + id: legofail02 + continue-on-error: true + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -k rsa2048 -d lego.acme --http run + shell: bash + + - name: "EAB with headerinfo - 04a - check result " + if: steps.legofail02.outcome != 'failure' + run: | + echo "legofail outcome is ${{steps.legofail02.outcome }}" + exit 1 + shell: bash + + - name: "EAB with headerinfo - 05 - Enroll acme with default values from acme.cfg" + run: | + sudo rm -rf acme-sh/* + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3 + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer + openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout + openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i sub-ca + shell: bash + + - name: "EAB with headerinfo - 05 - Enroll 
lego with default values from acme.cfg" + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -k rsa2048 -d lego.acme --http run + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout + sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i sub-ca + shell: bash \ No newline at end of file diff --git a/.github/actions/wf_specific/acme_ca_handler/le-sim_prep/action.yml b/.github/actions/wf_specific/acme_ca_handler/le-sim_prep/action.yml new file mode 100644 index 00000000..a207b839 --- /dev/null +++ b/.github/actions/wf_specific/acme_ca_handler/le-sim_prep/action.yml 
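Review bot: The negative cases (`acmefail01`, `legofail01`, `acmefail02`, `legofail02`) bundle account registration and issuance in one `continue-on-error` step and then only assert `outcome != 'failure'`, so any failure at all — the server being down, a wrong HMAC, the `--register-account` call itself failing — satisfies the check, and the test cannot distinguish the intended rejection from a broken environment. Move the `--register-account` command into its own step without `continue-on-error`, and have the check step look for the expected rejection in the captured output (`2>&1 | tee issue.log` in the step, `grep -q ... issue.log` in the check) rather than trusting the exit status alone. The chain-splitting `awk` also writes `cert-1.pem`/`cert-2.pem` without removing earlier copies first, unlike `acme_clients`, so if a returned chain is shorter than expected a stale file from a previous step is verified against; add `rm -f cert-*.pem` before each `awk`.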
@@ -0,0 +1,53 @@ +name: "le-sim_prep" +description: "le-sim_prep" +inputs: + LESIM_NAME: + description: "Name of the le-sim" + required: true + default: "le-sim" + NAME_SPACE: + description: "Name space of the le-sim" + required: true + default: "acme" + SECTIGO_SIM: + description: "Sectigo sim" + required: true + default: "false" + +runs: + using: "composite" + steps: + + - name: "Setup le-sim" + run: | + sudo mkdir -p ${{ inputs.LESIM_NAME }}/acme_ca/certs + sudo cp examples/ca_handler/openssl_ca_handler.py ${{ inputs.LESIM_NAME }}/ca_handler.py + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem ${{ inputs.LESIM_NAME }}/acme_ca/ + sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg ${{ inputs.LESIM_NAME }}/acme_srv.cfg + sudo chmod 777 ${{ inputs.LESIM_NAME }}/acme_srv.cfg + if [ "${{ inputs.SECTIGO_SIM }}" == "true" ]; then + echo "Sectigo sim enabled" + sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True\nsectigo_sim: True/g" ${{ inputs.LESIM_NAME }}/acme_srv.cfg + fi + sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" ${{ inputs.LESIM_NAME }}/acme_srv.cfg + docker run -d --rm -id --network ${{ inputs.NAME_SPACE }} --name=${{ inputs.LESIM_NAME }} -v "$(pwd)/${{ inputs.LESIM_NAME }}":/var/www/acme2certifier/volume/ grindsa/acme2certifier:apache2-wsgi + cat ${{ inputs.LESIM_NAME }}/acme_srv.cfg + shell: bash + + - name: "Sleep for 10s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 10s + + - name: "Test http://acme-le-sim/directory is accessible" + run: docker run -i --rm --network ${{ inputs.NAME_SPACE }} curlimages/curl -f http://${{ inputs.LESIM_NAME }}/directory + shell: bash + + - name: "Enroll from le-sim" + run: | + mkdir -p acme-sh/ + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http:///${{ inputs.LESIM_NAME }} --accountemail 
'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure --force + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + sudo rm -rf acme-sh/* + shell: bash \ No newline at end of file diff --git a/.github/actions/wf_specific/acme_ca_handler/smallstep_prep/action.yml b/.github/actions/wf_specific/acme_ca_handler/smallstep_prep/action.yml new file mode 100644 index 00000000..c614973b --- /dev/null +++ b/.github/actions/wf_specific/acme_ca_handler/smallstep_prep/action.yml 
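Review bot: `LESIM_NAME`, `NAME_SPACE` and `SECTIGO_SIM` are interpolated straight into the `run:` scripts with `${{ inputs.* }}`, which is the script-injection pattern GitHub warns about — a caller that passes a value containing `; ...` gets it executed on the runner, with `sudo` available; the `acme_clients` action already does this correctly by mapping inputs through `env:` and referencing `$NAME_SPACE`, so do the same here. The enroll step also hard-codes `--network acme` although `NAME_SPACE` exists, and `--server http:///${{ inputs.LESIM_NAME }}` has three slashes, which acme.sh may tolerate but is a typo waiting to bite. The step copies `test/ca/sub-ca-key.pem` next to a `chmod 777` config; fine for a throwaway test CA, but a comment saying these are test-only keys would stop the pattern being reused with real material.

```yaml
- name: "Setup le-sim"
  env:
    LESIM_NAME: ${{ inputs.LESIM_NAME }}
    NAME_SPACE: ${{ inputs.NAME_SPACE }}
    SECTIGO_SIM: ${{ inputs.SECTIGO_SIM }}
  run: |
    sudo mkdir -p "$LESIM_NAME/acme_ca/certs"
    # … unchanged: copy handler, CA material and config, sed edits — using "$LESIM_NAME" and "$SECTIGO_SIM" …
    docker run -d --rm -id --network "$NAME_SPACE" --name="$LESIM_NAME" -v "$(pwd)/$LESIM_NAME":/var/www/acme2certifier/volume/ grindsa/acme2certifier:apache2-wsgi
  shell: bash
```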
@@ -0,0 +1,49 @@ +name: "smallstep_prep" +description: "smallstep_prep" + +runs: + using: "composite" + steps: + + - name: "Setup smallstep" + run: | + sudo mkdir -p step + sudo chmod -R 777 step + docker run -d -v "$(pwd)/step":/home/step \ + -p 9000:9000 -p 443:443 \ + --network acme \ + --name step-ca \ + -e "DOCKER_STEPCA_INIT_NAME=Smallstep" \ + -e "DOCKER_STEPCA_INIT_DNS_NAMES=localhost,$(hostname -f)" \ + smallstep/step-ca + shell: bash + + - name: "Sleep for 20s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 20s + + - name: "Configure smallstep" + run: | + docker ps + docker exec -i step-ca step ca provisioner add acme --type ACME + docker exec -i step-ca step ca provisioner update acme --remove-challenge=tls-alpn-01 + docker exec -i step-ca step ca provisioner update acme --remove-challenge=dns-01 + docker restart step-ca + shell: bash + + - name: "Sleep for 20s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 20s + + - name: "Test https://step-ca.acme/acme/acme/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl -f https://step-ca:9000/acme/acme/directory --insecure + shell: bash + + - name: "Enroll from smallstep using acme-sh" + run: | + mkdir -p acme-sh + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server https://step-ca:9000/acme/acme/directory --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --insecure --output-insecure --force + sudo rm -rf acme-sh/* + shell: bash \ No newline at end of file diff --git a/.github/actions/wf_specific/asa_ca_handler/enroll_eab_w_headerinfo/action.yml b/.github/actions/wf_specific/asa_ca_handler/enroll_eab_w_headerinfo/action.yml new file mode 100644 index 00000000..bb0c6bf6 --- /dev/null +++ b/.github/actions/wf_specific/asa_ca_handler/enroll_eab_w_headerinfo/action.yml 
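Review bot: The enrollment against step-ca runs with `--insecure` (and the directory probe with `curl --insecure`), so the test passes even if a different service answers on `step-ca:9000`; step-ca's init should write its root to `step/certs/root_ca.crt` on the mounted volume (confirm the path), so the acme.sh call can verify properly with `cp step/certs/root_ca.crt acme-sh/` and `--ca-bundle /acme.sh/root_ca.crt` instead of `--insecure`, keeping `--output-insecure` only if the debug output is wanted. `-p 9000:9000 -p 443:443` also publishes the CA on every host interface although every client here reaches it over the `acme` network; drop the `-p` flags (443 is not used at all) or bind them to `127.0.0.1:`. The two fixed 20-second sleeps could be replaced by a bounded poll of `docker exec step-ca step ca health`.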
@@ -0,0 +1,206 @@
+name: "enroll_w_headerinfo"
+description: "enroll_w_headerinfo"
+inputs:
+ ASA_CA_NAME1:
+ description: "ASA CA 1"
+ required: true
+ ASA_CA_NAME2:
+ description: "ASA CA 2"
+ required: true
+
+runs:
+ using: "composite"
+ steps:
+ - name: "EAB with headerinfo - Sleep for 10s"
+ uses: juliangruber/sleep-action@v2.0.3
+ with:
+ time: 10s
+
+ - name: "EAB with headerinfo - Test http://acme-srv/directory is accessible"
+ run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+ shell: bash
+
+ - name: "EAB with headerinfo - Test if https://acme-srv/directory is accessible"
+ run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+ shell: bash
+
+ - name: "EAB with headerinfo - 01 - Enroll acme.sh without profile_name"
+ run: |
+ sudo rm -rf acme-sh/*
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
+ awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
+ openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
+ openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
+ openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ inputs.ASA_CA_NAME1 }}"
+ openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment"
+ shell: bash
+
+ - name: "EAB with headerinfo - 01 - Enroll lego without profile_name"
+ run: |
+ sudo rm -rf lego/*
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -k rsa2048 -d lego.acme --http run
+ sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ inputs.ASA_CA_NAME1 }}"
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment"
+ shell: bash
+
+ - name: "EAB with headerinfo - 02a - Enroll acme with a profile_name taken from header_info NOT included in kid.json (to fail)"
+ id: acmefail01
+ continue-on-error: true
+ run: |
+ sudo rm -rf acme-sh/*
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_name=unknown -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
+ shell: bash
+
+ - name: "EAB with headerinfo - 02a - check result "
+ if: steps.acmefail01.outcome != 'failure'
+ run: |
+ echo "acmefail outcome is ${{steps.acmefail01.outcome }}"
+ exit 1
+ shell: bash
+
+ - name: "EAB with headerinfo - 02b - Enroll acme with a profile_name taken from header_info included in kid.json"
+ run: |
+ sudo rm -rf acme-sh/*
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_name=ACME -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
+ awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
+ openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
+ openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
+ openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ inputs.ASA_CA_NAME1 }}"
+ openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature"
+ shell: bash
+
+ - name: "EAB with headerinfo - 02a - Enroll lego with a profile_name taken from header_info NOT included in kid.json (to fail)"
+ id: legofail01
+ continue-on-error: true
+ run: |
+ sudo rm -rf lego/*
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_name=unknown -k rsa2048 -d lego.acme --http run
+ shell: bash
+
+ - name: "EAB with headerinfo - 02a - check result "
+ if: steps.legofail01.outcome != 'failure'
+ run: |
+ echo "legofail outcome is ${{steps.legofail01.outcome }}"
+ exit 1
+ shell: bash
+
+ - name: "EAB with headerinfo - 02b - Enroll lego with a profile_name taken from header_info included in kid.json"
+ run: |
+ sudo rm -rf lego/*
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_name=ACME -k rsa2048 -d lego.acme --http run
+ sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ inputs.ASA_CA_NAME1 }}"
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Digital Signature"
+ shell: bash
+
+ - name: "EAB with headerinfo - 03 - Enroll acme with a profile_name/ca_name taken from kid.json"
+ run: |
+ sudo rm -rf acme-sh/*
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_01 --eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
+ awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
+ openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
+ openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
+ openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ inputs.ASA_CA_NAME2 }}"
+ openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Digital Signature"
+ shell: bash
+
+ - name: "EAB with headerinfo - 03 - Enroll lego with a profile_name/ca_name taken from kid.json"
+ run: |
+ sudo rm -rf lego/*
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -k rsa2048 -d lego.acme --http run
+ sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ inputs.ASA_CA_NAME2 }}"
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep -i "Digital Signature"
+ shell: bash
+
+ - name: "EAB with headerinfo - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)"
+ id: acmefail021
+ continue-on-error: true
+ run: |
+ sudo rm -rf acme-sh/*
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
+ shell: bash
+
+ - name: "EAB with headerinfo - 04 - check result "
+ if: steps.acmefail021.outcome != 'failure'
+ run: |
+ echo "acmefail outcome is ${{steps.acmefail021.outcome }}"
+ exit 1
+ shell: bash
+
+ - name: "EAB with headerinfo - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)"
+ id: legofail021
+ continue-on-error: true
+ run: |
+ sudo rm -rf lego/*
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -k rsa2048 -d lego.acme --http run
+ shell: bash
+
+ - name: "EAB with headerinfo - 04a - check result "
+ if: steps.legofail021.outcome != 'failure'
+ run: |
+ echo "legofail outcome is ${{steps.legofail021.outcome }}"
+ exit 1
+ shell: bash
+
+ - name: "EAB with headerinfo - 05 - Enroll acme with default values from acme.cfg"
+ run: |
+ sudo rm -rf acme-sh/*
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
+ awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
+ openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
+ openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
+ openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ inputs.ASA_CA_NAME1 }}"
+ openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature"
+ shell: bash
+
+ - name: "EAB with headerinfo - 05 - Enroll lego with default values from acme.cfg"
+ run: |
+ sudo rm -rf lego/*
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -k rsa2048 -d lego.acme --http run
+ sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ inputs.ASA_CA_NAME1 }}"
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature"
+ shell: bash
+
+ - name: "EAB with headerinfo - 06 - Enroll acme with not allowed headerinfo-field (should fail)"
+ id: acmefail03
+ continue-on-error: true
+ run: |
+ sudo rm -rf acme-sh/*
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_id=101 -d acme-sh.acme --keylength 2048 --standalone --debug 3 --output-insecure
+ shell: bash
+
+ - name: "EAB with headerinfo - 06 - check result "
+ if: steps.acmefail03.outcome != 'failure'
+ run: |
+ echo "acmefail outcome is ${{steps.acmefail03.outcome }}"
+ exit 1
+ shell: bash
+
+ - name: "EAB with headerinfo - 06 - Enroll lego with not allowed headerinfo-field (should fail)"
+ id: legofail03
+ continue-on-error: true
+ run: |
+ sudo rm -rf lego/*
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --user-agent profile_id=101 -k rsa2048 -d lego.acme --http run
+ shell: bash
+
+ - name: "EAB with headerinfo - 06 - check result "
+ if: steps.legofail03.outcome != 'failure'
+ run: |
+ echo "legofail outcome is ${{steps.legofail03.outcome }}"
+ exit 1
+ shell: bash
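Review bot: The `${{ inputs.ASA_CA_NAME1 }}` and `${{ inputs.ASA_CA_NAME2 }}` expressions are expanded straight into the `run:` scripts of steps 01, 02b, 03 and 05 (both the acme.sh and lego variants), which is the expression-in-shell pattern GitHub documents as script injection; the inputs come from this repository's own workflows, so the exposure is limited, but the robust form is to map them once per step with `env:` (`ASA_CA_NAME1: ${{ inputs.ASA_CA_NAME1 }}`) and grep on `"$ASA_CA_NAME1"`, which also removes the quoting hazard if a CA name ever contains a double quote. The same applies to `ASA_CA_NAME*` in the hunk ending at L48 and to `ASA_PROFILE*`, which are spliced into the `--useragent` argument, in the hunk ending at L50. In the lego steps 03 and 05 the keyUsage check runs `openssl x509 ... -text -ext keyUsage | grep ...` without `-noout`, so the whole decoded certificate plus the PEM is on the pipe and the grep can match "Digital Signature" anywhere in it rather than in the Key Usage extension; `-ext keyUsage -noout`, as the acme.sh steps use, keeps the assertion precise. Four steps carry the identical name "EAB with headerinfo - 02a - check result " (and the lego step for case 02a is numbered 02a for the failing enrollment and 02b for the passing one, mirroring acme.sh), which makes the job log hard to read when one of them fails; naming the lego variants distinctly would help.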
diff --git a/.github/actions/wf_specific/asa_ca_handler/enroll_eab_wo_headerinfo/action.yml b/.github/actions/wf_specific/asa_ca_handler/enroll_eab_wo_headerinfo/action.yml
new file mode 100644
index 00000000..96956930
--- /dev/null
+++ b/.github/actions/wf_specific/asa_ca_handler/enroll_eab_wo_headerinfo/action.yml
@@ -0,0 +1,143 @@
+name: "enroll_wo_headerinfo"
+description: "enroll_wo_headerinfo"
+inputs:
+ ASA_CA_NAME1:
+ description: "ASA CA 1"
+ required: true
+ ASA_CA_NAME2:
+ description: "ASA CA 2"
+ required: true
+
+runs:
+ using: "composite"
+ steps:
+ - name: "EAB without headerinfo - Sleep for 10s"
+ uses: juliangruber/sleep-action@v2.0.3
+ with:
+ time: 10s
+
+ - name: "EAB without headerinfo - Test http://acme-srv/directory is accessible"
+ run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+ shell: bash
+
+ - name: "EAB without headerinfo - Test if https://acme-srv/directory is accessible"
+ run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+ shell: bash
+
+ - name: "EAB without headerinfo - 01 - Enroll acme.sh without profile_name"
+ run: |
+ sudo rm -rf acme-sh/*
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
+ awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
+ openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
+ openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
+ openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ inputs.ASA_CA_NAME1 }}"
+ openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment"
+ shell: bash
+
+ - name: "EAB without headerinfo - 01 - Enroll lego without profile_name"
+ run: |
+ sudo rm -rf lego/*
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -k rsa2048 -d lego.acme --http run
+ sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ inputs.ASA_CA_NAME1 }}"
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment"
+ shell: bash
+
+ - name: "EAB without headerinfo - 02 - Enroll acme with a profile_name taken from header_info NOT included in kid.json (to be ignored)"
+ run: |
+ sudo rm -rf acme-sh/*
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_name=unknown -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
+ openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
+ openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
+ openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ inputs.ASA_CA_NAME1 }}"
+ openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment"
+ shell: bash
+
+ - name: "EAB without headerinfo - 02 - Enroll lego with a profile_name taken from header_info NOT included in kid.json (to be ignored)"
+ run: |
+ sudo rm -rf lego/*
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_name=unknown -k rsa2048 -d lego.acme --http run
+ sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ inputs.ASA_CA_NAME1 }}"
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment"
+ shell: bash
+
+ - name: "EAB without headerinfo - 03 - Enroll acme with a profile_name/ca_name taken from kid.json"
+ run: |
+ sudo rm -rf acme-sh/*
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_01 --eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
+ awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
+ openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
+ openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
+ openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ inputs.ASA_CA_NAME2 }}"
+ openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Digital Signature"
+ shell: bash
+
+ - name: "EAB without headerinfo - 03 - Enroll lego with a profile_name/ca_name taken from kid.json"
+ run: |
+ sudo rm -rf lego/*
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -k rsa2048 -d lego.acme --http run
+ sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ inputs.ASA_CA_NAME2 }}"
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep -i "Digital Signature"
+ shell: bash
+
+ - name: "EAB without headerinfo - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)"
+ id: acmefail02
+ continue-on-error: true
+ run: |
+ sudo rm -rf acme-sh/*
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
+ shell: bash
+
+ - name: "EAB without headerinfo - 04 - check result "
+ if: steps.acmefail02.outcome != 'failure'
+ run: |
+ echo "acmefail outcome is ${{steps.acmefail02.outcome }}"
+ exit 1
+ shell: bash
+
+ - name: "EAB without headerinfo - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)"
+ id: legofail02
+ continue-on-error: true
+ run: |
+ sudo rm -rf lego/*
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -k rsa2048 -d lego.acme --http run
+ shell: bash
+
+ - name: "EAB without headerinfo - 04a - check result "
+ if: steps.legofail02.outcome != 'failure'
+ run: |
+ echo "legofail outcome is ${{steps.legofail02.outcome }}"
+ exit 1
+ shell: bash
+
+ - name: "EAB without headerinfo - 05 - Enroll acme with default values from acme.cfg"
+ run: |
+ sudo rm -rf acme-sh/*
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
+ awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
+ openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
+ openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
+ openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ inputs.ASA_CA_NAME1 }}"
+ openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature"
+ shell: bash
+
+ - name: "EAB without headerinfo - 05 - Enroll lego with default values from acme.cfg"
+ run: |
+ sudo rm -rf lego/*
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -k rsa2048 -d lego.acme --http run
+ sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ inputs.ASA_CA_NAME1 }}"
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature"
+ shell: bash
\ No newline at end of file
diff --git a/.github/actions/wf_specific/asa_ca_handler/enroll_headerinfo/action.yml b/.github/actions/wf_specific/asa_ca_handler/enroll_headerinfo/action.yml
new file mode 100644
index 00000000..d5c6e75a
--- /dev/null
+++ b/.github/actions/wf_specific/asa_ca_handler/enroll_headerinfo/action.yml
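Review bot: Step "02 - Enroll acme with a profile_name ... (to be ignored)" runs `openssl verify -CAfile cert-2.pem -untrusted cert-1.pem` without the preceding `awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer` line that every other acme.sh step uses to split the freshly downloaded chain, so it validates the new certificate against whatever chain files the previous step left behind; if the action is ever run with a different step order, or the handler returns a different chain for that case, the check passes or fails for the wrong reason. Adding the awk line before the verify makes the step self-contained like its siblings. The keyUsage grep in the lego 02 step is case-sensitive (`grep "Key Encipherment, Data Encipherment"`) while the acme.sh 02 step and both 01 steps use `grep -i`; the assertion should be the same in all four, and the case-sensitive form is the stricter one.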
@@ -0,0 +1,63 @@
+name: "enroll_102_profile"
+description: "wf enrollment 102 profile"
+inputs:
+ ASA_PROFILE1:
+ description: "ASA Profile 1"
+ required: true
+ ASA_PROFILE2:
+ description: "ASA Profile 2"
+ required: true
+
+runs:
+ using: "composite"
+ steps:
+ - name: "Sleep for 10s"
+ uses: juliangruber/sleep-action@v2.0.3
+ with:
+ time: 10s
+
+ - name: "Header-info - Test http://acme-srv/directory is accessible"
+ run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+ shell: bash
+
+ - name: "Header-info - Test if https://acme-srv/directory is accessible"
+ run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+ shell: bash
+
+ - name: "Header-info - 01 - Enroll acme.sh with Profile 1"
+ run: |
+ sudo rm -rf acme-sh/*
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --useragent profile_name=${{ inputs.ASA_PROFILE1 }} -d acme-sh.acme --alpn --standalone --keylength 2048 --debug 3 --output-insecure
+ awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
+ openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
+ openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -texte -noout
+ openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature"
+ shell: bash
+
+ - name: "Header-info - 01 - Enroll lego with Profile 1"
+ run: |
+ sudo rm -rf lego/*
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent profile_name=${{ inputs.ASA_PROFILE1 }} -d lego.acme --key-type rsa2048 --http run
+ sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Digital Signature"
+ shell: bash
+
+ - name: "Header-info - 02 - Enroll acme.sh with Profile 2"
+ run: |
+ sudo rm -rf acme-sh/*
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --useragent profile_name=${{ inputs.ASA_PROFILE2 }} -d acme-sh.acme --alpn --standalone --keylength 2048 --debug 3 --output-insecure
+ awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
+ openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
+ openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -texte -noout
+ openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment"
+ shell: bash
+
+ - name: "Header-info - 02 - Enroll lego with Profile 2"
+ run: |
+ sudo rm -rf lego/*
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent profile_name=${{ inputs.ASA_PROFILE2 }} -d lego.acme --key-type rsa2048 --http run
+ sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+ # sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment"
+ shell: bash
\ No newline at end of file
diff --git a/.github/actions/wf_specific/asa_ca_handler/enroll_profile_1/action.yml b/.github/actions/wf_specific/asa_ca_handler/enroll_profile_1/action.yml
new file mode 100644
index 00000000..456c5a71
--- /dev/null
+++ b/.github/actions/wf_specific/asa_ca_handler/enroll_profile_1/action.yml
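Review bot: Both acme.sh steps ("01 - Enroll acme.sh with Profile 1" and "02 - Enroll acme.sh with Profile 2") call `openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -texte -noout`; `-texte` is not an openssl option, so the command should exit non-zero with an unknown-option error and, because composite `run:` steps execute under `bash -e`, the step fails before the keyUsage assertion is reached — it should read `openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout`, as the lego steps already do. The file is `enroll_headerinfo/action.yml` but declares `name: "enroll_102_profile"` and `description: "wf enrollment 102 profile"`, which looks copied from another action and will mislabel the action in workflow listings; a name and description such as `name: "enroll_headerinfo"` / `description: "Enroll via acme.sh and lego with profile_name passed in the User-Agent header"` would match what the steps do.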
@@ -0,0 +1,61 @@
+name: "enroll_profile_1"
+description: "wf enroll_profile_1"
+runs:
+ using: "composite"
+ steps:
+ - name: "Profile 1 - Sleep for 10s"
+ uses: juliangruber/sleep-action@v2.0.3
+ with:
+ time: 10s
+
+ - name: "Profile 1 - Test http://acme-srv/directory is accessible"
+ run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+ shell: bash
+
+ - name: "Profile 1 - Test if https://acme-srv/directory is accessible"
+ run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+ shell: bash
+
+ - name: "Profile 1 - Enroll acme.sh"
+ run: |
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --keylength 2048 --debug 3 --output-insecure
+ awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
+ openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
+ openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature"
+ shell: bash
+
+ - name: "Profile 1 - Revoke via acme.sh"
+ run: |
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
+ shell: bash
+
+ - name: "Profile 1 - Register certbot"
+ run: |
+ docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
+ shell: bash
+
+ - name: "Profile 1 - Enroll HTTP-01 single domain certbot"
+ run: |
+ docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot --key-type rsa --rsa-key-size 2048
+ sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
+ sudo openssl x509 -in certbot/live/certbot/cert.pem -ext keyUsage -noout | grep "Digital Signature"
+ # sudo openssl x509 -in certbot/live/certbot/cert.pem -text -noout
+ shell: bash
+
+ - name: "Profile 1 - Revoke HTTP-01 single domain certbot"
+ run: |
+ docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot
+ shell: bash
+
+ - name: "Profile 1 - Enroll lego"
+ run: |
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --key-type rsa2048 --http run
+ sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Digital Signature"
+ # sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+ shell: bash
+
+ - name: "Profile 1 - revoke HTTP-01 single domain lego"
+ run: |
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke
+ shell: bash
diff --git a/.github/actions/wf_specific/asa_ca_handler/enroll_profile_2/action.yml b/.github/actions/wf_specific/asa_ca_handler/enroll_profile_2/action.yml
new file mode 100644
index 00000000..ad08ac92
--- /dev/null
+++ b/.github/actions/wf_specific/asa_ca_handler/enroll_profile_2/action.yml
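Review bot: "Profile 1 - Enroll acme.sh", "Profile 1 - Enroll HTTP-01 single domain certbot" and "Profile 1 - Enroll lego" run against whatever is already in `acme-sh/`, `certbot/` and `lego/`, whereas the sibling enroll_profile_2 action starts with an explicit `sudo rm -rf` of all three directories and passes `--force-renewal` to certbot; if this action ever runs after another enrollment of the same names in the same job, acme.sh is likely to skip issuance because the existing certificate is not due and certbot would reuse the existing lineage, so the keyUsage assertions would then be checked against stale files. Adding the same cleanup step at the top of this action, or `--force` / `--force-renewal` on the issue commands, makes the result independent of earlier steps. The two commented-out `# sudo openssl x509 ... -text -noout` lines are dead code and can be dropped, or kept as a real step that prints the certificate for debugging, since a commented command gives no output when a check fails.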
@@ -0,0 +1,59 @@
+name: "enroll_2_profile"
+description: "wf enrollment 2 profile"
+
+runs:
+ using: "composite"
+ steps:
+ - name: "Profile 2 - Sleep for 10s"
+ uses: juliangruber/sleep-action@v2.0.3
+ with:
+ time: 10s
+
+ - name: "Profile 2 - create letsencrypt and lego folder"
+ run: |
+ sudo rm -rf certbot/*
+ sudo rm -rf lego/*
+ sudo rm -rf acme-sh/*
+ shell: bash
+
+ - name: "Profile 2 - Enroll acme.sh"
+ run: |
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --keylength 2048 --debug 3 --output-insecure
+ awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
+ openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
+ openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment"
+ shell: bash
+
+ - name: "Profile 2 - Revoke via acme.sh"
+ run: |
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
+ shell: bash
+
+ - name: "Profile 2 - Register certbot"
+ run: |
+ docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
+ shell: bash
+
+ - name: "Profile 2 - Enroll HTTP-01 single domain certbot"
+ run: |
+ docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot --force-renewal --key-type rsa --rsa-key-size 2048
+ sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
+ sudo openssl x509 -in certbot/live/certbot/cert.pem -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment"
+ shell: bash
+
+ - name: "Profile 2 - Revoke HTTP-01 single domain certbot"
+ run: |
+ docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot
+ shell: bash
+
+ - name: "Profile 2 - Enroll lego"
+ run: |
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --key-type rsa2048 --http run
+ sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment"
+ shell: bash
+
+ - name: "Profile 2 - Revoke HTTP-01 single domain lego"
+ run: |
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke
+ shell: bash
diff --git a/.github/actions/wf_specific/certifier_ca_handler/enroll_101_profile/action.yml b/.github/actions/wf_specific/certifier_ca_handler/enroll_101_profile/action.yml
new file mode 100644
index 00000000..69cc9627
--- /dev/null
+++ b/.github/actions/wf_specific/certifier_ca_handler/enroll_101_profile/action.yml
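Review bot: `uses: juliangruber/sleep-action@v2.0.3` references a third-party action by a mutable tag, and the enroll steps pull `neilpang/acme.sh:latest`, `certbot/certbot`, `goacme/lego` and `curlimages/curl` with no version tag or digest, so what this test executes depends on wherever those tags point on the day it runs. Pinning the action to a full commit SHA (`uses: juliangruber/sleep-action@<full-commit-sha>  # v2.0.3`) and the images to a release tag or `@sha256:<digest>` makes the run reproducible and takes an upstream tag move out of the CI trust boundary; this applies to every hunk in the change, including enroll_profile_1 above. Separately, the step named `"Profile 2 - create letsencrypt and lego folder"` only runs `sudo rm -rf` on three directories; a name like `"Profile 2 - wipe certbot, lego and acme.sh state"` would describe what it actually does.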
@@ -0,0 +1,61 @@
+name: "enroll_101_profile"
+description: "wf enrollment 101 profile"
+
+runs:
+ using: "composite"
+ steps:
+ - name: "Profile 101 - Sleep for 10s"
+ uses: juliangruber/sleep-action@v2.0.3
+ with:
+ time: 10s
+
+ - name: "Profile 101 - Test http://acme-srv/directory is accessible"
+ run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+ shell: bash
+
+ - name: "Profile 101 - Test if https://acme-srv/directory is accessible"
+ run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+ shell: bash
+
+ - name: "Profile 101 - Enroll acme.sh"
+ run: |
+ sudo rm -rf acme-sh/*
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure
+ awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
+ openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+ shell: bash
+
+ - name: "Profile 101 - Revoke via acme.sh"
+ run: |
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
+ shell: bash
+
+ - name: "Profile 101 - Register certbot"
+ run: |
+ sudo rm -rf certbot/*
+ docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
+ shell: bash
+
+ - name: "Profile 101 - Enroll HTTP-01 single domain certbot"
+ run: |
+ docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
+ sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
+ sudo openssl x509 -in certbot/live/certbot/cert.pem -ext extendedKeyUsage -noout | grep -i "TLS Web Client"
+ shell: bash
+
+ - name: "Profile 101 - Revoke HTTP-01 single domain certbot"
+ run: |
+ docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot
+ shell: bash
+
+ - name: "Profile 101 - Enroll lego"
+ run: |
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
+ sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Client"
+ shell: bash
+
+ - name: "Profile 101 - Revoke HTTP-01 single domain lego"
+ run: |
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke
+ shell: bash
\ No newline at end of file
diff --git a/.github/actions/wf_specific/certifier_ca_handler/enroll_102_profile/action.yml b/.github/actions/wf_specific/certifier_ca_handler/enroll_102_profile/action.yml
new file mode 100644
index 00000000..9362a05f
--- /dev/null
+++ b/.github/actions/wf_specific/certifier_ca_handler/enroll_102_profile/action.yml
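Review bot: The `Profile 101 - Enroll acme.sh` step verifies the chain but never asserts the extendedKeyUsage, while the certbot and lego steps in the same file gate on `grep -i "TLS Web Client"`, so a wrong profile on the acme.sh path would pass unnoticed. Adding `openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Client"` after the verify line closes that gap. The enroll_102_profile hunk has the same omission on its acme.sh step with `"TLS Web Server"`. Both files also end with `\ No newline at end of file`, which yamllint's new-line-at-end-of-file rule flags.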
@@ -0,0 +1,61 @@
+name: "enroll_102_profile"
+description: "wf enrollment 102 profile"
+
+runs:
+ using: "composite"
+ steps:
+ - name: "Profile 102 - Sleep for 10s"
+ uses: juliangruber/sleep-action@v2.0.3
+ with:
+ time: 10s
+
+ - name: "Profile 102 - Test http://acme-srv/directory is accessible"
+ run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+ shell: bash
+
+ - name: "Profile 102 - Test if https://acme-srv/directory is accessible"
+ run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+ shell: bash
+
+ - name: "Profile 102 - Enroll acme.sh"
+ run: |
+ sudo rm -rf acme-sh/*
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure
+ awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
+ openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+ shell: bash
+
+ - name: "Profile 102 - Revoke via acme.sh"
+ run: |
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
+ shell: bash
+
+ - name: "Profile 102 - Register certbot"
+ run: |
+ sudo rm -rf certbot/*
+ docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
+ shell: bash
+
+ - name: "Profile 102 - Enroll HTTP-01 single domain certbot"
+ run: |
+ docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
+ sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
+ sudo openssl x509 -in certbot/live/certbot/cert.pem -ext extendedKeyUsage -noout | grep -i "TLS Web Server"
+ shell: bash
+
+ - name: "Profile 102 - Revoke HTTP-01 single domain certbot"
+ run: |
+ docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot
+ shell: bash
+
+ - name: "Profile 102 - Enroll lego"
+ run: |
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
+ sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Server"
+ shell: bash
+
+ - name: "Profile 102 - Revoke HTTP-01 single domain lego"
+ run: |
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke
+ shell: bash
\ No newline at end of file
diff --git a/.github/actions/wf_specific/certifier_ca_handler/enroll_eab_w_headerinfo/action.yml b/.github/actions/wf_specific/certifier_ca_handler/enroll_eab_w_headerinfo/action.yml
new file mode 100644
index 00000000..45f98fa9
--- /dev/null
+++ b/.github/actions/wf_specific/certifier_ca_handler/enroll_eab_w_headerinfo/action.yml
@@ -0,0 +1,219 @@
+name: "enroll_102_profile"
+description: "wf enrollment 102 profile"
+inputs:
+ RECONFIGURE:
+ description: "Reconfigure the workflow"
+ required: true
+ default: "false"
+
+runs:
+ using: "composite"
+ steps:
+ - name: "EAB with headerinfo - Sleep for 10s"
+ uses: juliangruber/sleep-action@v2.0.3
+ with:
+ time: 10s
+
+ - name: "EAB with headerinfo - Test http://acme-srv/directory is accessible"
+ run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+ shell: bash
+
+ - name: "EAB with headerinfo - Test if https://acme-srv/directory is accessible"
+ run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+ shell: bash
+
+ - name: "EAB with headerinfo - 01 - Enroll acme.sh without profile_id"
+ run: |
+ sudo rm -rf acme-sh/*
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
+ awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
+ openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+ openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout
+ openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server Authentication"
+ shell: bash
+
+ - name: "EAB with headerinfo - 01 - Enroll lego without profile_id"
+ run: |
+ sudo rm -rf lego/*
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.acme --http run
+ sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Server Authentication"
+ shell: bash
+
+ - name: "EAB with headerinfo - 02a - Enroll acme with a template_name taken from header_info NOT included in kid.json (to fail)"
+ id: acmefail01
+ continue-on-error: true
+ run: |
+ sudo rm -rf acme-sh/*
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_id=unknown -d acme-sh.acme --standalone --debug 3 --output-insecure
+ shell: bash
+
+ - name: "EAB with headerinfo - 02a - check result "
+ if: steps.acmefail01.outcome != 'failure'
+ run: |
+ echo "acmefail outcome is ${{steps.acmefail01.outcome }}"
+ exit 1
+ shell: bash
+
+ - name: "EAB with headerinfo - 02b - Enroll acme with a template_name taken from header_info included in kid.json"
+ run: |
+ sudo rm -rf acme-sh/*
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_id=101 -d acme-sh.acme --standalone --debug 3 --output-insecure
+ awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
+ openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+ openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout
+ openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Client Authentication"
+ shell: bash
+
+ - name: "EAB with headerinfo - 02a - Enroll lego with a template_name taken from header_info NOT included in kid.json (to fail)"
+ id: legofail01
+ continue-on-error: true
+ run: |
+ sudo rm -rf lego/*
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_id=unknown -d lego.acme --http run
+ shell: bash
+
+ - name: "EAB with headerinfo - 02a - check result "
+ if: steps.legofail01.outcome != 'failure'
+ run: |
+ echo "legofail outcome is ${{steps.legofail01.outcome }}"
+ exit 1
+ shell: bash
+
+ - name: "EAB with headerinfo - 02b - Enroll lego with a template_name taken from header_info included in kid.json"
+ run: |
+ sudo rm -rf lego/*
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_id=101 -d lego.acme --http run
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout
+ sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Client Authentication"
+ shell: bash
+
+ - name: "EAB with headerinfo - 03 - Enroll acme with a template_name/ca_name taken from kid.json"
+ run: |
+ sudo rm -rf acme-sh/*
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_01 --eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
+ awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
+ openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+ openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout
+ openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Server Authentication"
+ shell: bash
+
+ - name: "EAB with headerinfo - 03 - Enroll lego with a template_name/ca_name taken from kid.json"
+ run: |
+ sudo rm -rf lego/*
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -d lego.acme --http run
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout
+ sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Server Authentication"
+ shell: bash
+
+ - name: "EAB with headerinfo - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)"
+ if: ${{ inputs.RECONFIGURE == 'false' }}
+ id: acmefail02
+ continue-on-error: true
+ run: |
+ sudo rm -rf acme-sh/*
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
+ shell: bash
+
+ - name: "EAB with headerinfo - 04 - check result "
+ if: ${{ (inputs.RECONFIGURE == 'false') && (steps.acmefail02.outcome != 'failure') }}
+ run: |
+ echo "acmefail outcome is ${{steps.acmefail02.outcome }}"
+ exit 1
+ shell: bash
+
+ - name: "EAB with headerinfo - 04 - Enroll acme with a allowed fqdn after reconfiguration"
+ if: ${{ inputs.RECONFIGURE == 'true' }}
+ run: |
+ sudo rm -rf acme-sh/*
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
+ shell: bash
+
+ - name: "EAB with headerinfo - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)"
+ if: ${{ inputs.RECONFIGURE == 'false' }}
+ id: legofail02
+ continue-on-error: true
+ run: |
+ sudo rm -rf lego/*
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.acme --http run
+ shell: bash
+
+ - name: "EAB with headerinfo - 04a - check result"
+ if: ${{ (inputs.RECONFIGURE == 'false') && (steps.legofail02.outcome != 'failure') }}
+ run: |
+ echo "legofail outcome is ${{steps.legofail02.outcome }}"
+ exit 1
+ shell: bash
+
+ - name: "EAB with headerinfo - 04 - Enroll legowith a allowed fqdn after reconfiguration"
+ if: ${{ inputs.RECONFIGURE == 'true' }}
+ run: |
+ sudo rm -rf lego/*
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.acme --http run
+ shell: bash
+
+ - name: "EAB with headerinfo - 05 - Enroll acme with default values from acme.cfg"
+ run: |
+ sudo rm -rf acme-sh/*
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
+ awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
+ openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+ openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout
+ openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "Code Signing"
+ shell: bash
+
+ - name: "EAB with headerinfo - 05 - Enroll lego with default values from acme.cfg"
+ run: |
+ sudo rm -rf lego/*
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -d lego.acme --http run
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout
+ sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "Code Signing"
+ shell: bash
+
+ - name: "EAB with headerinfo - 06 - Enroll acme with not allowed headerinfo-field (should fail)"
+ id: acmefail03
+ continue-on-error: true
+ run: |
+ sudo rm -rf acme-sh/*
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_id=101 -d acme-sh.acme --standalone --debug 3 --output-insecure
+ shell: bash
+
+ - name: "EAB with headerinfo - 06 - check result "
+ if: steps.acmefail03.outcome != 'failure'
+ run: |
+ echo "acmefail outcome is ${{steps.acmefail03.outcome }}"
+ exit 1
+ shell: bash
+
+ - name: "EAB with headerinfo - 06 - Enroll lego with not allowed headerinfo-field (should fail)"
+ id: legofail03
+ continue-on-error: true
+ run: |
+ sudo rm -rf lego/*
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --user-agent profile_id=101 -d lego.acme --http run
+ shell: bash
+
+ - name: "EAB with headerinfo - 06 - check result "
+ if: steps.legofail03.outcome != 'failure'
+ run: |
+ echo "legofail outcome is ${{steps.legofail03.outcome }}"
+ exit 1
+ shell: bash
\ No newline at end of file
diff --git a/.github/actions/wf_specific/certifier_ca_handler/enroll_eab_wo_headerinfo/action.yml b/.github/actions/wf_specific/certifier_ca_handler/enroll_eab_wo_headerinfo/action.yml
new file mode 100644
index 00000000..3c4554c9
--- /dev/null
+++ b/.github/actions/wf_specific/certifier_ca_handler/enroll_eab_wo_headerinfo/action.yml
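Review bot: `name: "enroll_102_profile"` and `description: "wf enrollment 102 profile"` at the top of this file are carried over from the 102 profile action and do not describe the EAB-with-header_info tests below them; `name: "enroll_eab_w_headerinfo"` and `description: "wf EAB enrollment with header_info"` would match the path and the step prefixes, and the enroll_eab_wo_headerinfo hunk that follows opens with the same two copied lines. The two steps named `"EAB with headerinfo - 02a - check result "` (one guarding acmefail01, one guarding legofail01) share an identical name with a trailing space, and the lego counterpart of `04 - check result ` is `04a - check result`, which makes a failing run hard to read in the job log; unique names such as `"EAB with headerinfo - 02a - check acme.sh result"` and `"EAB with headerinfo - 02a - check lego result"` would fix that. One further observation, hedged because the server-side kid.json is not in this diff: step 06 reuses `keyid_02`, the key that step 04 expects to be rejected for a disallowed FQDN while `RECONFIGURE` is `'false'`, so in that configuration the expected failure in 06 may be caused by the FQDN rule rather than by the header-info rule the step is meant to exercise.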
@@ -0,0 +1,134 @@
+name: "enroll_102_profile"
+description: "wf enrollment 102 profile"
+
+runs:
+ using: "composite"
+ steps:
+ - name: "EAB without headerinfo - Sleep for 10s"
+ uses: juliangruber/sleep-action@v2.0.3
+ with:
+ time: 10s
+
+ - name: "EAB without headerinfo - Test http://acme-srv/directory is accessible"
+ run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+ shell: bash
+
+ - name: "EAB without headerinfo - Test if https://acme-srv/directory is accessible"
+ run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+ shell: bash
+
+ - name: "EAB without headerinfo - Enroll acme.sh without profile_id"
+ run: |
+ sudo rm -rf acme-sh/*
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
+ awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
+ openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+ openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout
+ openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server Authentication"
+ shell: bash
+
+ - name: "EAB without headerinfo - Enroll lego without profile_id"
+ run: |
+ sudo rm -rf lego/*
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.acme --http run
+ sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Server Authentication"
+ shell: bash
+
+ - name: "EAB without headerinfo - 02 - Enroll acme with a template_name taken from header_info NOT included in kid.json (to be ignored)"
+ run: |
+ sudo rm -rf acme-sh/*
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_id=unknown -d acme-sh.acme --standalone --debug 3 --output-insecure
+ awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
+ openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+ openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout
+ openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server Authentication"
+ shell: bash
+
+ - name: "EAB without headerinfo - 02 - Enroll lego with a template_name taken from header_info NOT included in kid.json (to be ignored)"
+ run: |
+ sudo rm -rf lego/*
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_id=unknown -d lego.acme --http run
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_id=101 -d lego.acme --http run
+ sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Server Authentication"
+ shell: bash
+
+ - name: "EAB without headerinfo - 03 - Enroll acme with a template_name/ca_name taken from kid.json"
+ run: |
+ sudo rm -rf acme-sh/*
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_01 --eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
+ awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
+ openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+ openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout
+ openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Server Authentication"
+ shell: bash
+
+ - name: "EAB without headerinfo - 03 - Enroll lego with a template_name/ca_name taken from kid.json"
+ run: |
+ sudo rm -rf lego/*
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -d lego.acme --http run
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout
+ sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
+ sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Server Authentication"
+ shell: bash
+
+ - name: "EAB without headerinfo - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)"
+ id: acmefail021
+ continue-on-error: true
+ run: |
+ sudo rm -rf acme-sh/*
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3
+ docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
+ shell: bash
+
+ - name: "EAB without headerinfo - 04 - check result "
+ if: steps.acmefail021.outcome != 'failure'
+ run: |
+ echo "acmefail outcome is ${{steps.acmefail021.outcome }}"
+ exit 1
+ shell: bash
+
+ - name: "EAB without headerinfo - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)"
+ id: legofail021
+ continue-on-error: true
+ run: |
+ sudo rm -rf lego/*
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email 
"lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.acme --http run + shell: bash + + - name: "EAB without headerinfo - 04a - check result " + if: steps.legofail021.outcome != 'failure' + run: | + echo "legofail outcome is ${{steps.legofail021.outcome }}" + exit 1 + shell: bash + + - name: "EAB without headerinfo - 05 - Enroll acme with default values from acme.cfg" + run: | + sudo rm -rf acme-sh/* + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3 + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "Code Signing" + shell: bash + + - name: "EAB without headerinfo - 05 - Enroll lego with default values from acme.cfg" + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -d lego.acme --http run + sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout + sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout + sudo openssl verify 
-CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "Code Signing" + shell: bash diff --git a/.github/actions/wf_specific/certifier_ca_handler/enroll_headerinfo/action.yml b/.github/actions/wf_specific/certifier_ca_handler/enroll_headerinfo/action.yml new file mode 100644 index 00000000..bca8e196 --- /dev/null +++ b/.github/actions/wf_specific/certifier_ca_handler/enroll_headerinfo/action.yml 
@@ -0,0 +1,51 @@ +name: "enroll_102_profile" +description: "wf enrollment 102 profile" + +runs: + using: "composite" + steps: + - name: "Sleep for 10s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 10s + + - name: "Header-info - Test http://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + shell: bash + + - name: "Header-info - Test if https://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory + shell: bash + + - name: "Header-info - 01 - Enroll acme.sh with profile_id 101" + run: | + sudo rm -rf acme-sh/* + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --useragent profile_id=101 -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Client" + shell: bash + + - name: "Header-info - 01 - Enroll lego with profile_id 101" + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent profile_id=101 -d lego.acme --http run + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Client" + shell: bash + + - name: "Header-info - 02 - Enroll acme.sh with profile_id 102" + run: | + sudo rm -rf acme-sh/* + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server 
http://acme-srv --accountemail 'acme-sh@example.com' --useragent profile_id=102 -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server" + shell: bash + + - name: "Header-info - 02 - Enroll lego with profile_id 102" + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent profile_id=102 -d lego.acme --http run + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Server" + shell: bash \ No newline at end of file diff --git a/.github/actions/wf_specific/certifier_ca_handler/enroll_no_profile/action.yml b/.github/actions/wf_specific/certifier_ca_handler/enroll_no_profile/action.yml new file mode 100644 index 00000000..50a30fc4 --- /dev/null +++ b/.github/actions/wf_specific/certifier_ca_handler/enroll_no_profile/action.yml 
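Review bot: The acme.sh step for profile_id 102 runs `openssl verify -CAfile cert-2.pem -untrusted cert-1.pem` without re-splitting its own `ca.cer`, so it verifies against whatever cert-1.pem/cert-2.pem the profile_id 101 step left behind; if the two profiles are served from different issuing CAs this check passes or fails for the wrong reason. Add the same `awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer` line before the verify in that step, since the lego steps also depend on the files the acme.sh split produces. The `--insecure` on the https directory probe is acceptable as a liveness check, but it means the TLS side of acme-srv is never validated anywhere in this action — worth a comment so nobody reads it as a TLS test.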
@@ -0,0 +1,65 @@ +name: "enroll_no_profile" +description: "wf enrollment without profile" + +runs: + using: "composite" + steps: + + - name: "Create folders" + run: | + sudo mkdir -p lego + sudo mkdir -p acme-sh + sudo mkdir -p certbot + shell: bash + + - name: "No profile - Sleep for 10s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 10s + + - name: "No profile - Test http://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + shell: bash + + - name: "No profile - Test if https://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory + shell: bash + + - name: "No profile - Enroll acme.sh" + run: | + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + shell: bash + + - name: "No profile - Revoke via acme.sh" + run: | + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure + shell: bash + + - name: "No profile - Register certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email + shell: bash + + - name: "No profile - Enroll HTTP-01 single domain certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme 
--cert-name certbot + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem + shell: bash + + - name: "No profile - Revoke HTTP-01 single domain certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot + shell: bash + + - name: "No profile - Enroll lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + shell: bash + + - name: "No profile - Revoke HTTP-01 single domain lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke + shell: bash \ No newline at end of file diff --git a/.github/actions/wf_specific/certifier_ca_handler/tunnel_setup/action.yml b/.github/actions/wf_specific/certifier_ca_handler/tunnel_setup/action.yml new file mode 100644 index 00000000..c84961b4 --- /dev/null +++ b/.github/actions/wf_specific/certifier_ca_handler/tunnel_setup/action.yml 
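Review bot: The certbot and lego verify steps rely on `cert-1.pem`/`cert-2.pem` being produced by the awk split in the earlier acme.sh step, so if that step is removed or reordered the later `sudo openssl verify` calls fail on a missing CA file rather than on a bad chain, and a stale pair left in the workspace by a previous action would be silently reused. A guard such as `test -s cert-1.pem -a -s cert-2.pem` at the top of those steps, or a comment on the acme.sh step stating that it is the source of the chain files, would make the dependency explicit. The acme.sh enroll step is also the only one in this family that does not clear its client directory first (the other actions start with `sudo rm -rf acme-sh/*`), which is presumably intended for the revoke that follows but should be stated.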
@@ -0,0 +1,71 @@ +name: "tunnel_setup" +description: "tunnel_setup" +inputs: + WCCE_SSH_ACCESS_KEY: + description: "SSH access key" + required: true + WCCE_SSH_KNOWN_HOSTS: + description: "SSH known hosts" + required: true + WCCE_SSH_USER: + description: "SSH user" + required: true + WCCE_SSH_HOST: + description: "SSH host" + required: true + WCCE_SSH_PORT: + description: "SSH port" + required: true + NAME_SPACE: + description: "namespace" + required: true + default: "acme" + NCM_API_HOST: + description: "NCM API host" + required: true + NCM_API_USER: + description: "NCM API user" + required: true + NCM_API_PASSWORD: + description: "NCM API password" + required: true +runs: + using: "composite" + steps: + - name: "Prepare ssh environment on ramdisk " + run: | + sudo mkdir -p /tmp/rd + sudo mount -t tmpfs -o size=5M none /tmp/rd + sudo echo "$SSH_KEY" > /tmp/rd/ak.tmp + sudo chmod 600 /tmp/rd/ak.tmp + sudo echo "$KNOWN_HOSTS" > /tmp/rd/known_hosts + env: + SSH_KEY: ${{ inputs.WCCE_SSH_ACCESS_KEY }} + KNOWN_HOSTS: ${{ inputs.WCCE_SSH_KNOWN_HOSTS }} + shell: bash + + - name: "Setup ssh forwarder" + run: | + docker run -d --rm --network $NAME_SPACE --name=forwarder -e "MAPPINGS=8084:127.0.0.1:8084" -e "SSH_HOST=$SSH_HOST" -e "SSH_PORT=$SSH_PORT" -e "SSH_USER=$SSH_USER" -p 8080:8084 -v "/tmp/rd/ak.tmp:/ssh_key:ro" davidlor/ssh-port-forward-client:dev + env: + SSH_USER: ${{ inputs.WCCE_SSH_USER }} + SSH_HOST: ${{ inputs.WCCE_SSH_HOST }} + SSH_PORT: ${{ inputs.WCCE_SSH_PORT }} + NAME_SPACE: ${{ inputs.NAME_SPACE }} + NCM_API_HOST: ${{ inputs.NCM_API_HOST }} + shell: bash + + - name: "Sleep for 5s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 5s + + - name: "Test conection to mscertsrv via ssh tunnel" + run: | + docker run -i --rm --network $NAME_SPACE curlimages/curl --insecure https://$NCM_API_USER:$NCM_API_PASSWORD@forwarder.acme:8084 + env: + NCM_API_HOST: ${{ inputs.NCM_API_HOST }} + NAME_SPACE: ${{ inputs.NAME_SPACE }} + NCM_API_USER: ${{ 
inputs.NCM_API_USER }} + NCM_API_PASSWORD: ${{ inputs.NCM_API_PASSWORD }} + shell: bash \ No newline at end of file diff --git a/.github/actions/wf_specific/digicert_ca_handler/enroll_eab/action.yml b/.github/actions/wf_specific/digicert_ca_handler/enroll_eab/action.yml new file mode 100644 index 00000000..cc9e027c --- /dev/null +++ b/.github/actions/wf_specific/digicert_ca_handler/enroll_eab/action.yml 
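Review bot: In "Prepare ssh environment on ramdisk" the private key is written with `sudo echo "$SSH_KEY" > /tmp/rd/ak.tmp`: the redirection is performed by the unprivileged shell, so `sudo` changes nothing, and the file exists with umask-default permissions until the following `chmod 600` runs. Write it as `(umask 077; printf '%s\n' "$SSH_KEY" > /tmp/rd/ak.tmp)` so it is never readable by others; the same applies to `/tmp/rd/known_hosts`, which is written but never mounted into the forwarder container, so host-key verification for the tunnel appears to rest entirely on the image's defaults — confirm that is intended. In the curl test the credentials are embedded in the URL (`https://$NCM_API_USER:$NCM_API_PASSWORD@forwarder.acme:8084`) and the hostname hard-codes `.acme` although the network is parameterised by `NAME_SPACE`; `-u "$NCM_API_USER:$NCM_API_PASSWORD" https://forwarder.$NAME_SPACE:8084` keeps the secret out of the URL and follows the input. `NCM_API_HOST` is mapped into the environment of two steps but never used.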
@@ -0,0 +1,98 @@ +name: "enroll_eab" +description: "enroll_eab" + +runs: + using: "composite" + steps: + - name: "Sleep for 5s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 5s + + - name: "EAB - Test http://acme-srv/directory is accessible" + run: docker run -i --rm --network acme.dynamop.de curlimages/curl -f http://acme-srv/directory + shell: bash + + - name: "EAB - Test if https://acme-srv/directory is accessible" + run: docker run -i --rm --network acme.dynamop.de curlimages/curl --insecure -f https://acme-srv/directory + shell: bash + + - name: "EAB - 01 - Enroll lego with a template_name taken from list in kid.json" + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme.dynamop.de goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.acme.dynamop.de --http run + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.dynamop.de.crt + sudo openssl x509 -in lego/certificates/lego.acme.dynamop.de.crt -text -noout + sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme.dynamop.de goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.acme.dynamop.de revoke + shell: bash + + - name: "EAB - 02a - Enroll lego with a template_name taken from header_info NOT included in kid.json (to fail)" + id: legofail01 + continue-on-error: true + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme.dynamop.de goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac 
V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent cert_type=unknown -d lego.acme.dynamop.de --http run + shell: bash + + - name: "EAB - 02a - check result " + if: steps.legofail01.outcome != 'failure' + run: | + echo "legofail outcome is ${{steps.legofail01.outcome }}" + exit 1 + shell: bash + + - name: "EAB - 02b - Enroll lego with a template_name taken from header_info included in kid.json" + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme.dynamop.de goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent cert_type=ssl_securesite_pro -d lego.acme.dynamop.de --http run + sudo openssl x509 -in lego/certificates/lego.acme.dynamop.de.crt -ext extendedKeyUsage -noout + sudo openssl x509 -in lego/certificates/lego.acme.dynamop.de.crt -issuer --noout + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.dynamop.de.crt + sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme.dynamop.de goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.acme.dynamop.de revoke + shell: bash + + - name: "EAB - 03 - Enroll lego with a template_name/ca_name taken from kid.json" + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme.dynamop.de goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -d lego.acme.dynamop.de --http run + sudo openssl verify 
-CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.dynamop.de.crt + sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme.dynamop.de goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.acme.dynamop.de revoke + shell: bash + + - name: "EAB - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)" + id: legofail02 + continue-on-error: true + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme.dynamop.de goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.acme1.dynamop.de --http run + shell: bash + + - name: "EAB - 04a - check result " + if: steps.legofail02.outcome != 'failure' + run: | + echo "legofail outcome is ${{steps.legofail02.outcome }}" + exit 1 + shell: bash + + - name: "EAB - 05 - Enroll lego with default values from acme.cfg" + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme.dynamop.de goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -d lego.acme.dynamop.de --http run + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.dynamop.de.crt + sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme.dynamop.de goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.acme.dynamop.de revoke + shell: bash + + - name: "EAB - 06 - Enroll lego with not 
allowed headerinfo-field (should fail)" + id: legofail03 + continue-on-error: true + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme.dynamop.de goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --user-agent cert_type=ssl_securesite_pro -d lego.acme.dynamop.de --http run + shell: bash + + - name: "EAB - 06 - check result " + if: steps.legofail03.outcome != 'failure' + run: | + echo "legofail outcome is ${{steps.legofail03.outcome }}" + exit 1 + shell: bash \ No newline at end of file diff --git a/.github/actions/wf_specific/ejbca_ca_handler/ejbca_prep/action.yml b/.github/actions/wf_specific/ejbca_ca_handler/ejbca_prep/action.yml new file mode 100644 index 00000000..11799525 --- /dev/null +++ b/.github/actions/wf_specific/ejbca_ca_handler/ejbca_prep/action.yml 
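Review bot: In steps "EAB - 03" and "EAB - 05" the trailing `revoke` call passes `--kid keyid_00` although the certificate was just enrolled with `--kid keyid_01` and `--kid keyid_03` respectively, so the revocation is attempted under a different EAB binding than the one that issued the certificate, whereas steps 01 and 02b revoke with the issuing kid. If the intent is to check that the server refuses cross-account revocation, the step should carry `continue-on-error: true` plus a "check result" step like the `legofail*` pairs and be named for it; otherwise change the two revoke lines to the issuing `--kid`/`--hmac` pair.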
@@ -0,0 +1,100 @@ +name: "ejbca_prep" +description: "ejbca_prep" +inputs: + RUNNER_IP: + description: "Runner IP" + required: true + WORKING_DIR: + description: "Working directory" + required: true + default: ${{ github.workspace }} +outputs: + SAEC: + description: "Superadmin password" + value: ${{ env.SAEC }} + CAID: + description: "CAID of acmeca" + value: ${{ env.CAID }} + +runs: + using: "composite" + steps: + - name: "Prepare Environment" + working-directory: ${{ inputs.WORKING_DIR }} + run: | + mkdir -p data/acme_ca + sudo chmod -R 777 data/acme_ca + sudo sh -c "echo '$EJBCA_IP ejbca' >> /etc/hosts" + env: + EJBCA_IP: ${{ inputs.RUNNER_IP }} + shell: bash + + - name: "Instanciate ejbca server" + run: | + docker run -id --rm -p 80:8080 -p 443:8443 -e TLS_SETUP_ENABLED=true -v $(pwd)/examples/ejbca:/tmp/data -v ${{ inputs.WORKING_DIR }}/data:/tmp/store --name "ejbca" -h ejbca keyfactor/ejbca-ce + shell: bash + + - name: "Sleep for 180s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 180s + + - name: "Get randmonly generated Superadmin password for ejbca instance" + run: | + echo SAEC=$(docker logs ejbca | grep /opt/keyfactor/bin/start.sh | grep Password: | awk -F'Password: ' '{print $2}' | awk -F ' ' '{print $1}') >> $GITHUB_ENV + shell: bash + + - run: echo "Randmonly generated Superadmin password is ${{ env.SAEC }}" + shell: bash + + - run: sudo echo ${{ env.SAEC }} > ${{ inputs.WORKING_DIR }}/data/passphrase.txt + shell: bash + + - name: "Configure ejbca" + run: | + docker exec -i ejbca bin/ejbca.sh ca getcacert --caname ManagementCA -f /tmp/store/acme_ca/ca_bundle.pem + docker exec -i ejbca bin/ejbca.sh config protocols enable --name "REST Certificate Management" + docker exec -i ejbca bin/ejbca.sh config protocols enable --name "REST Certificate Management V2" + docker exec -i ejbca bin/ejbca.sh ca init acmeca "CN=acmeca" soft foo123 4096 RSA -v 365 --policy 2.5.29.32.0 -s SHA256WithRSA + shell: bash + + - name: "Get CAID" + run: | + echo 
CAID=$(docker logs ejbca | grep "msg=CA with id" | grep "and name acmeca added" | awk -F'with id ' '{print $2}' | awk -F' and name' '{print $1}') >> $GITHUB_ENV + shell: bash + + - run: echo "CAID of acmeca is ${{ env.CAID }}" + shell: bash + + - name: "Create subca" + run: | + docker exec -i ejbca bin/ejbca.sh ca init acmesubca "CN=acmesubca" soft foo123 4096 RSA -v 365 --policy 2.5.29.32.0 -s SHA256WithRSA --signedby $CAID + docker exec -i ejbca bin/ejbca.sh ca importprofiles -d /tmp/data/ + env: + CAID: ${{ env.CAID }} + shell: bash + + - name: "Sleep for 10s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 10s + + - name: "Fetch superadmin certificate and key" + working-directory: ${{ inputs.WORKING_DIR }} + run: | + docker exec -i ejbca bin/ejbca.sh ra setendentitystatus superadmin 10 + docker exec -i ejbca bin/ejbca.sh ra setclearpwd superadmin $SAEC + docker exec -i ejbca bin/ejbca.sh batch + docker cp ejbca:/opt/keyfactor/p12/superadmin.p12 data/acme_ca/ + env: + SAEC: ${{ env.SAEC }} + shell: bash + + - name: "Test superadmin certificate and key" + working-directory: ${{ inputs.WORKING_DIR }} + run: | + curl https://127.0.0.1/ejbca/ejbca-rest-api/v1/certificate/status --cert-type P12 --cert data/acme_ca/superadmin.p12:$SAEC --insecure + curl https://ejbca/ejbca/ejbca-rest-api/v1/certificate/status --cert-type P12 --cert data/acme_ca/superadmin.p12:$SAEC --cacert data/acme_ca/ca_bundle.pem + env: + SAEC: ${{ env.SAEC }} + shell: bash \ No newline at end of file diff --git a/.github/actions/wf_specific/ejbca_ca_handler/enroll_eab_w_headerinfo/action.yml b/.github/actions/wf_specific/ejbca_ca_handler/enroll_eab_w_headerinfo/action.yml new file mode 100644 index 00000000..4ebcabe0 --- /dev/null +++ b/.github/actions/wf_specific/ejbca_ca_handler/enroll_eab_w_headerinfo/action.yml 
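Review bot: The superadmin password is printed to the job log by `- run: echo "Randmonly generated Superadmin password is ${{ env.SAEC }}"` and is never masked, because a value appended to `$GITHUB_ENV` is not treated as a secret; it is also expanded directly into a shell script by `sudo echo ${{ env.SAEC }} > ${{ inputs.WORKING_DIR }}/data/passphrase.txt`, where any shell metacharacter in the value would be interpreted and where the `sudo` is a no-op since the redirection runs as the calling user. Before appending to `$GITHUB_ENV` add `echo "::add-mask::$SAEC"` and `[ -n "$SAEC" ] || exit 1` (an empty grep result otherwise leaves every later step running with an empty passphrase), drop the echo step, and write the file with `echo "$SAEC" > data/passphrase.txt` under an `env:` mapping as the "Fetch superadmin certificate and key" step already does. `chmod -R 777 data/acme_ca` leaves the directory that later receives `superadmin.p12` world-writable; a narrower mode matched to the ejbca container's uid would be preferable if that uid is known. `foo123` as the token password for both `ca init` calls is presumably a throwaway for this ephemeral instance; a comment saying so would stop it being copied elsewhere.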
@@ -0,0 +1,109 @@ +name: "enroll_w_headerinfo" +description: "enroll_w_headerinfo" +inputs: + ASA_CA_NAME1: + description: "ASA CA 1" + required: true + ASA_CA_NAME2: + description: "ASA CA 2" + required: true + +runs: + using: "composite" + steps: + - name: "Sleep for 10s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 10s + + - name: "EAB with headerinfo - Test http://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + shell: bash + + - name: "EAB wit headerinfo - Test if https://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory + shell: bash + + - name: "EAB with headerinfo - 01a - enrollment without header-info field (first value in list)" + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout + sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmesubca + sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Client" + shell: bash + + - name: "EAB with headerinfo - 01b - enrollment with header-info field (pick value from list)" + run: | + sudo rm -rf lego/* + sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent cert_profile_name=acmeca1 -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run + sudo openssl x509 -in lego/certificates/lego.acme.crt 
-text -noout + sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmesubca + sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Server" + shell: bash + + - name: "EAB with headerinfo - 01c - enrollment with header-info field containing value not included in list (to fail)" + id: legofail02 + continue-on-error: true + run: | + sudo rm -rf lego/* + sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent cert_profile_name=acmeca3 -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run + shell: bash + + - name: EAB with headerinfo 01c - check result " + if: steps.legofail02.outcome != 'failure' + run: | + echo "legofail outcome is ${{steps.legofail02.outcome }}" + exit 1 + shell: bash + + - name: "EAB with headerinfo - 01d - enrollment with header-info field cotaining an invalid parameter (silent overwrite)" + run: | + sudo rm -rf lego/* + sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent ca_name=foo -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout + sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmesubca + sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Client" + shell: bash + + - name: "EAB with headerinfo - 01e - enrollment with header-info field containing parameter not in json (silent overwrite)" + run: | + sudo rm -rf lego/* + sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego 
--network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent cert_profile_name=acmeca2 -d lego.acme --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --http run + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout + sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmeca + sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Client" + shell: bash + + - name: "EAB with headerinfo - 02 - profilinging ca and cert_profile" + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --http run + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout + sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmeca + sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Client" + shell: bash + + - name: "EAB with headerinfo - 03 - domainlist validation fails (to fail)" + id: legofail03 + continue-on-error: true + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --http run + shell: bash + + - name: EAB with headerinfo - 03 - check result " + if: steps.legofail03.outcome != 'failure' + run: | + echo "legofail outcome is ${{steps.legofail03.outcome }}" + exit 1 + shell: bash + + - name: "EAB with headerinfo - 04 - Settings from acme_srv.cfg" + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network 
acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --http run + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout + sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmesubca + sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Server" + shell: bash \ No newline at end of file diff --git a/.github/actions/wf_specific/ejbca_ca_handler/enroll_eab_wo_headerinfo/action.yml b/.github/actions/wf_specific/ejbca_ca_handler/enroll_eab_wo_headerinfo/action.yml new file mode 100644 index 00000000..bbf85f97 --- /dev/null +++ b/.github/actions/wf_specific/ejbca_ca_handler/enroll_eab_wo_headerinfo/action.yml 
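Review bot: The inputs `ASA_CA_NAME1` and `ASA_CA_NAME2` are declared `required: true` but no step references `inputs.ASA_CA_NAME1` or `inputs.ASA_CA_NAME2`, so callers must supply values that have no effect; either wire them into the hard-coded `cert_profile_name=acmeca1`/`acmeca2` and issuer `grep` values or remove them. Two step names are malformed: `- name: EAB with headerinfo 01c - check result "` and `- name: EAB with headerinfo - 03 - check result "` lack the opening quote, so the plain scalar keeps a literal trailing `"` in the step title; write them as `- name: "EAB with headerinfo - 01c - check result"` and `- name: "EAB with headerinfo - 03 - check result"`. The names of 01d and 01e state that the server performs a "silent overwrite", but the commands only assert issuer and EKU; if that is the intended contract, a comment on each step saying which header-info value is expected to be discarded would make the assertions reviewable.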
@@ -0,0 +1,79 @@ +name: "enroll_wo_headerinfo" +description: "enroll_wo_headerinfo" + + +runs: + using: "composite" + steps: + - name: "Sleep for 10s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 10s + + - name: "EAB without headerinfo - Test http://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + shell: bash + + - name: "EAB without headerinfo - Test if https://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory + shell: bash + + - name: "EAB without headerinfo - 01a - enrollment without header-info field (first value in list)" + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout + sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmesubca + sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Client" + shell: bash + + - name: "EAB without headerinfo - 01b - enrollment with header-info field included in list (silent ignore)" + run: | + sudo rm -rf lego/* + sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent cert_profile_name=acmeca1 -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout + sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i 
acmesubca + sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Client" + shell: bash + + - name: "EAB without headerinfo - 01c - with header-info field containing value not included in list (silent ignore)" + run: | + sudo rm -rf lego/* + sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent cert_profile_name=acmeca3 -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout + sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmesubca + sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Client" + shell: bash + + - name: "EAB without headerinfo - 02 - profilinging ca and cert_profile" + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --http run + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout + sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmeca + sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Client" + shell: bash + + - name: "EAB without headerinfo - 03 - domainlist validation fails (to fail)" + id: legofail01 + continue-on-error: true + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --eab --kid keyid_02 --hmac 
dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --http run + shell: bash + + - name: EAB without headerinfo - 03 - check result " + if: steps.legofail01.outcome != 'failure' + run: | + echo "legofail outcome is ${{steps.legofail01.outcome }}" + exit 1 + shell: bash + + - name: "EAB without headerinfo - 04 - Settings from acme_srv.cfg" + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --http run + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout + sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmesubca + sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Server" + shell: bash \ No newline at end of file diff --git a/.github/actions/wf_specific/enrollment_timeout/enroll/action.yml b/.github/actions/wf_specific/enrollment_timeout/enroll/action.yml new file mode 100644 index 00000000..f490f1b1 --- /dev/null +++ b/.github/actions/wf_specific/enrollment_timeout/enroll/action.yml 
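Review bot: The negative test "03 - domainlist validation fails (to fail)" is satisfied by any non-zero exit of the lego container, so an unrelated failure (image pull, network, HTTP-01 port clash) is indistinguishable from the domain-list rejection it is meant to prove; capturing the output (`2>&1 | tee lego-03.log`, exit status is preserved under the composite shell's `pipefail`) and having the "check result" step `grep` the log for the server's rejection message would pin the behaviour. The same pattern is in ms_ca_handler/enroll_eab (01c and 03) and ms_ca_handler/enroll_allowed_domain_list. The step name `EAB without headerinfo - 03 - check result "` is a plain scalar with an unbalanced trailing quote that becomes part of the step name, and steps 01b/01c run `sudo docker run` while 01a, 02, 03 and 04 run `docker run` — the elevated invocation is not needed here and should be dropped for consistency. "profilinging" in step 02's name is presumably "profiling".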
@@ -0,0 +1,88 @@ +name: "enroll_102_profile" +description: "wf enrollment 102 profile" +inputs: + DEPLOYMENT_TYPE: + description: "Deployment type" + required: true + default: "container" + +runs: + using: "composite" + steps: + + - name: "Sleep for 10s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 10s + + - name: "Test http://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + shell: bash + + - name: "Test if https://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory + shell: bash + + - name: "Enroll acme.sh" + run: | + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure --force + shell: bash + + - name: "Check timeout" + working-directory: examples/Docker/ + run: | + if [ ${{ inputs.DEPLOYMENT_TYPE }} == "container" ]; then + docker-compose logs | grep "Certificate.enroll_and_store() ended with: None:timeout" + sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) + elif [ ${{ inputs.DEPLOYMENT_TYPE }} == "rpm" ]; then + docker exec acme-srv grep "Certificate.enroll_and_store() ended with: None:timeout" /var/log/messages + fi + shell: bash + + - name: "Enroll acme.sh" + run: | + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure --force + shell: bash + + - name: "Check certificate reusage" + working-directory: examples/Docker/ + run: | + if [ ${{ inputs.DEPLOYMENT_TYPE }} == "container" ]; then + docker-compose logs | grep "Certificate._enroll(): reuse existing certificate" + elif [ ${{ 
inputs.DEPLOYMENT_TYPE }} == "rpm" ]; then + docker exec acme-srv grep "Certificate._enroll(): reuse existing certificate" /var/log/messages + fi + shell: bash + + - name: "Enroll Lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --cert.timeout 180 --http run + shell: bash + + - name: "Check timeout" + working-directory: examples/Docker/ + run: | + if [ ${{ inputs.DEPLOYMENT_TYPE }} == "container" ]; then + docker-compose logs | grep "Certificate.enroll_and_store() ended with: None:timeout" + sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) + fi + shell: bash + + - name: "Register certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email + shell: bash + + - name: "Enroll certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot --issuance-timeout 180 + shell: bash + + - name: "Check timeout" + working-directory: examples/Docker/ + run: | + if [ ${{ inputs.DEPLOYMENT_TYPE }} == "container" ]; then + docker-compose logs | grep "Certificate.enroll_and_store() ended with: None:timeout" + sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) + fi + shell: bash diff --git a/.github/actions/wf_specific/ms_ca_handler/enroll_allowed_domain_list/action.yml b/.github/actions/wf_specific/ms_ca_handler/enroll_allowed_domain_list/action.yml new file mode 100644 index 00000000..fd1c6337 --- /dev/null +++ b/.github/actions/wf_specific/ms_ca_handler/enroll_allowed_domain_list/action.yml 
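Review bot: The last two "Check timeout" steps (after "Enroll Lego" and "Enroll certbot") only carry the `container` branch, so with `DEPLOYMENT_TYPE: rpm` they execute nothing and pass without looking at the log, unlike the first "Check timeout" and "Check certificate reusage" steps which have an `rpm` branch. Each `if [ ${{ inputs.DEPLOYMENT_TYPE }} == "container" ]` also pastes the expression into the script text, which produces a `[: ==: unary operator expected` failure when the input is empty and is the expression-injection pattern GitHub documents against; passing it via `env:` and quoting it avoids both. Under `rpm` the first step never truncates `/var/log/messages`, so a later grep would match the first timeout entry rather than a new one — worth noting in the step or filtering by a marker. The three identically named "Check timeout" steps are hard to tell apart in the run log; numbering or naming them per client would help.

```yaml
      - name: "Check timeout (lego)"
        working-directory: examples/Docker/
        run: |
          if [ "$DEPLOYMENT_TYPE" == "container" ]; then
            docker-compose logs | grep "Certificate.enroll_and_store() ended with: None:timeout"
            sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1)
          elif [ "$DEPLOYMENT_TYPE" == "rpm" ]; then
            docker exec acme-srv grep "Certificate.enroll_and_store() ended with: None:timeout" /var/log/messages
          fi
        shell: bash
        env:
          DEPLOYMENT_TYPE: ${{ inputs.DEPLOYMENT_TYPE }}
      # … unchanged: remaining enrollment steps; apply the same shape to the certbot "Check timeout" step …
```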
@@ -0,0 +1,55 @@ +name: "enroll_allowed_domain_list" +description: "enroll_allowed_domain_list" +inputs: + NAME_SPACE: + description: "namespace" + required: true + default: "acme" +runs: + using: "composite" + steps: + - name: "Sleep for 10s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 10s + + - name: "Test http://acme-srv/directory is accessible" + run: docker run -i --rm --network $NAME_SPACE curlimages/curl -f http://acme-srv/directory + shell: bash + env: + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "Test if https://acme-srv/directory is accessible" + run: docker run -i --rm --network $NAME_SPACE curlimages/curl --insecure -f https://acme-srv/directory + shell: bash + env: + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "Enroll acme.sh with fqdn not part of allowed_domainlist (should fail)" + id: acmefail01 + continue-on-error: true + run: | + sudo rm -rf acme-sh/ + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network $NAME_SPACE --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.local --alpn --standalone --debug 3 --output-insecure + shell: bash + env: + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "Check result " + if: steps.acmefail01.outcome != 'failure' + run: | + echo "acmefail outcome is ${{steps.acmefail01.outcome }}" + exit 1 + shell: bash + env: + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "Enroll acme.sh with fqdn part of allowed_domainlist" + run: | + sudo rm -rf acme-sh/ + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network $NAME_SPACE --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure + openssl verify -CAfile cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server" + shell: bash + env: + NAME_SPACE: ${{ 
inputs.NAME_SPACE }} \ No newline at end of file diff --git a/.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo/action.yml b/.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo/action.yml new file mode 100644 index 00000000..7aa2dc2c --- /dev/null +++ b/.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo/action.yml 
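Review bot: The positive step "Enroll acme.sh with fqdn part of allowed_domainlist" verifies against `cert-1.pem`, but nothing in this action produces that file — the sibling enroll_default_headerinfo action first splits the chain with `awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer`, and that line is missing here — so unless an earlier action in the workflow writes it, `openssl verify` fails on a missing CA file rather than proving the chain. The `env: NAME_SPACE` on the "Check result" step is unused by its script and can go. The step name `"Check result "` carries a trailing space.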
@@ -0,0 +1,59 @@ +name: "enroll_default_headerinfo" +description: "enroll_default_headerinfo" +inputs: + NAME_SPACE: + description: "namespace" + required: true + default: "acme" +runs: + using: "composite" + steps: + - name: "Sleep for 10s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 10s + + - name: "Test http://acme-srv/directory is accessible" + run: docker run -i --rm --network ${{ inputs.NAME_SPACE }} curlimages/curl -f http://acme-srv/directory + shell: bash + env: + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "Test if https://acme-srv/directory is accessible" + run: docker run -i --rm --network ${{ inputs.NAME_SPACE }} curlimages/curl --insecure -f https://acme-srv/directory + shell: bash + env: + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "Enroll acme.sh with template in acme_srv.cfg (WebServer)" + run: | + sudo rm -rf acme-sh/ + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network ${{ inputs.NAME_SPACE }} --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.${{ inputs.NAME_SPACE }} --alpn --standalone --debug 3 --output-insecure + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.${{ inputs.NAME_SPACE }}_ecc/ca.cer + openssl verify -CAfile cert-1.pem acme-sh/acme-sh.${{ inputs.NAME_SPACE }}_ecc/acme-sh.${{ inputs.NAME_SPACE }}.cer + openssl x509 -in acme-sh/acme-sh.${{ inputs.NAME_SPACE }}_ecc/acme-sh.${{ inputs.NAME_SPACE }}.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server" + shell: bash + + - name: "Enroll lego with template in acme_srv.cfg (WebServer)" + run: | + sudo rm -rf lego/ + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network ${{ inputs.NAME_SPACE }} goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.${{ inputs.NAME_SPACE }} --http run + sudo openssl verify -CAfile cert-1.pem lego/certificates/lego.${{ inputs.NAME_SPACE }}.crt + sudo openssl x509 -in lego/certificates/lego.${{ 
inputs.NAME_SPACE }}.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Server" + shell: bash + + - name: "Enroll acme.sh with template submitted in command line (WebServerModified)" + run: | + sudo rm -rf acme-sh/ + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network ${{ inputs.NAME_SPACE }} --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.${{ inputs.NAME_SPACE }} --alpn --standalone --useragent template=WebServerModified --keylength 2048 --debug 3 --output-insecure + openssl verify -CAfile cert-1.pem acme-sh/acme-sh.${{ inputs.NAME_SPACE }}/acme-sh.${{ inputs.NAME_SPACE }}.cer + openssl x509 -in acme-sh/acme-sh.${{ inputs.NAME_SPACE }}/acme-sh.${{ inputs.NAME_SPACE }}.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Client" + shell: bash + + - name: "Enroll lego with template submitted in command line (WebServerModified)" + run: | + sudo rm -rf lego/ + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network ${{ inputs.NAME_SPACE }} goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent template=WebServerModified --key-type=rsa2048 -d lego.${{ inputs.NAME_SPACE }} --http run + sudo openssl verify -CAfile cert-1.pem lego/certificates/lego.${{ inputs.NAME_SPACE }}.crt + sudo openssl x509 -in lego/certificates/lego.${{ inputs.NAME_SPACE }}.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Client" + shell: bash diff --git a/.github/actions/wf_specific/ms_ca_handler/enroll_eab/action.yml b/.github/actions/wf_specific/ms_ca_handler/enroll_eab/action.yml new file mode 100644 index 00000000..ce649c0e --- /dev/null +++ b/.github/actions/wf_specific/ms_ca_handler/enroll_eab/action.yml 
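Review bot: Every `run:` script in this action inlines `${{ inputs.NAME_SPACE }}` into the shell text (network name, domain, file paths) even though the first two steps already export it as `NAME_SPACE` and never use it; the sibling enroll_allowed_domain_list action reads `$NAME_SPACE` from `env:` instead, which keeps the input out of the script source and is the form GitHub recommends. Switching the four enrollment steps to `--network "$NAME_SPACE"`, `-d "acme-sh.$NAME_SPACE"` / `-d "lego.$NAME_SPACE"` and the matching `$NAME_SPACE` paths, with `env: NAME_SPACE: ${{ inputs.NAME_SPACE }}` on each, makes the two actions consistent. The `env:` blocks on the two directory checks then become meaningful rather than redundant.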
@@ -0,0 +1,125 @@ +name: "enroll_default_headerinfo" +description: "enroll_default_headerinfo" +inputs: + NAME_SPACE: + description: "namespace" + required: true + default: "acme" + +runs: + using: "composite" + steps: + - name: "Sleep for 10s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 10s + + - name: "EAB with headerinfo - Test http://acme-srv/directory is accessible" + run: docker run -i --rm --network $NAME_SPACE curlimages/curl -f http://acme-srv/directory + shell: bash + env: + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "EAB with headerinfo - Test if https://acme-srv/directory is accessible" + run: docker run -i --rm --network $NAME_SPACE curlimages/curl --insecure -f https://acme-srv/directory + shell: bash + env: + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "EAB with headerinfo - 01a - enrollment without header-info field (first value in list)" + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network $NAME_SPACE goacme/lego -s http://acme-srv -a --email "lego@example.com" --key-type=rsa2048 -d lego.$NAME_SPACE --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run + sudo openssl x509 -in lego/certificates/lego.$NAME_SPACE.crt -text -noout + sudo openssl x509 -in lego/certificates/lego.$NAME_SPACE.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Client" + shell: bash + env: + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "EAB with headerinfo - 01b - enrollment with header-info field (pick value from list)" + run: | + sudo rm -rf lego/* + sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network $NAME_SPACE goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent template=WebServer --key-type=rsa2048 -d lego.$NAME_SPACE --eab --kid keyid_00 --hmac 
V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run + sudo openssl x509 -in lego/certificates/lego.$NAME_SPACE.crt -text -noout + sudo openssl x509 -in lego/certificates/lego.$NAME_SPACE.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Server" + shell: bash + env: + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "EAB with headerinfo - 01c - enrollment with header-info field containing value not included in list (to fail)" + id: legofail02 + continue-on-error: true + run: | + sudo rm -rf lego/* + sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network $NAME_SPACE goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent template=Unknown --key-type=rsa2048 -d lego.$NAME_SPACE --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run + shell: bash + env: + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: EAB with headerinfo 01c - check result " + if: steps.legofail02.outcome != 'failure' + run: | + echo "legofail outcome is ${{steps.legofail02.outcome }}" + exit 1 + shell: bash + env: + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "EAB with headerinfo - 01d - enrollment with header-info field cotaining an invalid parameter (silent overwrite)" + run: | + sudo rm -rf lego/* + sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network $NAME_SPACE goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent ca_name=foo --key-type=rsa2048 -d lego.$NAME_SPACE --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run + sudo openssl x509 -in lego/certificates/lego.$NAME_SPACE.crt -text -noout + sudo openssl x509 -in lego/certificates/lego.$NAME_SPACE.crt -ext extendedKeyUsage -noout | 
grep "TLS Web Client" + shell: bash + env: + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "EAB with headerinfo - 01e - enrollment with header-info field containing parameter not in json (silent overwrite)" + run: | + sudo rm -rf lego/* + sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network $NAME_SPACE goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent user=user --key-type=rsa2048 -d lego.$NAME_SPACE --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --http run + sudo openssl x509 -in lego/certificates/lego.$NAME_SPACE.crt -text -noout + sudo openssl x509 -in lego/certificates/lego.$NAME_SPACE.crt -ext extendedKeyUsage -noout | grep "TLS Web Client" + shell: bash + env: + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "EAB with headerinfo - 02 - template from profile" + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network $NAME_SPACE goacme/lego -s http://acme-srv -a --email "lego@example.com" --key-type=rsa2048 -d lego.$NAME_SPACE --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --http run + sudo openssl x509 -in lego/certificates/lego.$NAME_SPACE.crt -text -noout + sudo openssl x509 -in lego/certificates/lego.$NAME_SPACE.crt -ext extendedKeyUsage -noout | grep "TLS Web Client" + shell: bash + env: + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "EAB with headerinfo - 03 - domainlist validation fails (to fail)" + id: legofail03 + continue-on-error: true + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network $NAME_SPACE goacme/lego -s http://acme-srv -a --email "lego@example.com" --key-type=rsa2048 -d lego.$NAME_SPACE --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --http run + shell: bash + env: + NAME_SPACE: ${{ 
inputs.NAME_SPACE }} + + - name: "EAB with headerinfo - 03 - check result " + if: steps.legofail03.outcome != 'failure' + run: | + echo "legofail outcome is ${{steps.legofail03.outcome }}" + exit 1 + shell: bash + env: + NAME_SPACE: ${{ inputs.NAME_SPACE }} + + - name: "EAB with headerinfo - 04 - Settings from acme_srv.cfg" + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network $NAME_SPACE goacme/lego -s http://acme-srv -a --email "lego@example.com" --key-type=rsa2048 -d lego.$NAME_SPACE --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --http run + sudo openssl x509 -in lego/certificates/lego.$NAME_SPACE.crt -text -noout + sudo openssl x509 -in lego/certificates/lego.$NAME_SPACE.crt -ext extendedKeyUsage -noout | grep "TLS Web Server" + shell: bash + env: + NAME_SPACE: ${{ inputs.NAME_SPACE }} \ No newline at end of file diff --git a/.github/actions/wf_specific/ms_ca_handler/tunnel_setup/action.yml b/.github/actions/wf_specific/ms_ca_handler/tunnel_setup/action.yml new file mode 100644 index 00000000..e3cda1ad --- /dev/null +++ b/.github/actions/wf_specific/ms_ca_handler/tunnel_setup/action.yml 
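Review bot: The action's `name: "enroll_default_headerinfo"` and `description` are copied from the sibling action and do not describe this file (enroll_eab); the same copy-paste appears in openssl_ca_handler/enroll_adjust_cert_validity, enroll_cn_enforce and enroll_w_teamplate (all named `enroll_w_headerinfo`, each declaring `ASA_CA_NAME1`/`ASA_CA_NAME2` inputs that no step reads) and in openxpki_ca_handler/openxpki_prep (`name: "ejbca_prep"`). The step name `EAB with headerinfo 01c - check result "` is a plain scalar with an unbalanced trailing quote, and "cotaining" in 01d is presumably "containing". The `env: NAME_SPACE` entries on the two "check result" steps are unused by their scripts.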
@@ -0,0 +1,76 @@ +name: "tunnel_setup" +description: "tunnel_setup" +inputs: + WCCE_SSH_ACCESS_KEY: + description: "SSH access key" + required: true + WCCE_SSH_KNOWN_HOSTS: + description: "SSH known hosts" + required: true + WCCE_FQDN_WOTLD: + description: "FQDN without top level domain" + required: true + WCCE_FQDN: + description: "FQDN" + required: true + WCCE_HOST: + description: "WCCE host" + required: true + WCCE_SSH_USER: + description: "SSH user" + required: true + WCCE_SSH_HOST: + description: "SSH host" + required: true + WCCE_SSH_PORT: + description: "SSH port" + required: true + NAME_SPACE: + description: "namespace" + required: true + default: "acme" + +runs: + using: "composite" + steps: + - name: "Sleep for 10s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 10s + + - name: "Prepare ssh environment on ramdisk " + run: | + sudo mkdir -p /tmp/rd + sudo mount -t tmpfs -o size=5M none /tmp/rd + sudo echo "$SSH_KEY" > /tmp/rd/ak.tmp + sudo chmod 600 /tmp/rd/ak.tmp + sudo echo "$KNOWN_HOSTS" > /tmp/rd/known_hosts + env: + SSH_KEY: ${{ inputs.WCCE_SSH_ACCESS_KEY }} + KNOWN_HOSTS: ${{ inputs.WCCE_SSH_KNOWN_HOSTS }} + shell: bash + + - name: "Setup ssh forwarder" + run: | + docker run -d --rm --network $NAME_SPACE --name=$WCCE_FQDN_WOTLD -e "MAPPINGS=445:$WCCE_HOST:445; 443:$WCCE_HOST:443; 88:$WCCE_HOST:88" -e "SSH_HOST=$SSH_HOST" -e "SSH_PORT=$SSH_PORT" -e "SSH_USER=$SSH_USER" -p 443:443 -p 445:445 -p 88:88 -v "/tmp/rd/ak.tmp:/ssh_key:ro" davidlor/ssh-port-forward-client:dev + env: + SSH_USER: ${{ inputs.WCCE_SSH_USER }} + SSH_HOST: ${{ inputs.WCCE_SSH_HOST }} + SSH_PORT: ${{ inputs.WCCE_SSH_PORT }} + WCCE_HOST: ${{ inputs.WCCE_HOST }} + WCCE_FQDN_WOTLD: ${{ inputs.WCCE_FQDN_WOTLD }} + NAME_SPACE: ${{ inputs.NAME_SPACE }} + shell: bash + + - name: "Sleep for 10s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 10s + + - name: "Test conection to mscertsrv via ssh tunnel" + run: | + docker run -i --rm --network $NAME_SPACE curlimages/curl 
--insecure -f https://$WCCE_FQDN + env: + WCCE_FQDN: ${{ inputs.WCCE_FQDN }} + NAME_SPACE: ${{ inputs.NAME_SPACE }} + shell: bash \ No newline at end of file diff --git a/.github/actions/wf_specific/openssl_ca_handler/enroll_adjust_cert_validity/action.yml b/.github/actions/wf_specific/openssl_ca_handler/enroll_adjust_cert_validity/action.yml new file mode 100644 index 00000000..67378dc8 --- /dev/null +++ b/.github/actions/wf_specific/openssl_ca_handler/enroll_adjust_cert_validity/action.yml 
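Review bot: In "Prepare ssh environment on ramdisk", `sudo echo "$SSH_KEY" > /tmp/rd/ak.tmp` redirects in the runner's own shell (the `sudo` covers only `echo`), and the file is created with the default umask before `chmod 600` runs, so the private key is briefly readable by other users on the runner; `(umask 077; printf '%s\n' "$SSH_KEY" > /tmp/rd/ak.tmp)` closes that window and drops the pointless `sudo`, and the known_hosts line can lose its `sudo` the same way. `/tmp/rd/known_hosts` is written but never mounted into the forwarder container (only `ak.tmp` is, as `/ssh_key`), so unless the image reads it some other way the tunnel's host key is not pinned — worth checking what the image does with `SSH_HOST` and stating it in a comment. The image that receives the SSH key is pulled by the floating tag `davidlor/ssh-port-forward-client:dev`; pinning a digest would make the run reproducible and reviewable. `-p 443:443 -p 445:445 -p 88:88` additionally publishes the forwarded ports on the runner host even though the clients reach the container over `--network $NAME_SPACE`, so if nothing on the host needs them the `-p` flags can go. "conection" in the last step name is presumably "connection".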
@@ -0,0 +1,44 @@ +name: "enroll_w_headerinfo" +description: "enroll_w_headerinfo" +inputs: + ASA_CA_NAME1: + description: "ASA CA 1" + required: true + ASA_CA_NAME2: + description: "ASA CA 2" + required: true + +runs: + using: "composite" + steps: + - name: "Sleep for 10s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 10s + + - name: "Test http://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + shell: bash + + - name: "Test if https://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory + shell: bash + + - name: "Register certbot" + run: | + sudo rm -rf certbot/* + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email + shell: bash + + - name: "Enroll certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem + sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout + sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Not After : Jun 9 17:17:00 2030 GMT" + shell: bash + + - name: "Revoke certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot + shell: bash \ No newline at end of file diff --git a/.github/actions/wf_specific/openssl_ca_handler/enroll_cn_enforce/action.yml b/.github/actions/wf_specific/openssl_ca_handler/enroll_cn_enforce/action.yml new file mode 100644 index 00000000..55566c3d --- /dev/null 
+++ b/.github/actions/wf_specific/openssl_ca_handler/enroll_cn_enforce/action.yml 
@@ -0,0 +1,47 @@ +name: "enroll_w_headerinfo" +description: "enroll_w_headerinfo" +inputs: + ASA_CA_NAME1: + description: "ASA CA 1" + required: true + ASA_CA_NAME2: + description: "ASA CA 2" + required: true + +runs: + using: "composite" + steps: + - name: "Sleep for 10s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 10s + + - name: "Test http://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + shell: bash + + - name: "Test if https://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory + shell: bash + + - name: "Register certbot" + run: | + sudo rm -rf certbot/* + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email + shell: bash + + - name: "Enroll certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem + sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout + sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Basic Constraints: critical" + sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Digital Signature, Key Encipherment" + sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication" + sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Subject: CN = certbot.acme" + shell: bash + + - name: "Revoke certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke 
--delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot + shell: bash \ No newline at end of file diff --git a/.github/actions/wf_specific/openssl_ca_handler/enroll_w_teamplate/action.yml b/.github/actions/wf_specific/openssl_ca_handler/enroll_w_teamplate/action.yml new file mode 100644 index 00000000..d21fd789 --- /dev/null +++ b/.github/actions/wf_specific/openssl_ca_handler/enroll_w_teamplate/action.yml 
@@ -0,0 +1,78 @@ +name: "enroll_w_headerinfo" +description: "enroll_w_headerinfo" +inputs: + ASA_CA_NAME1: + description: "ASA CA 1" + required: true + ASA_CA_NAME2: + description: "ASA CA 2" + required: true + +runs: + using: "composite" + steps: + - name: "Sleep for 5s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 5s + + - name: "Test http://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + shell: bash + + - name: "Test if https://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory + shell: bash + + - name: "Enroll acme.sh" + run: | + sudo rm -rf acme-sh/* + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer + # verify aborts due to unhandled critical extension + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "Basic Constraints: critical" + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement" + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "TLS Web Server Authentication, OCSP Signing" + shell: bash + + - name: "Revoke via acme.sh" + run: | + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure + shell: bash + + - name: "Register certbot" + run: | + sudo rm -rf certbot/* + docker run -i --rm --name certbot --network acme -v 
$PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email + shell: bash + + - name: "Enroll certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot + # verify aborts due to unhandled critical extension + sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout + sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Basic Constraints: critical" + sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement" + sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "TLS Web Server Authentication, OCSP Signing" + shell: bash + + - name: "Revoke certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot + shell: bash + + - name: "Enroll lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run + # verify aborts due to unhandled critical extension + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "Basic Constraints: critical" + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement" + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "TLS Web Server Authentication, OCSP Signing" + shell: bash + + - name: "Revoke lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a 
--email "lego@example.com" -d lego.acme revoke + shell: bash \ No newline at end of file diff --git a/.github/actions/wf_specific/openxpki_ca_handler/openxpki_prep/action.yml b/.github/actions/wf_specific/openxpki_ca_handler/openxpki_prep/action.yml new file mode 100644 index 00000000..a887d318 --- /dev/null +++ b/.github/actions/wf_specific/openxpki_ca_handler/openxpki_prep/action.yml 
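Review bot: All three enrollment steps replace `openssl verify` with the comment `# verify aborts due to unhandled critical extension`, which means the template issues leaf certificates carrying a critical extension OpenSSL does not recognise; RFC 5280 requires relying parties to reject such certificates, so the test currently passes on certificates that conforming TLS stacks would refuse. If that is intentional for the template under test, the assertion should name the extension, e.g. `openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep -A1 "critical"` against the expected identifier, and the comment should say which one; if not, it is a finding against the template rather than something to work around in the test. The asserted EKU pair `TLS Web Server Authentication, OCSP Signing` is also worth a comment: if this template mirrors a production profile, a TLS server leaf that can also sign OCSP responses is broader than it needs to be. The directory name `enroll_w_teamplate` looks like a typo for `enroll_w_template`.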
@@ -0,0 +1,97 @@
+name: "ejbca_prep"
+description: "ejbca_prep"
+inputs:
+ RUNNER_IP:
+ description: "Runner IP"
+ required: true
+ WORKING_DIR:
+ description: "Working directory"
+ required: true
+ default: ${{ github.workspace }}
+
+runs:
+ using: "composite"
+ steps:
+
+ - name: "Prepare Environment"
+ working-directory: ${{ inputs.WORKING_DIR }}
+ run: |
+ mkdir -p data/acme_ca
+ mkdir -p /tmp/openxpki
+ sudo chmod -R 777 data
+ sudo sh -c "echo '$OPENXPKI_IP openxpki' >> /etc/hosts"
+ sudo cat /etc/hosts
+ env:
+ OPENXPKI_IP: ${{ inputs.RUNNER_IP }}
+ shell: bash
+
+ - name: "Instanciate OpenXPKI server"
+ working-directory: /tmp/openxpki
+ run: |
+ sudo apt-get install -y docker-compose
+ git clone https://github.com/openxpki/openxpki-docker.git
+ cd openxpki-docker/
+ git clone https://github.com/openxpki/openxpki-config.git --single-branch --branch=community
+ cd openxpki-config/
+ # git checkout a86981e2929e68f3fe3530a83bdb7a4436dfd604
+ cd ..
+ sed -i "s/value: 0/value: 1/g" openxpki-config/config.d/realm/democa/est/default.yaml
+ sed -i "s/cert_profile: tls_server/cert_profile: tls_client/g" openxpki-config/config.d/realm/democa/est/default.yaml
+ sed -i "s/approval_points: 1/approval_points: 0/g" openxpki-config/config.d/realm/democa/rpc/enroll.yaml
+ sed -i "s/export_certificate: chain/export_certificate: fullchain/g" openxpki-config/config.d/realm/democa/rpc/enroll.yaml
+ sed -i "s/dn: CN=\[\% CN.0 \%\],DC=Test Deployment,DC=OpenXPKI,DC=org/dn: CN=\[\% SAN_DNS.0 \%\]/g" openxpki-config/config.d/realm.tpl/profile/tls_server.yaml
+ cp contrib/wait_on_init.yaml openxpki-config/config.d/system/local.yam
+ docker-compose up &
+ shell: bash
+
+ - name: "Sleep for 60s"
+ uses: juliangruber/sleep-action@v2.0.3
+ with:
+ time: 60s
+
+ - name: "Fix 1st time start issues with OpenXPKI server"
+ working-directory: /tmp/openxpki/openxpki-docker
+ run: |
+ docker ps
+ docker stop openxpki-docker_openxpki-server_1
+ docker start openxpki-docker_openxpki-server_1
+ shell: bash
+
+ - name: "Sleep for 10s"
+ uses: juliangruber/sleep-action@v2.0.3
+ with:
+ time: 10s
+
+ - name: "Configure OpenXPKI server"
+ working-directory: /tmp/openxpki
+ run: |
+ docker ps
+ docker exec -id openxpki-docker_openxpki-server_1 /bin/bash /etc/openxpki/contrib/sampleconfig.sh
+ docker exec -id openxpki-docker_openxpki-client_1 apt-get install -y libjson-pp-perl
+ shell: bash
+
+ - name: "Sleep for 45s"
+ uses: juliangruber/sleep-action@v2.0.3
+ with:
+ time: 45s
+
+ - name: "Enroll keys for Client-authentication via scep"
+ working-directory: ${{ inputs.WORKING_DIR }}
+ run: |
+ sudo openssl genrsa -out data/acme_ca/client_key.pem 2048
+ sudo openssl req -new -key data/acme_ca/client_key.pem -subj '/CN=a2c:pkiclient,O=acme' -outform der | base64 > /tmp/request.pem
+ curl -v -H "Content-Type: application/pkcs10" --data @/tmp/request.pem https://$OPENXPKI_IP:8443/.well-known/est/simpleenroll --insecure | base64 -d > /tmp/cert.p7b
+ sudo openssl pkcs7 -print_certs -in /tmp/cert.p7b -inform der -out data/acme_ca/client_crt.pem
+ sudo openssl pkcs12 -export -out data/acme_ca/client_crt.p12 -inkey data/acme_ca/client_key.pem -in data/acme_ca/client_crt.pem -passout pass:Test1234
+ sudo openssl rsa -noout -modulus -in data/acme_ca/client_key.pem | openssl md5
+ sudo openssl x509 -noout -modulus -in data/acme_ca/client_crt.pem | openssl md5
+ sudo chmod a+r data/acme_ca/client_key.pem
+ sudo chmod a+r data/acme_ca/client_crt.pem
+ sudo chmod a+r data/acme_ca/client_crt.p12
+ curl https://$OPENXPKI_IP:8443/.well-known/est/cacerts --insecure | base64 -d > /tmp/cacert.p7b
+ sudo openssl pkcs7 -print_certs -in /tmp/cacert.p7b -inform der -out data/acme_ca/ca_bundle.pem
+ sudo chmod a+rw data/acme_ca/ca_bundle.pem
+ sudo openssl s_client -connect $OPENXPKI_IP:8443 2>/dev/null > data/acme_ca/ca_bundle.pem
+ env:
+ OPENXPKI_IP: ${{ inputs.RUNNER_IP }}
+ shell: bash
\ No newline at end of file
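Review bot: The last command of the "Enroll keys for Client-authentication via scep" step, `sudo openssl s_client -connect $OPENXPKI_IP:8443 2>/dev/null > data/acme_ca/ca_bundle.pem`, overwrites the bundle that the two preceding lines just extracted from `/.well-known/est/cacerts`, so whatever later reads `data/acme_ca/ca_bundle.pem` gets raw s_client output (the server's leaf certificate plus handshake text) instead of the EST CA chain. If the intent is to trust the server's TLS certificate, write it to a separate file and use `-showcerts </dev/null` so the command does not wait on stdin; otherwise drop the line. The `git clone` calls for openxpki-docker and openxpki-config are unpinned (the `git checkout a86981e…` that would pin them is commented out), so the fixture can change underneath the workflow without any change in this repository; restoring the checkout or pinning a tag keeps the run reproducible. The target of `cp contrib/wait_on_init.yaml openxpki-config/config.d/system/local.yam` looks like a typo for `local.yaml`, which would leave the copied setting unused, and `name: "ejbca_prep"` / `description: "ejbca_prep"` should name the OpenXPKI preparation action.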
diff --git a/.github/actions/wf_specific/xca_ca_handler/enroll_eab/action.yml b/.github/actions/wf_specific/xca_ca_handler/enroll_eab/action.yml
new file mode 100644
index 00000000..3970d494
--- /dev/null
+++ b/.github/actions/wf_specific/xca_ca_handler/enroll_eab/action.yml
@@ -0,0 +1,210 @@ +name: "enroll_eab" +description: "enroll_eab" + +runs: + using: "composite" + steps: + - name: "Sleep for 5s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 5s + + - name: "EAB - Sleep for 10s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 10s + + - name: "EAB - Test http://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + shell: bash + + - name: "EAB - Test if https://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory + shell: bash + + - name: "EAB - 01 - Enroll acme with a template_name taken from list in kid.json" + run: | + sudo rm -rf acme-sh/* + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature, Non Repudiation" + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Client Authentication, Code Signing" + shell: bash + + - name: "EAB - 01 - Enroll lego with a template_name taken from list in kid.json" + run: | + sudo rm -rf lego/* + docker run 
-i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.acme --http run + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature, Non Repudiation" + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Client Authentication, Code Signing" + shell: bash + + - name: "EAB - 02a - Enroll acme with a template_name taken from header_info NOT included in kid.json (to fail)" + id: acmefail01 + continue-on-error: true + run: | + sudo rm -rf acme-sh/* + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent template_name=unknown -d acme-sh.acme --standalone --debug 3 --output-insecure + shell: bash + + - name: "EAB - 02a - check result " + if: steps.acmefail01.outcome != 'failure' + run: | + echo "acmefail outcome is ${{steps.acmefail01.outcome }}" + exit 1 + shell: bash + + - name: "EAB - 02b - Enroll acme with a template_name taken from header_info included in kid.json" + run: | + sudo rm -rf acme-sh/* + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server 
http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent template_name=acme -d acme-sh.acme --standalone --debug 3 --output-insecure + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement" + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication" + shell: bash + + - name: "EAB - 02a - Enroll lego with a template_name taken from header_info NOT included in kid.json (to fail)" + id: legofail01 + continue-on-error: true + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent template_name=unknown -d lego.acme --http run + shell: bash + + - name: "EAB - 02a - check result " + if: steps.legofail01.outcome != 'failure' + run: | + echo "legofail outcome is ${{steps.legofail01.outcome }}" + exit 1 + shell: bash + + - name: "EAB - 02b - Enroll lego with a template_name taken from header_info included in kid.json" + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego 
--network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent template_name=acme -d lego.acme --http run + sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout + sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement" + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Server Authentication, TLS Web Client Authentication" + shell: bash + + - name: "EAB - 03 - Enroll acme with a template_name/ca_name taken from kid.json" + run: | + sudo rm -rf acme-sh/* + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_01 --eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3 + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature, Non Repudiation" + openssl x509 
-in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Client Authentication, Code Signing" + shell: bash + + - name: "EAB - 03 - Enroll lego with a template_name/ca_name taken from kid.json" + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -d lego.acme --http run + sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout + sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature, Non Repudiation" + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Client Authentication, Code Signing" + shell: bash + + - name: "EAB - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)" + id: acmefail02 + continue-on-error: true + run: | + sudo rm -rf acme-sh/* + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure + shell: bash + + - name: "EAB - 04 - check result " + if: steps.acmefail02.outcome != 'failure' + run: | + echo "acmefail outcome is ${{steps.acmefail02.outcome }}" + exit 1 + shell: bash + + - 
name: "EAB - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)" + id: legofail02 + continue-on-error: true + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.acme --http run + shell: bash + + - name: "EAB - 04a - check result " + if: steps.legofail02.outcome != 'failure' + run: | + echo "legofail outcome is ${{steps.legofail02.outcome }}" + exit 1 + shell: bash + + - name: "EAB - 05 - Enroll acme with default values from acme.cfg" + run: | + sudo rm -rf acme-sh/* + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3 + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement" + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication" + shell: bash + + - name: "EAB - 05 - Enroll lego with default values from acme.cfg" + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name 
lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -d lego.acme --http run + sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout + sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement" + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Server Authentication, TLS Web Client Authentication" + shell: bash + + - name: "EAB - 06 - Enroll acme with not allowed headerinfo-field (should fail)" + id: acmefail03 + continue-on-error: true + run: | + sudo rm -rf acme-sh/* + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent template_name=acme -d acme-sh.acme --standalone --debug 3 --output-insecure + shell: bash + + - name: "EAB - 06 - check result " + if: steps.acmefail03.outcome != 'failure' + run: | + echo "acmefail outcome is ${{steps.acmefail03.outcome }}" + exit 1 + shell: bash + + - name: "EAB - 06 - Enroll lego with not allowed headerinfo-field (should fail)" + id: legofail03 + continue-on-error: true + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme 
goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --user-agent template_name=acme -d lego.acme --http run
+ shell: bash
+
+ - name: "EAB - 06 - check result "
+ if: steps.legofail03.outcome != 'failure'
+ run: |
+ echo "legofail outcome is ${{steps.legofail03.outcome }}"
+ exit 1
+ shell: bash
\ No newline at end of file
diff --git a/.github/actions/wf_specific/xca_ca_handler/enroll_eab_sp/action.yml b/.github/actions/wf_specific/xca_ca_handler/enroll_eab_sp/action.yml
new file mode 100644
index 00000000..9b97905d
--- /dev/null
+++ b/.github/actions/wf_specific/xca_ca_handler/enroll_eab_sp/action.yml
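Review bot: The negative cases (steps `acmefail01`, `legofail01`, `acmefail02`, `legofail02`, `acmefail03`, `legofail03`) only check `outcome != 'failure'`, and each failing step also contains the `--register-account` call (acme.sh) or the whole `lego ... run` invocation, so any error at all — server unreachable, EAB registration refused, an image pull failure — satisfies the check and the test cannot tell a correctly rejected template_name or fqdn from an unrelated breakage. Moving the acme.sh registration into its own step without `continue-on-error`, and capturing the client output in the failing step so a follow-up `grep` can look for the server's rejection message, would make these assertions meaningful. The lego verifications in 01, 02b, 03 and 05 run `sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt` against files written by the `awk` split in the preceding acme.sh step, an implicit ordering dependency worth a comment such as `# cert-1.pem/cert-2.pem are produced by the acme.sh step above`. Two unrelated steps are both named `"EAB - 02a - check result "` while the lego counterpart in section 04 is `"EAB - 04a - check result "`; naming them consistently (for example `"EAB - 02a - acme - check result"` / `"EAB - 02a - lego - check result"`) makes the job log easier to follow.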
@@ -0,0 +1,362 @@ +name: "enroll_eab" +description: "enroll_eab" +inputs: + DEPLOYMENT_TYPE: + description: "Deployment type" + required: true + default: "container" + + +runs: + using: "composite" + steps: + - name: "EAB - Sleep for 10s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 10s + + - name: "EAB - Test http://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + shell: bash + + - name: "EAB - Test if https://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory + shell: bash + + - name: "EAB SP - 01a - SUCC - Enroll acme - 1st list entry" + run: | + mkdir -p acme-sh + sudo rm -rf acme-sh/* + openssl genrsa -out acme-sh/acme-sh.acme.key 2048 + openssl req -new -key acme-sh/acme-sh.acme.key -subj '/CN=acme-sh.acme/O=acme corp/OU=acme1/C=AC/serialNumber=00-11-22-33' --addext "subjectAltName = DNS:acme-sh.acme" -outform pem -out acme-sh/acme-sh.acme.csr + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name acme-sh neilpang/acme.sh:latest --signcsr --csr acme.sh/acme-sh.acme.csr --server http://acme-srv --standalone --debug 1 --output-insecure --insecure + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer + openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout + shell: bash + + - name: "EAB SP - 01a - SUCC - Enroll lego - 1st list entry" + run: | + sudo mkdir -p lego + sudo rm 
-rf lego/* + sudo openssl genrsa -out lego/lego.acme.key 2048 + sudo openssl req -new -key lego/lego.acme.key -subj '/CN=lego.acme/O=acme corp/OU=acme1/C=AC/serialNumber=00-11-22-33' --addext "subjectAltName = DNS:lego.acme" -outform pem -out lego/lego.acme.csr + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --csr .lego/lego.acme.csr --http run + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout + shell: bash + + - name: "EAB SP - 01B - SUCC - Enroll acme - 2nd list entry" + run: | + sudo rm -rf acme-sh/* + openssl genrsa -out acme-sh/acme-sh.acme.key 2048 + openssl req -new -key acme-sh/acme-sh.acme.key -subj '/CN=acme-sh.acme/O=acme corp/OU=acme2/C=AC/serialNumber=00-11-22-33' --addext "subjectAltName = DNS:acme-sh.acme" -outform pem -out acme-sh/acme-sh.acme.csr + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name acme-sh neilpang/acme.sh:latest --signcsr --csr acme.sh/acme-sh.acme.csr --server http://acme-srv --standalone --debug 1 --output-insecure --insecure + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer + openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout + shell: bash + + - name: "EAB SP - 01B - SUCC - Enroll lego - 2nd list entry" + run: | + sudo rm -rf 
lego/* + sudo openssl genrsa -out lego/lego.acme.key 2048 + sudo openssl req -new -key lego/lego.acme.key -subj '/CN=lego.acme/O=acme corp/OU=acme2/C=AC/serialNumber=00-11-22-33' --addext "subjectAltName = DNS:lego.acme" -outform pem -out lego/lego.acme.csr + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --csr .lego/lego.acme.csr --http run + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout + shell: bash + + - name: "EAB SP - 01C - FAIL - Enroll acme - entry not in list" + id: acmefail01 + continue-on-error: true + run: | + sudo rm -rf acme-sh/* + openssl genrsa -out acme-sh/acme-sh.acme.key 2048 + openssl req -new -key acme-sh/acme-sh.acme.key -subj '/CN=acme-sh.acme/O=acme corp/OU=acme3/C=AC/serialNumber=00-11-22-33' --addext "subjectAltName = DNS:acme-sh.acme" -outform pem -out acme-sh/acme-sh.acme.csr + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name acme-sh neilpang/acme.sh:latest --signcsr --csr acme.sh/acme-sh.acme.csr --server http://acme-srv --standalone --debug 1 --output-insecure --insecure + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer + openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout + shell: bash + + - name: "Check result" + if: 
steps.acmefail01.outcome != 'failure' + run: | + echo "acmefail outcome is ${{steps.acmefail01.outcome }}" + exit 1 + shell: bash + + - name: "Sleep for 2s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 2s + + - name: "Check logs for errors" + working-directory: examples/Docker/ + run: | + if [ ${{ inputs.DEPLOYMENT_TYPE }} == "container" ]; then + docker-compose logs > docker-compose.log + cat docker-compose.log | grep "organizationalUnitName: value: acme3 expected: \['acme1', 'acme2'\]" + sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) + # elif [ ${{ inputs.DEPLOYMENT_TYPE }} == "rpm" ]; then + # docker exec acme-srv grep "organizationalUnitName: value: acme3 expected: \['acme1', 'acme2'\]" /var/log/messages + fi + shell: bash + + - name: "EAB SP - 01C - Fail - Enroll lego - entry not in list" + id: legofail01 + continue-on-error: true + run: | + sudo rm -rf lego/* + sudo openssl genrsa -out lego/lego.acme.key 2048 + sudo openssl req -new -key lego/lego.acme.key -subj '/CN=lego.acme/O=acme corp/OU=acme3/C=AC/serialNumber=00-11-22-33' --addext "subjectAltName = DNS:lego.acme" -outform pem -out lego/lego.acme.csr + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --csr .lego/lego.acme.csr --http run + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout + shell: bash + + - name: "Check result" + if: steps.legofail01.outcome != 'failure' + run: | + echo "legofail outcome is ${{steps.legofail01.outcome }}" + exit 1 + shell: bash + + - name: "Sleep for 2s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 2s + + - name: "Check logs for errors" + working-directory: 
examples/Docker/ + run: | + if [ ${{ inputs.DEPLOYMENT_TYPE }} == "container" ]; then + docker-compose logs > docker-compose.log + cat docker-compose.log | grep "organizationalUnitName: value: acme3 expected: \['acme1', 'acme2'\]" + sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) + # elif [ ${{ inputs.DEPLOYMENT_TYPE }} == "rpm" ]; then + # docker exec acme-srv grep "organizationalUnitName: value: acme3 expected: \['acme1', 'acme2'\]" /var/log/messages + fi + shell: bash + + - name: "EAB SP - 02 - FAIL - Enroll acme - wildcard entry not present" + id: acmefail02 + continue-on-error: true + run: | + sudo rm -rf acme-sh/* + openssl genrsa -out acme-sh/acme-sh.acme.key 2048 + openssl req -new -key acme-sh/acme-sh.acme.key -subj '/CN=acme-sh.acme/O=acme corp/OU=acme1/C=AC' --addext "subjectAltName = DNS:acme-sh.acme" -outform pem -out acme-sh/acme-sh.acme.csr + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name acme-sh neilpang/acme.sh:latest --signcsr --csr acme.sh/acme-sh.acme.csr --server http://acme-srv --standalone --debug 1 --output-insecure --insecure + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer + openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout + shell: bash + + - name: "Check result" + if: steps.acmefail02.outcome != 'failure' + run: | + echo "acmefail outcome is ${{steps.acmefail02.outcome }}" + exit 1 + shell: bash + + - name: "Sleep for 2s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 2s + + - name: "Check logs for errors" + working-directory: 
examples/Docker/ + run: | + if [ ${{ inputs.DEPLOYMENT_TYPE }} == "container" ]; then + docker-compose logs > docker-compose.log + cat docker-compose.log | grep "failed for: \['serialNumber'\]" + sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) + # elif [ ${{ inputs.DEPLOYMENT_TYPE }} == "rpm" ]; then + # docker exec acme-srv grep "failed for: \['serialNumber'\]" /var/log/messages + fi + shell: bash + + - name: "EAB SP - 02 - FAIL - Enroll lego - wildcard entry not present" + id: legofail02 + continue-on-error: true + run: | + sudo rm -rf lego/* + sudo openssl genrsa -out lego/lego.acme.key 2048 + sudo openssl req -new -key lego/lego.acme.key -subj '/CN=lego.acme/O=acme corp/OU=acme1/C=AC' --addext "subjectAltName = DNS:lego.acme" -outform pem -out lego/lego.acme.csr + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --csr .lego/lego.acme.csr --http run + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout + shell: bash + + - name: "Check result" + if: steps.legofail02.outcome != 'failure' + run: | + echo "legofail outcome is ${{steps.legofail02.outcome }}" + exit 1 + shell: bash + + - name: "Sleep for 2s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 2s + + - name: "Check logs for errors" + working-directory: examples/Docker/ + run: | + if [ ${{ inputs.DEPLOYMENT_TYPE }} == "container" ]; then + docker-compose logs > docker-compose.log + cat docker-compose.log | grep "failed for: \['serialNumber'\]" + sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) + # elif [ ${{ inputs.DEPLOYMENT_TYPE }} == "rpm" ]; then + # docker exec 
acme-srv grep "failed for: \['serialNumber'\]" /var/log/messages + fi + shell: bash + + - name: "EAB SP - 03 - FAIL - Enroll acme - string check failed" + id: acmefail03 + continue-on-error: true + run: | + sudo rm -rf acme-sh/* + openssl genrsa -out acme-sh/acme-sh.acme.key 2048 + openssl req -new -key acme-sh/acme-sh.acme.key -subj '/CN=acme-sh.acme/O=noacme corp/OU=acme2/C=AC/serialNumber=00-11-22-33' --addext "subjectAltName = DNS:acme-sh.acme" -outform pem -out acme-sh/acme-sh.acme.csr + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name acme-sh neilpang/acme.sh:latest --signcsr --csr acme.sh/acme-sh.acme.csr --server http://acme-srv --standalone --debug 1 --output-insecure --insecure + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer + openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout + shell: bash + + - name: "Check result" + if: steps.acmefail03.outcome != 'failure' + run: | + echo "acmefail outcome is ${{steps.acmefail03.outcome }}" + exit 1 + shell: bash + + - name: "Sleep for 2s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 2s + + - name: "Check logs for errors" + working-directory: examples/Docker/ + run: | + if [ ${{ inputs.DEPLOYMENT_TYPE }} == "container" ]; then + docker-compose logs > docker-compose.log + cat docker-compose.log | grep "failed for: organizationName: value: noacme corp expected: acme corp" + sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) + # elif [ ${{ inputs.DEPLOYMENT_TYPE }} == "rpm" ]; then + # docker exec acme-srv grep "failed for: 
organizationName: value: noacme corp expected: acme corp" /var/log/messages + fi + shell: bash + + - name: "EAB SP - 03 - FAIL - Enroll lego - string check failed" + id: legofail03 + continue-on-error: true + run: | + sudo rm -rf lego/* + sudo openssl genrsa -out lego/lego.acme.key 2048 + sudo openssl req -new -key lego/lego.acme.key -subj '/CN=lego.acme/O=noacme corp/OU=acme2/C=AC/serialNumber=00-11-22-33' --addext "subjectAltName = DNS:lego.acme" -outform pem -out lego/lego.acme.csr + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --csr .lego/lego.acme.csr --http run + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout + shell: bash + + - name: "Check result" + if: steps.legofail03.outcome != 'failure' + run: | + echo "legofail outcome is ${{steps.legofail03.outcome }}" + exit 1 + shell: bash + + - name: "Sleep for 2s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 2s + + - name: "Check logs for errors" + working-directory: examples/Docker/ + run: | + if [ ${{ inputs.DEPLOYMENT_TYPE }} == "container" ]; then + docker-compose logs > docker-compose.log + cat docker-compose.log | grep "failed for: organizationName: value: noacme corp expected: acme corp" + sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) + # elif [ ${{ inputs.DEPLOYMENT_TYPE }} == "rpm" ]; then + # docker exec acme-srv grep "failed for: organizationName: value: noacme corp expected: acme corp" /var/log/messages + fi + shell: bash + + - name: "EAB SP - 04 - FAIL - Enroll acme - string parameter not present" + id: acmefail04 + continue-on-error: true + run: | + sudo rm -rf acme-sh/* + openssl genrsa 
-out acme-sh/acme-sh.acme.key 2048 + openssl req -new -key acme-sh/acme-sh.acme.key -subj '/CN=acme-sh.acme/O=acme corp/OU=acme2/serialNumber=00-11-22-33' --addext "subjectAltName = DNS:acme-sh.acme" -outform pem -out acme-sh/acme-sh.acme.csr + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name acme-sh neilpang/acme.sh:latest --signcsr --csr acme.sh/acme-sh.acme.csr --server http://acme-srv --standalone --debug 1 --output-insecure --insecure + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer + openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout + shell: bash + + - name: "Check result" + if: steps.acmefail04.outcome != 'failure' + run: | + echo "acmefail outcome is ${{steps.acmefail04.outcome }}" + exit 1 + shell: bash + + - name: "Sleep for 2s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 2s + + - name: "Check logs for errors" + working-directory: examples/Docker/ + run: | + if [ ${{ inputs.DEPLOYMENT_TYPE }} == "container" ]; then + docker-compose logs > docker-compose.log + cat docker-compose.log | grep "failed for: \['countryName'\]" + sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) + # elif [ ${{ inputs.DEPLOYMENT_TYPE }} == "rpm" ]; then + # docker exec acme-srv grep "failed for: \['countryName'\]" /var/log/messages + fi + shell: bash + + - name: "EAB SP - 04 - FAIL - Enroll acme - string parameter not present" + id: legofail04 + continue-on-error: true + run: | + sudo rm -rf lego/* + sudo openssl genrsa -out lego/lego.acme.key 2048 + sudo openssl req -new -key 
lego/lego.acme.key -subj '/CN=lego.acme/O=acme corp/OU=acme2/serialNumber=00-11-22-33' --addext "subjectAltName = DNS:lego.acme" -outform pem -out lego/lego.acme.csr + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --csr .lego/lego.acme.csr --http run + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout + shell: bash + + - name: "Check result" + if: steps.legofail04.outcome != 'failure' + run: | + echo "legofail outcome is ${{steps.legofail04.outcome }}" + exit 1 + shell: bash + + - name: "Sleep for 2s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 2s + + - name: "Check logs for errors" + working-directory: examples/Docker/ + run: | + if [ ${{ inputs.DEPLOYMENT_TYPE }} == "container" ]; then + docker-compose logs > docker-compose.log + cat docker-compose.log | grep "failed for: \['countryName'\]" + sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) + # elif [ ${{ inputs.DEPLOYMENT_TYPE }} == "rpm" ]; then + # docker exec acme-srv grep "failed for: \['countryName'\]" /var/log/messages + fi + shell: bash + diff --git a/.github/actions/wf_specific/xca_ca_handler/enroll_headerinfo/action.yml b/.github/actions/wf_specific/xca_ca_handler/enroll_headerinfo/action.yml new file mode 100644 index 00000000..ea3c88d7 --- /dev/null +++ b/.github/actions/wf_specific/xca_ca_handler/enroll_headerinfo/action.yml 
@@ -0,0 +1,68 @@ +name: "enroll_headerinfo" +description: "enroll_headerinfo" + +runs: + using: "composite" + steps: + - name: "Sleep for 5s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 5s + + - name: "Header-info - Test http://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + shell: bash + + - name: "Header-info - Test if https://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory + shell: bash + + - name: "Header-info - 01 - Enroll acme.sh without template_name" + run: | + sudo rm -rf acme-sh/* + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement" + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication" + shell: bash + + - name: "Header-info - 01 - Enroll lego without template_name" + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | 
grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement" + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Server Authentication, TLS Web Client Authentication" + shell: bash + + - name: "Header-info - 02 - Enroll acme.sh with template_name template" + run: | + sudo rm -rf acme-sh/* + # docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --debug 3 + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --useragent template_name=template -d acme-sh.acme --standalone --debug 3 --output-insecure + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature, Non Repudiation" + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Client Authentication, Code Signing" + shell: bash + + - name: "Header-info - 02 - Enroll lego with template_name template" + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent template_name=template -d lego.acme --http run + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature, Non Repudiation" + sudo openssl x509 -in 
lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Client Authentication, Code Signing" + shell: bash + + - name: "Delete acme-sh, letsencypt and lego folders" + run: | + sudo rm -rf lego/* + sudo rm -rf acme-sh/* + sudo rm -rf certbot/* + shell: bash \ No newline at end of file diff --git a/.github/actions/wf_specific/xca_ca_handler/enroll_no_template/action.yml b/.github/actions/wf_specific/xca_ca_handler/enroll_no_template/action.yml new file mode 100644 index 00000000..2de41d0f --- /dev/null +++ b/.github/actions/wf_specific/xca_ca_handler/enroll_no_template/action.yml 
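Review bot: The `openssl verify -CAfile cert-2.pem -untrusted cert-1.pem` calls in all four enrollment steps use a trust anchor that the preceding `awk` line just extracted from the server-supplied `ca.cer`, so the check only proves that the leaf chains to whatever the ACME server returned, not to the CA the test expects; the `test/ca/root-ca-cert.pem` anchor used elsewhere in this diff is the stronger check, and the same pattern is introduced in both alpn-test.yml hunks below. The keyUsage assertions in the two `Header-info - 02` steps, `grep "Digital Signature, Non Repudiation"`, are a prefix of the value asserted in the `01` steps, so they would also pass if the template had not been applied; anchoring the match, e.g. `grep "Digital Signature, Non Repudiation$"`, makes the test discriminate. The lego steps also omit `-noout`, so the PEM body is piped into grep along with the text output.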
@@ -0,0 +1,56 @@ +name: "enroll_no_template" +description: "enroll_no_template" + +runs: + using: "composite" + steps: + - name: "Sleep for 5s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 5s + + - name: "No template - Test http://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + shell: bash + + - name: "No template - Enroll acme.sh" + run: | + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "Basic Constraints: critical" + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "Digital Signature, Key Encipherment" + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "TLS Web Server Authentication" + shell: bash + + - name: "No template - Register certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email + shell: bash + + - name: "No template - Enroll HTTP-01 single domain certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem + sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout + sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Basic 
Constraints: critical" + sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Digital Signature, Key Encipherment" + sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "TLS Web Server Authentication" + shell: bash + + - name: "No template - Enroll lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "Basic Constraints: critical" + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "Digital Signature, Key Encipherment" + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "TLS Web Server Authentication" + shell: bash + + - name: "Delete acme-sh, letsencypt and lego folders" + run: | + sudo rm -rf lego/* + sudo rm -rf acme-sh/* + sudo rm -rf certbot/* + shell: bash \ No newline at end of file diff --git a/.github/actions/wf_specific/xca_ca_handler/enroll_template/action.yml b/.github/actions/wf_specific/xca_ca_handler/enroll_template/action.yml new file mode 100644 index 00000000..e0981ce3 --- /dev/null +++ b/.github/actions/wf_specific/xca_ca_handler/enroll_template/action.yml 
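Review bot: None of the `No template` steps produce `cert-1.pem`/`cert-2.pem`, yet every `openssl verify` call here reads them; unlike the enroll_headerinfo action there is no `awk` split of `ca.cer`, so the verification either fails or silently uses whatever cert-N.pem files an earlier action left in the workspace. The enroll_template action in the next hunk has the same gap. Either add `awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer` after the acme.sh issue, or verify against a CA file checked into the repository, which also avoids trusting the served chain as its own anchor.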
@@ -0,0 +1,60 @@ +name: "enroll_template" +description: "enroll_template" + +runs: + using: "composite" + steps: + - name: "Sleep for 5s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 5s + + - name: "Template - Test http://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + shell: bash + + - name: "Template - Test if https://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory + shell: bash + + - name: "Template - Enroll acme.sh" + run: | + sudo rm -rf acme-sh/* + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement" + openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication" + shell: bash + + - name: "Template - Register certbot" + run: | + sudo rm -rf certbot/* + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email + shell: bash + + - name: "Template - Enroll certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem + sudo openssl x509 
-in certbot/archive/certbot/cert1.pem -text -noout + sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement" + sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication" + shell: bash + + - name: "Template - Enroll lego" + run: | + sudo rm -rf lego/* + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement" + sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication" + shell: bash + + - name: "Delete acme-sh, letsencypt and lego folders" + run: | + sudo rm -rf lego/* + sudo rm -rf acme-sh/* + sudo rm -rf certbot/* + shell: bash \ No newline at end of file diff --git a/.github/workflows/acme_sh-application-test.yml b/.github/workflows/acme_sh-application-test.yml index 53d1a0c1..736b508d 100644 --- a/.github/workflows/acme_sh-application-test.yml +++ b/.github/workflows/acme_sh-application-test.yml 
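Review bot: The `Template - Test if https://acme-srv/directory is accessible` step runs curl with `--insecure`, so it only proves that something answers on the HTTPS port and would pass with any certificate, including one from a replaced or misconfigured server key; the same step is added in enroll_headerinfo and in the alpn_wsgi_rpm hunk. If the CA that signs the acme-srv TLS certificate is available to the workflow, `--cacert <path-to-ca-bundle>` turns this into a real chain check; otherwise the step name should say it is a reachability check only.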
@@ -9,9 +9,29 @@ on: - cron: '0 2 * * 6' jobs: + container_build: + name: "container_build" + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + websrv: ['apache2', 'nginx'] + dbhandler: ['wsgi', 'django'] + + steps: + - name: "checkout GIT" + uses: actions/checkout@v4 + + - name: "Build container" + uses: ./.github/actions/container_build_upload + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + acme_container_tests: name: "acme_container_tests" runs-on: ubuntu-latest + needs: container_build strategy: fail-fast: false matrix: 
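Review bot: `needs: container_build` on `acme_container_tests` waits for the whole `container_build` matrix, so one failed build variant (say nginx/django) blocks every test job, including those whose image built fine; `fail-fast: false` only applies inside a matrix job, not across the `needs` edge. If per-variant isolation matters, the test matrix could be split into one job per websrv/dbhandler pair, each needing only its own build. The `websrv`/`dbhandler` lists are also repeated verbatim in the `cleanup` job further down, so a change to one list silently desynchronises the artifact names the other one deletes.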
@@ -19,43 +39,49 @@ jobs: keylength: [2048, ec-521] websrv: ['apache2', 'nginx'] dbhandler: ['wsgi', 'django'] + steps: - name: "checkout GIT" uses: actions/checkout@v4 - - name: "create folders" + - name: "Create folders" run: | mkdir acme-sh - - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})" - working-directory: examples/Docker/ + - name: "Download container" + uses: actions/download-artifact@v4 + with: + name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz + path: /tmp + + - name: "Import container" run: | sudo apt-get install -y docker-compose - sudo mkdir -p data - sed -i "s/wsgi/$DB_HANDLER/g" .env - sed -i "s/apache2/$WEB_SRV/g" .env - cat .env - docker network create acme - docker-compose up -d - docker-compose logs - env: - WEB_SRV: ${{ matrix.websrv }} + gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz + ls -la + docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar + docker images + + - name: "Prepare container environment" + uses: ./.github/actions/container_prep + with: DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + CONTAINER_BUILD: false - - name: "setup openssl ca_handler" + - name: "Setup openssl ca_handler" run: | sudo mkdir -p examples/Docker/data/acme_ca/certs sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - - name: "[ WAIT 
] Sleep for 10s" + - name: "Bring up a2c container" + uses: ./.github/actions/container_up + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + + - name: "Sleep for 10s" uses: juliangruber/sleep-action@v2.0.3 with: time: 10s @@ -66,11 +92,11 @@ jobs: - name: "Test if https://acme-srv/directory is accessible" run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - name: "[ PREPARE ] prepare acme.sh container" + - name: "Prepare acme.sh container" run: | docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - name: "[ ENROLL ] HTTP-01 single domain acme.sh" + - name: "Enroll HTTP-01 single domain acme.sh" run: | docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --accountkeylength ${{ matrix.accountkeylength }} --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then @@ -78,7 +104,7 @@ jobs: fi openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer - - name: "[ RENEW ] HTTP-01 single domain acme.sh" + - name: "Renew HTTP-01 single domain acme.sh" run: | if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then ECC="--ecc" 
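Review bot: The artifact name `a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz` is spelled out three times across the `Download container` and `Import container` steps, and the derived `.tar` name a fourth time after `gunzip`. A job-level `env:` entry such as `IMAGE_ARCHIVE: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}`, used as `${{ env.IMAGE_ARCHIVE }}.tar.gz` in the `with: name:` and as `$IMAGE_ARCHIVE.tar.gz` in the run step, keeps them in step. `docker load -i` reads gzip input directly, so `docker load -i /tmp/$IMAGE_ARCHIVE.tar.gz` would also let the separate `gunzip` line go.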
@@ -89,14 +115,14 @@ jobs: fi openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer - - name: "[ REVOKE ] HTTP-01 single domain acme.sh" + - name: "Revoke HTTP-01 single domain acme.sh" run: | if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then ECC="--ecc" fi docker exec -i acme-sh acme.sh --server http://acme-srv --revoke ${ECC} -d acme-sh.acme --standalone --debug 2 --output-insecure - - name: "[ ENROLL ] HTTP-01 2x domain acme.sh" + - name: "Enroll HTTP-01 2x domain acme.sh" run: | docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --issue -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then @@ -104,7 +130,7 @@ jobs: fi openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer - - name: "[ RENEW ] HTTP-01 2x domain acme.sh" + - name: "Renew HTTP-01 2x domain acme.sh" run: | if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then ECC="--ecc" 
@@ -115,17 +141,23 @@ jobs: fi openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer - - name: "[ REVOKE ] HTTP-01 2x domain acme.sh" + - name: "Revoke HTTP-01 2x domain acme.sh" run: | if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then ECC="--ecc" fi docker exec -i acme-sh acme.sh --server http://acme-srv --revoke ${ECC} -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure - - name: "[ DEACTIVATE ] acme.sh" + - name: "Deactivate acme.sh" run: | docker exec -i acme-sh acme.sh --server http://acme-srv --deactivate-account --debug 2 --output-insecure + - name: "Check container configuration" + uses: ./.github/actions/container_check + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + - name: "[ * ] collecting test data" if: ${{ failure() }} run: | @@ -142,3 +174,18 @@ jobs: with: name: acme_container_tests${{ matrix.websrv }}-${{ matrix.dbhandler }}-${{ matrix.accountkeylength }}_key-${{ matrix.keylength }}.tar.gz path: ${{ github.workspace }}/artifact/upload/ + + cleanup: + name: "cleanup" + runs-on: ubuntu-latest + needs: acme_container_tests + strategy: + fail-fast: false + matrix: + websrv: ['apache2', 'nginx'] + dbhandler: ['wsgi', 'django'] + + steps: + - uses: geekyeggo/delete-artifact@v5 + with: + name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz diff --git a/.github/workflows/alpn-test.yml b/.github/workflows/alpn-test.yml index 9041dea3..9c217068 100644 --- a/.github/workflows/alpn-test.yml +++ b/.github/workflows/alpn-test.yml 
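Review bot: The new `cleanup` job has `needs: acme_container_tests` and no `if:`, so whenever any test job fails the cleanup is skipped and the `a2c-<run_id>.*.tar.gz` image artifacts stay attached to the run; `if: always()` on the job runs it regardless of the test outcome. `geekyeggo/delete-artifact@v5` is a third-party action referenced by a mutable tag, as is `juliangruber/sleep-action@v2.0.3` added across the composite actions in this diff; pinning each to a full commit SHA with the tag in a trailing comment keeps a tag move from changing what runs with the job's token.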
@@ -21,42 +21,27 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: "create folders" - run: | - mkdir lego - mkdir acme-sh - mkdir certbot - - - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})" - working-directory: examples/Docker/ - run: | - sudo apt-get install -y docker-compose - sudo mkdir -p data - sed -i "s/wsgi/$DB_HANDLER/g" .env - sed -i "s/apache2/$WEB_SRV/g" .env - cat .env - docker network create acme - docker-compose up -d - docker-compose logs - env: - WEB_SRV: ${{ matrix.websrv }} + - name: "Build container" + uses: ./.github/actions/container_prep + with: DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - - name: "setup openssl ca_handler" + - name: "Setup openssl ca_handler" run: | sudo mkdir -p examples/Docker/data/acme_ca/certs sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg cd examples/Docker/ docker-compose restart docker-compose logs + - name: "create folders" + run: | + mkdir lego + mkdir acme-sh + mkdir certbot + - name: "Sleep for 10s" uses: juliangruber/sleep-action@v2.0.3 with: 
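Review bot: The step is named `Build container` but it invokes `./.github/actions/container_prep`, and the same action is introduced in the acme_sh-application-test.yml hunk above as `Prepare container environment` and in the ari-test.yml hunk below again as `Build container`; one name per action keeps the job logs comparable across workflows, e.g. `- name: "Prepare container environment"`. Presumably `container_prep` now brings the compose stack up, which leaves the `docker-compose restart` in `Setup openssl ca_handler` as the only place the handler config is applied; a comment there, `# restart so the freshly copied acme_srv.cfg is picked up`, would document why that line survived the refactor.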
@@ -68,19 +53,22 @@ jobs: - name: "Test if https://acme-srv/directory is accessible" run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - name: "Prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - name: "Enroll acme.sh" run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - name: "Enroll lego" run: | docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --tls run - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + + - name: "Check container configuration" + uses: ./.github/actions/container_check + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - name: "[ * ] collecting test logs" if: ${{ failure() }} 
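Review bot: Using `cert-2.pem` as `-CAfile` and `cert-1.pem` as `-untrusted` in `Enroll acme.sh` assumes that `ca.cer` holds exactly two certificates in sub-CA-then-root order; a chain of a different length or order makes `openssl verify` fail with an unrelated error, and with a single certificate `cert-2.pem` does not exist at all. A count check after the split, `[ "$(grep -c 'BEGIN CERT' acme-sh/acme-sh.acme_ecc/ca.cer)" -eq 2 ]`, fails the step with a clear message. The `Enroll lego` step reuses the same two files, so it silently depends on the acme.sh step having run first.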
@@ -98,8 +86,8 @@ jobs: name: alpn_containercontainer-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz path: ${{ github.workspace }}/artifact/upload/ - alpn_apache2_wsgi_rpm: - name: "alpn_apache2_wsgi_rpm" + alpn_wsgi_rpm: + name: "alpn_wsgi_rpm" runs-on: ubuntu-latest strategy: fail-fast: false 
@@ -109,81 +97,44 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: update version number in spec file - run: | - # sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - cat examples/install_scripts/rpm/acme2certifier.spec - - - name: build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" - - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" - - - name: "[ PREPARE ] setup environment for alma installation" - run: | - docker network create acme - sudo mkdir -p data - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data + GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} + GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} - - name: "[ PREPARE ] create letsencrypt and lego folder" + - name: "Create letsencrypt and lego folder" run: | mkdir acmme-sh mkdir lego - - name: "Retrieve rpms from SBOM repo" - run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data - env: - GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} - GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} - - - name: "[ PREPARE ] prepare acme_srv.cfg with openssl_ca_handler" + - name: "Prepare acme_srv.cfg with openssl_ca_handler" run: | - mkdir -p data/acme_ca - sudo mkdir -p 
examples/Docker/data/acme_ca/certs + sudo mkdir -p data/acme_ca/certs sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/ sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/acme_srv.cfg - - name: "[ PREPARE ] Almalinux instance" - run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - - name: "[ RUN ] Execute install scipt" + - name: "Execute install script" run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh - name: "Test http://acme-srv/directory is accessible" run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - name: "[ PREPARE ] prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + - name: "Test if https://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - name: "[ ENROLL ] acme.sh" + - name: "Enroll acme.sh" run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force - openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer 
+ openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - name: "[ ENROLL ] lego" + - name: "Enroll lego" run: | docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --tls run - sudo openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - name: "[ * ] collecting test logs" if: ${{ failure() }} diff --git a/.github/workflows/ari-test.yml b/.github/workflows/ari-test.yml index 03ef4965..af56a306 100644 --- a/.github/workflows/ari-test.yml +++ b/.github/workflows/ari-test.yml 
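Review bot: The renamed `Create letsencrypt and lego folder` step still runs `mkdir acmme-sh` (typo) while the `Enroll acme.sh` step mounts `$(pwd)/acme-sh`, so the directory the step creates is never used and the mounted one is created by Docker as root; since the step is touched here, `mkdir acme-sh` is the one-line fix. The `rpm_prep` action now receives `GH_SBOM_USER` and `GH_SBOM_TOKEN` as inputs in place of the removed inline `git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/...`; the action should be checked for the same credential-in-URL pattern, which persists in the clone's remote configuration and appears in any `set -x` trace, whereas a `GIT_ASKPASS` helper or a credential header keeps the token out of both.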
@@ -22,35 +22,16 @@ jobs:
- name: "checkout GIT"
uses: actions/checkout@v4
- - name: "create folders"
- run: |
- mkdir lego
- mkdir acme-sh
- mkdir certbot
-
- - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})"
- working-directory: examples/Docker/
- run: |
- sudo apt-get install -y docker-compose
- sudo mkdir -p data
- sed -i "s/wsgi/$DB_HANDLER/g" .env
- sed -i "s/apache2/$WEB_SRV/g" .env
- cat .env
- docker network create acme
- docker-compose up -d
- docker-compose logs
- env:
- WEB_SRV: ${{ matrix.websrv }}
+ - name: "Build container"
+ uses: ./.github/actions/container_prep
+ with:
DB_HANDLER: ${{ matrix.dbhandler }}
+ WEB_SRV: ${{ matrix.websrv }}
- name: "Setup openssl ca_handler"
run: |
sudo mkdir -p examples/Docker/data/acme_ca/certs
sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/
- sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem
- sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem
- sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem
- sudo cp .github/django_settings.py examples/Docker/data/settings.py
sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg examples/Docker/data/acme_srv.cfg
sudo chmod 777 examples/Docker/data/acme_srv.cfg
sudo echo -e "\n\n[Renewalinfo]" >> examples/Docker/data/acme_srv.cfg
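Review bot: The retained `sudo chmod 777 examples/Docker/data/acme_srv.cfg` followed by `sudo echo -e "\n\n[Renewalinfo]" >> examples/Docker/data/acme_srv.cfg` only works because the config is world-writable: `sudo` applies to `echo`, while the `>>` redirect is opened by the unprivileged runner shell. Since this file is mounted into the container next to `sub-ca-key.pem`, write it as `echo -e "\n\n[Renewalinfo]" | sudo tee -a examples/Docker/data/acme_srv.cfg >/dev/null` and drop the 777. The new `Build container` step also removes the copies of `acme2certifier_cert.pem`, `acme2certifier_key.pem` and `settings.py` without replacing them on the new side; presumably `container_prep` now does this, but the action body is not in this diff, so confirm the TLS material still lands in `examples/Docker/data/`.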
@@ -64,24 +45,34 @@ jobs:
with:
time: 10s
+ - name: "Create lego folder"
+ run: |
+ mkdir lego
+
- name: "Test http://acme-srv/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
- name: "Test if https://acme-srv/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
- - name: "enroll lego"
+ - name: "Enroll lego"
run: |
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt
- - name: "renew lego"
+ - name: "Renew lego"
run: |
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http renew --ari-enable --no-random-sleep 2> ari.txt
grep "renewalInfo endpoint indicates that renewal is needed" ari.txt
cat ari.txt
sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt
+ - name: "Check container configuration"
+ uses: ./.github/actions/container_check
+ with:
+ DB_HANDLER: ${{ matrix.dbhandler }}
+ WEB_SRV: ${{ matrix.websrv }}
+
- name: "[ * ] collecting test logs"
if: ${{ failure() }}
run: |
@@ -110,71 +101,36 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: update version number in spec file - run: | - # sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - cat examples/install_scripts/rpm/acme2certifier.spec - - - name: build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" - - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" - - - name: "[ PREPARE ] setup environment for alma installation" - run: | - docker network create acme - sudo mkdir -p data - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data - - - name: "[ PREPARE ] create lego folder" - run: | - mkdir lego - - - name: "Retrieve rpms from SBOM repo" - run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data - env: GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} - - name: "[ PREPARE ] prepare acme_srv.cfg with openssl_ca_handler" + - name: "Prepare acme_srv.cfg with openssl_ca_handler" run: | - mkdir -p data/acme_ca - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca + sudo mkdir -p data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem 
test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/ sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/acme_srv.cfg sudo chmod 777 data/acme_srv.cfg sudo echo -e "\n\n[Renewalinfo]" >> data/acme_srv.cfg sudo echo "renewal_force: True" >> data/acme_srv.cfg - - name: "[ PREPARE ] Almalinux instance" + - name: "Execute install scipt" run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd + docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh - - name: "[ RUN ] Execute install scipt" + - name: "Create lego folder" run: | - docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh + mkdir lego - - name: "[ ENROLL ] HTTP-01 single domain lego" + - name: "Enroll HTTP-01 single domain lego" run: | docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run sudo openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - - name: "[ RENEW ] HTTP-01 single domain lego" + - name: "Renew HTTP-01 single domain lego" run: | docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http renew --ari-enable --no-random-sleep 2> ari.txt grep "renewalInfo endpoint indicates that renewal is needed" ari.txt 
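Review bot: `GH_SBOM_TOKEN` is now handed to `rpm_prep` as a `with:` input, and the inline step it replaces cloned with the token embedded in the URL (`git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom`), which leaves the token in `/tmp/sbom/.git/config` and in any verbose git output for the rest of the job. If the action still clones that way — its body is not in this diff — prefer passing the credential via `git -c http.extraheader="AUTHORIZATION: basic $(printf 'x-access-token:%s' "$GH_SBOM_TOKEN" | base64 -w0)" clone https://github.com/$GH_SBOM_USER/sbom /tmp/sbom`, or at minimum `rm -rf /tmp/sbom` once the RPMs are copied into `data`. The kept `sudo chmod 777 data/acme_srv.cfg` / `sudo echo ... >> data/acme_srv.cfg` pair has the same sudo-does-not-cover-the-redirect shape as in the first job and would be better as `... | sudo tee -a data/acme_srv.cfg >/dev/null`.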
@@ -215,56 +171,18 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: update version number in spec file and path in nginx ssl config - run: | - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/\/var\/www\/acme2certifier\/volume/\/etc\/nginx/g" examples/nginx/nginx_acme_srv_ssl.conf - git config --global user.email "grindelsack@gmail.com" - git config --global user.name "rpm update" - git add examples/nginx - git commit -a -m "rpm update" - - - name: build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" - - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" + GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} + GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} - - name: "[ PREPARE ] setup environment for alma installation" - run: | - docker network create acme - sudo mkdir -p data/volume - sudo mkdir -p data/acme2certifier - sudo mkdir -p data/nginx - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/django_tester.sh data - sudo cp .github/acme2certifier_cert.pem data/nginx/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem data/nginx/acme2certifier_key.pem - sudo cp .github/django_settings.py data/acme2certifier/settings.py - sudo sed -i "s/\/var\/www\//\/opt\//g" data/acme2certifier/settings.py - sudo sed -i "s/USE_I18N = True/USE_I18N = False/g" data/acme2certifier/settings.py - - - name: "[ PREPARE ] create lego folder" + - name: 
"Create lego folder" run: | mkdir lego - - name: "Retrieve rpms from SBOM repo" - run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data - env: - GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} - GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} - - - name: "[ PREPARE ] prepare acme_srv.cfg with openssl_ca_handler" + - name: "Prepare acme_srv.cfg with openssl_ca_handler" run: | sudo mkdir -p data/volume/acme_ca/certs sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/volume/acme_ca/ @@ -273,14 +191,7 @@ jobs: sudo echo -e "\n\n[Renewalinfo]" >> data/volume/acme_srv.cfg sudo echo "renewal_force: True" >> data/volume/acme_srv.cfg - - name: "[ PREPARE ] Almalinux instance" - run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network acme -p 22280:80 --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - - name: "[ RUN ] Execute install scipt" + - name: "Execute install scipt" run: | docker exec acme-srv sh /tmp/acme2certifier/django_tester.sh 
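Review bot: The removed django-specific preparation — rewriting `examples/nginx/nginx_acme_srv_ssl.conf` paths to `/etc/nginx`, copying `acme2certifier_cert.pem`/`acme2certifier_key.pem` into `data/nginx`, and copying `django_settings.py` to `data/acme2certifier/settings.py` with the `/var/www/` to `/opt/` and `USE_I18N = False` edits — has no counterpart on the new side; `rpm_prep` receives only the SBOM secrets and `RH_VERSION`. If the action does not reproduce these, `django_tester.sh` runs against an unconfigured nginx/settings layout, so either confirm `rpm_prep` handles the django variant or give it an input such as `DJANGO: "true"` that selects this preparation. Dropping the `git config --global user.email "grindelsack@gmail.com"` commit dance is a welcome side effect, as long as the nginx path rewrite it existed for still happens somewhere.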
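Review bot: The renamed step `- name: "Execute install scipt"` carries the typo over from the old title, and the wsgi job in this file does the same, while the other workflow in this diff already reads `"Execute install script"`. Use the corrected spelling in both jobs so the step names stay greppable together. The removed `docker run -d -id --privileged --network acme -p 22280:80 ...` start of the systemd container now lives in `rpm_prep`; whether the host port publish and `--privileged` survived is not visible here, and the port publish at least seems unnecessary since every client reaches `acme-srv` over the `acme` network.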
@@ -290,12 +201,12 @@ jobs:
- name: "Test if https://acme-srv/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
- - name: "[ ENROLL ] HTTP-01 single domain lego"
+ - name: "Enroll HTTP-01 single domain lego"
run: |
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
sudo openssl verify -CAfile data/volume/acme_ca/root-ca-cert.pem -untrusted data/volume/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt
- - name: "[ RENEW ] HTTP-01 single domain lego"
+ - name: "Renew HTTP-01 single domain lego"
run: |
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http renew --ari-enable --no-random-sleep 2> ari.txt
grep "renewalInfo endpoint indicates that renewal is needed" ari.txt
diff --git a/.github/workflows/ca_handler_tests_acme.yml b/.github/workflows/ca_handler_tests_acme.yml
index 6407586e..c5618d6d 100644
--- a/.github/workflows/ca_handler_tests_acme.yml
+++ b/.github/workflows/ca_handler_tests_acme.yml
@@ -8,9 +8,29 @@ on:
- cron: '0 2 * * 6'
jobs:
+ container_build:
+ name: "container_build"
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ websrv: ['apache2', 'nginx']
+ dbhandler: ['wsgi', 'django']
+
+ steps:
+ - name: "checkout GIT"
+ uses: actions/checkout@v4
+
+ - name: "Build container"
+ uses: ./.github/actions/container_build_upload
+ with:
+ DB_HANDLER: ${{ matrix.dbhandler }}
+ WEB_SRV: ${{ matrix.websrv }}
+
acme_ca_handler_test:
name: "acme_ca_handler_test"
runs-on: ubuntu-latest
+ needs: container_build
strategy:
fail-fast: false
matrix:
@@ -21,96 +41,61 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: "create folders" - run: | - mkdir lego - mkdir acme-sh - mkdir certbot + - name: "Download container" + uses: actions/download-artifact@v4 + with: + name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz + path: /tmp - - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})" - working-directory: examples/Docker/ + - name: "Import container" run: | sudo apt-get install -y docker-compose - sudo mkdir -p data - sed -i "s/wsgi/$DB_HANDLER/g" .env - sed -i "s/apache2/$WEB_SRV/g" .env - cat .env - docker network create acme - docker-compose up -d - docker-compose logs - env: - WEB_SRV: ${{ matrix.websrv }} - DB_HANDLER: ${{ matrix.dbhandler }} + gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz + docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar + docker images - - name: "Setup le-sim" - run: | - sudo mkdir -p examples/Docker/data-le - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data-le/ca_handler.py - sudo mkdir -p examples/Docker/data-le/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data-le/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data-le/acme_srv.cfg - sudo chmod 777 examples/Docker/data-le/acme_srv.cfg - docker run -d -p 80:80 --rm -id --network acme --name=acme-le-sim -v "$(pwd)/examples/Docker/data-le":/var/www/acme2certifier/volume/ grindsa/acme2certifier:apache2-wsgi - - - name: "[ WAIT ] Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Prepare container environment" + uses: ./.github/actions/container_prep with: - time: 10s - - - name: "Test http://acme-le-sim/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f 
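Review bot: The new `container_build` job declares no `permissions:` block, so it runs with the workflow's default `GITHUB_TOKEN` grants although it only checks out and uploads an artifact; add `permissions: contents: read` under the job (unless a workflow-level block exists above this hunk, which is not visible). Its image is consumed by three downstream jobs via `docker load`, so having `container_build_upload` export the image ID (`docker image inspect --format '{{.Id}}' <tag>`) as a job output would let those jobs pin exactly what they load instead of trusting the artifact name alone. Since the matrix builds four images per run and `needs: container_build` waits for the whole matrix, one failed leg now blocks every test job even with `fail-fast: false`; that is probably intended, but worth a comment on the `needs:` line.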
http://acme-le-sim/directory + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + CONTAINER_BUILD: false - - name: "Enroll from le-sim" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-le-sim --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure --force - openssl verify -CAfile acme-sh/acme-sh.acme_ecc/ca.cer acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + - name: "Setup le-sim" + uses: ./.github/actions/wf_specific/acme_ca_handler/le-sim_prep - name: "Setup acme ca_handler" run: | sudo mkdir -p examples/Docker/data/acme - sudo chmod -R 777 examples/Docker/data/acme - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg sudo chmod 777 examples/Docker/data/acme_srv.cfg sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg sudo echo "handler_file: examples/ca_handler/acme_ca_handler.py" >> examples/Docker/data/acme_srv.cfg sudo echo "acme_keyfile: volume/acme/le_staging_private_key.json" >> examples/Docker/data/acme_srv.cfg - sudo echo "acme_url: http://acme-le-sim" >> examples/Docker/data/acme_srv.cfg + sudo echo "acme_url: http://le-sim" >> examples/Docker/data/acme_srv.cfg sudo echo "acme_account_email: grindsa@foo.bar" >> examples/Docker/data/acme_srv.cfg sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - - name: "Sleep for 10s" - uses: 
juliangruber/sleep-action@v2.0.3 + - name: "Bring up a2c container" + uses: ./.github/actions/container_up with: - time: 10s - - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "Enroll via acme_ca_handler 1st attempt" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-srv.acme --standalone --debug 3 --output-insecure --force - openssl verify -CAfile test/ca/root-ca-cert.pem -untrusted test/ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - - name: "Enroll via acme_ca_handler 2nd attempt" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-srv.acme --standalone --debug 3 --output-insecure --force - openssl verify -CAfile test/ca/root-ca-cert.pem -untrusted test/ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - name: "Check acme account found in keyfile" run: | cd examples/Docker docker-compose logs | grep -i "found in keyfile" + - name: "Check container configuration" + uses: ./.github/actions/container_check + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + - name: "[ * ] collecting test data" if: ${{ failure() }} run: | 
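Review bot: `docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar` accepts whatever the artifact contains; the only guard is that `actions/download-artifact@v4` scopes artifacts to this run, so capture the `Loaded image:` line and compare it with an image ID published by `container_build_upload`, or at least `docker image inspect` the tag `container_prep` expects before proceeding. The retained `sudo cp ... acme_srv.cfg`, `sudo chmod 777 ... acme_srv.cfg`, `sudo head -n -8 ... > examples/Docker/data/acme_srv.cfg` sequence copies a file only to overwrite it, and needs the 777 solely because the `>` redirect runs as the runner user; `head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg | sudo tee examples/Docker/data/acme_srv.cfg >/dev/null` does the same in one line without leaving a world-writable config that then receives the `acme_keyfile` path and `challenge_validation_disable: True`. The new `acme_url: http://le-sim` is plain HTTP between containers on the `acme` network, acceptable for a simulator but worth a `# CI only: le-sim is a local simulator, do not copy for real upstream CAs` comment.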
@@ -132,94 +117,68 @@ jobs: acme_ca_handler_sectigo_test: name: "acme_ca_handler_sectigo_test" runs-on: ubuntu-latest + needs: container_build strategy: fail-fast: false matrix: websrv: ['apache2', 'nginx'] dbhandler: ['wsgi', 'django'] + steps: - name: "checkout GIT" uses: actions/checkout@v4 - - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})" - working-directory: examples/Docker/ + - name: "Download container" + uses: actions/download-artifact@v4 + with: + name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz + path: /tmp + + - name: "Import container" run: | sudo apt-get install -y docker-compose - sudo mkdir -p data - sed -i "s/wsgi/$DB_HANDLER/g" .env - sed -i "s/apache2/$WEB_SRV/g" .env - cat .env - docker network create acme - docker-compose up -d - docker-compose logs - env: - WEB_SRV: ${{ matrix.websrv }} + gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz + docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar + docker images + + - name: "Prepare container environment" + uses: ./.github/actions/container_prep + with: DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + CONTAINER_BUILD: false - name: "Setup le-sim" - run: | - sudo mkdir -p examples/Docker/data-le - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data-le/ca_handler.py - sudo mkdir -p examples/Docker/data-le/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data-le/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data-le/acme_srv.cfg - sudo chmod 777 examples/Docker/data-le/acme_srv.cfg - sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: False\nsectigo_sim: True/g" examples/Docker/data-le/acme_srv.cfg - docker run -d -p 80:80 --rm -id --network acme 
--name=acme-le-sim -v "$(pwd)/examples/Docker/data-le":/var/www/acme2certifier/volume/ grindsa/acme2certifier:devel - - - name: "[ WAIT ] Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + uses: ./.github/actions/wf_specific/acme_ca_handler/le-sim_prep with: - time: 10s - - - name: "Test http://acme-le-sim/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-le-sim/directory - - - name: "Enroll from le-sim" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-le-sim --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure --force - openssl verify -CAfile acme-sh/acme-sh.acme_ecc/ca.cer acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + SECTIGO_SIM: true - name: "Setup openssl ca_handler" run: | - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py + sudo mkdir -p examples/Docker/data/acme sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg sudo chmod 777 examples/Docker/data/acme_srv.cfg sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg sudo echo "handler_file: examples/ca_handler/acme_ca_handler.py" >> examples/Docker/data/acme_srv.cfg sudo echo "acme_keyfile: volume/acme/le_staging_private_key.json" >> examples/Docker/data/acme_srv.cfg - sudo echo "acme_url: http://acme-le-sim" >> examples/Docker/data/acme_srv.cfg + sudo echo "acme_url: 
http://le-sim" >> examples/Docker/data/acme_srv.cfg sudo echo "acme_account_email: grindsa@foo.bar" >> examples/Docker/data/acme_srv.cfg sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Bring up a2c container" + uses: ./.github/actions/container_up with: - time: 10s - - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - - name: "Enroll via acme_ca_handler 1st attempt" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - openssl verify -CAfile test/ca/root-ca-cert.pem -untrusted test/ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - - name: "Enroll via acme_ca_handler 2nd attempt" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - openssl verify -CAfile test/ca/root-ca-cert.pem -untrusted test/ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + - name: "Check container configuration" + uses: ./.github/actions/container_check + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - name: "[ * ] collecting test data" 
if: ${{ failure() }}
@@ -242,6 +201,7 @@ jobs:
acme_ca_handler_profiling_test:
name: "acme_ca_handler_profiling_test"
runs-on: ubuntu-latest
+ needs: container_build
strategy:
fail-fast: false
matrix:
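Review bot: `SECTIGO_SIM: true` and `CONTAINER_BUILD: false` are passed as bare YAML booleans, while the composite actions in this change declare their inputs as strings (`default: "true"`); GitHub stringifies them, but the action's own comparison decides whether `true`, `True` or `"true"` matches, so quote them as `SECTIGO_SIM: "true"` and `CONTAINER_BUILD: "false"` to match the declarations. The `Download container` / `Import container` pair is now repeated verbatim in three jobs of this file; folding it into a small composite action, or letting `container_prep` take the artifact name, keeps the gunzip and `docker load` logic in one place. As in the first job, `sudo chmod 777 examples/Docker/data/acme_srv.cfg` exists only because the following `sudo head -n -8 ... >` redirect runs unprivileged; `... | sudo tee ... >/dev/null` removes the need for it.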
@@ -252,92 +212,78 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: "create folders" - run: | - mkdir lego - mkdir acme-sh - mkdir certbot + - name: "Download container" + uses: actions/download-artifact@v4 + with: + name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz + path: /tmp - - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})" - working-directory: examples/Docker/ + - name: "Import container" run: | sudo apt-get install -y docker-compose - sudo mkdir -p data - sed -i "s/wsgi/$DB_HANDLER/g" .env - sed -i "s/apache2/$WEB_SRV/g" .env - cat .env - docker network create acme - docker-compose up -d - docker-compose logs - env: - WEB_SRV: ${{ matrix.websrv }} + gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz + docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar + docker images + + - name: "Prepare container environment" + uses: ./.github/actions/container_prep + with: DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + CONTAINER_BUILD: false - - name: "Setup acme-le-sims" - run: | - sudo mkdir -p examples/Docker/acme-le-sim-1 - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/acme-le-sim-1/ca_handler.py - sudo mkdir -p examples/Docker/acme-le-sim-1/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/acme-le-sim-1/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/acme-le-sim-1/acme_srv.cfg - sudo chmod 777 examples/Docker/acme-le-sim-1/acme_srv.cfg - sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" examples/Docker/acme-le-sim-1/acme_srv.cfg - cp -R examples/Docker/acme-le-sim-1 examples/Docker/acme-le-sim-2 - - sudo mkdir -p examples/Docker/acme-le-sim-2/xca - sudo chmod -R 777 examples/Docker/acme-le-sim-2/xca 
- sudo cp test/ca/acme2certifier-clean.xdb examples/Docker/acme-le-sim-2/xca/$XCA_DB_NAME - sudo chmod 777 examples/Docker/acme-le-sim-2/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/acme-le-sim-2/acme_srv.cfg - sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/xca_ca_handler.py" >> examples/Docker/acme-le-sim-2/acme_srv.cfg - sudo echo "xdb_file: volume/xca/$XCA_DB_NAME" >> examples/Docker/acme-le-sim-2/acme_srv.cfg - sudo echo "issuing_ca_name: root-ca" >> examples/Docker/acme-le-sim-2/acme_srv.cfg - sudo echo "issuing_ca_key: root-ca" >> examples/Docker/acme-le-sim-2/acme_srv.cfg - sudo echo "passphrase: $XCA_PASSPHRASE" >> examples/Docker/acme-le-sim-2/acme_srv.cfg - # sudo echo "ca_cert_chain_list: [\"root-ca\"]" >> examples/Docker/acme-le-sim-2/acme_srv.cfg - sudo echo "template_name: $XCA_TEMPLATE" >> examples/Docker/acme-le-sim-2/acme_srv.cfg - sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" examples/Docker/acme-le-sim-2/acme_srv.cfg - - docker run -d -p 81:80 --rm -id --network acme --name=acme-le-sim-1 -v "$(pwd)/examples/Docker/acme-le-sim-1":/var/www/acme2certifier/volume/ grindsa/acme2certifier:apache2-wsgi - docker run -d -p 82:80 --rm -id --network acme --name=acme-le-sim-2 -v "$(pwd)/examples/Docker/acme-le-sim-2":/var/www/acme2certifier/volume/ grindsa/acme2certifier:apache2-wsgi + - name: "Setup acme-le-sim-1" + uses: ./.github/actions/wf_specific/acme_ca_handler/le-sim_prep + with: + LESIM_NAME: acme-le-sim-1 + + - name: "Setup acme-le-sim-2" + uses: ./.github/actions/wf_specific/acme_ca_handler/le-sim_prep + with: + LESIM_NAME: acme-le-sim-2 + + - name: "Reconfigure acme-le-sim-2" + run: | + docker stop acme-le-sim-2 + sudo mkdir acme-le-sim-2/xca + sudo chmod -R 777 acme-le-sim-2/xca + sudo cp test/ca/acme2certifier-clean.xdb acme-le-sim-2/xca/$XCA_DB_NAME + sudo chmod 777 acme-le-sim-2/acme_srv.cfg + sudo head -n -8 
.github/openssl_ca_handler.py_acme_srv_default_handler.cfg > acme-le-sim-2/acme_srv.cfg + sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/xca_ca_handler.py" >> acme-le-sim-2/acme_srv.cfg + sudo echo "xdb_file: volume/xca/$XCA_DB_NAME" >> acme-le-sim-2/acme_srv.cfg + sudo echo "issuing_ca_name: root-ca" >> acme-le-sim-2/acme_srv.cfg + sudo echo "issuing_ca_key: root-ca" >> acme-le-sim-2/acme_srv.cfg + sudo echo "passphrase: $XCA_PASSPHRASE" >> acme-le-sim-2/acme_srv.cfg + # sudo echo "ca_cert_chain_list: [\"root-ca\"]" >> acme-le-sim-2/acme_srv.cfg + sudo echo "template_name: $XCA_TEMPLATE" >> acme-le-sim-2/acme_srv.cfg + sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" acme-le-sim-2/acme_srv.cfg + docker run -d --rm -id --network acme --name=acme-le-sim-2 -v "$(pwd)/acme-le-sim-2":/var/www/acme2certifier/volume/ grindsa/acme2certifier:apache2-wsgi env: XCA_PASSPHRASE: ${{ secrets.XCA_PASSPHRASE }} XCA_ISSUING_CA: ${{ secrets.XCA_ISSUING_CA }} XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} - - name: "[ WAIT ] Sleep for 10s" + - name: "Sleep for 10s" uses: juliangruber/sleep-action@v2.0.3 with: time: 10s - - name: "Test http://acme-le-sim-1/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-le-sim-1/directory - - name: "Test http://acme-le-sim2/directory is accessible" run: docker run -i --rm --network acme curlimages/curl -f http://acme-le-sim-2/directory - - name: "Enroll from acme-le-sim-1" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-le-sim-1 --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure --force - openssl verify -CAfile acme-sh/acme-sh.acme_ecc/ca.cer acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -issuer --noout | grep -i 
sub-ca - - name: "Enroll from acme-le-sim-2" run: | sudo rm -rf acme-sh/* docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-le-sim-2 --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure --force openssl verify -CAfile acme-sh/acme-sh.acme_ecc/ca.cer acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -issuer --noout | grep -i root-ca + sudo rm -rf acme-sh/* - name: "Setup acme ca_handler" run: | sudo mkdir -p examples/Docker/data/acme - sudo chmod -R 777 examples/Docker/data/acme - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg sudo chmod 777 examples/Docker/data/acme_srv.cfg sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg 
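Review bot: The new `Reconfigure acme-le-sim-2` step runs `docker stop acme-le-sim-2` and immediately `docker run -d --rm -id --network acme --name=acme-le-sim-2 ...`; if `le-sim_prep` started the container with `--rm` as the old inline step did, removal after `stop` is asynchronous and the second `run` can fail with a name conflict, so add `docker rm -f acme-le-sim-2 || true` before the `run` or `docker wait acme-le-sim-2` after the `stop`. `sudo echo "passphrase: $XCA_PASSPHRASE" >> acme-le-sim-2/acme_srv.cfg` places the secret on `sudo`'s argv, where sudo's command logging and `ps` can see it, and writes it into a file the preceding `sudo chmod 777 acme-le-sim-2/acme_srv.cfg` left world-readable; `printf 'passphrase: %s\n' "$XCA_PASSPHRASE" | sudo tee -a acme-le-sim-2/acme_srv.cfg >/dev/null` avoids the argv exposure and lets the file stay `0640`. `XCA_ISSUING_CA` is exported in the step's `env:` but never referenced, since `issuing_ca_name: root-ca` is hard-coded; drop it or use it.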
@@ -363,139 +309,20 @@ jobs: sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json - cd examples/Docker/ - docker-compose restart - docker-compose logs - - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Bring up a2c container" + uses: ./.github/actions/container_up with: - time: 10s - - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "EAB - 01 - Enroll acme.sh without acme_url" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -issuer --noout | grep -i root-ca - - - name: "EAB - 01 - Enroll lego without acme_url" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.acme --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i root-ca - - - name: "EAB with headerinfo - 02a - Enroll acme with a template_name 
taken from header_info NOT included in kid.json (to fail)" - id: acmefail01 - continue-on-error: true - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent acme_url=http://foo.bar -d acme-sh.acme --standalone --debug 3 --output-insecure - - - name: "EAB with headerinfo - 02a - check result " - if: steps.acmefail01.outcome != 'failure' - run: | - echo "acmefail outcome is ${{steps.acmefail01.outcome }}" - exit 1 - - - name: "EAB with headerinfo - 02b - Enroll acme with a template_name taken from header_info included in kid.json" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent acme_url=http://acme-le-sim-1.acme -d acme-sh.acme --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in 
acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -issuer --noout | grep -i sub-ca - - - name: "EAB with headerinfo - 02a - Enroll lego with a template_name taken from header_info NOT included in kid.json (to fail)" - id: legofail01 - continue-on-error: true - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent acme_url=http://foo.bar -d lego.acme --http run - - - name: "EAB with headerinfo - 02a - check result " - if: steps.legofail01.outcome != 'failure' - run: | - echo "legofail outcome is ${{steps.legofail01.outcome }}" - exit 1 - - - name: "EAB with headerinfo - 02b - Enroll lego with a template_name taken from header_info included in kid.json" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent acme_url=http://acme-le-sim-1.acme -d lego.acme --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i sub-ca - - - name: "EAB - 03 - Enroll acme with a acme_url and key taken from kid.json" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_01 
--eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -issuer --noout | grep -i root-ca - - - name: "EAB without headerinfo - 03 - Enroll lego with a profile_name/ca_name taken from kid.json" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -k rsa2048 -d lego.acme --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i root-ca - - - name: "EAB with headerinfo - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)" - id: acmefail02 - continue-on-error: true - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh. 
--standalone --keylength 2048 --debug 3 --output-insecure - - - name: "EAB with headerinfo - 04 - check result " - if: steps.acmefail02.outcome != 'failure' - run: | - echo "acmefail outcome is ${{steps.acmefail02.outcome }}" - exit 1 - - - name: "EAB with headerinfo - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)" - id: legofail02 - continue-on-error: true - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -k rsa2048 -d lego.acme --http run + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - - name: "EAB with headerinfo - 04a - check result " - if: steps.legofail02.outcome != 'failure' - run: | - echo "legofail outcome is ${{steps.legofail02.outcome }}" - exit 1 + - name: "Profiling - enrollment" + uses: ./.github/actions/wf_specific/acme_ca_handler/enrollment_profiling - - name: "EAB with headerinfo - 05 - Enroll acme with default values from acme.cfg" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout - openssl x509 -in 
acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i sub-ca - - - name: "EAB with headerinfo - 05 - Enroll lego with default values from acme.cfg" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -k rsa2048 -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i sub-ca + - name: "Check container configuration" + uses: ./.github/actions/container_check + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - name: "[ * ] collecting test data" if: ${{ failure() }} @@ -503,8 +330,8 @@ jobs: mkdir -p ${{ github.workspace }}/artifact/upload sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/data/acme-sh/ - sudo cp -rp examples/Docker/acme-le-sim-1/ ${{ github.workspace }}/artifact/data/acme-le-sim-1/ - sudo cp -rp examples/Docker/acme-le-sim-2/ ${{ github.workspace }}/artifact/data/acme-le-sim-2/ + sudo cp -rp acme-le-sim-1/ ${{ github.workspace }}/artifact/data/acme-le-sim-1/ + sudo cp -rp acme-le-sim-2/ ${{ github.workspace }}/artifact/data/acme-le-sim-2/ cd examples/Docker docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log docker logs acme-le-sim-1 > ${{ github.workspace }}/artifact/acme-le-sim-1.log @@ -521,6 +348,7 @@ jobs: acme_ca_handler_smallstep_test: name: "acme_ca_handler_smallstep_test" runs-on: ubuntu-latest + needs: container_build strategy: fail-fast: false matrix: 
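Review bot: The expected-failure enrollment cases (the acmefail/legofail steps with `continue-on-error: true` and an `outcome != 'failure'` check) are dropped here and the whole EAB sequence collapses into a single `./.github/actions/wf_specific/acme_ca_handler/enrollment_profiling` call; whether that composite action still exercises the rejected-template and not-allowed-FQDN paths is not visible in this diff. If it does not, the handler's negative behaviour for header-info profiling loses its regression coverage, which is the part most worth keeping. A one-line comment above the `Profiling - enrollment` step naming what the action covers, e.g. `# covers the EAB positive and expected-failure cases; see the action for the full list`, would make the replacement auditable. The job's `steps:` list begins before this hunk.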
@@ -531,72 +359,32 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: "create folders" - run: | - docker network create acme - mkdir lego - mkdir acme-sh - mkdir certbot - mkdir step - sudo chmod -R 777 step - - - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})" - working-directory: examples/Docker/ - run: | - sudo apt-get install -y docker-compose - sudo mkdir -p data - sed -i "s/wsgi/$DB_HANDLER/g" .env - sed -i "s/apache2/$WEB_SRV/g" .env - cat .env - docker-compose up -d - docker-compose logs - env: - WEB_SRV: ${{ matrix.websrv }} - DB_HANDLER: ${{ matrix.dbhandler }} - - - name: "Setup smallstep" - run: | - docker run -d -v "$(pwd)/step":/home/step \ - -p 9000:9000 -p 443:443 \ - --network acme \ - --name step-ca \ - -e "DOCKER_STEPCA_INIT_NAME=Smallstep" \ - -e "DOCKER_STEPCA_INIT_DNS_NAMES=localhost,$(hostname -f)" \ - smallstep/step-ca - - - name: "[ WAIT ] Sleep for 20s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Download container" + uses: actions/download-artifact@v4 with: - time: 20s + name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz + path: /tmp - - name: "Configure smallstep" + - name: "Import container" run: | - docker ps - docker exec -i step-ca step ca provisioner add acme --type ACME - docker exec -i step-ca step ca provisioner update acme --remove-challenge=tls-alpn-01 - docker exec -i step-ca step ca provisioner update acme --remove-challenge=dns-01 - docker restart step-ca + sudo apt-get install -y docker-compose + gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz + docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar + docker images - - name: "[ WAIT ] Sleep for 20s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Prepare container environment" + uses: ./.github/actions/container_prep with: - time: 20s + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + 
CONTAINER_BUILD: false - - name: "Test https://step-ca.acme/acme/acme/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f https://step-ca:9000/acme/acme/directory --insecure - - - name: "Enroll from smallstep using acme-sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server https://step-ca:9000/acme/acme/directory --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --insecure --output-insecure --force + - name: "Instanciate smallstep" + uses: ./.github/actions/wf_specific/acme_ca_handler/smallstep_prep - name: "Setup acme ca_handler" run: | sudo mkdir -p examples/Docker/data/acme - sudo chmod -R 777 examples/Docker/data/acme - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg sudo chmod 777 examples/Docker/data/acme_srv.cfg sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg 
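Review bot: The step name `Instanciate smallstep` is misspelled; `- name: "Instantiate smallstep"`. In the `Import container` step the `gunzip` call is unnecessary because `docker load -i` reads gzip-compressed archives directly, so the two lines can become `docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz`. Nothing in the step checks that the expected image is actually present after the load (`docker images` only prints), so a missing or misnamed artifact would presumably surface later in `container_prep` with a less obvious error; a `docker image inspect` on the expected tag right after the load would fail fast. The expected tag is not visible in this hunk.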
@@ -607,20 +395,12 @@ jobs: sudo echo "account_path: /" >> examples/Docker/data/acme_srv.cfg sudo echo "ssl_verify: False" >> examples/Docker/data/acme_srv.cfg sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Bring up a2c container" + uses: ./.github/actions/container_up with: - time: 10s - - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - name: "Enroll via acme_ca_handler 1st attempt" run: | @@ -635,6 +415,12 @@ jobs: cd examples/Docker docker-compose logs | grep -i "found in keyfile" + - name: "Check container configuration" + uses: ./.github/actions/container_check + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + - name: "[ * ] collecting test data" if: ${{ failure() }} run: | 
@@ -653,69 +439,61 @@ jobs: name: acme_ca_handler_container-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz path: ${{ github.workspace }}/artifact/upload/ + cleanup: + name: "cleanup" + runs-on: ubuntu-latest + needs: [acme_ca_handler_test, acme_ca_handler_sectigo_test, acme_ca_handler_profiling_test, acme_ca_handler_smallstep_test] + strategy: + fail-fast: false + matrix: + websrv: ['apache2', 'nginx'] + dbhandler: ['wsgi', 'django'] + + steps: + - uses: geekyeggo/delete-artifact@v5 + with: + name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz + + rpm_build_and_upload: + name: "rpm_build_and_upload" + runs-on: ubuntu-latest + steps: + - name: "checkout GIT" + uses: actions/checkout@v4 + + - name: "Build rpm package" + id: rpm_build + uses: ./.github/actions/rpm_build_upload + rpm_acme_ca_handler_test: name: "rpm_acme_ca_handler_test" runs-on: ubuntu-latest + needs: [rpm_build_and_upload] strategy: fail-fast: false matrix: rhversion: [8, 9] + steps: - name: "checkout GIT" uses: actions/checkout@v4 - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: update version number in spec file - run: | - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - cat examples/install_scripts/rpm/acme2certifier.spec - - - name: build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" - - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" + GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} + GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} + RPM_BUILD: false - - name: "Prepare setup le-sim" - run: | - docker network create acme - sudo 
mkdir -p examples/Docker/data-le - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data-le/ca_handler.py - sudo mkdir -p examples/Docker/data-le/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data-le/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data-le/acme_srv.cfg - sudo chmod 777 examples/Docker/data-le/acme_srv.cfg - sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" examples/Docker/data-le/acme_srv.cfg - docker run -d -p 80:80 --rm -id --network acme --name=acme-le-sim -v "$(pwd)/examples/Docker/data-le":/var/www/acme2certifier/volume/ grindsa/acme2certifier:apache2-wsgi - - - name: "[ WAIT ] Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + - name: Download rpm package + uses: actions/download-artifact@v4 with: - time: 10s - - - name: "Test http://acme-le-sim/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-le-sim/directory + name: acme2certifier-${{ github.run_id }}.noarch.rpm + path: data/ - - name: "Prepare setup environment for alma installation" - run: | - sudo mkdir -p data - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data - - - name: "Retrieve rpms from SBOM repo" - run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data - env: - GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} - GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + - name: "Setup le-sim" + uses: ./.github/actions/wf_specific/acme_ca_handler/le-sim_prep - name: "Prepare setup acme_ca_handler" run: | 
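Review bot: The removed `Prepare setup environment for alma installation` step also copied `examples/Docker/almalinux-systemd/rpm_tester.sh` into `data/`, and the `docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh` step further down still runs it; on the new side only the rpm artifact is downloaded into `data/`, so the copy presumably moved into `rpm_prep` or `le-sim_prep` — worth confirming, since the same replacement is made in the hunks at `-793,65` and `-929,77`. The new `cleanup` job runs with the default `if: success()`, so when any of the four test jobs it `needs` fails, the `a2c-*.tar.gz` artifacts are left behind; if retention on failure is not intended, add `if: always()` to the job. `rpm_acme_ca_handler_test` continues past the end of this hunk.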
@@ -725,36 +503,16 @@ jobs: sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg sudo echo "handler_file: examples/ca_handler/acme_ca_handler.py" >> data/acme_srv.cfg sudo echo "acme_keyfile: /opt/acme2certifier/volume/le_staging_private_key.json" >> data/acme_srv.cfg - sudo echo "acme_url: http://acme-le-sim" >> data/acme_srv.cfg + sudo echo "acme_url: http://le-sim" >> data/acme_srv.cfg sudo echo "acme_account_email: grindsa@foo.bar" >> data/acme_srv.cfg sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" data/acme_srv.cfg - - name: "Prepare Almalinux instance" - run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - name: "Run Execute install scipt" run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Enroll via acme_ca_handler 1st attempt" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - openssl verify -CAfile test/ca/root-ca-cert.pem -untrusted test/ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "Enroll via acme_ca_handler 2nd attempt" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest 
--issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - openssl verify -CAfile test/ca/root-ca-cert.pem -untrusted test/ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - name: "Check acme account found in keyfile" run: | @@ -763,7 +521,7 @@ jobs: - name: "[ * ] collecting test logs" if: ${{ failure() }} run: | - docker logs acme-le-sim + docker logs le-sim > ${{ github.workspace }}/artifact/le-sim.log mkdir -p ${{ github.workspace }}/artifact/upload docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ @@ -784,6 +542,7 @@ jobs: rpm_acme_ca_handler_sectigo_test: name: "rpm_acme_ca_handler_sectigo_test" runs-on: ubuntu-latest + needs: [rpm_build_and_upload] strategy: fail-fast: false matrix: 
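Review bot: The new `Test enrollment` step invokes `./.github/actions/acme_clients` with no `with:` block, so every input falls back to the action's defaults; the runner does not enforce `required: true` on action inputs, so any required input that has no default silently arrives as an empty string instead of failing the step. Confirm that the action's server/hostname inputs default to values matching the `acme-srv` container and the `http://le-sim` URL written to `data/acme_srv.cfg` above, or pass them explicitly under `with:`. The same bare call appears in the hunk at `-861,42`.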
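Review bot: `docker logs le-sim > ${{ github.workspace }}/artifact/le-sim.log` is now the first command of the failure-collection step, but the `mkdir -p ${{ github.workspace }}/artifact/upload` that creates the `artifact` tree only runs on the following line; unless an earlier step already created `artifact/`, the redirect fails and, with the default `bash -e` used for `run:`, the remaining collection commands never execute. Move the `mkdir -p` line above the redirect, or write the log after it.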
@@ -793,65 +552,24 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: update version number in spec file - run: | - # sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - cat examples/install_scripts/rpm/acme2certifier.spec - - - name: build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" - - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" + GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} + GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} + RPM_BUILD: false - - name: "Prepare setup le-sim " - run: | - docker network create acme - sudo mkdir -p examples/Docker/data-le - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data-le/ca_handler.py - sudo mkdir -p examples/Docker/data-le/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data-le/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data-le/acme_srv.cfg - sudo chmod 777 examples/Docker/data-le/acme_srv.cfg - sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True\nsectigo_sim: True/g" examples/Docker/data-le/acme_srv.cfg - # docker run -d -p 80:80 --rm -id --network acme --name=acme-le-sim -v "$(pwd)/examples/Docker/data-le":/var/www/acme2certifier/volume/ grindsa/acme2certifier:apache2-wsgi - docker run -d -p 80:80 --rm -id --network acme 
--name=acme-le-sim -v "$(pwd)/examples/Docker/data-le":/var/www/acme2certifier/volume/ grindsa/acme2certifier:devel - - - name: "[ WAIT ] Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + - name: Download rpm package + uses: actions/download-artifact@v4 with: - time: 10s + name: acme2certifier-${{ github.run_id }}.noarch.rpm + path: data/ - - name: "Test http://acme-le-sim/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-le-sim/directory - - - name: "Enroll from le-sim" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-le-sim --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure --force - openssl verify -CAfile acme-sh/acme-sh.acme_ecc/ca.cer acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "Prepare setup environment for alma installation" - run: | - sudo mkdir -p data - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data - - - name: "Retrieve rpms from SBOM repo" - run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data - env: - GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} - GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + - name: "Setup le-sim" + uses: ./.github/actions/wf_specific/acme_ca_handler/le-sim_prep + with: + SECTIGO_SIM: true - name: "Prepare setup acme_ca_handler" run: | 
@@ -861,42 +579,21 @@ jobs: sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg sudo echo "handler_file: examples/ca_handler/acme_ca_handler.py" >> data/acme_srv.cfg sudo echo "acme_keyfile: /opt/acme2certifier/volume/le_staging_private_key.json" >> data/acme_srv.cfg - sudo echo "acme_url: http://acme-le-sim" >> data/acme_srv.cfg + sudo echo "acme_url: http://le-sim" >> data/acme_srv.cfg sudo echo "acme_account_email: grindsa@foo.bar" >> data/acme_srv.cfg sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" data/acme_srv.cfg - - name: "Prepare Almalinux instance" - run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - name: "Run Execute install scipt" run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Enroll via acme_ca_handler 1st attempt" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - openssl verify -CAfile test/ca/root-ca-cert.pem -untrusted test/ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "Enroll via acme_ca_handler 2nd attempt" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest 
--issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - openssl verify -CAfile test/ca/root-ca-cert.pem -untrusted test/ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - name: "Check acme account found in keyfile" run: | docker exec acme-srv grep -i "found in keyfile" /var/log/messages - - name: "[ * ] collecting test logs" if: ${{ failure() }} run: | @@ -921,6 +618,7 @@ jobs: rpm_acme_ca_handler_profiling_test: name: "rpm_acme_ca_handler_profiling_test" runs-on: ubuntu-latest + needs: [rpm_build_and_upload] strategy: fail-fast: false matrix: 
@@ -929,77 +627,62 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: update version number in spec file - run: | - # sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - cat examples/install_scripts/rpm/acme2certifier.spec + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep + with: + GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} + GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} + RPM_BUILD: false - - name: build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 + - name: Download rpm package + uses: actions/download-artifact@v4 with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" + name: acme2certifier-${{ github.run_id }}.noarch.rpm + path: data/ - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" - - name: "Prepare setup le-sim" - run: | - docker network create acme - sudo mkdir -p examples/Docker/acme-le-sim-1 - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/acme-le-sim-1/ca_handler.py - sudo mkdir -p examples/Docker/acme-le-sim-1/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/acme-le-sim-1/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/acme-le-sim-1/acme_srv.cfg - sudo chmod 777 examples/Docker/acme-le-sim-1/acme_srv.cfg - sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" examples/Docker/acme-le-sim-1/acme_srv.cfg - cp -R examples/Docker/acme-le-sim-1 examples/Docker/acme-le-sim-2 - 
- sudo mkdir -p examples/Docker/acme-le-sim-2/xca - sudo chmod -R 777 examples/Docker/acme-le-sim-2/xca - sudo cp test/ca/acme2certifier-clean.xdb examples/Docker/acme-le-sim-2/xca/$XCA_DB_NAME - sudo chmod 777 examples/Docker/acme-le-sim-2/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/acme-le-sim-2/acme_srv.cfg - sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/xca_ca_handler.py" >> examples/Docker/acme-le-sim-2/acme_srv.cfg - sudo echo "xdb_file: volume/xca/$XCA_DB_NAME" >> examples/Docker/acme-le-sim-2/acme_srv.cfg - sudo echo "issuing_ca_name: root-ca" >> examples/Docker/acme-le-sim-2/acme_srv.cfg - sudo echo "issuing_ca_key: root-ca" >> examples/Docker/acme-le-sim-2/acme_srv.cfg - sudo echo "passphrase: $XCA_PASSPHRASE" >> examples/Docker/acme-le-sim-2/acme_srv.cfg - # sudo echo "ca_cert_chain_list: [\"root-ca\"]" >> examples/Docker/acme-le-sim-2/acme_srv.cfg - sudo echo "template_name: $XCA_TEMPLATE" >> examples/Docker/acme-le-sim-2/acme_srv.cfg - sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" examples/Docker/acme-le-sim-2/acme_srv.cfg - - docker run -d -p 81:80 --rm -id --network acme --name=acme-le-sim-1 -v "$(pwd)/examples/Docker/acme-le-sim-1":/var/www/acme2certifier/volume/ grindsa/acme2certifier:apache2-wsgi - docker run -d -p 82:80 --rm -id --network acme --name=acme-le-sim-2 -v "$(pwd)/examples/Docker/acme-le-sim-2":/var/www/acme2certifier/volume/ grindsa/acme2certifier:apache2-wsgi + - name: "Setup acme-le-sim-1" + uses: ./.github/actions/wf_specific/acme_ca_handler/le-sim_prep + with: + LESIM_NAME: acme-le-sim-1 + + - name: "Setup acme-le-sim-2" + uses: ./.github/actions/wf_specific/acme_ca_handler/le-sim_prep + with: + LESIM_NAME: acme-le-sim-2 + + - name: "Reconfigure acme-le-sim-2" + run: | + docker stop acme-le-sim-2 + sudo mkdir acme-le-sim-2/xca + sudo chmod -R 777 acme-le-sim-2/xca + sudo cp 
test/ca/acme2certifier-clean.xdb acme-le-sim-2/xca/$XCA_DB_NAME + sudo chmod 777 acme-le-sim-2/acme_srv.cfg + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > acme-le-sim-2/acme_srv.cfg + sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/xca_ca_handler.py" >> acme-le-sim-2/acme_srv.cfg + sudo echo "xdb_file: volume/xca/$XCA_DB_NAME" >> acme-le-sim-2/acme_srv.cfg + sudo echo "issuing_ca_name: root-ca" >> acme-le-sim-2/acme_srv.cfg + sudo echo "issuing_ca_key: root-ca" >> acme-le-sim-2/acme_srv.cfg + sudo echo "passphrase: $XCA_PASSPHRASE" >> acme-le-sim-2/acme_srv.cfg + # sudo echo "ca_cert_chain_list: [\"root-ca\"]" >> acme-le-sim-2/acme_srv.cfg + sudo echo "template_name: $XCA_TEMPLATE" >> acme-le-sim-2/acme_srv.cfg + sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" acme-le-sim-2/acme_srv.cfg + docker run -d --rm -id --network acme --name=acme-le-sim-2 -v "$(pwd)/acme-le-sim-2":/var/www/acme2certifier/volume/ grindsa/acme2certifier:apache2-wsgi env: XCA_PASSPHRASE: ${{ secrets.XCA_PASSPHRASE }} XCA_ISSUING_CA: ${{ secrets.XCA_ISSUING_CA }} XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} - - - name: "[ WAIT ] Sleep for 10s" + - name: "Sleep for 10s" uses: juliangruber/sleep-action@v2.0.3 with: time: 10s - - name: "Test http://acme-le-sim-1/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-le-sim-1/directory - - name: "Test http://acme-le-sim2/directory is accessible" run: docker run -i --rm --network acme curlimages/curl -f http://acme-le-sim-2/directory - - name: "Enroll from le-sim" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-le-sim-1 --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure --force - openssl verify -CAfile acme-sh/acme-sh.acme_ecc/ca.cer 
acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -issuer --noout | grep -i sub-ca - - name: "Enroll from acme-le-sim-2" run: | sudo rm -rf acme-sh/* @@ -1007,21 +690,6 @@ jobs: openssl verify -CAfile acme-sh/acme-sh.acme_ecc/ca.cer acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -issuer --noout | grep -i root-ca - - name: "Prepare setup environment for alma installation" - run: | - sudo mkdir -p data - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data - - - name: "Retrieve rpms from SBOM repo" - run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data - env: - GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} - GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} - - name: "Prepare setup acme_ca_handler" run: | sudo mkdir -p data/acme_ca @@ -1051,13 +719,6 @@ jobs: sudo sed -i '18,19d' data/acme_ca/kid_profiles.json sudo sed -i '8,9d' data/acme_ca/kid_profiles.json - - name: "Prepare Almalinux instance" - run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - name: "Run Execute install scipt" run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh 
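Review bot: The `Reconfigure acme-le-sim-2` step writes `passphrase: $XCA_PASSPHRASE` in clear text into `acme-le-sim-2/acme_srv.cfg` after a `chmod 777`, and the log-collection step in the `@@ -1198,13 +742,13 @@` hunk copies that whole directory into the failure artifact, so the secret leaves the runner on every failed run (GitHub masks secrets in logs, not in uploaded artifacts). Redact the value before archiving, e.g. `sudo sed -i 's/^passphrase:.*/passphrase: REDACTED/' acme-le-sim-2/acme_srv.cfg` ahead of the `cp -rp`, or exclude `acme_srv.cfg` from the tar. The removed lines had the same exposure under `examples/Docker/`, so this is inherited rather than introduced, but the new location is what gets uploaded now. The enclosing job starts before this hunk.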
@@ -1070,125 +731,8 @@ jobs: - name: "Test http://acme-srv/directory is accessible" run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - name: "EAB - 01 - Enroll acme.sh without acme_url" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -issuer --noout | grep -i root-ca - - - name: "EAB - 01 - Enroll lego without acme_url" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.acme --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i root-ca - - - name: "EAB with headerinfo - 02a - Enroll acme with a template_name taken from header_info NOT included in kid.json (to fail)" - id: acmefail01 - continue-on-error: true - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key 
V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent acme_url=http://foo.bar -d acme-sh.acme --standalone --debug 3 --output-insecure - - - name: "EAB with headerinfo - 02a - check result " - if: steps.acmefail01.outcome != 'failure' - run: | - echo "acmefail outcome is ${{steps.acmefail01.outcome }}" - exit 1 - - - name: "EAB with headerinfo - 02b - Enroll acme with a template_name taken from header_info included in kid.json" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent acme_url=http://acme-le-sim-1.acme -d acme-sh.acme --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -issuer --noout | grep -i sub-ca - - - name: "EAB with headerinfo - 02a - Enroll lego with a template_name taken from header_info NOT included in kid.json (to fail)" - id: legofail01 - continue-on-error: true - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a 
--email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent acme_url=http://foo.bar -d lego.acme --http run - - - name: "EAB with headerinfo - 02a - check result " - if: steps.legofail01.outcome != 'failure' - run: | - echo "legofail outcome is ${{steps.legofail01.outcome }}" - exit 1 - - - name: "EAB with headerinfo - 02b - Enroll lego with a template_name taken from header_info included in kid.json" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent acme_url=http://acme-le-sim-1.acme -d lego.acme --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i sub-ca - - - name: "EAB - 03 - Enroll acme with a acme_url and key taken from kid.json" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_01 --eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text 
-noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -issuer --noout | grep -i root-ca - - - name: "EAB without headerinfo - 03 - Enroll lego with a profile_name/ca_name taken from kid.json" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -k rsa2048 -d lego.acme --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i root-ca - - - name: "EAB with headerinfo - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)" - id: acmefail02 - continue-on-error: true - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh. 
--standalone --keylength 2048 --debug 3 --output-insecure - - - name: "EAB with headerinfo - 04 - check result " - if: steps.acmefail02.outcome != 'failure' - run: | - echo "acmefail outcome is ${{steps.acmefail02.outcome }}" - exit 1 - - - name: "EAB with headerinfo - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)" - id: legofail02 - continue-on-error: true - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -k rsa2048 -d lego.acme --http run - - - name: "EAB with headerinfo - 04a - check result " - if: steps.legofail02.outcome != 'failure' - run: | - echo "legofail outcome is ${{steps.legofail02.outcome }}" - exit 1 - - - name: "EAB with headerinfo - 05 - Enroll acme with default values from acme.cfg" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i sub-ca - - - name: "EAB with headerinfo - 05 - Enroll lego with default values from acme.cfg" - run: | - sudo rm -rf lego/* - 
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -k rsa2048 -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i sub-ca + - name: "Profiling - enrollment" + uses: ./.github/actions/wf_specific/acme_ca_handler/enrollment_profiling - name: "[ * ] collecting test logs" if: ${{ failure() }} 
@@ -1198,13 +742,13 @@ jobs: sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ sudo rm ${{ github.workspace }}/artifact/data/*.rpm sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - sudo cp -rp examples/Docker/acme-le-sim-1/ ${{ github.workspace }}/artifact/data/acme-le-sim-1/ - sudo cp -rp examples/Docker/acme-le-sim-2/ ${{ github.workspace }}/artifact/data/acme-le-sim-2/ + sudo cp -rp acme-le-sim-1/ ${{ github.workspace }}/artifact/data/acme-le-sim-1/ + sudo cp -rp acme-le-sim-2/ ${{ github.workspace }}/artifact/data/acme-le-sim-2/ docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log - docker logs acme-le-sim-1 > ${{ github.workspace }}/artifact/acme-le-sim-1.log - docker logs acme-le-sim-2 > ${{ github.workspace }}/artifact/acme-le-sim-2.log + docker logs le-sim-1 > ${{ github.workspace }}/artifact/acme-le-sim-1.log + docker logs le-sim-2 > ${{ github.workspace }}/artifact/acme-le-sim-2.log sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh acme-le-sim-1.log acme-le-sim-2.log - name: "[ * ] uploading artificates" @@ -1217,6 +761,7 @@ jobs: rpm_acme_ca_handler_smallstep_test: name: "rpm_acme_ca_handler_smallstep_test" runs-on: ubuntu-latest + needs: [rpm_build_and_upload] strategy: fail-fast: false matrix: 
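Review bot: `docker logs le-sim-2` in the collecting-test-logs step does not match the container started by the `Reconfigure acme-le-sim-2` step, which uses `--name=acme-le-sim-2` (the directory test `curl -f http://acme-le-sim-2/directory` uses the same name); since `run:` shells exit on the first error, the failing `docker logs` aborts the step before the `tar`, and no artifact is produced exactly when it is needed. Change it to `docker logs acme-le-sim-2 > ${{ github.workspace }}/artifact/acme-le-sim-2.log`, and confirm what name `le-sim_prep` gives the first simulator before keeping `docker logs le-sim-1`. Appending `|| true` to the log-capture lines would also keep the artifact step from dying on a container that never started. The enclosing step starts before this hunk.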
@@ -1225,77 +770,22 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: update version number in spec file - run: | - # sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - cat examples/install_scripts/rpm/acme2certifier.spec - - - name: build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 - with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" - - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" - - - name: "Setup smallstep" - run: | - mkdir step - sudo chmod -R 777 step - docker network create acme - docker run -d -v "$(pwd)/step":/home/step \ - -p 9000:9000 -p 443:443 \ - --network acme \ - --name step-ca \ - -e "DOCKER_STEPCA_INIT_NAME=Smallstep" \ - -e "DOCKER_STEPCA_INIT_DNS_NAMES=localhost,$(hostname -f)" \ - smallstep/step-ca - - - name: "[ WAIT ] Sleep for 20s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep with: - time: 20s - - - name: "Configure smallstep" - run: | - docker ps - docker exec -i step-ca step ca provisioner add acme --type ACME - docker exec -i step-ca step ca provisioner update acme --remove-challenge=tls-alpn-01 - docker exec -i step-ca step ca provisioner update acme --remove-challenge=dns-01 - docker restart step-ca + GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} + GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} + RPM_BUILD: false - - name: "[ WAIT ] Sleep for 20s" - uses: juliangruber/sleep-action@v2.0.3 + - name: Download rpm package + uses: actions/download-artifact@v4 with: - time: 20s + name: 
acme2certifier-${{ github.run_id }}.noarch.rpm + path: data/ - - name: "Test https://step-ca.acme/acme/acme/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f https://step-ca:9000/acme/acme/directory --insecure - - - name: "Enroll from smallstep using acme-sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server https://step-ca:9000/acme/acme/directory --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --insecure --output-insecure --force - - - name: "Prepare setup environment for alma installation" - run: | - sudo mkdir -p data - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data - - - name: "Retrieve rpms from SBOM repo" - run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data - env: - GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} - GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + - name: "Instanciate smallstep" + uses: ./.github/actions/wf_specific/acme_ca_handler/smallstep_prep - name: "Prepare setup acme_ca_handler" run: | 
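Review bot: The step name `"Instanciate smallstep"` is misspelled; use `- name: "Instantiate smallstep"` to match the other step names, and quote `Download rpm package` as `"Download rpm package"` for consistency with the rest of the file. The removed block also contained two 20s waits and a `curl -f https://step-ca:9000/acme/acme/directory --insecure` readiness check before the ACME handler was configured; nothing in the new code performs that check, so unless `smallstep_prep` does it internally the following `Prepare setup acme_ca_handler` step may run against a CA that is still booting. The enclosing job starts before this hunk.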
@@ -1311,13 +801,6 @@ jobs: sudo echo "ssl_verify: False" >> data/acme_srv.cfg sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" data/acme_srv.cfg - - name: "Prepare Almalinux instance" - run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - name: "Run Execute install scipt" run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh @@ -1325,10 +808,6 @@ jobs: - name: "Test http://acme-srv/directory is accessible" run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - #- name: "No profile - Enroll lego" - # run: | - # docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - - name: "Enroll via acme_ca_handler 1st attempt" run: | docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-srv.acme --standalone --debug 3 --output-insecure --force @@ -1360,3 +839,13 @@ jobs: with: name: rpm_acme_ca_handler_smallstep_test_rpm-rh${{ matrix.rhversion }}.tar.gz path: ${{ github.workspace }}/artifact/upload/ + + rpm_cleanup: + name: "rpm_cleanup" + runs-on: ubuntu-latest + needs: [rpm_acme_ca_handler_test, rpm_acme_ca_handler_sectigo_test, rpm_acme_ca_handler_profiling_test, rpm_acme_ca_handler_smallstep_test] + steps: + - name: "Delete artifact" + uses: geekyeggo/delete-artifact@v5 + with: + name: acme2certifier-${{ github.run_id }}.noarch.rpm \ No newline at end of file 
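Review bot: The new `rpm_cleanup` job lists the four test jobs under `needs:` but has no `if:`, so when any of them fails the cleanup is skipped and the `acme2certifier-${{ github.run_id }}.noarch.rpm` artifact stays downloadable until the retention period expires, which defeats the purpose of the job. Add `if: ${{ always() }}` under `runs-on: ubuntu-latest` so the artifact is deleted regardless of the upstream outcome. The file also ends without a trailing newline (`\ No newline at end of file`), which the `.pem` hunk in this same commit fixes for another file but not here.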
diff --git a/.github/workflows/ca_handler_tests_asa.yml b/.github/workflows/ca_handler_tests_asa.yml index cf700bb1..f8291dfb 100644 --- a/.github/workflows/ca_handler_tests_asa.yml +++ b/.github/workflows/ca_handler_tests_asa.yml 
@@ -9,49 +9,31 @@ on: - cron: '0 2 * * 6' jobs: - asa_handler_tests: - name: "asa_handler_tests" + asa_handler_headerinfo_tests: + name: "asa_handler_headerinfo_tests" runs-on: ubuntu-latest - strategy: - max-parallel: 1 - fail-fast: false - matrix: - websrv: ['apache2', 'nginx'] - dbhandler: ['wsgi', 'django'] steps: - name: "checkout GIT" uses: actions/checkout@v4 - - name: "create folders" + - name: "Build container" + uses: ./.github/actions/container_prep + with: + DB_HANDLER: "wsgi" + WEB_SRV: "apache2" + + - name: "Create lego folder" run: | mkdir lego - mkdir acme-sh - mkdir certbot - - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})" - working-directory: examples/Docker/ - run: | - sudo apt-get install -y docker-compose - sudo mkdir -p data - sed -i "s/wsgi/$DB_HANDLER/g" .env - sed -i "s/apache2/$WEB_SRV/g" .env - cat .env - docker network create acme - docker-compose up -d - docker-compose logs - env: - WEB_SRV: ${{ matrix.websrv }} - DB_HANDLER: ${{ matrix.dbhandler }} + - name: "Test http://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Setup a2c with asa_ca_handler with profile ${{ secrets.ASA_PROFILE1 }}" + - name: "a2c configuration with standard profile" run: | - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem + sudo touch examples/Docker/data/acme_srv.cfg + sudo chmod 777 examples/Docker/data/acme_srv.cfg sudo head 
-n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> examples/Docker/data/acme_srv.cfg sudo echo "api_host: $ASA_API_HOST" >> examples/Docker/data/acme_srv.cfg @@ -60,11 +42,11 @@ jobs: sudo echo "api_key: $ASA_API_KEY" >> examples/Docker/data/acme_srv.cfg sudo echo "ca_name: $ASA_CA_NAME" >> examples/Docker/data/acme_srv.cfg sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg - sudo echo "profile_name: $ASA_PROFILE1" >> examples/Docker/data/acme_srv.cfg + sudo echo "profile_name: $ASA_POFILE1" >> examples/Docker/data/acme_srv.cfg sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" examples/Docker/data/acme_srv.cfg + sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg cd examples/Docker/ docker-compose restart - docker-compose logs env: ASA_API_HOST: ${{ secrets.ASA_API_HOST }} ASA_API_USER: ${{ secrets.ASA_API_USER }} 
@@ -72,56 +54,116 @@ jobs: ASA_API_KEY: ${{ secrets.ASA_API_KEY }} ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }} ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }} - ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }} - - - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s + ASA_PROFILE1: ${{ secrets.ASA_POFILE1 }} - - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Test http://acme-srv/directory is accessible" + - name: "Test http://acme-srv/directory is accessible again" run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory + - name: "Enroll lego with profileID ACME - could potenially fail" + continue-on-error: True + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent profile_name=ACME -d lego.acme --key-type rsa2048 --http run + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Digital Signature" - - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Enroll acme.sh" + - name: "Enroll acme.sh with profileID ACME" run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --keylength 2048 --debug 3 --output-insecure + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --useragent profile_name=ACME --keylength 2048 --debug 3 --output-insecure awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { 
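Review bot: The added line `sudo echo "profile_name: $ASA_POFILE1" >> examples/Docker/data/acme_srv.cfg` references a shell variable that the step's `env:` block never defines — the next hunk exports it as `ASA_PROFILE1: ${{ secrets.ASA_POFILE1 }}` — so `profile_name:` is written with an empty value and the handler is tested with no profile at all. Use `sudo echo "profile_name: $ASA_PROFILE1" >> examples/Docker/data/acme_srv.cfg` to match the env key, and check whether the secret is really named `ASA_POFILE1` or whether that is the same typo on the secrets side (`secrets.ASA_PROFILE1` is what the later job uses). The enclosing step starts before this hunk.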
print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature" - # openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout - - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Revoke via acme.sh" + - name: "Enroll lego with profileID ACME" run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent profile_name=ACME -d lego.acme --key-type rsa2048 --http run + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Digital Signature" - - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Register certbot" + - name: "Enroll acme.sh with profileID ACME_2" run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --renew --server http://acme-srv --force -d acme-sh.acme --standalone --useragent profile_name=ACME_2 --keylength 2048 --debug 3 --output-insecure + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer + openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment" - - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Enroll HTTP-01 single domain certbot" + - name: "Enroll lego with profileID ACME_2" run: | - docker run -i --rm --name certbot 
--network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot --key-type rsa --rsa-key-size 2048 - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem - sudo openssl x509 -in certbot/live/certbot/cert.pem -ext keyUsage -noout | grep "Digital Signature" - # sudo openssl x509 -in certbot/live/certbot/cert.pem -text -noout + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent profile_name=ACME_2 -d lego.acme --key-type rsa2048 --http run + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment" - - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Revoke HTTP-01 single domain certbot" + - name: "[ * ] collecting test logs" + if: ${{ failure() }} run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data lego + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v4 + if: ${{ failure() }} + with: + name: asa_handler_headerinfo_tests.tar.gz + path: ${{ github.workspace }}/artifact/upload/ - - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Enroll lego" + asa_handler_tests: + name: "asa_handler_tests" + runs-on: 
ubuntu-latest + needs: asa_handler_headerinfo_tests + strategy: + max-parallel: 2 + fail-fast: false + matrix: + websrv: ['apache2', 'nginx'] + dbhandler: ['wsgi', 'django'] + steps: + - name: "checkout GIT" + uses: actions/checkout@v4 + + - name: "create folders" run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --key-type rsa2048 --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Digital Signature" - # sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout + mkdir lego + mkdir acme-sh + mkdir certbot + + - name: "Build container" + uses: ./.github/actions/container_prep + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - - name: "Profile ${{ secrets.ASA_PROFILE1 }} - revoke HTTP-01 single domain lego" + - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Setup a2c with asa_ca_handler with profile ${{ secrets.ASA_PROFILE1 }}" run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + sudo chmod 777 examples/Docker/data/acme_srv.cfg + sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_host: $ASA_API_HOST" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_user: $ASA_API_USER" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_password: $ASA_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_key: $ASA_API_KEY" >> 
examples/Docker/data/acme_srv.cfg
+ sudo echo "ca_name: $ASA_CA_NAME" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "profile_name: $ASA_PROFILE1" >> examples/Docker/data/acme_srv.cfg
+ sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" examples/Docker/data/acme_srv.cfg
+ cd examples/Docker/
+ docker-compose restart
+ env:
+ ASA_API_HOST: ${{ secrets.ASA_API_HOST }}
+ ASA_API_USER: ${{ secrets.ASA_API_USER }}
+ ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }}
+ ASA_API_KEY: ${{ secrets.ASA_API_KEY }}
+ ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }}
+ ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }}
+ ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }}
+
+ - name: "${{ secrets.ASA_PROFILE1 }} - enrollment"
+ uses: ./.github/actions/wf_specific/asa_ca_handler/enroll_profile_1
+ with:
+ PROFILE: ${{ secrets.ASA_PROFILE1 }}
 - name: "Profile ${{ secrets.ASA_PROFILE2 }} - Reconfiguration of a2c with a new profile"
 run: |
@@ -140,7 +182,6 @@ jobs:
 sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" examples/Docker/data/acme_srv.cfg
 cd examples/Docker/
 docker-compose restart
- docker-compose logs
 env:
 ASA_API_HOST: ${{ secrets.ASA_API_HOST }}
 ASA_API_USER: ${{ secrets.ASA_API_USER }}
@@ -150,55 +191,13 @@ jobs: ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }} ASA_PROFILE2: ${{ secrets.ASA_PROFILE2 }} - - name: "Profile ${{ secrets.ASA_PROFILE2 }} - create letsencrypt and lego folder" - run: | - sudo rm -rf certbot/* - sudo rm -rf lego/* - sudo rm -rf acme-sh/* - - - name: "Profile ${{ secrets.ASA_PROFILE2 }} - Enroll acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --keylength 2048 --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment" - # openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout - - - name: "Profile ${{ secrets.ASA_PROFILE2 }} - Revoke via acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - - - name: "Profile ${{ secrets.ASA_PROFILE2 }} - Register certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "Profile ${{ secrets.ASA_PROFILE2 }} - Enroll HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot --force-renewal --key-type rsa --rsa-key-size 2048 - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem - sudo 
openssl x509 -in certbot/live/certbot/cert.pem -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment" - - - name: "Profile ${{ secrets.ASA_PROFILE2 }} - Revoke HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot - - - name: "Profile ${{ secrets.ASA_PROFILE2 }} - Enroll lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --key-type rsa2048 --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment" - # sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - - - name: "Profile ${{ secrets.ASA_PROFILE2 }} - Revoke HTTP-01 single domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke + - name: "${{ secrets.ASA_PROFILE2 }} - enrollment" + uses: ./.github/actions/wf_specific/asa_ca_handler/enroll_profile_2 + with: + PROFILE: ${{ secrets.ASA_PROFILE1 }} - name: "Header-info - Setup asa_ca_handler with header-info" run: | - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg sudo chmod 777 examples/Docker/data/acme_srv.cfg sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem 
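Review bot: The new `enroll_profile_2` step passes `PROFILE: ${{ secrets.ASA_PROFILE1 }}` although the step is named for ASA_PROFILE2 and the preceding setup step has just rewritten acme_srv.cfg with `profile_name: $ASA_PROFILE2`; this looks like a copy of the enroll_profile_1 step and should read `PROFILE: ${{ secrets.ASA_PROFILE2 }}`. If the composite action derives its key-usage expectations from that input, the profile-2 regression would assert profile-1 behaviour against a profile-2 server and either fail or pass for the wrong reason. The same hunk also drops the copies of acme2certifier.pem, acme2certifier_cert.pem, acme2certifier_key.pem and django_settings.py at the start of the "Header-info - Setup" step, as do the hunks at -226, -320 and -487; presumably `container_prep` now stages that TLS material once, but nothing visible here re-installs it after each acme_srv.cfg rewrite, so worth confirming. The enclosing "Header-info - Setup asa_ca_handler with header-info" step continues outside the hunk.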
@@ -213,10 +212,8 @@ jobs:
 sudo echo "profile_name: $ASA_PROFILE1" >> examples/Docker/data/acme_srv.cfg
 sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" examples/Docker/data/acme_srv.cfg
 sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg
- cd examples/Docker/
 docker-compose restart
- docker-compose logs
 env:
 ASA_API_HOST: ${{ secrets.ASA_API_HOST }}
 ASA_API_USER: ${{ secrets.ASA_API_USER }}
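Review bot: `cd examples/Docker/` is deleted ahead of `docker-compose restart` in this hunk, so the restart now runs from the workspace root; unless a compose file exists there (the sibling hunks at -140 and -307 keep the `cd`), the step will fail or restart nothing, and the header-info configuration just written to acme_srv.cfg is never loaded. Restore the line `cd examples/Docker/` immediately before `docker-compose restart`, or set `working-directory: examples/Docker` on the step if the intent was to drop the `cd`. The enclosing run block starts outside the hunk.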
@@ -226,57 +223,14 @@ jobs: ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }} ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }} - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Hederinfo - enrollment" + uses: ./.github/actions/wf_specific/asa_ca_handler/enroll_headerinfo with: - time: 10s - - - name: "Header-info - Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Header-info - Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "Header-info - 01 - Enroll acme.sh with profile_name ${{ secrets.ASA_PROFILE1 }}" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --useragent profile_name=${{ secrets.ASA_PROFILE1 }} -d acme-sh.acme --alpn --standalone --keylength 2048 --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -texte -noout - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature" - - - name: "Header-info - 01 - Enroll lego with profile_id ${{ secrets.ASA_PROFILE1 }}" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent profile_name=${{ secrets.ASA_PROFILE1 }} -d lego.acme --key-type rsa2048 --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in 
lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Digital Signature" - - - name: "Header-info - 02 - Enroll acme.sh with profile_name ${{ secrets.ASA_PROFILE2 }}" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --useragent profile_name=${{ secrets.ASA_PROFILE2 }} -d acme-sh.acme --alpn --standalone --keylength 2048 --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -texte -noout - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment" - - - name: "Header-info - 02 - Enroll lego with profile_id ${{ secrets.ASA_PROFILE2 }}" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent profile_name=${{ secrets.ASA_PROFILE2 }} -d lego.acme --key-type rsa2048 --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - # sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment" + ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }} + ASA_PROFILE2: ${{ secrets.ASA_PROFILE2 }} - name: "EAB without headerinfo - Setup asa_ca_handler" run: | - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py 
examples/Docker/data/settings.py
 sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
 sudo chmod 777 examples/Docker/data/acme_srv.cfg
 sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
@@ -307,7 +261,6 @@ jobs:
 cd examples/Docker/
 docker-compose restart
- docker-compose logs
 env:
 ASA_API_HOST: ${{ secrets.ASA_API_HOST }}
 ASA_API_USER: ${{ secrets.ASA_API_USER }}
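Review bot: The new step name `"Hederinfo - enrollment"` is misspelled and breaks the naming scheme of the surrounding steps (`Header-info - …`); use `- name: "Header-info - enrollment"`. The removed lines also drop the 10s sleep and the http/https `/directory` probes that previously followed `docker-compose restart`; if `enroll_headerinfo` does not repeat them (the action file is not in this diff), the first enrollment may race the container restart and fail intermittently, and the same applies to the -320 and -487 hunks. The "EAB without headerinfo - Setup asa_ca_handler" step at the end of the hunk continues outside it.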
@@ -320,129 +273,14 @@ jobs: ASA_PROFILE2: ${{ secrets.ASA_PROFILE2 }} ASA_PROFILE3: ${{ secrets.ASA_PROFILE3 }} - - name: "EAB without headerinfo - Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "EAB without headerinfo - enrollment" + uses: ./.github/actions/wf_specific/asa_ca_handler/enroll_eab_wo_headerinfo with: - time: 10s - - - name: "EAB without headerinfo - Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "EAB without headerinfo - Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "EAB without headerinfo - 01 - Enroll acme.sh without profile_name" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment" - - - name: "EAB without headerinfo - 01 - Enroll lego without profile_name" - run: | - sudo rm -rf 
lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -k rsa2048 -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment" - - - name: "EAB without headerinfo - 02 - Enroll acme with a profile_name taken from header_info NOT included in kid.json (to be ignored)" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_name=unknown -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment" - - - name: "EAB without headerinfo - 02 - Enroll lego with a 
profile_name taken from header_info NOT included in kid.json (to be ignored)" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_name=unknown -k rsa2048 -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment" - - - name: "EAB without headerinfo - 03 - Enroll acme with a profile_name/ca_name taken from kid.json" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_01 --eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME2 }}" - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage 
-noout | grep -i "Digital Signature" - - - name: "EAB without headerinfo - 03 - Enroll lego with a profile_name/ca_name taken from kid.json" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -k rsa2048 -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME2 }}" - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep -i "Digital Signature" - - - name: "EAB with headerinfo - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)" - id: acmefail02 - continue-on-error: true - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure - - - name: "EAB with headerinfo - 04 - check result " - if: steps.acmefail02.outcome != 'failure' - run: | - echo "acmefail outcome is ${{steps.acmefail02.outcome }}" - exit 1 - - - name: "EAB with headerinfo - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)" - id: legofail02 - continue-on-error: true - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a 
--email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -k rsa2048 -d lego.acme --http run - - - name: "EAB with headerinfo - 04a - check result " - if: steps.legofail02.outcome != 'failure' - run: | - echo "legofail outcome is ${{steps.legofail02.outcome }}" - exit 1 - - - name: "EAB with headerinfo - 05 - Enroll acme with default values from acme.cfg" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature" - - - name: "EAB with headerinfo - 05 - Enroll lego with default values from acme.cfg" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -k rsa2048 -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem 
lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature" + ASA_CA_NAME1: ${{ secrets.ASA_CA_NAME }} + ASA_CA_NAME2: ${{ secrets.ASA_CA_NAME2 }} - name: "EAB with headerinfo - Setup asa_ca_handler" run: | - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg sudo chmod 777 examples/Docker/data/acme_srv.cfg sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem @@ -474,7 +312,6 @@ jobs: cd examples/Docker/ docker-compose restart - docker-compose logs env: ASA_API_HOST: ${{ secrets.ASA_API_HOST }} ASA_API_USER: ${{ secrets.ASA_API_USER }} 
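Review bot: The `enroll_eab_wo_headerinfo` step replaces two behaviours of the removed inline tests that are easy to lose in the move: the `sudo rm -rf acme-sh/*` / `sudo rm -rf lego/*` reset before every enrollment, and the negative case 04 guarded by `continue-on-error: true` plus a `steps.<id>.outcome != 'failure'` check that fails the job when a certificate for a disallowed FQDN is issued. Without the reset, `openssl verify` can pass against a certificate left over from the previous case, and without the outcome guard the disallowed-FQDN case passes silently; composite-action steps do support `id`, `if` and `continue-on-error`, so both can be kept, but the action itself is not in this diff and cannot be checked here. The input `ASA_CA_NAME1: ${{ secrets.ASA_CA_NAME }}` is fine but reads like a typo next to `ASA_CA_NAME2`; a comment such as `# ASA_CA_NAME1: default issuing CA; ASA_CA_NAME2: issuer expected for keyid_01` would settle it. The "EAB with headerinfo - Setup asa_ca_handler" step at the end of the hunk continues outside it.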
@@ -487,177 +324,17 @@ jobs: ASA_PROFILE2: ${{ secrets.ASA_PROFILE2 }} ASA_PROFILE3: ${{ secrets.ASA_PROFILE3 }} - - name: "EAB with headerinfo - Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "EAB with headerinfo - enrollment" + uses: ./.github/actions/wf_specific/asa_ca_handler/enroll_eab_w_headerinfo with: - time: 10s - - - name: "EAB with headerinfo - Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "EAB with headerinfo - Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "EAB with headerinfo - 01 - Enroll acme.sh without profile_name" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment" - - - name: "EAB with headerinfo - 01 - Enroll lego without profile_name" - run: | - sudo rm -rf lego/* - docker run 
-i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -k rsa2048 -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment" - - - name: "EAB with headerinfo - 02a - Enroll acme with a profile_name taken from header_info NOT included in kid.json (to fail)" - id: acmefail01 - continue-on-error: true - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_name=unknown -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure - - - name: "EAB with headerinfo - 02a - check result " - if: steps.acmefail01.outcome != 'failure' - run: | - echo "acmefail outcome is ${{steps.acmefail01.outcome }}" - exit 1 - - - name: "EAB with headerinfo - 02b - Enroll acme with a profile_name taken from header_info included in kid.json" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server 
http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_name=ACME -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature" - - - name: "EAB with headerinfo - 02a - Enroll lego with a profile_name taken from header_info NOT included in kid.json (to fail)" - id: legofail01 - continue-on-error: true - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_name=unknown -k rsa2048 -d lego.acme --http run - - - name: "EAB with headerinfo - 02a - check result " - if: steps.legofail01.outcome != 'failure' - run: | - echo "legofail outcome is ${{steps.legofail01.outcome }}" - exit 1 - - - name: "EAB with headerinfo - 02b - Enroll lego with a profile_name taken from header_info included in kid.json" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid 
keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_name=ACME -k rsa2048 -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Digital Signature" - - - name: "EAB with headerinfo - 03 - Enroll acme with a profile_name/ca_name taken from kid.json" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_01 --eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME2 }}" - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Digital Signature" - - - name: "EAB with headerinfo - 03 - Enroll lego with a profile_name/ca_name taken from kid.json" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email 
"lego@example.com" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -k rsa2048 -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME2 }}" - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep -i "Digital Signature" - - - name: "EAB with headerinfo - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)" - id: acmefail021 - continue-on-error: true - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure - - - name: "EAB with headerinfo - 04 - check result " - if: steps.acmefail021.outcome != 'failure' - run: | - echo "acmefail outcome is ${{steps.acmefail021.outcome }}" - exit 1 - - - name: "EAB with headerinfo - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)" - id: legofail021 - continue-on-error: true - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -k rsa2048 -d lego.acme --http run - - - name: "EAB with headerinfo - 04a - check result " - if: steps.legofail021.outcome != 
'failure' - run: | - echo "legofail outcome is ${{steps.legofail021.outcome }}" - exit 1 - - - name: "EAB with headerinfo - 05 - Enroll acme with default values from acme.cfg" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature" - - - name: "EAB with headerinfo - 05 - Enroll lego with default values from acme.cfg" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -k rsa2048 -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep 
"Digital Signature" - - - name: "EAB with headerinfo - 06 - Enroll acme with not allowed headerinfo-field (should fail)" - id: acmefail03 - continue-on-error: true - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_id=101 -d acme-sh.acme --keylength 2048 --standalone --debug 3 --output-insecure - - - name: "EAB with headerinfo - 06 - check result " - if: steps.acmefail03.outcome != 'failure' - run: | - echo "acmefail outcome is ${{steps.acmefail03.outcome }}" - exit 1 - - - name: "EAB with headerinfo - 06 - Enroll lego with not allowed headerinfo-field (should fail)" - id: legofail03 - continue-on-error: true - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --user-agent profile_id=101 -k rsa2048 -d lego.acme --http run + ASA_CA_NAME1: ${{ secrets.ASA_CA_NAME }} + ASA_CA_NAME2: ${{ secrets.ASA_CA_NAME2 }} - - name: "EAB with headerinfo - 06 - check result " - if: steps.legofail03.outcome != 'failure' - run: | - echo "legofail outcome is ${{steps.legofail03.outcome }}" - exit 1 + - name: "Check container configuration" + uses: ./.github/actions/container_check + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - name: "[ * ] collecting test logs" if: ${{ failure() }} 
@@ -681,6 +358,7 @@ jobs:
   asa_handler_tests_rpm:
     name: "asa_handler_tests_rpm"
     runs-on: ubuntu-latest
+    needs: asa_handler_headerinfo_tests
     strategy:
       max-parallel: 1
       fail-fast: false
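Review bot: The new `needs: asa_handler_headerinfo_tests` line is undocumented, and together with the existing `max-parallel: 1` it fully serialises this job behind the headerinfo job without saying why. A reader cannot tell whether this is a data dependency or throttling against a shared backend CA, which matters when someone later tries to speed the pipeline up. A one-line comment above it such as `# run after the headerinfo job: both jobs enroll against the same external ASA CA instance` (adjusted to the real reason) would settle that.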
@@ -690,47 +368,19 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: update version number in spec file - run: | - # sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - cat examples/install_scripts/rpm/acme2certifier.spec - - - name: build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" - - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" - - - name: "[ PREPARE ] setup environment for alma installation" - run: | - docker network create acme - sudo mkdir -p data - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data + GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} + GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} - - name: "[ PREPARE ] create letsencrypt and lego folder" + - name: "Create letsencrypt and lego folder" run: | mkdir certbot mkdir lego mkdir acme-sh - - name: "Retrieve rpms from SBOM repo" - run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data - env: - GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} - GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} - - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Setup a2c with asa_ca_handler with profile ${{ secrets.ASA_PROFILE1 }}" run: | mkdir -p data/acme_ca 
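Review bot: The removed steps exported `TAG_NAME` to `$GITHUB_ENV` and exposed `steps.rpm.outputs.rpm_dir_path`; the replacement `uses: ./.github/actions/rpm_prep` step has no `id:`, so any later step in this job that still references `steps.rpm.outputs.*` or `env.TAG_NAME` (outside this hunk) will now resolve to an empty string rather than fail loudly. Worth grepping the rest of the job before merging. Separately, `GH_SBOM_USER`/`GH_SBOM_TOKEN` are now passed as composite-action inputs; the deleted step embedded the token in a clone URL (`https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/...`), which can surface in git error output and in the cloned repo's `.git/config`, so the composite action should be checked for the same pattern since it cannot be seen from this hunk.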
@@ -756,57 +406,14 @@ jobs: ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }} ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }} - - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Almalinux instance" - run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Execute install scipt" run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh - - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Enroll acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --keylength 2048 --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature" - # openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout - - - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Revoke via acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - - - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Register certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ 
certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Enroll HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot --key-type rsa --rsa-key-size 2048 - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem - sudo openssl x509 -in certbot/live/certbot/cert.pem -ext keyUsage -noout | grep "Digital Signature" - # sudo openssl x509 -in certbot/live/certbot/cert.pem -text -noout - - - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Revoke HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot - - - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Enroll lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --key-type rsa2048 --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Digital Signature" - # sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - - - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Revoke HTTP-01 single domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke + - name: "${{ secrets.ASA_PROFILE1 }} - enrollment" + uses: ./.github/actions/wf_specific/asa_ca_handler/enroll_profile_1 + with: + PROFILE: ${{ secrets.ASA_PROFILE1 }} - name: "Profile ${{ secrets.ASA_PROFILE2 }} - Setup a2c with 
asa_ca_handler with profile ${{ secrets.ASA_PROFILE1 }}" run: | 
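Review bot: The new step name `"${{ secrets.ASA_PROFILE1 }} - enrollment"` consists only of a secret plus a fixed suffix, so GitHub's log masking renders it as `*** - enrollment`; the profile-2 step introduced in the next hunk renders identically, making the two indistinguishable in the run view. A name that carries a non-secret label, e.g. `- name: "Profile 1 - enrollment"`, keeps the logs readable (the old names at least had distinct verbs). Also note the deleted "Almalinux instance" step built and started the `acme-srv` container that the retained `docker exec acme-srv ...` context line depends on; presumably `rpm_prep` now does this, but the coupling is no longer visible in the workflow and deserves a comment on the `docker exec` step.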
@@ -835,49 +442,10 @@ jobs: run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart - - name: "Profile ${{ secrets.ASA_PROFILE2 }} - create letsencrypt and lego folder" - run: | - sudo rm -rf certbot/* - sudo rm -rf lego/* - sudo rm -rf acme-sh/* - - - name: "Profile ${{ secrets.ASA_PROFILE2 }} - acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --keylength 2048 --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment" - # openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout - - - name: "Profile ${{ secrets.ASA_PROFILE2 }} - revoke via acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - - - name: "Profile ${{ secrets.ASA_PROFILE2 }} - register certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "Profile ${{ secrets.ASA_PROFILE2 }} - Enroll HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot --force-renewal --key-type rsa --rsa-key-size 2048 - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem - sudo openssl x509 -in 
certbot/live/certbot/cert.pem -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment" - # sudo openssl x509 -in certbot/live/certbot/cert.pem -text -noout - - - name: "Profile ${{ secrets.ASA_PROFILE2 }} - Revoke HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot - - - name: "Profile ${{ secrets.ASA_PROFILE2 }} - Enroll lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --key-type rsa2048 --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment" - # sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - - - name: "Profile ${{ secrets.ASA_PROFILE2 }} - revoke HTTP-01 single domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke + - name: "${{ secrets.ASA_PROFILE2 }} - enrollment" + uses: ./.github/actions/wf_specific/asa_ca_handler/enroll_profile_2 + with: + PROFILE: ${{ secrets.ASA_PROFILE1 }} - name: "Header-info - Setup asa_ca_handler with header-info" run: | 
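Review bot: The new `enroll_profile_2` invocation is passed `PROFILE: ${{ secrets.ASA_PROFILE1 }}`, which looks like a copy-paste slip from the profile-1 step in the previous hunk; the deleted steps in this hunk all tested `ASA_PROFILE2` and asserted the `Key Encipherment, Data Encipherment` key usage. Unless the action deliberately ignores the input, this should be `PROFILE: ${{ secrets.ASA_PROFILE2 }}`, otherwise the profile-2 checks silently run against profile 1. The removed block also started with `sudo rm -rf certbot/* lego/* acme-sh/*`; if the composite action does not clear these directories, profile-1 artefacts remain and `openssl verify` may pass on a stale certificate rather than the newly enrolled one.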
@@ -907,39 +475,11 @@ jobs: run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart - - name: "Header-info - 01 - Enroll acme.sh with profile_name ${{ secrets.ASA_PROFILE1 }}" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --useragent profile_name=${{ secrets.ASA_PROFILE1 }} -d acme-sh.acme --alpn --standalone --keylength 2048 --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -texte -noout - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature" - - - name: "Header-info - 01 - Enroll lego with profile_id ${{ secrets.ASA_PROFILE1 }}" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent profile_name=${{ secrets.ASA_PROFILE1 }} -d lego.acme --key-type rsa2048 --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Digital Signature" - - - name: "Header-info - 02 - Enroll acme.sh with profile_name ${{ secrets.ASA_PROFILE2 }}" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --useragent profile_name=${{ secrets.ASA_PROFILE2 }} -d acme-sh.acme --alpn --standalone --keylength 2048 --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > 
"cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -texte -noout - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment" - - - name: "Header-info - 02 - Enroll lego with profile_id ${{ secrets.ASA_PROFILE2 }}" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent profile_name=${{ secrets.ASA_PROFILE2 }} -d lego.acme --key-type rsa2048 --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - # sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment" + - name: "Hederinfo - enrollment" + uses: ./.github/actions/wf_specific/asa_ca_handler/enroll_headerinfo + with: + ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }} + ASA_PROFILE2: ${{ secrets.ASA_PROFILE2 }} - name: "EAB without headerinfo - Setup asa_ca_handler" run: | 
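Review bot: The new step name `"Hederinfo - enrollment"` has a typo and breaks the naming used by the surrounding context steps (`"Header-info - Setup asa_ca_handler with header-info"`), which makes log filtering by prefix miss it; change it to `- name: "Header-info - enrollment"`. Both `ASA_PROFILE1` and `ASA_PROFILE2` are forwarded, so the action presumably replays both removed header-info cases; a short comment naming the expected key usages per profile (`Digital Signature` for profile 1, `Key Encipherment, Data Encipherment` for profile 2, as the deleted checks asserted) would keep that contract visible in the workflow.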
@@ -985,116 +525,11 @@ jobs: run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart - - name: "EAB without headerinfo - Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "EAB without headerinfo - enrollment" + uses: ./.github/actions/wf_specific/asa_ca_handler/enroll_eab_wo_headerinfo with: - time: 10s - - - name: "EAB without headerinfo - 01 - Enroll acme.sh without profile_name" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment" - - - name: "EAB without headerinfo - 01 - Enroll lego without profile_name" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -k rsa2048 -d lego.acme --http run - sudo openssl verify -CAfile 
cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment" - - - name: "EAB without headerinfo - 02 - Enroll acme with a profile_name taken from header_info NOT included in kid.json (to be ignored)" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_name=unknown -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment" - - - name: "EAB without headerinfo - 02 - Enroll lego with a profile_name taken from header_info NOT included in kid.json (to be ignored)" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac 
V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_name=unknown -k rsa2048 -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment" - - - name: "EAB without headerinfo - 03 - Enroll acme with a profile_name/ca_name taken from kid.json" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_01 --eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME2 }}" - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Digital Signature" - - - name: "EAB without headerinfo - 03 - Enroll lego with a profile_name/ca_name taken from kid.json" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv 
-a --email "lego@example.com" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -k rsa2048 -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME2 }}" - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep -i "Digital Signature" - - - name: "EAB with headerinfo - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)" - id: acmefail02 - continue-on-error: true - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure - - - name: "EAB with headerinfo - 04 - check result " - if: steps.acmefail02.outcome != 'failure' - run: | - echo "acmefail outcome is ${{steps.acmefail02.outcome }}" - exit 1 - - - name: "EAB with headerinfo - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)" - id: legofail02 - continue-on-error: true - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -k rsa2048 -d lego.acme --http run - - - name: "EAB with headerinfo - 04a - check result " - if: steps.legofail02.outcome != 
'failure' - run: | - echo "legofail outcome is ${{steps.legofail02.outcome }}" - exit 1 - - - name: "EAB with headerinfo - 05 - Enroll acme with default values from acme.cfg" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature" - - - name: "EAB with headerinfo - 05 - Enroll lego with default values from acme.cfg" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -k rsa2048 -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep 
"Digital Signature" + ASA_CA_NAME1: ${{ secrets.ASA_CA_NAME }} + ASA_CA_NAME2: ${{ secrets.ASA_CA_NAME2 }} - name: "EAB with headerinfo - Setup asa_ca_handler" run: | 
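Review bot: The `enroll_eab_wo_headerinfo` step now runs directly after the `rpm_tester.sh restart` context step, but the deleted block began with a 10s `sleep-action` to let a2c come back up; unless the composite action polls the directory URL before its first enrollment, the first EAB registration can race the restart and fail intermittently. If the action has no readiness check, a guard comparable to the earlier `curl -f http://$ACME_SERVER/directory` probe belongs either in the action or as a step before it. The deleted block also carried the negative cases (`continue-on-error: true` plus a "check result" step that fails when the enrollment unexpectedly succeeded, for `keyid_02`); those must-fail assertions are the ones that catch an over-permissive EAB policy, so it is worth confirming the action still implements them rather than only the happy paths.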
@@ -1137,175 +572,15 @@ jobs:
ASA_PROFILE2: ${{ secrets.ASA_PROFILE2 }}
ASA_PROFILE3: ${{ secrets.ASA_PROFILE3 }}
- - name: "EAB without headerinfo - Reconfigure a2c "
+ - name: "EAB with headerinfo - Reconfigure a2c "
run: |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
- - name: "EAB without headerinfo - Sleep for 10s"
- uses: juliangruber/sleep-action@v2.0.3
+ - name: "EAB with headerinfo - enrollment"
+ uses: ./.github/actions/wf_specific/asa_ca_handler/enroll_eab_w_headerinfo
with:
- time: 10s
-
- - name: "EAB with headerinfo - 01 - Enroll acme.sh without profile_name"
- run: |
- sudo rm -rf acme-sh/*
- docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
- docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
- awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
- openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
- openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
- openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}"
- openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment"
-
- - name: "EAB with headerinfo - 01 - Enroll lego without profile_name"
- run: |
- sudo rm -rf lego/*
- docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -k rsa2048 -d lego.acme --http run
- sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
- sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
- sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}"
- sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment"
-
- - name: "EAB with headerinfo - 02a - Enroll acme with a profile_name taken from header_info NOT included in kid.json (to fail)"
- id: acmefail01
- continue-on-error: true
- run: |
- sudo rm -rf acme-sh/*
- docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
- docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_name=unknown -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
-
- - name: "EAB with headerinfo - 02a - check result "
- if: steps.acmefail01.outcome != 'failure'
- run: |
- echo "acmefail outcome is ${{steps.acmefail01.outcome }}"
- exit 1
-
- - name: "EAB with headerinfo - 02b - Enroll acme with a profile_name taken from header_info included in kid.json"
- run: |
- sudo rm -rf acme-sh/*
- docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
- docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_name=ACME -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
- awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
- openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
- openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
- openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}"
- openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature"
-
- - name: "EAB with headerinfo - 02a - Enroll lego with a profile_name taken from header_info NOT included in kid.json (to fail)"
- id: legofail01
- continue-on-error: true
- run: |
- sudo rm -rf lego/*
- docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_name=unknown -k rsa2048 -d lego.acme --http run
-
- - name: "EAB with headerinfo - 02a - check result "
- if: steps.legofail01.outcome != 'failure'
- run: |
- echo "legofail outcome is ${{steps.legofail01.outcome }}"
- exit 1
-
- - name: "EAB with headerinfo - 02b - Enroll lego with a profile_name taken from header_info included in kid.json"
- run: |
- sudo rm -rf lego/*
- docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_name=ACME -k rsa2048 -d lego.acme --http run
- sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
- sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
- sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}"
- sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Digital Signature"
-
- - name: "EAB with headerinfo - 03 - Enroll acme with a profile_name/ca_name taken from kid.json"
- run: |
- sudo rm -rf acme-sh/*
- docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_01 --eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3
- docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
- awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
- openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
- openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
- openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME2 }}"
- openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Digital Signature"
-
- - name: "EAB with headerinfo - 03 - Enroll lego with a profile_name/ca_name taken from kid.json"
- run: |
- sudo rm -rf lego/*
- docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -k rsa2048 -d lego.acme --http run
- sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
- sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
- sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME2 }}"
- sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep -i "Digital Signature"
-
- - name: "EAB with headerinfo - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)"
- id: acmefail021
- continue-on-error: true
- run: |
- sudo rm -rf acme-sh/*
- docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3
- docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
-
- - name: "EAB with headerinfo - 04 - check result "
- if: steps.acmefail021.outcome != 'failure'
- run: |
- echo "acmefail outcome is ${{steps.acmefail021.outcome }}"
- exit 1
-
- - name: "EAB with headerinfo - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)"
- id: legofail021
- continue-on-error: true
- run: |
- sudo rm -rf lego/*
- docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -k rsa2048 -d lego.acme --http run
-
- - name: "EAB with headerinfo - 04a - check result "
- if: steps.legofail021.outcome != 'failure'
- run: |
- echo "legofail outcome is ${{steps.legofail021.outcome }}"
- exit 1
-
- - name: "EAB with headerinfo - 05 - Enroll acme with default values from acme.cfg"
- run: |
- sudo rm -rf acme-sh/*
- docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3
- docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
- awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
- openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
- openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
- openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}"
- openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature"
-
- - name: "EAB with headerinfo - 05 - Enroll lego with default values from acme.cfg"
- run: |
- sudo rm -rf lego/*
- docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -k rsa2048 -d lego.acme --http run
- sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
- sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
- sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}"
- sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature"
-
- - name: "EAB with headerinfo - 06 - Enroll acme with not allowed headerinfo-field (should fail)"
- id: acmefail03
- continue-on-error: true
- run: |
- sudo rm -rf acme-sh/*
- docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3
- docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_id=101 -d acme-sh.acme --keylength 2048 --standalone --debug 3 --output-insecure
-
- - name: "EAB with headerinfo - 06 - check result "
- if: steps.acmefail03.outcome != 'failure'
- run: |
- echo "acmefail outcome is ${{steps.acmefail03.outcome }}"
- exit 1
-
- - name: "EAB with headerinfo - 06 - Enroll lego with not allowed headerinfo-field (should fail)"
- id: legofail03
- continue-on-error: true
- run: |
- sudo rm -rf lego/*
- docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --user-agent profile_id=101 -k rsa2048 -d lego.acme --http run
-
- - name: "EAB with headerinfo - 06 - check result "
- if: steps.legofail03.outcome != 'failure'
- run: |
- echo "legofail outcome is ${{steps.legofail03.outcome }}"
- exit 1
+ ASA_CA_NAME1: ${{ secrets.ASA_CA_NAME }}
+ ASA_CA_NAME2: ${{ secrets.ASA_CA_NAME2 }}
- name: "[ * ] collecting test logs"
if: ${{ failure() }}
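Review bot: The `Sleep for 10s` step that followed `rpm_tester.sh restart` is dropped and the new `enroll_eab_w_headerinfo` step is the first thing that talks to the server afterwards, so the first enrollment can race the restart unless the composite action itself waits for readiness; the action is not visible in this hunk, so please confirm it opens with a directory probe such as `docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory`, or put the wait back here. The inline steps being removed carried the negative cases (profile_name not listed in kid.json, a disallowed FQDN, a disallowed header-info field) that only pass when enrollment fails; those are the checks that actually exercise the header-info allow-list, so the action should keep them and the step name could say so, e.g. `- name: "EAB with headerinfo - enrollment (positive and negative cases)"`. Passing the CA names through `with:` inputs instead of expanding `secrets.ASA_CA_NAME` inside `grep` command lines is an improvement, since the secret no longer appears in a shell command.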
@@ -1326,108 +601,3 @@ jobs:
with:
name: asa_handler_tests_rpm-rh${{ matrix.rhversion }}.tar.gz
path: ${{ github.workspace }}/artifact/upload/
-
-
- asa_handler_headerinfo_tests:
- name: "asa_handler_headerinfo_tests"
- runs-on: ubuntu-latest
- steps:
- - name: "checkout GIT"
- uses: actions/checkout@v4
-
- - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
- working-directory: examples/Docker/
- run: |
- sudo mkdir -p data
- docker network create acme
- docker-compose up -d
- docker-compose logs
-
- - name: "[ PREPARE ] create lego folder"
- run: |
- mkdir lego
-
- - name: "Test http://acme-srv/directory is accessible"
- run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
- - name: "[ PREPARE ] reconfiguration of a2c with a new profile"
- run: |
- sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
- sudo touch examples/Docker/data/acme_srv.cfg
- sudo chmod 777 examples/Docker/data/acme_srv.cfg
- sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
- sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
- sudo echo "api_host: $ASA_API_HOST" >> examples/Docker/data/acme_srv.cfg
- sudo echo "api_user: $ASA_API_USER" >> examples/Docker/data/acme_srv.cfg
- sudo echo "api_password: $ASA_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
- sudo echo "api_key: $ASA_API_KEY" >> examples/Docker/data/acme_srv.cfg
- sudo echo "ca_name: $ASA_CA_NAME" >> examples/Docker/data/acme_srv.cfg
- sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
- sudo echo "profile_name: $ASA_POFILE1" >> examples/Docker/data/acme_srv.cfg
- sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" examples/Docker/data/acme_srv.cfg
- sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg
- cd examples/Docker/
- docker-compose restart
- docker-compose logs
- env:
- ASA_API_HOST: ${{ secrets.ASA_API_HOST }}
- ASA_API_USER: ${{ secrets.ASA_API_USER }}
- ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }}
- ASA_API_KEY: ${{ secrets.ASA_API_KEY }}
- ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }}
- ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }}
- ASA_PROFILE1: ${{ secrets.ASA_POFILE1 }}
-
- - name: "Test http://acme-srv/directory is accessible again"
- run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
- - name: "[ PREPARE ] prepare acme.sh container"
- run: |
- sudo mkdir acme-sh
- docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
-
- - name: "[ REGISTER] acme.sh"
- run: |
- docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug 3
-
- - name: "[ ENROLL] acme.sh with profileID ACME"
- run: |
- docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --useragent profile_name=ACME --keylength 2048 --debug 3 --output-insecure
- awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
- openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
- openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature"
-
- - name: "[ ENROLL ] lego with profileID ACME"
- run: |
- docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent profile_name=ACME -d lego.acme --key-type rsa2048 --http run
- sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
- sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Digital Signature"
-
- - name: "[ ENROLL] acme.sh with profileID ACME_2"
- run: |
- docker exec -i acme-sh acme.sh --server http://acme-srv --renew --force -d acme-sh.acme --standalone --useragent profile_name=ACME_2 --keylength 2048 --debug 3 --output-insecure
- openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
- openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment"
-
- - name: "[ ENROLL ] lego with profileID ACME_2"
- run: |
- docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent profile_name=ACME_2 -d lego.acme --key-type rsa2048 --http run
- sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
- sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment"
-
- - name: "[ * ] collecting test logs"
- if: ${{ failure() }}
- run: |
- mkdir -p ${{ github.workspace }}/artifact/upload
- sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
- sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
- cd examples/Docker
- docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
- sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data lego
-
- - name: "[ * ] uploading artificates"
- uses: actions/upload-artifact@v4
- if: ${{ failure() }}
- with:
- name: asa_handler_headerinfo_tests.tar.gz
- path: ${{ github.workspace }}/artifact/upload/
\ No newline at end of file
diff --git a/.github/workflows/ca_handler_tests_certifier.yml b/.github/workflows/ca_handler_tests_certifier.yml
index 8146abee..9625efd2 100644
--- a/.github/workflows/ca_handler_tests_certifier.yml
+++ b/.github/workflows/ca_handler_tests_certifier.yml
@@ -13,7 +13,7 @@ jobs:
name: "certifier_handler_tests"
runs-on: ubuntu-latest
strategy:
- max-parallel: 2
+ # max-parallel: 1
fail-fast: false
matrix:
websrv: ['apache2', 'nginx']
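Review bot: `# max-parallel: 1` removes the concurrency limit rather than tightening it, and the value left in the comment (1) does not match the value that was removed (2), so the intent cannot be read from the hunk. With the limit gone, every matrix combination (`apache2`/`nginx` times the `dbhandler` values) runs its enrollments at the same time against the same external NCM endpoint through the SSH tunnel, which can cause cross-job collisions if the jobs share a `ca_name` or tunnel credentials; this is inferred, as the tunnel action is not visible here. If serialisation was the goal, write `max-parallel: 1` uncommented; if fully parallel runs are intended, delete the line instead of leaving a stale value in a comment.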
@@ -22,46 +22,40 @@ jobs:
- name: "checkout GIT"
uses: actions/checkout@v4
- - name: "create folders"
- run: |
- mkdir lego
- mkdir acme-sh
- mkdir certbot
-
- - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})"
- working-directory: examples/Docker/
- run: |
- sudo apt-get install -y docker-compose
- sudo mkdir -p data
- sed -i "s/wsgi/$DB_HANDLER/g" .env
- sed -i "s/apache2/$WEB_SRV/g" .env
- cat .env
- docker network create acme
- docker-compose up -d
- docker-compose logs
- env:
- WEB_SRV: ${{ matrix.websrv }}
+ - name: "Build container"
+ uses: ./.github/actions/container_prep
+ with:
DB_HANDLER: ${{ matrix.dbhandler }}
+ WEB_SRV: ${{ matrix.websrv }}
+
+ - name: "Setup tunnel"
+ uses: ./.github/actions/wf_specific/certifier_ca_handler/tunnel_setup
+ with:
+ WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }}
+ WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }}
+ WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }}
+ NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
+ WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
+ WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
+ NCM_API_USER: ${{ secrets.NCM_API_USER }}
+ NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
- name: "No profile - Setup a2c with certifier_ca_handler"
run: |
- sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem
- sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem
- sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem
- sudo cp .github/django_settings.py examples/Docker/data/settings.py
sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
sudo chmod 777 examples/Docker/data/acme_srv.cfg
sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
- sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
+ # sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "api_host: https://forwarder.acme:8084" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "ca_bundle: False" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
- sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
+ # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
cd examples/Docker/
docker-compose restart
- docker-compose logs
env:
NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
NCM_API_USER: ${{ secrets.NCM_API_USER }}
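Review bot: `ca_bundle: False` turns off TLS server-certificate verification for the handler's connection to `https://forwarder.acme:8084`, and `api_user`/`api_password` are sent over that connection, so the a2c container will now accept any certificate presented under that hostname. That is presumably acceptable because `forwarder.acme` is a container on the job's private docker network fronting the SSH tunnel created by `tunnel_setup`, but nothing in the workflow says so; add a line above it such as `# forwarder.acme is the local SSH-tunnel endpoint with a self-signed cert; verification is intentionally off for this test only`, and if the tunnel action can export the forwarder's certificate, point `ca_bundle` at it instead. The commented-out `api_host`/`ca_bundle` lines are dead code that will drift from the live configuration and should be removed rather than kept as comments. Separately, the config file that receives `api_password` is still created with `chmod 777` (pre-existing context line), which is worth narrowing to the mode the container user actually needs.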
@@ -69,65 +63,23 @@ jobs:
NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
- - name: "No profile - Sleep for 10s"
- uses: juliangruber/sleep-action@v2.0.3
- with:
- time: 10s
-
- - name: "No profile - Test http://acme-srv/directory is accessible"
- run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
- - name: "No profile - Test if https://acme-srv/directory is accessible"
- run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
-
- - name: "No profile - Enroll acme.sh"
- run: |
- docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure
- awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
- openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
- - name: "No profile - Revoke via acme.sh"
- run: |
- docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
-
- - name: "No profile - Register certbot"
- run: |
- docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
-
- - name: "No profile - Enroll HTTP-01 single domain certbot"
- run: |
- docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
- sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
-
- - name: "No profile - Revoke HTTP-01 single domain certbot"
- run: |
- docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot
-
- - name: "No profile - Enroll lego"
- run: |
- docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
- sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
-
- - name: "No profile - Revoke HTTP-01 single domain lego"
- run: |
- docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke
+ - name: "No profile - Enrollmnet"
+ uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_no_profile
- name: "Profile 101 - Setup a2c with certifier_ca_handler with profile 101"
run: |
- sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
- sudo touch examples/Docker/data/acme_srv.cfg
- sudo chmod 777 examples/Docker/data/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
- sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
+ # sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "api_host: https://forwarder.acme:8084" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "ca_bundle: False" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
- sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
+ # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
sudo echo "profile_id: 101" >> examples/Docker/data/acme_srv.cfg
cd examples/Docker/
docker-compose restart
- docker-compose logs
env:
NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
NCM_API_USER: ${{ secrets.NCM_API_USER }}
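Review bot: The new step name `"No profile - Enrollmnet"` has a typo; it should read `- name: "No profile - Enrollment"`. The removed inline steps also carried a `Sleep for 10s` and two `/directory` probes between `docker-compose restart` and the first enrollment, so the `enroll_no_profile` action is now the first caller after the restart; the action is not visible here, so please confirm it performs that readiness check itself, otherwise the first acme.sh run may hit the server mid-restart. Dropping `sudo touch`/`sudo chmod 777` from the Profile 101 setup is fine only because the `>` redirect now relies on the mode set in the "No profile" step; a one-line comment such as `# acme_srv.cfg was created and made writable in the "No profile" setup step` would make that dependency explicit.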
@@ -136,69 +88,23 @@ jobs:
NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
PROFILE: ${{ secrets.PROFILE }}
- - name: "Profile 101 - Sleep for 10s"
- uses: juliangruber/sleep-action@v2.0.3
- with:
- time: 10s
-
- - name: "Profile 101 - Test http://acme-srv/directory is accessible"
- run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
- - name: "Profile 101 - Test if https://acme-srv/directory is accessible"
- run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
-
- - name: "Profile 101 - Enroll acme.sh"
- run: |
- sudo rm -rf acme-sh/*
- docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure
- awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
- openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
-
- - name: "Profile 101 - Revoke via acme.sh"
- run: |
- docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
-
- - name: "Profile 101 - Register certbot"
- run: |
- sudo rm -rf certbot/*
- docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
-
- - name: "Profile 101 - Enroll HTTP-01 single domain certbot"
- run: |
- docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
- sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
- sudo openssl x509 -in certbot/live/certbot/cert.pem -ext extendedKeyUsage -noout | grep -i "TLS Web Client"
-
- - name: "Profile 101 - Revoke HTTP-01 single domain certbot"
- run: |
- docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot
-
- - name: "Profile 101 - Enroll lego"
- run: |
- docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
- sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
- sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Client"
-
- - name: "Profile 101 - Revoke HTTP-01 single domain lego"
- run: |
- docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke
+ - name: "Profile 101 - Enrollmnet"
+ uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_101_profile
- name: "Profile 102 - Setup a2c with certifier_ca_handler with Profile 102"
run: |
- sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
- sudo touch examples/Docker/data/acme_srv.cfg
- sudo chmod 777 examples/Docker/data/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
- sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
+ # sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "api_host: https://forwarder.acme:8084" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "ca_bundle: False" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
- sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
+ # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
sudo echo "profile_id: 102" >> examples/Docker/data/acme_srv.cfg
cd examples/Docker/
docker-compose restart
- docker-compose logs
env:
NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
NCM_API_USER: ${{ secrets.NCM_API_USER }}
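Review bot: `NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}` is still exported into the step environment (context line at the top of this hunk) although its only consumer, `sudo echo "ca_bundle: $NCM_CA_BUNDLE"`, is now commented out; an unused secret in a step's env is visible to every process the step spawns for no benefit, so drop that env entry, and the same applies to `NCM_API_HOST`, whose only use is likewise commented out. The three per-profile setup steps now differ by a single `profile_id` line yet repeat the same ten shell lines, including the `ca_bundle: False` decision; since this commit already introduces composite actions, a small `certifier_ca_handler/setup` action taking `PROFILE_ID` as input would keep that decision in one place. The step name `"Profile 101 - Enrollmnet"` should read `"Profile 101 - Enrollment"`.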
@@ -206,73 +112,23 @@ jobs: NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }} NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }} - - name: "Profile 102 - Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "Profile 102 - Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Profile 102 - Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "Profile 102 - Enroll acme.sh" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "Profile 102 - Revoke via acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - - - name: "Profile 102 - Register certbot" - run: | - sudo rm -rf certbot/* - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "Profile 102 - Enroll HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem - sudo openssl x509 -in 
certbot/live/certbot/cert.pem -ext extendedKeyUsage -noout | grep -i "TLS Web Server" - - - name: "Profile 102 - Revoke HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot - - - name: "Profile 102 - Enroll lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Server" - - - name: "Profile 102 - Revoke HTTP-01 single domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke + - name: "Profile 102 - Enrollmnet" + uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_102_profile - name: "Header-info - Setup a2c with certifier_ca_handler with header-info" run: | - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "api_host: $NCM_API_HOST" >> 
examples/Docker/data/acme_srv.cfg + # sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_host: https://forwarder.acme:8084" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_bundle: False" >> examples/Docker/data/acme_srv.cfg sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg + # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg cd examples/Docker/ docker-compose restart - docker-compose logs env: NCM_API_HOST: ${{ secrets.NCM_API_HOST }} NCM_API_USER: ${{ secrets.NCM_API_USER }} 
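Review bot: The added `sudo echo "ca_bundle: False"` together with the new `api_host: https://forwarder.acme:8084` means the handler now sends `api_user`/`api_password` to the forwarder over a TLS session whose server certificate is presumably no longer validated (the former `ca_bundle: $NCM_CA_BUNDLE` line is commented out); that is defensible on an isolated CI network, but it should be stated in the step, e.g. `# TLS verification toward forwarder.acme is disabled on purpose (test network only)`. The commented-out `# sudo echo "api_host: $NCM_API_HOST"` and `# sudo echo "ca_bundle: $NCM_CA_BUNDLE"` lines should be deleted rather than kept, and `NCM_API_HOST`/`NCM_CA_BUNDLE` are still injected from secrets into the step `env:` although nothing in the step reads them any more. The same pattern recurs in the Header-info, EAB-without-headerinfo and EAB-with-headerinfo setup steps in the following hunks. The new step name `"Profile 102 - Enrollmnet"` (and `"Header-info - Enrollmnet"` in the next hunk) misspells Enrollment, which the later hunks spell correctly.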
@@ -280,62 +136,20 @@ jobs: NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }} NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }} - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "Header-info - Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Header-info - Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "Header-info - 01 - Enroll acme.sh with profile_id 101" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --useragent profile_id=101 -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Client" - - - name: "Header-info - 01 - Enroll lego with profile_id 101" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent profile_id=101 -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Client" - - - name: "Header-info - 02 - Enroll acme.sh with profile_id 102" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --useragent 
profile_id=102 -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server" - - - name: "Header-info - 02 - Enroll lego with profile_id 102" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent profile_id=102 -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Server" + - name: "Header-info - Enrollmnet" + uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_headerinfo - name: "EAB without headerinfo - Setup a2c with certifier_ca_handler" run: | - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg + # sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_host: https://forwarder.acme:8084" >> examples/Docker/data/acme_srv.cfg + sudo echo 
"ca_bundle: False" >> examples/Docker/data/acme_srv.cfg sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg + # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg sudo echo "profile_id: 100" >> examples/Docker/data/acme_srv.cfg sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg sudo echo -e "\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg @@ -354,7 +168,6 @@ jobs: cd examples/Docker/ docker-compose restart - docker-compose logs env: NCM_API_HOST: ${{ secrets.NCM_API_HOST }} NCM_API_USER: ${{ secrets.NCM_API_USER }} 
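Review bot: The `Sleep for 10s` step and the two `curl` probes of `http(s)://acme-srv/directory` are dropped together with the per-client steps, so the first request issued by `enroll_headerinfo` follows `docker-compose restart` with no readiness check unless the composite action performs one itself, which is not visible here; if it does not, the enrollment can race the container restart. A one-line comment above the `uses:` line, e.g. `# enroll_headerinfo waits for acme-srv and probes /directory before enrolling`, would record that contract where the wait used to be. The same applies to the other `uses: ./.github/actions/wf_specific/...` replacements in this diff.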
@@ -362,137 +175,22 @@ jobs: NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }} NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }} - - name: "EAB without headerinfo - Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "EAB without headerinfo - Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "EAB without headerinfo - Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "EAB without headerinfo - Enroll acme.sh without profile_id" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server Authentication" - - - name: "EAB without headerinfo - Enroll lego without profile_id" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac 
V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Server Authentication" - - - name: "EAB without headerinfo - 02 - Enroll acme with a template_name taken from header_info NOT included in kid.json (to be ignored)" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_id=unknown -d acme-sh.acme --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server Authentication" - - - name: "EAB without headerinfo - 02 - Enroll lego with a template_name taken from header_info NOT included in kid.json (to be ignored)" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac 
V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_id=unknown -d lego.acme --http run - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_id=101 -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Server Authentication" - - - name: "EAB without headerinfo - 03 - Enroll acme with a template_name/ca_name taken from kid.json" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_01 --eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Server Authentication" - - - name: "EAB without headerinfo - 03 - Enroll lego with a template_name/ca_name taken from kid.json" 
- run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -d lego.acme --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Server Authentication" - - - name: "EAB without headerinfo - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)" - id: acmefail021 - continue-on-error: true - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - - - name: "EAB without headerinfo - 04 - check result " - if: steps.acmefail021.outcome != 'failure' - run: | - echo "acmefail outcome is ${{steps.acmefail021.outcome }}" - exit 1 - - - name: "EAB without headerinfo - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)" - id: legofail021 - continue-on-error: true - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac 
dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.acme --http run - - - name: "EAB without headerinfo - 04a - check result " - if: steps.legofail021.outcome != 'failure' - run: | - echo "legofail outcome is ${{steps.legofail021.outcome }}" - exit 1 - - - name: "EAB without headerinfo - 05 - Enroll acme with default values from acme.cfg" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "Code Signing" - - - name: "EAB without headerinfo - 05 - Enroll lego with default values from acme.cfg" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -d lego.acme --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl 
x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "Code Signing" + - name: "EAB without headerinfo - Enrollment" + uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_eab_wo_headerinfo - name: "EAB with headerinfo - Setup a2c with certifier_ca_handler" run: | - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + sudo touch examples/Docker/data/acme_srv.cfg sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg + # sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_host: https://forwarder.acme:8084" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_bundle: False" >> examples/Docker/data/acme_srv.cfg sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg + # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg sudo echo "profile_id: 100" >> examples/Docker/data/acme_srv.cfg sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg 
sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg @@ -509,10 +207,8 @@ jobs: sudo sed -i "s/example.net/acme/g" examples/Docker/data/kid_profiles.json sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json - cd examples/Docker/ docker-compose restart - docker-compose logs env: NCM_API_HOST: ${{ secrets.NCM_API_HOST }} NCM_API_USER: ${{ secrets.NCM_API_USER }} 
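Review bot: The added `sudo touch examples/Docker/data/acme_srv.cfg` creates the file root-owned, which is what forces the following `sudo chmod 777`: the `sudo echo ... >> file` lines redirect as the unprivileged runner user because `sudo` applies to `echo` only, and the result is a world-writable file that then receives `api_password`. Appending through `sudo tee -a examples/Docker/data/acme_srv.cfg` (or `sudo sh -c '... >> file'`) would let the file keep a mode without the other-write bit, such as 0644; the other setup steps in this diff use the same `sudo echo` pattern. Separately, this step's tail in the next hunk removes `cd examples/Docker/` but keeps `docker-compose restart`, and every path earlier in the step is relative to the repository root, so the restart would run from the wrong directory unless a compose file exists there; the other setup steps keep their `cd`.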
@@ -520,175 +216,40 @@ jobs: NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }} NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }} - - name: "EAB with headerinfo - Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "EAB with headerinfo - Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "EAB with headerinfo - Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "EAB with headerinfo - 01 - Enroll acme.sh without profile_id" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server Authentication" - - - name: "EAB with headerinfo - 01 - Enroll lego without profile_id" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac 
V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Server Authentication" - - - name: "EAB with headerinfo - 02a - Enroll acme with a template_name taken from header_info NOT included in kid.json (to fail)" - id: acmefail01 - continue-on-error: true - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_id=unknown -d acme-sh.acme --standalone --debug 3 --output-insecure - - - name: "EAB with headerinfo - 02a - check result " - if: steps.acmefail01.outcome != 'failure' - run: | - echo "acmefail outcome is ${{steps.acmefail01.outcome }}" - exit 1 - - - name: "EAB with headerinfo - 02b - Enroll acme with a template_name taken from header_info included in kid.json" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 - docker run --rm -i -v 
"$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_id=101 -d acme-sh.acme --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Client Authentication" - - - name: "EAB with headerinfo - 02a - Enroll lego with a template_name taken from header_info NOT included in kid.json (to fail)" - id: legofail01 - continue-on-error: true - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_id=unknown -d lego.acme --http run - - - name: "EAB with headerinfo - 02a - check result " - if: steps.legofail01.outcome != 'failure' - run: | - echo "legofail outcome is ${{steps.legofail01.outcome }}" - exit 1 - - - name: "EAB with headerinfo - 02b - Enroll lego with a template_name taken from header_info included in kid.json" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_id=101 -d lego.acme --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout - sudo 
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Client Authentication" - - - name: "EAB with headerinfo - 03 - Enroll acme with a template_name/ca_name taken from kid.json" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_01 --eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Server Authentication" + - name: "EAB with headerinfo - Enrollment" + uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_eab_w_headerinfo - - name: "EAB with headerinfo - 03 - Enroll lego with a template_name/ca_name taken from kid.json" + - name: "EAB with headerinfo - Reconfigure key_file without restarting" run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -d lego.acme --http run - sudo openssl x509 -in 
lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Server Authentication" + sudo sed -i "s/\"allowed_domainlist\": \[\"www.example.com\", \"www.example.org\"\]/\"allowed_domainlist\": \[\"www.example.com\", \"www.example.org\", \"*.acme\"\]/g" examples/Docker/data/kid_profiles.json + sudo sed -i '26,27d' examples/Docker/data/kid_profiles.json + sudo sed -i "s/ \"hmac\": \"YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr\"/ \"hmac\": \"YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr\"\n },\n \"keyid_04\": {\n \"hmac\": \"YW5kX2hlcmVfaXNfYW5vdGhlcl92ZXJ5X2xvbmdfbWFja19obWFjX2tleV90b19jaGVja19pZl9jaGFuZ2VzX2FmZmVjdF9pbW1lZGF0ZWx5\",\n \"cahandler\": {}\n }\n}/g" examples/Docker/data/kid_profiles.json - - name: "EAB with headerinfo - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)" - id: acmefail02 - continue-on-error: true - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - - - name: "EAB with headerinfo - 04 - check result " - if: steps.acmefail02.outcome != 'failure' - run: | - echo "acmefail outcome is 
${{steps.acmefail02.outcome }}" - exit 1 - - - name: "EAB with headerinfo - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)" - id: legofail02 - continue-on-error: true - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.acme --http run - - - name: "EAB with headerinfo - 04a - check result " - if: steps.legofail02.outcome != 'failure' - run: | - echo "legofail outcome is ${{steps.legofail02.outcome }}" - exit 1 - - - name: "EAB with headerinfo - 05 - Enroll acme with default values from acme.cfg" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "Code Signing" - - - name: "EAB with headerinfo - 05 - Enroll lego with default values from acme.cfg" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_03 --hmac 
YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -d lego.acme --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "Code Signing" - - - name: "EAB with headerinfo - 06 - Enroll acme with not allowed headerinfo-field (should fail)" - id: acmefail03 - continue-on-error: true - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_id=101 -d acme-sh.acme --standalone --debug 3 --output-insecure + - name: "EAB with headerinfo - Enrollment after reconfiguration" + uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_eab_w_headerinfo + with: + RECONFIGURE: true - - name: "EAB with headerinfo - 06 - check result " - if: steps.acmefail03.outcome != 'failure' + - name: "kid-file in yaml format - Reconfiguration" run: | - echo "acmefail outcome is ${{steps.acmefail03.outcome }}" - exit 1 + sudo sed -i "s/kid_profiles.json/kid_profiles.yml/g" examples/Docker/data/acme_srv.cfg + sudo pip3 install yq + sudo pip3 install jq + sudo sh -c "cat examples/Docker/data/kid_profiles.json | yq -y '.' 
> examples/Docker/data/kid_profiles.yml" + sudo rm examples/Docker/data/kid_profiles.json + sudo sed -i '33,34d' examples/Docker/data/kid_profiles.yml + # sudo cat examples/Docker/data/kid_profiles.yml - - name: "EAB with headerinfo - 06 - Enroll lego with not allowed headerinfo-field (should fail)" - id: legofail03 - continue-on-error: true - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --user-agent profile_id=101 -d lego.acme --http run + - name: "kid-file in yaml format - Enrollment after reconfiguration" + uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_eab_w_headerinfo + with: + RECONFIGURE: true - - name: "EAB with headerinfo - 06 - check result " - if: steps.legofail03.outcome != 'failure' - run: | - echo "legofail outcome is ${{steps.legofail03.outcome }}" - exit 1 + - name: "Check container configuration" + uses: ./.github/actions/container_check + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - name: "[ * ] collecting test logs" if: ${{ failure() }} 
@@ -712,53 +273,34 @@ jobs: certifier_handler_tests_rpm: name: "certifier_handler_tests_rpm" runs-on: ubuntu-latest + # needs: certifier_handler_tests strategy: fail-fast: false + # max-parallel: 1 matrix: rhversion: [8, 9] steps: - name: "checkout GIT" uses: actions/checkout@v4 - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: update version number in spec file - run: | - # sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - cat examples/install_scripts/rpm/acme2certifier.spec - - - name: build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" - - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" - - - name: "Setup environment for alma installation" - run: | - docker network create acme - sudo mkdir -p data - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data - - - name: "Create letsencrypt and lego folder" - run: | - mkdir certbot - mkdir lego - - - name: "Retrieve rpms from SBOM repo" - run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data - env: GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} + + - name: "Setup tunnel" + uses: ./.github/actions/wf_specific/certifier_ca_handler/tunnel_setup + with: + WCCE_SSH_USER: ${{ 
secrets.WCCE_SSH_USER }} + WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }} + WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }} + NCM_API_HOST: ${{ secrets.NCM_API_HOST }} + WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} + WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} + NCM_API_USER: ${{ secrets.NCM_API_USER }} + NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }} - name: "No profile - Setup a2c with certifier_ca_handler" run: | @@ -768,11 +310,13 @@ jobs: sudo chmod 777 data/acme_srv.cfg sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg - sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg + # sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg + sudo echo "api_host: https://forwarder.acme:8084" >> data/acme_srv.cfg + sudo echo "ca_bundle: False" >> data/acme_srv.cfg sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg - sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg + # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg env: NCM_API_HOST: ${{ secrets.NCM_API_HOST }} NCM_API_USER: ${{ secrets.NCM_API_USER }} 
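Review bot: The commented-out `# needs: certifier_handler_tests` and `# max-parallel: 1` lines under the job header leave it unclear whether this job is meant to wait for the container tests or deliberately runs in isolation; either delete them or replace both with a single comment stating the reason, e.g. `# runs independently of certifier_handler_tests: <reason>`. The `GH_SBOM_USER`/`GH_SBOM_TOKEN` secrets are now handed to `./.github/actions/rpm_prep` as `with:` inputs in place of the inline clone that embedded the token in the remote URL; that action is not in this diff, so please confirm it does not persist the token in the clone's remote configuration (e.g. by using a credential helper or removing `/tmp/sbom` after copying the RPMs), since the token ends up on disk otherwise.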
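Review bot: `sudo echo "ca_bundle: False" >> data/acme_srv.cfg` turns off certificate verification for the handler's HTTPS connection to `https://forwarder.acme:8084`, the same connection that carries `api_user` and `api_password`, and nothing in the hunk records that this is a test-only choice. Add a comment above it, e.g. `# CI only: forwarder.acme presents an untrusted cert; production configs must keep ca_bundle pointing at a CA file`, or better mount the forwarder's CA into `data/` and set `ca_bundle` to that path. With the two `echo` lines commented out, `NCM_API_HOST` and `NCM_CA_BUNDLE` in the step's `env:` are now unused and can be dropped. The same pattern is repeated in the Profile 101, Profile 102, Header-info, EAB-without-headerinfo and EAB-with-headerinfo setup steps in the following hunks.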
@@ -780,70 +324,24 @@ jobs: NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }} NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }} - - name: "Prepare Almalinux instance" - run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - name: "Execute install scipt" run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh - - name: "Profile 101 - Sleep for 5s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 5s - - - name: "No profile - Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "No profile - Enroll acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "No profile - Revoke via acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - - - name: "No profile - Register certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "No profile - Enroll HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v 
$PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem - - - name: "No profile - Revoke HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot - - - name: "No profile - Enroll lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - - - name: "No profile - Revoke HTTP-01 single domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke + - name: "No profile - Enrollmnet" + uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_no_profile - name: "Profile 101 - Setup a2c with certifier_ca_handler with profile 101" run: | - mkdir -p data/acme_ca - sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem - sudo touch data/acme_srv.cfg - sudo chmod 777 data/acme_srv.cfg sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg - sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg + # sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg + sudo echo "api_host: https://forwarder.acme:8084" >> data/acme_srv.cfg + sudo echo "ca_bundle: False" >> data/acme_srv.cfg sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg - sudo 
echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg + # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg sudo echo "profile_id: 101" >> data/acme_srv.cfg env: NCM_API_HOST: ${{ secrets.NCM_API_HOST }} 
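Review bot: The new step `- name: "No profile - Enrollmnet"` misspells Enrollment; the same typo appears in the `Profile 101`, `Profile 102` and `Header-info` enrollment steps in the next three hunks, while the later `EAB without headerinfo - Enrollment` step spells it correctly. Change each to `- name: "<prefix> - Enrollment"`. The Profile 101 setup also drops `mkdir -p data/acme_ca` and the `cp test/ca/certsrv_ca_certs.pem` line, so it now relies on the earlier "No profile" setup in the same job having created them; a one-line comment such as `# data/acme_ca was populated by the "No profile" setup step` would make that dependency visible.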
@@ -857,63 +355,20 @@ jobs: run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart - - name: "Profile 101 - Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "Profile 101 - Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Profile 101 - Enroll acme.sh" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "Profile 101 - Revoke via acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - - - name: "Profile 101 - Register certbot" - run: | - sudo rm -rf certbot/* - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "Profile 101 - Enroll HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem - sudo openssl x509 -in certbot/live/certbot/cert.pem -ext extendedKeyUsage -noout | grep -i "TLS Web Client" - - - name: "Profile 101 - Revoke HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot 
--network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot - - - name: "Profile 101 - Enroll lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Client" - - - name: "Profile 101 - Revoke HTTP-01 single domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke + - name: "Profile 101 - Enrollmnet" + uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_101_profile - name: "Profile 102 - Setup a2c with certifier_ca_handler with profile 101" run: | - mkdir -p data/acme_ca - sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem - sudo touch data/acme_srv.cfg - sudo chmod 777 data/acme_srv.cfg sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg - sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg + # sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg + sudo echo "api_host: https://forwarder.acme:8084" >> data/acme_srv.cfg + sudo echo "ca_bundle: False" >> data/acme_srv.cfg sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg - sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg + # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg sudo echo "profile_id: 102" >> data/acme_srv.cfg env: NCM_API_HOST: ${{ secrets.NCM_API_HOST }} 
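Review bot: The step title `"Profile 102 - Setup a2c with certifier_ca_handler with profile 101"` contradicts the `profile_id: 102` the step writes; it is a context line the commit leaves untouched, but the step body was edited here, so fix it at the same time: `- name: "Profile 102 - Setup a2c with certifier_ca_handler with profile 102"`.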
@@ -927,63 +382,20 @@ jobs: run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart - - name: "Profile 102 - Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "Profile 102 - Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Profile 102 - Enroll acme.sh" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "Profile 102 - Revoke via acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - - - name: "Profile 102 - Register certbot" - run: | - sudo rm -rf certbot/* - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "Profile 102 - Enroll HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem - sudo openssl x509 -in certbot/live/certbot/cert.pem -ext extendedKeyUsage -noout | grep -i "TLS Web Server" - - - name: "Profile 102 - Revoke HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot 
--network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot - - - name: "Profile 102 - Enroll lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Server" - - - name: "Profile 102 - Revoke HTTP-01 single domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke + - name: "Profile 102 - Enrollmnet" + uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_102_profile - name: "Header-info - Setup a2c with certifier_ca_handler" run: | - mkdir -p data/acme_ca - sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem - sudo touch data/acme_srv.cfg - sudo chmod 777 data/acme_srv.cfg sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg - sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg + # sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg + sudo echo "api_host: https://forwarder.acme:8084" >> data/acme_srv.cfg + sudo echo "ca_bundle: False" >> data/acme_srv.cfg sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg - sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg + # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg env: 
NCM_API_HOST: ${{ secrets.NCM_API_HOST }} 
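Review bot: The `sudo sed -i "s/tnauthlist_support: False/...header_info_list: [\"HTTP_USER_AGENT\"]/g"` line only works if the generated `data/acme_srv.cfg` contains exactly `tnauthlist_support: False`; if that marker is absent sed exits 0 without inserting `header_info_list`, and the header-info enrollment that follows fails for a reason unrelated to the change. Guard it before the sed, e.g. `grep -q "tnauthlist_support: False" data/acme_srv.cfg || { echo "tnauthlist_support marker missing"; exit 1; }`, or simply append the key with `echo` like the other settings. The same sed appears in the EAB-with-headerinfo setup in the last hunk.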
@@ -997,53 +409,20 @@ jobs: run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart - - name: "Header-info - Sleep for 5s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 5s - - - name: "Header-info - 01 - Enroll acme.sh with profile_id 101" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --useragent profile_id=101 -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Client" - - - name: "Header-info - 01 - Enroll lego with profile_id 101" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent profile_id=101 -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Client" - - - name: "Header-info - 02 - Enroll acme.sh with profile_id 102" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --useragent profile_id=102 -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server" - - - name: "Header-info - 02 - Enroll lego with 
profile_id 102" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent profile_id=102 -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Server" + - name: "Header-info - Enrollmnet" + uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_headerinfo - name: "EAB without headerinfo - Setup a2c with certifier_ca_handler" run: | - mkdir -p data/acme_ca - sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem - sudo touch data/acme_srv.cfg - sudo chmod 777 data/acme_srv.cfg sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg - sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg + # sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg + sudo echo "api_host: https://forwarder.acme:8084" >> data/acme_srv.cfg + sudo echo "ca_bundle: False" >> data/acme_srv.cfg sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg - sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg + # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg sudo echo "profile_id: 100" >> data/acme_srv.cfg sudo echo "eab_profiling: True" >> data/acme_srv.cfg sudo echo -e "\n\n[EABhandler]" >> data/acme_srv.cfg 
@@ -1071,128 +450,20 @@ jobs: run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart - - name: "EAB without headerinfo - Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "EAB without headerinfo - Enroll acme.sh without profile_id" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server Authentication" - - - name: "EAB without headerinfo - Enroll lego without profile_id" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Server 
Authentication" - - - name: "EAB without headerinfo - 02 - Enroll acme with a template_name taken from header_info NOT included in kid.json (to be ignored)" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_id=unknown -d acme-sh.acme --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server Authentication" - - - name: "EAB without headerinfo - 02 - Enroll lego with a template_name taken from header_info NOT included in kid.json (to be ignored)" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_id=unknown -d lego.acme --http run - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac 
V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_id=101 -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Server Authentication" - - - name: "EAB without headerinfo - 03 - Enroll acme with a template_name/ca_name taken from kid.json" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_01 --eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Server Authentication" - - - name: "EAB without headerinfo - 03 - Enroll lego with a template_name/ca_name taken from kid.json" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -d lego.acme --http run - sudo openssl x509 -in 
lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Server Authentication" - - - name: "EAB without headerinfo - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)" - id: acmefail021 - continue-on-error: true - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - - - name: "EAB without headerinfo - 04 - check result " - if: steps.acmefail021.outcome != 'failure' - run: | - echo "acmefail outcome is ${{steps.acmefail021.outcome }}" - exit 1 - - - name: "EAB without headerinfo - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)" - id: legofail021 - continue-on-error: true - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.acme --http run - - - name: "EAB without headerinfo - 04a - check result " - if: steps.legofail021.outcome != 'failure' - run: | - echo "legofail outcome is ${{steps.legofail021.outcome }}" - exit 1 - - - name: "EAB without headerinfo - 05 - Enroll acme with default values 
from acme.cfg" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "Code Signing" - - - name: "EAB without headerinfo - 05 - Enroll lego with default values from acme.cfg" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -d lego.acme --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "Code Signing" + - name: "EAB without headerinfo - Enrollment" + uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_eab_wo_headerinfo - name: "EAB with headerinfo - Setup a2c with certifier_ca_handler" run: | - 
mkdir -p data/acme_ca - sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem - sudo touch data/acme_srv.cfg - sudo chmod 777 data/acme_srv.cfg sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg - sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg + # sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg + sudo echo "api_host: https://forwarder.acme:8084" >> data/acme_srv.cfg + sudo echo "ca_bundle: False" >> data/acme_srv.cfg sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg - sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg + # sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg sudo echo "profile_id: 100" >> data/acme_srv.cfg sudo echo "eab_profiling: True" >> data/acme_srv.cfg sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg 
@@ -1221,169 +492,41 @@ jobs: run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart - - name: "EAB with headerinfo - Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "EAB with headerinfo - 01 - Enroll acme.sh without profile_id" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server Authentication" - - - name: "EAB with headerinfo - 01 - Enroll lego without profile_id" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Server 
Authentication" - - - name: "EAB with headerinfo - 02a - Enroll acme with a template_name taken from header_info NOT included in kid.json (to fail)" - id: acmefail01 - continue-on-error: true - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_id=unknown -d acme-sh.acme --standalone --debug 3 --output-insecure - - - name: "EAB with headerinfo - 02a - check result " - if: steps.acmefail01.outcome != 'failure' - run: | - echo "acmefail outcome is ${{steps.acmefail01.outcome }}" - exit 1 - - - name: "EAB with headerinfo - 02b - Enroll acme with a template_name taken from header_info included in kid.json" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_id=101 -d acme-sh.acme --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer 
-text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Client Authentication" - - - name: "EAB with headerinfo - 02a - Enroll lego with a template_name taken from header_info NOT included in kid.json (to fail)" - id: legofail01 - continue-on-error: true - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_id=unknown -d lego.acme --http run - - - name: "EAB with headerinfo - 02a - check result " - if: steps.legofail01.outcome != 'failure' - run: | - echo "legofail outcome is ${{steps.legofail01.outcome }}" - exit 1 + - name: "EAB with headerinfo - Enrollment" + uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_eab_w_headerinfo - - name: "EAB with headerinfo - 02b - Enroll lego with a template_name taken from header_info included in kid.json" + - name: "EAB with headerinfo - Reconfigure key_file without restarting" run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_id=101 -d lego.acme --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web 
Client Authentication" + sudo sed -i "s/\"allowed_domainlist\": \[\"www.example.com\", \"www.example.org\"\]/\"allowed_domainlist\": \[\"www.example.com\", \"www.example.org\", \"*.acme\"\]/g" data/acme_ca/kid_profiles.json + sudo sed -i '26,27d' data/acme_ca/kid_profiles.json + sudo sed -i "s/ \"hmac\": \"YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr\"/ \"hmac\": \"YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr\"\n },\n \"keyid_04\": {\n \"hmac\": \"YW5kX2hlcmVfaXNfYW5vdGhlcl92ZXJ5X2xvbmdfbWFja19obWFjX2tleV90b19jaGVja19pZl9jaGFuZ2VzX2FmZmVjdF9pbW1lZGF0ZWx5\",\n \"cahandler\": {}\n }\n}/g" data/acme_ca/kid_profiles.json - - name: "EAB with headerinfo - 03 - Enroll acme with a template_name/ca_name taken from kid.json" + - name: "Update configuration" run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_01 --eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Server Authentication" + docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh update - - name: "EAB with headerinfo - 03 - Enroll lego with a template_name/ca_name taken from kid.json" - 
run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -d lego.acme --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Server Authentication" - - - name: "EAB with headerinfo - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)" - id: acmefail02 - continue-on-error: true - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - - - name: "EAB with headerinfo - 04 - check result " - if: steps.acmefail02.outcome != 'failure' - run: | - echo "acmefail outcome is ${{steps.acmefail02.outcome }}" - exit 1 - - - name: "EAB with headerinfo - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)" - id: legofail02 - continue-on-error: true - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac 
dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.acme --http run - - - name: "EAB with headerinfo - 04a - check result " - if: steps.legofail02.outcome != 'failure' - run: | - echo "legofail outcome is ${{steps.legofail02.outcome }}" - exit 1 - - - name: "EAB with headerinfo - 05 - Enroll acme with default values from acme.cfg" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "Code Signing" - - - name: "EAB with headerinfo - 05 - Enroll lego with default values from acme.cfg" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -d lego.acme --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in 
lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "Code Signing" - - - name: "EAB with headerinfo - 06 - Enroll acme with not allowed headerinfo-field (should fail)" - id: acmefail03 - continue-on-error: true - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_id=101 -d acme-sh.acme --standalone --debug 3 --output-insecure + - name: "EAB with headerinfo - Enrollment after reconfiguration" + uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_eab_w_headerinfo + with: + RECONFIGURE: true - - name: "EAB with headerinfo - 06 - check result " - if: steps.acmefail03.outcome != 'failure' + - name: "kid-file in yaml format - Reconfiguration" run: | - echo "acmefail outcome is ${{steps.acmefail03.outcome }}" - exit 1 + sudo sed -i "s/kid_profiles.json/kid_profiles.yml/g" data/acme_srv.cfg + sudo pip3 install yq + sudo pip3 install jq + sudo sh -c "cat data/acme_ca/kid_profiles.json | yq -y '.' 
> data/acme_ca/kid_profiles.yml" + sudo rm data/acme_ca/kid_profiles.json + sudo sed -i '33,34d' data/acme_ca/kid_profiles.yml - - name: "EAB with headerinfo - 06 - Enroll lego with not allowed headerinfo-field (should fail)" - id: legofail03 - continue-on-error: true + - name: "kid-file in yaml format - update a2c " run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --user-agent profile_id=101 -d lego.acme --http run + docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart - - name: "EAB with headerinfo - 06 - check result " - if: steps.legofail03.outcome != 'failure' - run: | - echo "legofail outcome is ${{steps.legofail03.outcome }}" - exit 1 + - name: "kid-file in yaml format - Enrollment after reconfiguration" + uses: ./.github/actions/wf_specific/certifier_ca_handler/enroll_eab_w_headerinfo + with: + RECONFIGURE: true - name: "[ * ] collecting test logs" if: ${{ failure() }} diff --git a/.github/workflows/ca_handler_tests_cmp.yml b/.github/workflows/ca_handler_tests_cmp.yml index 1d5bd1a8..39381416 100644 --- a/.github/workflows/ca_handler_tests_cmp.yml +++ b/.github/workflows/ca_handler_tests_cmp.yml @@ -22,12 +22,6 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: "create folders" - run: | - mkdir lego - mkdir acme-sh - mkdir certbot - - name: "Get runner ip" run: | echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV 
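Review bot: The new "kid-file in yaml format - Reconfiguration" step removes fixed line numbers from a file it has just generated (`sudo sed -i '33,34d' data/acme_ca/kid_profiles.yml` after `yq -y '.'`), and the preceding "Reconfigure key_file" step does the same on the JSON with `sudo sed -i '26,27d'`; any edit to examples/eab_handler/kid_profiles.json or a change in yq's key ordering silently deletes a different entry and the later enrollment then passes or fails for the wrong reason. A comment naming the entry each deletion is meant to drop, e.g. `# remove the <entry> block; line numbers depend on kid_profiles.json layout and yq output order`, makes the dependency visible, and selecting the key with yq itself would remove it. `sudo pip3 install yq` and `sudo pip3 install jq` also pull unpinned packages from PyPI into the runner at test time; pin the versions so a changed or tampered release cannot alter what this job exercises. If the pip `jq` package is meant to supply the jq executable that yq shells out to, confirm that is what it installs — the ubuntu runners already ship a jq CLI.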
@@ -35,20 +29,11 @@ jobs: - run: echo "runner IP is ${{ env.RUNNER_IP }}" - - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})" - working-directory: examples/Docker/ - run: | - sudo apt-get install -y docker-compose - sudo mkdir -p data - sed -i "s/wsgi/$DB_HANDLER/g" .env - sed -i "s/apache2/$WEB_SRV/g" .env - cat .env - docker network create acme - docker-compose up -d - docker-compose logs - env: - WEB_SRV: ${{ matrix.websrv }} + - name: "Build container" + uses: ./.github/actions/container_prep + with: DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - name: "Create ssh environment on ramdisk" run: | @@ -72,10 +57,6 @@ jobs: - name: "Setup a2c with cmp_ca_handler with key-cert authentication" run: | - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py sudo touch examples/Docker/data/ca_bundle.pem sudo touch examples/Docker/data/ra_cert.pem sudo touch examples/Docker/data/ra_key.pem @@ -99,7 +80,6 @@ jobs: sudo echo "cmp_recipient: $CMP_RECIPIENT" >> examples/Docker/data/acme_srv.cfg cd examples/Docker/ docker-compose restart - docker-compose logs env: RUNNER_IP: ${{ env.RUNNER_IP }} CMP_RECIPIENT: ${{ secrets.CMP_RECIPIENT }} 
@@ -123,13 +103,10 @@ jobs: docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + sudo rm -rf acme-sh/* - name: "Setup a2c with cmp_ca_handler with PSK refnum authentication" run: | - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py sudo touch examples/Docker/data/ca_bundle.pem sudo touch examples/Docker/data/ra_cert.pem sudo chmod 777 examples/Docker/data/*.pem @@ -152,7 +129,6 @@ jobs: sudo echo "cmp_secret: $CMP_SECRET" >> examples/Docker/data/acme_srv.cfg cd examples/Docker/ docker-compose restart - docker-compose logs env: RUNNER_IP: ${{ env.RUNNER_IP }} CMP_RECIPIENT: ${{ secrets.CMP_RECIPIENT }} @@ -166,6 +142,11 @@ jobs: with: time: 10s + - name: "Sleep for 10s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 10s + - name: "Test http://acme-srv/directory is accessible" run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory 
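Review bot: The added "Sleep for 10s" step in the hunk at `@@ -166,6 +142,11 @@` immediately follows a step whose context lines already end in `with: time: 10s`, so the job now pauses twice in a row before the directory check; if a longer wait was intended, raise `time:` on the existing step instead of duplicating it, otherwise drop the addition. In the hunk at `@@ -123,13 +103,10 @@`, `sudo rm -rf acme-sh/*` is appended to the end of the key-cert enrollment step, where it only runs when the preceding `openssl verify` succeeds; since it is setup for the following PSK run rather than part of the assertion, a comment such as `# reset acme.sh state before the PSK refnum run` would make that clear.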
@@ -177,6 +158,11 @@ jobs: docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + - name: "Check container configuration" + uses: ./.github/actions/container_check + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - name: "[ * ] collecting test logs" if: ${{ failure() }} 
@@ -204,32 +190,12 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: update version number in spec file - run: | - # sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - cat examples/install_scripts/rpm/acme2certifier.spec - - - name: build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" - - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" - - - name: "Setup environment for alma installation" - run: | - docker network create acme - sudo mkdir -p data - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data + GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} + GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: 9 - name: "Get runner ip" run: | @@ -238,11 +204,6 @@ jobs: - run: echo "runner IP is ${{ env.RUNNER_IP }}" - - name: "Create letsencrypt and lego folder" - run: | - mkdir certbot - mkdir lego - - name: "Create ssh environment on ramdisk" run: | sudo mkdir -p /tmp/rd 
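Review bot: The "Prepare Alma environment" step now hands `GH_SBOM_USER` and `GH_SBOM_TOKEN` secrets to `./.github/actions/rpm_prep`, whereas the inline steps it replaces only built the RPM from the spec file and used no credentials; the same change appears in the hunk at `@@ -346,32 +307,12 @@`. If rpm_prep genuinely needs the token in this job (presumably to fetch or publish an SBOM), a comment naming the reason, e.g. `# GH_SBOM_* are required by rpm_prep to <reason>`, documents why a GitHub token is exposed to a handler test job; if it does not, leave the inputs out so the token is not passed where it is not used. `RH_VERSION: 9` is written as a bare integer; quoting it as `"9"` keeps it a string under any YAML loader.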
@@ -300,21 +261,21 @@ jobs: CMP_RA_CERT: ${{ secrets.CMP_RA_CERT }} CMP_TRUSTED: ${{ secrets.CMP_TRUSTED }} - - name: "[ PREPARE ] Almalinux instance" - run: | - cat examples/Docker/almalinux-systemd/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - name: "Execute install scipt" run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + - name: "Sleep for 10s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 10s - name: "Test http://acme-srv/directory is accessible" run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + - name: "Test if https://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory + - name: "Enroll acme.sh" run: | docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force 
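Review bot: The new HTTPS reachability check runs `curl --insecure`, which disables certificate verification, so the step only proves that something answers TLS on acme-srv and not that the server presents the expected certificate; the same step is added in the hunk at `@@ -442,21 +378,21 @@`. That is probably fine for a smoke test against a self-signed test CA, but say so on the step so it is not later read as a TLS check: `# --insecure: server uses a test CA the runner does not trust; this only verifies the HTTPS listener is up`. If the test CA bundle is available in the workspace, mounting it and passing `--cacert` would turn this into a real verification.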
@@ -346,32 +307,12 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: update version number in spec file - run: | - # sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - cat examples/install_scripts/rpm/acme2certifier.spec - - - name: build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" - - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" - - - name: "Setup environment for alma installation" - run: | - docker network create acme - sudo mkdir -p data - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data + GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} + GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: 9 - name: "Get runner ip" run: | @@ -380,11 +321,6 @@ jobs: - run: echo "runner IP is ${{ env.RUNNER_IP }}" - - name: "Create letsencrypt and lego folder" - run: | - mkdir certbot - mkdir lego - - name: "Create ssh environment on ramdisk" run: | sudo mkdir -p /tmp/rd 
@@ -442,21 +378,21 @@ jobs: CMP_REF: ${{ secrets.CMP_REF }} CMP_SECRET: ${{ secrets.CMP_SECRET }} - - name: "Prepare Almalinux instance" - run: | - cat examples/Docker/almalinux-systemd/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - name: "Execute install scipt" run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + - name: "Sleep for 10s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 10s - name: "Test http://acme-srv/directory is accessible" run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + - name: "Test if https://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory + - name: "Enroll acme.sh" run: | docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force diff --git a/.github/workflows/ca_handler_tests_digicert.yml b/.github/workflows/ca_handler_tests_digicert.yml new file mode 100644 index 00000000..73d6f892 --- /dev/null +++ b/.github/workflows/ca_handler_tests_digicert.yml 
@@ -0,0 +1,289 @@ +name: CA handler Tests - Digicert CertCentral + +on: + push: + branches: [ 'devel', 'master', 'digicert', 'digicert_wf'] + pull_request: + branches: [ devel ] + schedule: + # * is a special character in YAML so you have to quote this string + - cron: '0 2 * * 6' + +jobs: + digicert_handler_tests: + name: "digicert_handler_tests" + runs-on: ubuntu-latest + strategy: + max-parallel: 1 + fail-fast: false + matrix: + websrv: ['apache2'] + dbhandler: ['wsgi', 'django'] + steps: + - name: "checkout GIT" + uses: actions/checkout@v4 + + - name: "create folders" + run: | + mkdir lego + mkdir acme-sh + mkdir certbot + + - name: "Build container" + uses: ./.github/actions/container_prep + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + NAME_SPACE: acme.dynamop.de + + - name: "Setup a2c with digicert_ca_handler" + run: | + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + sudo chmod 777 examples/Docker/data/acme_srv.cfg + sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/digicert_ca_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_key: $DIGICERT_API_KEY" >> examples/Docker/data/acme_srv.cfg + sudo echo "organization_name: $DIGICERT_ORGNAME" >> examples/Docker/data/acme_srv.cfg + sudo echo "allowed_domainlist: [\"$DIGICERT_DOMAIN\", \"bar.local$\"]" >> examples/Docker/data/acme_srv.cfg + sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + docker-compose restart + env: + DIGICERT_API_KEY: ${{ secrets.DIGICERT_API_KEY }} + DIGICERT_ORGNAME: ${{ secrets.DIGICERT_ORGNAME }} + DIGICERT_DOMAIN: ${{ secrets.DIGICERT_DOMAIN }} + + - name: "Test enrollment" + uses: 
./.github/actions/acme_clients + with: + NAME_SPACE: acme.dynamop.de + USE_CERTBOT: false + + - name: "EAB - Setup a2c with digicert_ca_handler" + run: | + mkdir -p examples/Docker/data + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + sudo chmod 777 examples/Docker/data/acme_srv.cfg + sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/digicert_ca_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_key: $DIGICERT_API_KEY" >> examples/Docker/data/acme_srv.cfg + sudo echo "organization_name: $DIGICERT_ORGNAME" >> examples/Docker/data/acme_srv.cfg + sudo echo "allowed_domainlist: [\"$DIGICERT_DOMAIN\", \"bar.local$\"]" >> examples/Docker/data/acme_srv.cfg + sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" examples/Docker/data/acme_srv.cfg + sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg + sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg + sudo echo -e "\n\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg + sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg + + sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json + sudo chmod 777 examples/eab_handler/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"cert_type\"\: \[\"ssl_basic\", \"ssl_securesite_pro\", \"ssl_securesite_flex\"\]/g" examples/Docker/data/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"cert_type\"\: 
\"ssl_securesite_pro\"/g" examples/Docker/data/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json + sudo sed -i "s/www.example.org/*.acme.dynamop.de/g" examples/Docker/data/kid_profiles.json + sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json + sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json + cd examples/Docker/ + docker-compose restart + env: + DIGICERT_API_KEY: ${{ secrets.DIGICERT_API_KEY }} + DIGICERT_ORGNAME: ${{ secrets.DIGICERT_ORGNAME }} + DIGICERT_DOMAIN: ${{ secrets.DIGICERT_DOMAIN }} + + - name: "EAB - Test enrollment" + uses: ./.github/actions/wf_specific/digicert_ca_handler/enroll_eab + + - name: "Check container configuration" + uses: ./.github/actions/container_check + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ + sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v4 + if: ${{ failure() }} + with: + name: digicert-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + digicert_ca_handler_tests_rpm: + name: "digicert_ca_handler_tests_rpm" + runs-on: ubuntu-latest + strategy: + max-parallel: 
1 + fail-fast: false + matrix: + rhversion: [8] + execscript: ['rpm_tester.sh', 'django_tester.sh'] + + steps: + - name: "checkout GIT" + uses: actions/checkout@v4 + + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep + with: + GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} + GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} + NAME_SPACE: acme.dynamop.de + + - name: "Setup a2c with digicert_ca_handler" + if: matrix.execscript == 'rpm_tester.sh' + run: | + sudo mkdir -p data/acme_ca/certs + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/acme_srv.cfg + sudo chmod 777 data/acme_srv.cfg + sudo cp test/ca/certsrv_ca_certs.pem data/ca_certs.pem + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg + sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/digicert_ca_handler.py" >> data/acme_srv.cfg + sudo echo "api_key: $DIGICERT_API_KEY" >> data/acme_srv.cfg + sudo echo "organization_name: $DIGICERT_ORGNAME" >> data/acme_srv.cfg + sudo echo "allowed_domainlist: [\"$DIGICERT_DOMAIN\", \"bar.local$\"]" >> data/acme_srv.cfg + sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" data/acme_srv.cfg + env: + DIGICERT_API_KEY: ${{ secrets.DIGICERT_API_KEY }} + DIGICERT_ORGNAME: ${{ secrets.DIGICERT_ORGNAME }} + DIGICERT_DOMAIN: ${{ secrets.DIGICERT_DOMAIN }} + + - name: "Setup a2c with digicert_ca_handler for django" + if: matrix.execscript == 'django_tester.sh' + run: | + sudo mkdir -p data/volume/acme_ca/certs + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/volume/acme_srv.cfg + sudo chmod 777 data/volume/acme_srv.cfg + sudo cp test/ca/certsrv_ca_certs.pem data/volume/ca_certs.pem + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/volume/acme_srv.cfg + sudo echo "handler_file: 
/opt/acme2certifier/examples/ca_handler/digicert_ca_handler.py" >> data/volume/acme_srv.cfg + sudo echo "api_key: $DIGICERT_API_KEY" >> data/volume/acme_srv.cfg + sudo echo "organization_name: $DIGICERT_ORGNAME" >> data/volume/acme_srv.cfg + sudo echo "allowed_domainlist: [\"$DIGICERT_DOMAIN\", \"bar.local$\"]" >> data/volume/acme_srv.cfg + sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" data/volume/acme_srv.cfg + env: + DIGICERT_API_KEY: ${{ secrets.DIGICERT_API_KEY }} + DIGICERT_ORGNAME: ${{ secrets.DIGICERT_ORGNAME }} + DIGICERT_DOMAIN: ${{ secrets.DIGICERT_DOMAIN }} + + - name: "Execute install scipt" + run: | + docker exec acme-srv sh /tmp/acme2certifier/$EXEC_SCRIPT + env: + EXEC_SCRIPT: ${{ matrix.execscript }} + + - name: "Test enrollment" + uses: ./.github/actions/acme_clients + with: + NAME_SPACE: acme.dynamop.de + USE_CERTBOT: false + + - name: "EAB - Setup a2c with digicert_ca_handler" + if: matrix.execscript == 'rpm_tester.sh' + run: | + sudo mkdir -p data/acme_ca/certs + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/acme_srv.cfg + sudo cp test/ca/certsrv_ca_certs.pem data/ca_certs.pem + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/digicert_ca_handler.py" >> data/acme_srv.cfg + sudo echo "api_key: $DIGICERT_API_KEY" >> data/acme_srv.cfg + sudo echo "organization_name: $DIGICERT_ORGNAME" >> data/acme_srv.cfg + sudo echo "allowed_domainlist: [\"$DIGICERT_DOMAIN\", \"bar.local$\"]" >> data/acme_srv.cfg + sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" data/acme_srv.cfg + sudo echo "eab_profiling: True" >> data/acme_srv.cfg + sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg + sudo echo -e "\n\n[EABhandler]" >> 
data/acme_srv.cfg + sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg + sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg + + sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json + sudo chmod 777 data/acme_ca/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"cert_type\"\: \[\"ssl_basic\", \"ssl_securesite_pro\", \"ssl_securesite_flex\"\]/g" data/acme_ca/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"cert_type\"\: \"ssl_securesite_pro\"/g" data/acme_ca/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json + sudo sed -i "s/www.example.org/*.acme.dynamop.de/g" data/acme_ca/kid_profiles.json + sudo sed -i '18,19d' data/acme_ca/kid_profiles.json + sudo sed -i '8,9d' data/acme_ca/kid_profiles.json + env: + DIGICERT_API_KEY: ${{ secrets.DIGICERT_API_KEY }} + DIGICERT_ORGNAME: ${{ secrets.DIGICERT_ORGNAME }} + DIGICERT_DOMAIN: ${{ secrets.DIGICERT_DOMAIN }} + + - name: "EAB - Setup a2c with digicert_ca_handler" + if: matrix.execscript == 'django_tester.sh' + run: | + sudo mkdir -p data/volume/acme_ca/certs + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/volume/acme_srv.cfg + sudo chmod 777 data/volume/acme_srv.cfg + sudo cp test/ca/certsrv_ca_certs.pem data/ca_certs.pem + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/volume/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/digicert_ca_handler.py" >> data/volume/acme_srv.cfg + sudo echo "api_key: $DIGICERT_API_KEY" >> data/volume/acme_srv.cfg + sudo echo "organization_name: $DIGICERT_ORGNAME" >> data/volume/acme_srv.cfg + sudo echo "allowed_domainlist: 
[\"$DIGICERT_DOMAIN\", \"bar.local$\"]" >> data/volume/acme_srv.cfg + sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" data/volume/acme_srv.cfg + sudo echo "eab_profiling: True" >> data/volume/acme_srv.cfg + sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/volume/acme_srv.cfg + sudo echo -e "\n\n[EABhandler]" >> data/volume/acme_srv.cfg + sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/volume/acme_srv.cfg + sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/volume/acme_srv.cfg + + sudo cp examples/eab_handler/kid_profiles.json data/volume/acme_ca/kid_profiles.json + sudo chmod 777 data/volume/acme_ca/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"cert_type\"\: \[\"ssl_basic\", \"ssl_securesite_pro\", \"ssl_securesite_flex\"\]/g" data/volume/acme_ca/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"cert_type\"\: \"ssl_securesite_pro\"/g" data/volume/acme_ca/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" data/volume/acme_ca/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"unknown_key\": \"unknown_value\"/g" data/volume/acme_ca/kid_profiles.json + sudo sed -i "s/www.example.org/*.acme.dynamop.de/g" data/volume/acme_ca/kid_profiles.json + sudo sed -i '18,19d' data/volume/acme_ca/kid_profiles.json + sudo sed -i '8,9d' data/volume/acme_ca/kid_profiles.json + env: + DIGICERT_API_KEY: ${{ secrets.DIGICERT_API_KEY }} + DIGICERT_ORGNAME: ${{ secrets.DIGICERT_ORGNAME }} + DIGICERT_DOMAIN: ${{ secrets.DIGICERT_DOMAIN }} + + - name: "Reconfigure a2c" + run: | + docker exec acme-srv sh /tmp/acme2certifier/$EXEC_SCRIPT restart + env: + EXEC_SCRIPT: ${{ matrix.execscript }} + + - name: "EAB - Test enrollment" + uses: 
./.github/actions/wf_specific/digicert_ca_handler/enroll_eab + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier + sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ + sudo rm ${{ github.workspace }}/artifact/data/*.rpm + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ + sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ + docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig + docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf + docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh certbot lego + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v4 + if: ${{ failure() }} + with: + name: digicert_ca_handler_tests_rpm-rh${{ matrix.rhversion }}-${{ matrix.execscript }}.tar.gz + path: ${{ github.workspace }}/artifact/upload/ diff --git a/.github/workflows/ca_handler_tests_ejbca.yml b/.github/workflows/ca_handler_tests_ejbca.yml index 182582b9..26255305 100644 --- a/.github/workflows/ca_handler_tests_ejbca.yml +++ b/.github/workflows/ca_handler_tests_ejbca.yml 
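Review bot: Both jobs write the live credential into the config (`sudo echo "api_key: $DIGICERT_API_KEY" >> .../acme_srv.cfg`, after `chmod 777`) and the failure-path "collecting test logs" steps then copy `data/` wholesale into `artifact.tar.gz` and upload it, so a failed run publishes the DigiCert API key in plaintext; GitHub's secret masking covers logs only, not artifact contents, and artifacts are downloadable by anyone with read access to the repository. Redact before packaging, in both jobs: `sudo find ${{ github.workspace }}/artifact -name acme_srv.cfg -exec sed -i 's/^api_key:.*/api_key: <redacted>/' {} +`. The RPM job additionally stores `a2c.tgz` (a tar of `/opt/acme2certifier`) into the mounted `data/` directory, which presumably contains the installed copy of the same config, so that archive needs the same treatment or an `--exclude`. Unrelated but worth noting: `sudo echo ... >> file` does not elevate the redirection, which is the only reason the `chmod 777` lines are there; writing the config with a single `sudo tee -a` would avoid leaving a world-writable credential file on the runner.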
@@ -22,113 +22,32 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: "create folders" - run: | - mkdir lego - mkdir acme-sh - mkdir certbot - - name: "Get runner ip" run: | echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV - run: echo "runner IP is ${{ env.RUNNER_IP }}" - - name: "Prepare Environment" - working-directory: examples/Docker/ - run: | - mkdir -p data/acme_ca - sudo chmod -R 777 data/acme_ca - docker network create acme - sudo sh -c "echo '$EJBCA_IP ejbca' >> /etc/hosts" - env: - EJBCA_IP: ${{ env.RUNNER_IP }} - - - name: "Instanciate ejbca server" - run: | - docker run -id --rm -p 80:8080 -p 443:8443 -e TLS_SETUP_ENABLED=true -v $(pwd)/examples/ejbca:/tmp/data -v $(pwd)/examples/Docker/data:/tmp/store --name "ejbca" -h ejbca keyfactor/ejbca-ce - - - name: "Sleep for 180s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Instanciate ejbca" + uses: ./.github/actions/wf_specific/ejbca_ca_handler/ejbca_prep with: - time: 180s - - - name: "Get randmonly generated Superadmin password for ejbca instance" - run: | - echo SAEC=$(docker logs ejbca | grep /opt/keyfactor/bin/start.sh | grep Password: | awk -F'Password: ' '{print $2}' | awk -F ' ' '{print $1}') >> $GITHUB_ENV - - - run: echo "Randmonly generated Superadmin password is ${{ env.SAEC }}" - - run: echo ${{ env.SAEC }} > examples/Docker/data/passphrase.txt - - - name: "Configure ejbca" - run: | - docker exec -i ejbca bin/ejbca.sh ca getcacert --caname ManagementCA -f /tmp/store/acme_ca/ca_bundle.pem - docker exec -i ejbca bin/ejbca.sh config protocols enable --name "REST Certificate Management" - docker exec -i ejbca bin/ejbca.sh config protocols enable --name "REST Certificate Management V2" - docker exec -i ejbca bin/ejbca.sh ca init acmeca "CN=acmeca" soft foo123 4096 RSA -v 365 --policy 2.5.29.32.0 -s SHA256WithRSA + RUNNER_IP: ${{ env.RUNNER_IP }} + WORKING_DIR: ${{ 
github.workspace }}/examples/Docker - - name: "Get CAID" - run: | - echo CAID=$(docker logs ejbca | grep "msg=CA with id" | grep "and name acmeca added" | awk -F'with id ' '{print $2}' | awk -F' and name' '{print $1}') >> $GITHUB_ENV - - - run: echo "CAID of acmeca is ${{ env.CAID }}" - - - name: "Create subca" - run: | - docker exec -i ejbca bin/ejbca.sh ca init acmesubca "CN=acmesubca" soft foo123 4096 RSA -v 365 --policy 2.5.29.32.0 -s SHA256WithRSA --signedby $CAID - docker exec -i ejbca bin/ejbca.sh ca importprofiles -d /tmp/data/ - env: - CAID: ${{ env.CAID }} - - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Build container" + uses: ./.github/actions/container_prep with: - time: 10s - - - name: "Fetch superadmin certificate and key" - working-directory: examples/Docker/ - run: | - docker exec -i ejbca bin/ejbca.sh ra setendentitystatus superadmin 10 - docker exec -i ejbca bin/ejbca.sh ra setclearpwd superadmin $SAEC - docker exec -i ejbca bin/ejbca.sh batch - docker cp ejbca:/opt/keyfactor/p12/superadmin.p12 data/ - env: - SAEC: ${{ env.SAEC }} - - - name: "Test superadmin certificate and key" - working-directory: examples/Docker/ - run: | - curl https://127.0.0.1/ejbca/ejbca-rest-api/v1/certificate/status --cert-type P12 --cert data/superadmin.p12:$SAEC --insecure - curl https://ejbca/ejbca/ejbca-rest-api/v1/certificate/status --cert-type P12 --cert data/superadmin.p12:$SAEC --cacert data/acme_ca/ca_bundle.pem - env: - SAEC: ${{ env.SAEC }} - - - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})" - working-directory: examples/Docker/ - run: | - sudo apt-get install -y docker-compose - sudo mkdir -p data - sed -i "s/wsgi/$DB_HANDLER/g" .env - sed -i "s/apache2/$WEB_SRV/g" .env - cat .env - docker-compose up -d - docker-compose logs - env: - WEB_SRV: ${{ matrix.websrv }} DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - name: "Default - setup a2c with ejbca_ca_handler" run: | - sudo cp 
.github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py sudo touch examples/Docker/data/acme_srv.cfg sudo chmod 777 examples/Docker/data/acme_srv.cfg sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg sudo echo "handler_file: examples/ca_handler/ejbca_ca_handler.py" >> examples/Docker/data/acme_srv.cfg sudo echo "api_host: https://ejbca" >> examples/Docker/data/acme_srv.cfg - sudo echo "cert_file: volume/superadmin.p12" >> examples/Docker/data/acme_srv.cfg + sudo echo "cert_file: volume/acme_ca/superadmin.p12" >> examples/Docker/data/acme_srv.cfg sudo echo "cert_passphrase: $SAEC" >> examples/Docker/data/acme_srv.cfg sudo echo "ca_bundle: volume/acme_ca/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg sudo echo "ca_name: acmesubca" >> examples/Docker/data/acme_srv.cfg 
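Review bot: The setup step below still writes `cert_passphrase: $SAEC` with `SAEC: ${{ env.SAEC }}`, but after this hunk nothing visible in the workflow sets that variable, so the new `ejbca_prep` action must be exporting it via `GITHUB_ENV`; that contract should be stated at the call site, e.g. `# ejbca_prep exports SAEC (EJBCA superadmin passphrase) to GITHUB_ENV; consumed by the a2c setup steps below`. If the action still derives it from the container log the way the removed inline steps did, it should mask it first with `echo "::add-mask::$SAEC"`, because it is a working credential for the EJBCA instance and is later echoed into a config file; the action body is not in this diff, so treat this as a request to confirm. The "Default - setup a2c with ejbca_ca_handler" step continues past the end of this hunk.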
@@ -142,61 +61,15 @@ jobs: env: SAEC: ${{ env.SAEC }} - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "Default - Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Default - Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "Default - enroll via acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure --force - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "Default - revoke via acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - - - name: "Default - register certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "Default - enroll HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem - - - name: "Default - revoke HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke 
--delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot - - - name: "enroll lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - - - name: "Default - revoke HTTP-01 single domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - name: "EAB without headerinfo - setup a2c with ejbca_ca_handler" run: | - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py - sudo touch examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg sudo echo "handler_file: examples/ca_handler/ejbca_ca_handler.py" >> examples/Docker/data/acme_srv.cfg sudo echo "api_host: https://ejbca" >> examples/Docker/data/acme_srv.cfg - sudo echo "cert_file: volume/superadmin.p12" >> examples/Docker/data/acme_srv.cfg + sudo echo "cert_file: volume/acme_ca/superadmin.p12" >> examples/Docker/data/acme_srv.cfg sudo echo "cert_passphrase: $SAEC" >> examples/Docker/data/acme_srv.cfg sudo echo "ca_bundle: volume/acme_ca/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg sudo echo "ca_name: acmesubca" >> examples/Docker/data/acme_srv.cfg 
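Review bot: The new "Test enrollment" step calls `./.github/actions/acme_clients` with no `with:` block, so the namespace and the revoke/renew/verify/certbot toggles all come from the action's defaults, whereas the digicert workflow in this same diff spells out `NAME_SPACE` and `USE_CERTBOT`. The inline steps being replaced verified every issued chain with `openssl verify -CAfile cert-2.pem -untrusted cert-1.pem`; passing the inputs explicitly, `with:` / `NAME_SPACE: acme` / `VERIFY_CERT: "true"`, lets a reader see that coverage is kept rather than inferring it. If any of the action's inputs is declared required without a default, this empty call will also surface an "Input required and not supplied" warning on every run — confirm against the action definition.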
@@ -225,82 +98,15 @@ jobs: env: SAEC: ${{ env.SAEC }} - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "EAB without headerinfo - Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "EAB without headerinfo - Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "EAB without headerinfo - 01a - enrollment without header-info field (first value in list)" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmesubca - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Client" - - - name: "EAB without headerinfo - 01b - enrollment with header-info field included in list (silent ignore)" - run: | - sudo rm -rf lego/* - sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent cert_profile_name=acmeca1 -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmesubca - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Client" - 
- - name: "EAB without headerinfo - 01c - with header-info field containing value not included in list (silent ignore)" - run: | - sudo rm -rf lego/* - sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent cert_profile_name=acmeca3 -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmesubca - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Client" - - - name: "EAB without headerinfo - 02 - profilinging ca and cert_profile" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmeca - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Client" - - - name: "EAB without headerinfo - 03 - domainlist validation fails (to fail)" - id: legofail01 - continue-on-error: true - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --http run - - - name: EAB without headerinfo - 03 - check result " - if: steps.legofail01.outcome != 'failure' - run: | - echo "legofail outcome 
is ${{steps.legofail01.outcome }}" - exit 1 - - - name: "EAB without headerinfo - 04 - Settings from acme_srv.cfg" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmesubca - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Server" + - name: "EAB without headerinfo - enrollment" + uses: ./.github/actions/wf_specific/ejbca_ca_handler/enroll_eab_wo_headerinfo - name: "EAB with headerinfo - setup a2c with ejbca_ca_handler" run: | - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py - sudo touch examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg sudo echo "handler_file: examples/ca_handler/ejbca_ca_handler.py" >> examples/Docker/data/acme_srv.cfg sudo echo "api_host: https://ejbca" >> examples/Docker/data/acme_srv.cfg - sudo echo "cert_file: volume/superadmin.p12" >> examples/Docker/data/acme_srv.cfg + sudo echo "cert_file: volume/acme_ca/superadmin.p12" >> examples/Docker/data/acme_srv.cfg sudo echo "cert_passphrase: $SAEC" >> examples/Docker/data/acme_srv.cfg sudo echo "ca_bundle: volume/acme_ca/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg sudo echo "ca_name: acmesubca" >> 
examples/Docker/data/acme_srv.cfg 
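Review bot: Nothing at the new `enroll_eab_wo_headerinfo` call site shows that the negative case survived the move: the inline version had step 03 (`keyid_02`, expected to be rejected by the domain list) implemented as `continue-on-error: true` plus a follow-up check on `steps.legofail01.outcome`, and a composite action keeps that semantics only if the same outcome check lives inside it — otherwise a domain-list regression passes silently. Worth a comment above the step listing what the action asserts, e.g. `# asserts: profile pick-up from kid_profiles.json, header-info silently ignored, keyid_02 rejected by domainlist (must fail), keyid_03 falls back to acme_srv.cfg settings`. The action body is not in this diff, so this is a request to confirm rather than a reported defect.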
@@ -330,90 +136,14 @@ jobs: env: SAEC: ${{ env.SAEC }} - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "EAB with headerinfo - Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "EAB wit headerinfo - Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "EAB with headerinfo - 01a - enrollment without header-info field (first value in list)" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmesubca - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Client" - - - name: "EAB with headerinfo - 01b - enrollment with header-info field (pick value from list)" - run: | - sudo rm -rf lego/* - sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent cert_profile_name=acmeca1 -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmesubca - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Server" - - - name: "EAB with 
headerinfo - 01c - enrollment with header-info field containing value not included in list (to fail)" - id: legofail02 - continue-on-error: true - run: | - sudo rm -rf lego/* - sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent cert_profile_name=acmeca3 -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run - - - name: EAB with headerinfo 01c - check result " - if: steps.legofail02.outcome != 'failure' - run: | - echo "legofail outcome is ${{steps.legofail02.outcome }}" - exit 1 - - - name: "EAB with headerinfo - 01d - enrollment with header-info field cotaining an invalid parameter (silent overwrite)" - run: | - sudo rm -rf lego/* - sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent ca_name=foo -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmesubca - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Client" + - name: "EAB with headerinfo - enrollment" + uses: ./.github/actions/wf_specific/ejbca_ca_handler/enroll_eab_w_headerinfo - - name: "EAB with headerinfo - 01e - enrollment with header-info field containing parameter not in json (silent overwrite)" - run: | - sudo rm -rf lego/* - sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent cert_profile_name=acmeca2 -d lego.acme --eab --kid keyid_01 --hmac 
YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmeca - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Client" - - - name: "EAB with headerinfo - 02 - profilinging ca and cert_profile" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmeca - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Client" - - - name: "EAB with headerinfo - 03 - domainlist validation fails (to fail)" - id: legofail03 - continue-on-error: true - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --http run - - - name: EAB with headerinfo - 03 - check result " - if: steps.legofail03.outcome != 'failure' - run: | - echo "legofail outcome is ${{steps.legofail03.outcome }}" - exit 1 - - - name: "EAB with headerinfo - 04 - Settings from acme_srv.cfg" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr 
--http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmesubca - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Server" + - name: "Check container configuration" + uses: ./.github/actions/container_check + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - name: "[ * ] collecting test logs" if: ${{ failure() }} 
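Review bot: The new `uses: ./.github/actions/wf_specific/ejbca_ca_handler/enroll_eab_w_headerinfo` step takes no `with:` and sits directly between the `acme_srv.cfg` rewrite and the log-collection step, whereas the removed sequence slept 10s and probed `/directory` over http and https before the first lego run; if the action does not do that itself, the first enrollment can race the server restart. The removed block also held two expected-failure cases (`legofail02`, `legofail03`) guarded by `continue-on-error` plus an outcome check, and nothing in this hunk shows that those assertions survived the move rather than the action merely running lego. The same applies to the replacements in the `@@ -659,71` and `@@ -758,84` hunks below. A one-line comment above each `uses:` naming what the action asserts, e.g. `# runs EAB cases 01a-01e/02/03(expected failure)/04; waits for acme-srv first`, would make the workflow readable without opening the action — adjust the wording to what the action actually does.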
@@ -447,116 +177,24 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: "[ PREPARE ] get runner ip" + - name: "Get runner ip" run: | echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV - run: echo "runner IP is ${{ env.RUNNER_IP }}" - - name: "Prepare Environment" - run: | - mkdir -p data/acme_ca - sudo chmod -R 777 data - docker network create acme - sudo sh -c "echo '$EJBCA_IP ejbca' >> /etc/hosts" - env: - EJBCA_IP: ${{ env.RUNNER_IP }} - - - name: "[ PREPARE ] create acme-sh, letsencrypt and lego folders" - run: | - mkdir certbot - mkdir lego - mkdir acme-sh - - - name: "Instanciate ejbca server" - run: | - docker run -id --rm -p 80:8080 -p 443:8443 -e TLS_SETUP_ENABLED=true -v $(pwd)/examples/ejbca:/tmp/data -v $(pwd)/data:/tmp/store --name "ejbca" -h ejbca keyfactor/ejbca-ce - - - name: "Sleep for 180s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Instanciate ejbca" + uses: ./.github/actions/wf_specific/ejbca_ca_handler/ejbca_prep with: - time: 180s - - - name: "Get randmonly generated Superadmin password for ejbca instance" - run: | - echo SAEC=$(docker logs ejbca | grep /opt/keyfactor/bin/start.sh | grep Password: | awk -F'Password: ' '{print $2}' | awk -F ' ' '{print $1}') >> $GITHUB_ENV - - - run: echo "Randmonly generated Superadmin password is ${{ env.SAEC }}" - - run: echo ${{ env.SAEC }} > data/passphrase.txt - - - name: "Configure ejbca" - run: | - docker exec -i ejbca bin/ejbca.sh ca getcacert --caname ManagementCA -f /tmp/store/acme_ca/ca_bundle.pem - docker exec -i ejbca bin/ejbca.sh config protocols enable --name "REST Certificate Management" - docker exec -i ejbca bin/ejbca.sh config protocols enable --name "REST Certificate Management V2" - docker exec -i ejbca bin/ejbca.sh ca init acmeca "CN=acmeca" soft foo123 4096 RSA -v 365 --policy 2.5.29.32.0 -s SHA256WithRSA + RUNNER_IP: ${{ env.RUNNER_IP }} + WORKING_DIR: 
${{ github.workspace }} - - name: "Get CAID" - run: | - echo CAID=$(docker logs ejbca | grep "msg=CA with id" | grep "and name acmeca added" | awk -F'with id ' '{print $2}' | awk -F' and name' '{print $1}') >> $GITHUB_ENV - - - run: echo "CAID of acmeca is ${{ env.CAID }}" - - - name: "Create subca" - run: | - docker exec -i ejbca bin/ejbca.sh ca init acmesubca "CN=acmesubca" soft foo123 4096 RSA -v 365 --policy 2.5.29.32.0 -s SHA256WithRSA --signedby $CAID - docker exec -i ejbca bin/ejbca.sh ca importprofiles -d /tmp/data/ - - env: - CAID: ${{ env.CAID }} - - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep with: - time: 10s - - - name: "Fetch superadmin certificate and key" - run: | - docker exec -i ejbca bin/ejbca.sh ra setendentitystatus superadmin 10 - docker exec -i ejbca bin/ejbca.sh ra setclearpwd superadmin $SAEC - docker exec -i ejbca bin/ejbca.sh batch - docker cp ejbca:/opt/keyfactor/p12/superadmin.p12 data/acme_ca/ - env: - SAEC: ${{ env.SAEC }} - - - name: "Test superadmin certificate and key" - run: | - curl https://127.0.0.1/ejbca/ejbca-rest-api/v1/certificate/status --cert-type P12 --cert data/acme_ca/superadmin.p12:$SAEC --insecure - curl https://ejbca/ejbca/ejbca-rest-api/v1/certificate/status --cert-type P12 --cert data/acme_ca/superadmin.p12:$SAEC --cacert data/acme_ca/ca_bundle.pem - env: - SAEC: ${{ env.SAEC }} - - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: update version number in spec file - run: | - # sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - cat 
examples/install_scripts/rpm/acme2certifier.spec - - - name: build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 - with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" - - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" - - - name: "setup environment for alma installation" - run: | - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data - - - name: "Retrieve rpms from SBOM repo" - run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data - env: GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} - name: "Default - setup a2c with ejbca_ca_handler" run: | 
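Review bot: The `Default - setup a2c with ejbca_ca_handler` step that follows still reads `env.SAEC`, but after this hunk nothing in the workflow sets it: the superadmin-password extraction moved into `./.github/actions/wf_specific/ejbca_ca_handler/ejbca_prep`, so SAEC reaches the job only if that action writes it to `$GITHUB_ENV` as a side effect. That contract is invisible at the call site; declaring SAEC as an `outputs:` entry of ejbca_prep and reading `${{ steps.<prep-step-id>.outputs.SAEC }}`, or at least commenting `# ejbca_prep exports SAEC (superadmin password) via GITHUB_ENV` above the step, would make the dependency explicit. Separately, `GH_SBOM_USER`/`GH_SBOM_TOKEN` are now composite inputs of `rpm_prep` instead of step `env:`; the removed code cloned with the token embedded in the remote URL, so it is worth confirming that rpm_prep neither persists the token in the clone's `.git/config` nor echoes it. The same input pattern appears in the `@@ -132,61` hunk of ca_handler_tests_est.yml.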
@@ -576,56 +214,15 @@ jobs: env: SAEC: ${{ env.SAEC }} - - name: "Prepare Almalinux instance" - run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - name: "Execute install scipt" run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh - - name: "Default - Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Default - enroll via acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure --force - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "Default - revoke via acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - - - name: "Default - register certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "Default - enroll HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile 
cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem - - - name: "Default - revoke HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot - - - name: "Default - enroll lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - - - name: "Default - revoke HTTP-01 single domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - name: "EAB without headerinfo - setup a2c with ejbca_ca_handler" run: | - sudo touch data/acme_srv.cfg - sudo chmod 777 data/acme_srv.cfg sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/ejbca_ca_handler.py" >> data/acme_srv.cfg sudo echo "api_host: https://ejbca" >> data/acme_srv.cfg 
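Review bot: `uses: ./.github/actions/acme_clients` is called without a `with:` block, so this job runs entirely on the action's input defaults; any input declared `required: true` without a default (a hostname suffix, for instance) would be unset here, and the runner only warns about that instead of failing. The removed steps verified each enrolled certificate against the acme-srv chain (`openssl verify -CAfile cert-2.pem -untrusted cert-1.pem …`) and revoked it afterwards; whether the action does both by default is not visible in this hunk, so passing `REVOCATION` and `VERIFY_CERT` explicitly, as the est workflow in this same commit does, would make the job's intent self-documenting.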
@@ -659,71 +256,11 @@ jobs: run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart - - name: "EAB without headerinfo - Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "EAB without headerinfo - Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "EAB without headerinfo - 01a - enrollment without header-info field (first value in list)" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmesubca - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Client" - - - name: "EAB without headerinfo - 01b - enrollment with header-info field included in list (silent ignore)" - run: | - sudo rm -rf lego/* - sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent cert_profile_name=acmeca1 -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmesubca - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Client" - - - name: "EAB without headerinfo - 01c - with header-info field containing value not included in list (silent 
ignore)" - run: | - sudo rm -rf lego/* - sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent cert_profile_name=acmeca3 -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmesubca - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Client" - - - name: "EAB without headerinfo - 02 - profilinging ca and cert_profile" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmeca - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Client" - - - name: "EAB without headerinfo - 03 - domainlist validation fails (to fail)" - id: legofail01 - continue-on-error: true - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --http run - - - name: EAB without headerinfo - 03 - check result " - if: steps.legofail01.outcome != 'failure' - run: | - echo "legofail outcome is ${{steps.legofail01.outcome }}" - exit 1 - - - name: "EAB without headerinfo - 04 - Settings from 
acme_srv.cfg" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmesubca - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Server" + - name: "EAB without headerinfo - enrollment" + uses: ./.github/actions/wf_specific/ejbca_ca_handler/enroll_eab_wo_headerinfo - name: "EAB with headerinfo - setup a2c with ejbca_ca_handler" run: | - sudo touch data/acme_srv.cfg - sudo chmod 777 data/acme_srv.cfg sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/ejbca_ca_handler.py" >> data/acme_srv.cfg sudo echo "api_host: https://ejbca" >> data/acme_srv.cfg 
@@ -758,84 +295,8 @@ jobs: run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart - - name: "EAB with headerinfo - Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "EAB with headerinfo - 01a - enrollment without header-info field (first value in list)" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmesubca - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Client" - - - name: "EAB with headerinfo - 01b - enrollment with header-info field (pick value from list)" - run: | - sudo rm -rf lego/* - sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent cert_profile_name=acmeca1 -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmesubca - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Server" - - - name: "EAB with headerinfo - 01c - enrollment with header-info field containing value not included in list (to fail)" - id: legofail02 - continue-on-error: true - run: | - sudo rm -rf lego/* - sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a 
--email "lego@example.com" --user-agent cert_profile_name=acmeca3 -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run - - - name: EAB with headerinfo 01c - check result " - if: steps.legofail02.outcome != 'failure' - run: | - echo "legofail outcome is ${{steps.legofail02.outcome }}" - exit 1 - - - name: "EAB with headerinfo - 01d - enrollment with header-info field cotaining an invalid parameter (silent overwrite)" - run: | - sudo rm -rf lego/* - sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent ca_name=foo -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmesubca - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Client" - - - name: "EAB with headerinfo - 01e - enrollment with header-info field containing parameter not in json (silent overwrite)" - run: | - sudo rm -rf lego/* - sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent cert_profile_name=acmeca2 -d lego.acme --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmeca - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Client" - - - name: "EAB with headerinfo - 02 - 
profilinging ca and cert_profile" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmeca - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Client" - - - name: "EAB with headerinfo - 03 - domainlist validation fails (to fail)" - id: legofail03 - continue-on-error: true - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --http run - - - name: EAB with headerinfo - 03 - check result " - if: steps.legofail03.outcome != 'failure' - run: | - echo "legofail outcome is ${{steps.legofail03.outcome }}" - exit 1 - - - name: "EAB with headerinfo - 04 - Settings from acme_srv.cfg" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout | grep -i acmesubca - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep "TLS Web Server" + - name: "EAB with headerinfo - enrollment" + uses: ./.github/actions/wf_specific/ejbca_ca_handler/enroll_eab_w_headerinfo - name: "[ * ] 
collecting test logs" if: ${{ failure() }} diff --git a/.github/workflows/ca_handler_tests_est.yml b/.github/workflows/ca_handler_tests_est.yml index 725f60a1..efdbf079 100644 --- a/.github/workflows/ca_handler_tests_est.yml +++ b/.github/workflows/ca_handler_tests_est.yml 
@@ -24,44 +24,14 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: "create folders" - run: | - mkdir lego - mkdir acme-sh - mkdir certbot - - - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})" - working-directory: examples/Docker/ - run: | - sudo apt-get install -y docker-compose - sudo mkdir -p data - sed -i "s/wsgi/$DB_HANDLER/g" .env - sed -i "s/apache2/$WEB_SRV/g" .env - cat .env - docker network create acme - docker-compose up -d - docker-compose logs - env: - WEB_SRV: ${{ matrix.websrv }} + - name: "Build container" + uses: ./.github/actions/container_prep + with: DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - - name: "setup esthandler using http-basic-auth" + - name: "Setup esthandler using http-basic-auth" run: | - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py - sudo mkdir -p examples/Docker/data/est - sudo chmod -R 777 examples/Docker/data/est - sudo touch $HOME/.rnd - sudo openssl ecparam -genkey -name prime256v1 -out examples/Docker/data/est/est_client_key.pem - sudo openssl req -new -key examples/Docker/data/est/est_client_key.pem -out /tmp/request.p10 -subj '/CN=acme2certifier' -addext "extendedKeyUsage = serverAuth, clientAuth" -addext keyUsage=keyEncipherment - sudo curl http://testrfc7030.com/dstcax3.pem --output /tmp/dstcax3.pem - sudo curl https://testrfc7030.com:8443/.well-known/est/cacerts -o /tmp/cacerts.p7 --cacert /tmp/dstcax3.pem - sudo openssl base64 -d -in /tmp/cacerts.p7 | openssl pkcs7 -inform DER -outform PEM -print_certs -out examples/Docker/data/est/ca_bundle.pem - sudo curl https://testrfc7030.com:8443/.well-known/est/simpleenroll --anyauth -u estuser:estpwd -s -o /tmp/cert.p7 --cacert 
/tmp/dstcax3.pem --data-binary @/tmp/request.p10 -H "Content-Type: application/pkcs10" --dump-header /tmp/resp.hdr - sudo openssl base64 -d -in /tmp/cert.p7 | openssl pkcs7 -inform DER -outform PEM -print_certs -out examples/Docker/data/est/est_client_cert.pem - sudo openssl pkcs12 -export -out examples/Docker/data/est/est_client_cert.p12 -inkey examples/Docker/data/est/est_client_key.pem -in examples/Docker/data/est/est_client_cert.pem -passout pass:Test1234 sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg sudo chmod 777 examples/Docker/data/acme_srv.cfg sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg 
@@ -74,35 +44,19 @@ jobs: sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg cd examples/Docker/ docker-compose restart - docker-compose logs - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Test enrollment" + uses: ./.github/actions/acme_clients with: - time: 10s - - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "Prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "Enroll lego" - run: | - docker run -i -v $PWD/lego/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run + REVOCATION: "false" + VERIFY_CERT: "false" + USE_CERTBOT: "false" - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Check container configuration" + uses: ./.github/actions/container_check with: - time: 10s - - - name: "Enroll acme-sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - name: "[ * ] collecting test logs" if: ${{ failure() }} 
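Review bot: `VERIFY_CERT: "false"` switches off the chain check in `acme_clients` for this job without saying why, and `REVOCATION: "false"` likewise drops the revoke round-trip, so the test now only proves that an EST-backed enrollment returned a certificate. If the reason is that the EST test CA is not in the bundle the action verifies against, or that the EST handler does not support revocation, an inline comment on each line would save the next reader a trip into the action, e.g. `VERIFY_CERT: "false"  # EST CA not in the bundle acme_clients verifies against` (wording to be confirmed). Quoting the values as strings is correct, since composite inputs are strings.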
@@ -132,61 +86,15 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: update version number in spec file - run: | - # sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - cat examples/install_scripts/rpm/acme2certifier.spec - - - name: build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" - - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" - - - name: "setup environment for alma installation" - run: | - docker network create acme - sudo mkdir -p data - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data - - - name: "create acme-sh and lego folder" - run: | - mkdir acme-sh - mkdir lego - - - name: "Retrieve rpms from SBOM repo" - run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data - env: GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} - name: "setup esthandler using http-basic-auth" run: | - sudo mkdir -p data/acme_ca - sudo touch $HOME/.rnd - sudo chmod -R 777 data/acme_ca - sudo openssl ecparam -genkey -name prime256v1 -out data/acme_ca/est_client_key.pem - sudo chmod a+rx data/acme_ca/est_client_key.pem - sudo openssl req -new -key data/acme_ca/est_client_key.pem -out 
/tmp/request.p10 -subj '/CN=acme2certifier' - sudo curl http://testrfc7030.com/dstcax3.pem --output /tmp/dstcax3.pem - sudo curl https://testrfc7030.com:8443/.well-known/est/cacerts -o /tmp/cacerts.p7 --cacert /tmp/dstcax3.pem - sudo openssl base64 -d -in /tmp/cacerts.p7 | openssl pkcs7 -inform DER -outform PEM -print_certs -out data/acme_ca/ca_bundle.pem - sudo curl https://testrfc7030.com:8443/.well-known/est/simpleenroll --anyauth -u estuser:estpwd -s -o /tmp/cert.p7 --cacert /tmp/dstcax3.pem --data-binary @/tmp/request.p10 -H "Content-Type: application/pkcs10" --dump-header /tmp/resp.hdr - sudo openssl base64 -d -in /tmp/cert.p7 | openssl pkcs7 -inform DER -outform PEM -print_certs -out data/acme_ca/est_client_cert.pem - sudo openssl pkcs12 -export -out data/acme_ca/est_client_cert.p12 -inkey data/acme_ca/est_client_key.pem -in data/acme_ca/est_client_cert.pem -passout pass:Test1234 - sudo chmod -R 777 data/acme_ca sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/acme_srv.cfg sudo chmod 777 data/acme_srv.cfg sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg 
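Review bot: The `setup esthandler using http-basic-auth` step loses the EST client key/certificate generation and the `data/acme_ca` bundle but keeps its name and still writes `data/acme_srv.cfg`, whose remaining lines run past the end of this hunk; if those lines still reference files under `data/acme_ca/`, nothing visible in this job creates them any more unless `./.github/actions/rpm_prep` does. A comment on the step such as `# EST client material is now produced by rpm_prep` (or a name that matches what the step now does) would make that dependency explicit. `GH_SBOM_TOKEN` is now an action input rather than a step env, which keeps it masked in logs; the removed step embedded it in a clone URL, so it is worth confirming the action does not print that URL. The step's body continues outside the hunk.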
@@ -198,43 +106,16 @@ jobs: sudo echo "request_timeout: 30" >> data/acme_srv.cfg sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" data/acme_srv.cfg - - name: "Almalinux instance" - run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - name: "Execute install scipt" run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "Enroll via EST using http-basic-auth" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - # openssl verify -CAfile data/acme_ca/ca_bundle.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Test enrollment" + uses: ./.github/actions/acme_clients with: - time: 10s - - - name: "Enroll lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - # sudo openssl verify -CAfile data/acme_ca/ca_bundle.pem lego/certificates/lego.acme.crt - - - name: "delete lego and acme.sh" - run: | - sudo rm -rf lego/* - sudo rm -rf acme-sh/* + REVOCATION: "false" + VERIFY_CERT: "false" + USE_CERTBOT: "false" - name: "[ * ] collecting test logs" if: ${{ failure() }} 
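Review bot: The `delete lego and acme.sh` cleanup step (`sudo rm -rf lego/*`, `sudo rm -rf acme-sh/*`) is dropped without a replacement in this hunk, so any client state left from an earlier enrollment in the same job persists into the `Test enrollment` step unless the acme_clients action clears those directories itself. If nothing enrolls before this step, a comment such as `# directories are empty here; cleanup step removed` would save the next reader the check; otherwise the cleanup should be kept or moved into the action. The `Almalinux instance` step that built and started `acme-srv` is also removed, so the container now has to come from `./.github/actions/rpm_prep`, which runs before `data/acme_srv.cfg` is written — fine only if the directory is bind-mounted as the old `-v "$(pwd)/data":/tmp/acme2certifier` did. The job's remaining steps continue outside the hunk.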
diff --git a/.github/workflows/ca_handler_tests_msca.yml b/.github/workflows/ca_handler_tests_msca.yml index c2f69e07..5814aa7a 100644 --- a/.github/workflows/ca_handler_tests_msca.yml +++ b/.github/workflows/ca_handler_tests_msca.yml @@ -9,9 +9,29 @@ on: - cron: '0 2 * * 6' jobs: + container_build: + name: "container_build" + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + websrv: ['apache2', 'nginx'] + dbhandler: ['wsgi', 'django'] + + steps: + - name: "checkout GIT" + uses: actions/checkout@v4 + + - name: "Build container" + uses: ./.github/actions/container_build_upload + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + mscertsrv_handler_tests: name: "mscertsrv_handler_tests" runs-on: ubuntu-latest + needs: container_build strategy: fail-fast: false # max-parallel: 1 @@ -22,12 +42,26 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: "create folders and networks" + - name: "Download container" + uses: actions/download-artifact@v4 + with: + name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz + path: /tmp + + - name: "Import container" run: | - docker network create local - mkdir lego - mkdir acme-sh - mkdir certbot + sudo apt-get install -y docker-compose + gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz + docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar + docker images + + - name: "Prepare container environment" + uses: ./.github/actions/container_prep + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + CONTAINER_BUILD: false + NAME_SPACE: local - name: "Get runner ip" run: | 
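Review bot: The `Import container` step (`sudo apt-get install -y docker-compose`, `gunzip`, `docker load`, `docker images`) is repeated verbatim in this job, in the new `mscertsrv_handler_eab_profiling_tests` job and in `mswcce_handler_tests` further down; since `./.github/actions/container_prep` is invoked right after it with `CONTAINER_BUILD: false`, the import belongs in that action (or its own composite action) so the artifact name `a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz` is spelled out once. `CONTAINER_BUILD: false` is an unquoted YAML boolean while the other action inputs in this diff are quoted strings (`REVOCATION: "false"`); GitHub stringifies it, but `CONTAINER_BUILD: "false"` keeps the file consistent. The `mkdir lego` / `mkdir acme-sh` / `mkdir certbot` lines removed here are kept in the two other jobs, so the jobs now differ in whether those directories pre-exist when the enrollment actions run.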
@@ -36,59 +70,21 @@ jobs: - run: echo "runner IP is ${{ env.RUNNER_IP }}" - - name: "Prepare ssh environment on ramdisk " - run: | - sudo mkdir -p /tmp/rd - sudo mount -t tmpfs -o size=5M none /tmp/rd - sudo echo "$SSH_KEY" > /tmp/rd/ak.tmp - sudo chmod 600 /tmp/rd/ak.tmp - sudo echo "$KNOWN_HOSTS" > /tmp/rd/known_hosts - env: - SSH_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} - KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} - - - name: "Setup ssh forwarder" - run: | - docker run -d --rm --network local --name=$WCCE_FQDN_WOTLD -e "MAPPINGS=445:$WCCE_HOST:445; 443:$WCCE_HOST:443; 88:$WCCE_HOST:88" -e "SSH_HOST=$SSH_HOST" -e "SSH_PORT=$SSH_PORT" -e "SSH_USER=$SSH_USER" -p 443:443 -p 445:445 -p 88:88 -v "/tmp/rd/ak.tmp:/ssh_key:ro" davidlor/ssh-port-forward-client:dev - env: - SSH_USER: ${{ secrets.WCCE_SSH_USER }} - SSH_HOST: ${{ secrets.WCCE_SSH_HOST }} - SSH_PORT: ${{ secrets.WCCE_SSH_PORT }} + - name: "Setup tunnel" + uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup + with: + WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }} + WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }} + WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }} WCCE_HOST: ${{ secrets.WCCE_HOST }} WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }} - - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "Test conection to mscertsrv via ssh tunnel" - run: | - docker run -i --rm --network local curlimages/curl --insecure -f https://$WCCE_FQDN - env: WCCE_FQDN: ${{ secrets.WCCE_FQDN }} - - - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})" - working-directory: examples/Docker/ - run: | - sudo apt-get install -y docker-compose - sudo mkdir -p data - sed -i "s/wsgi/$DB_HANDLER/g" .env - sed -i "s/apache2/$WEB_SRV/g" .env - cat .env - sed -i "s/name: acme/name: local/g" docker-compose.yml - docker-compose up -d - docker-compose logs - env: - WEB_SRV: ${{ matrix.websrv }} - DB_HANDLER: ${{ matrix.dbhandler }} + WCCE_SSH_KNOWN_HOSTS: ${{ 
secrets.WCCE_SSH_KNOWN_HOSTS }} + WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} + NAME_SPACE: local - name: "KRB - Setup a2c with mscertsrv_ca_handler using kerberos" run: | - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py sudo touch examples/Docker/data/ca_certs.pem sudo chmod 777 examples/Docker/data/ca_certs.pem sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem @@ -113,10 +109,6 @@ jobs: cat < examples/Docker/data/krb5.conf $WES_KRB5_CONF EOF - - cd examples/Docker/ - docker-compose restart - docker-compose logs env: WES_HOST: ${{ secrets.WES_HOST }} WES_USER: ${{ secrets.WES_USER }} 
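Review bot: The `Test conection to mscertsrv via ssh tunnel` probe and the sleep before it are removed, so the job no longer confirms the tunnel is up before `KRB - Setup a2c with mscertsrv_ca_handler using kerberos` runs; unless `./.github/actions/wf_specific/ms_ca_handler/tunnel_setup` performs that probe itself, a tunnel failure will first surface as an enrollment error. The private key now travels as the `WCCE_SSH_ACCESS_KEY` input; the removed step kept it on a 5 MB tmpfs with mode 600 and mounted it read-only, and whether the action preserves that handling is not visible here, so a comment on the step such as `# key material is staged on tmpfs inside tunnel_setup` (once confirmed) would keep that property reviewable from this file. The old forwarder also published 443/445/88 on the runner host (`-p 443:443 -p 445:445 -p 88:88`); if the action no longer does, that is an improvement worth stating in the commit description.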
@@ -129,54 +121,25 @@ jobs: WCCE_FQDN: ${{ secrets.WCCE_FQDN }} WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }} + - name: "Bring up a2c container" + uses: ./.github/actions/container_up + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + NAME_SPACE: local + - name: "Sleep for 10s" uses: juliangruber/sleep-action@v2.0.3 with: time: 10s - - name: "KRB - Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network local curlimages/curl -f http://acme-srv/directory - - - name: "KRB - Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network local curlimages/curl --insecure -f https://acme-srv/directory - - - name: "KRB - Enroll acme.sh with template in acme_srv.cfg (WebServer)" - run: | - sudo rm -rf acme-sh/ - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network local --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.local --alpn --standalone --debug 3 --output-insecure - openssl verify -CAfile examples/Docker/data/ca_certs.pem acme-sh/acme-sh.local_ecc/acme-sh.local.cer - openssl x509 -in acme-sh/acme-sh.local_ecc/acme-sh.local.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server" - - - name: "KRB - Enroll lego with template in acme_srv.cfg (WebServer)" - run: | - sudo rm -rf lego/ - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network local goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.local --http run - sudo openssl verify -CAfile examples/Docker/data/ca_certs.pem lego/certificates/lego.local.crt - sudo openssl x509 -in lego/certificates/lego.local.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Server" - - - name: "KRB - Enroll acme.sh with template submitted in command line (WebServerModified)" - run: | - sudo rm -rf acme-sh/ - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network local --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv 
--accountemail 'acme-sh@example.com' -d acme-sh.local --alpn --standalone --useragent template=WebServerModified --keylength 2048 --debug 3 --output-insecure - openssl verify -CAfile examples/Docker/data/ca_certs.pem acme-sh/acme-sh.local/acme-sh.local.cer - openssl x509 -in acme-sh/acme-sh.local/acme-sh.local.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Client" - - - name: "KRB - Enroll lego with template submitted in command line (WebServerModified)" - run: | - sudo rm -rf lego/ - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network local goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent template=WebServerModified --key-type=rsa2048 -d lego.local --http run - sudo openssl verify -CAfile examples/Docker/data/ca_certs.pem lego/certificates/lego.local.crt - sudo openssl x509 -in lego/certificates/lego.local.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Client" + - name: "KRB - enrollment mit default profile and headerinfo" + uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo + with: + NAME_SPACE: local - name: "NTLM - Setup a2c with mscertsrv_ca_handler using ntlm" run: | - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py - sudo touch examples/Docker/data/ca_certs.pem - sudo chmod 777 examples/Docker/data/ca_certs.pem - sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem sudo touch examples/Docker/data/acme_srv.cfg sudo chmod 777 examples/Docker/data/acme_srv.cfg sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg 
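Review bot: The step name `KRB - enrollment mit default profile and headerinfo` mixes German into an otherwise English workflow; `KRB - enrollment with default profile and headerinfo` reads consistently, and the two `NTLM - enrollment mit ...` names in the following hunks have the same wording. The removed acme.sh and lego steps asserted the issued certificate's `extendedKeyUsage` (`TLS Web Server` for the config-file template, `TLS Web Client` for the User-Agent `template=WebServerModified` path); whether `enroll_default_headerinfo` keeps those assertions is not visible here, so a comment on the step naming what the action verifies would preserve that contract for readers of this file.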
@@ -191,9 +154,6 @@ jobs: sudo echo "request_timeout: 30" >> examples/Docker/data/acme_srv.cfg sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs env: WES_HOST: ${{ secrets.WES_HOST }} WES_USER: ${{ secrets.WES_USER }} 
@@ -206,83 +166,181 @@ jobs: WCCE_FQDN: ${{ secrets.WCCE_FQDN }} WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }} - - name: "NTLM - Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "NTLM - enrollment mit default profile and headerinfo" + uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo with: - time: 10s + NAME_SPACE: local - - name: "NTLM - Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network local curlimages/curl -f http://acme-srv/directory + - name: "NTLM - Setup a2c with mscertsrv_ca_handler with allowed_domainlist configuration" + run: | + sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" examples/Docker/data/acme_srv.cfg + sudo echo "allowed_domainlist: [\"*.acme\", \"foo1.bar\", \"*.bar.local\"]" >> examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + docker-compose restart - - name: "NTLM - Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network local curlimages/curl --insecure -f https://acme-srv/directory + - name: "NTLM - enrollment allowed domainlist" + uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_allowed_domain_list + with: + NAME_SPACE: local - - name: "NTLM - Enroll acme.sh with template in acme_srv.cfg (WebServer)" - run: | - sudo rm -rf acme-sh/ - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network local --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.local --alpn --standalone --debug 3 --output-insecure - openssl verify -CAfile examples/Docker/data/ca_certs.pem acme-sh/acme-sh.local_ecc/acme-sh.local.cer - openssl x509 -in acme-sh/acme-sh.local_ecc/acme-sh.local.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server" + - name: "Check container configuration" + uses: ./.github/actions/container_check + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - - name: "NTLM - Enroll lego with 
template in acme_srv.cfg (WebServer)" + - name: "[ * ] collecting test logs" + if: ${{ failure() }} run: | - sudo rm -rf lego/ - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network local goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.local --http run - sudo openssl verify -CAfile examples/Docker/data/ca_certs.pem lego/certificates/lego.local.crt - sudo openssl x509 -in lego/certificates/lego.local.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Server" + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + sudo cp /etc/hosts ${{ github.workspace }}/artifact/data/ + sudo cp /etc/resolv.conf ${{ github.workspace }}/artifact/data/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ + sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego dnsmasq - - name: "NTLM - Enroll acme.sh with template submitted in command line (WebServerModified)" - run: | - sudo rm -rf acme-sh/ - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network local --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.local --alpn --standalone --useragent template=WebServerModified --keylength 2048 --debug 3 --output-insecure - openssl verify -CAfile examples/Docker/data/ca_certs.pem acme-sh/acme-sh.local/acme-sh.local.cer - openssl x509 -in acme-sh/acme-sh.local/acme-sh.local.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Client" + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v4 + if: ${{ failure() }} + with: + name: mscertsrv_handler_tests-${{ matrix.websrv }}-${{ 
matrix.dbhandler }}.tar.gz + path: ${{ github.workspace }}/artifact/upload/ - - name: "NTLM - Enroll lego with template submitted in command line (WebServerModified)" - run: | - sudo rm -rf lego/ - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network local goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent template=WebServerModified --key-type=rsa2048 -d lego.local --http run - sudo openssl verify -CAfile examples/Docker/data/ca_certs.pem lego/certificates/lego.local.crt - sudo openssl x509 -in lego/certificates/lego.local.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Client" + mscertsrv_handler_eab_profiling_tests: + name: "mscertsrv_handler_eab_profiling_tests" + runs-on: ubuntu-latest + needs: container_build + strategy: + fail-fast: false + # max-parallel: 1 + matrix: + websrv: ['apache2', 'nginx'] + dbhandler: ['wsgi', 'django'] + steps: + - name: "checkout GIT" + uses: actions/checkout@v4 - - name: "NTLM - Setup a2c with mscertsrv_ca_handler with allowed_domainlist configuration" + - name: "create folders and networks" run: | - sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" examples/Docker/data/acme_srv.cfg - sudo echo "allowed_domainlist: [\"*.acme\", \"foo1.bar\", \"*.bar.local\"]" >> examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs + mkdir lego + mkdir acme-sh + mkdir certbot - - name: "NTLM - Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Download container" + uses: actions/download-artifact@v4 with: - time: 10s + name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz + path: /tmp - - name: "NTLM - Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network local curlimages/curl -f http://acme-srv/directory + - name: "Import container" + run: | + sudo apt-get install -y docker-compose + gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ 
matrix.dbhandler }}.tar.gz + docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar + docker images - - name: "NTLM - Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network local curlimages/curl --insecure -f https://acme-srv/directory + - name: "Prepare container environment" + uses: ./.github/actions/container_prep + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + CONTAINER_BUILD: false + NAME_SPACE: local - - name: "NTLM - Enroll acme.sh with fqdn not part of allowed_domainlist (should fail)" - id: acmefail01 - continue-on-error: true + - name: "Get runner ip" run: | - sudo rm -rf acme-sh/ - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network local --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.local --alpn --standalone --debug 3 --output-insecure + echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV + echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV - - name: "NTLM - Check result " - if: steps.acmefail01.outcome != 'failure' - run: | - echo "acmefail outcome is ${{steps.acmefail01.outcome }}" - exit 1 + - run: echo "runner IP is ${{ env.RUNNER_IP }}" + + - name: "Setup tunnel" + uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup + with: + WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }} + WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }} + WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }} + WCCE_HOST: ${{ secrets.WCCE_HOST }} + WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }} + WCCE_FQDN: ${{ secrets.WCCE_FQDN }} + WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} + WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} + NAME_SPACE: local - - name: "NTLM - Enroll acme.sh with fqdn part of allowed_domainlist" + - name: "EAB with headerinfo - Setup a2c with mscertsrv_ca_handler using kerberos" run: | - sudo rm -rf acme-sh/ 
- docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network local --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure - openssl verify -CAfile examples/Docker/data/ca_certs.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server" + sudo touch examples/Docker/data/ca_certs.pem + sudo chmod 777 examples/Docker/data/ca_certs.pem + sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem + sudo touch examples/Docker/data/acme_srv.cfg + sudo chmod 777 examples/Docker/data/acme_srv.cfg + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/mscertsrv_ca_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "host: $WCCE_FQDN" >> examples/Docker/data/acme_srv.cfg + sudo echo "user: $WES_USER" >> examples/Docker/data/acme_srv.cfg + sudo echo "password: $WES_PASSWORD" >> examples/Docker/data/acme_srv.cfg + sudo echo "auth_method: gssapi" >> examples/Docker/data/acme_srv.cfg + sudo echo "template: $WES_TEMPLATE" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_bundle: /var/www/acme2certifier/volume/ca_certs.pem" >> examples/Docker/data/acme_srv.cfg + sudo echo "krb5_config: /var/www/acme2certifier/volume/krb5.conf" >> examples/Docker/data/acme_srv.cfg + sudo echo "verify: False" >> examples/Docker/data/acme_srv.cfg + sudo echo "request_timeout: 30" >> examples/Docker/data/acme_srv.cfg + sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg + sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg + + sudo echo "eab_profiling: True" >> 
examples/Docker/data/acme_srv.cfg + sudo echo -e "\n\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg + sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg + + sudo touch examples/Docker/data/krb5.conf + sudo chmod 777 examples/Docker/data/krb5.conf + cat < examples/Docker/data/krb5.conf + $WES_KRB5_CONF + EOF + + sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json + sudo chmod 777 examples/eab_handler/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"template\"\: \[\"WebServerModified\"\, \"WebServer\"]/g" examples/Docker/data/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"template\"\: \"WebServerModified\"/g" examples/Docker/data/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json + sudo sed -i "s/example.net/local/g" examples/Docker/data/kid_profiles.json + sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json + sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json + env: + WES_HOST: ${{ secrets.WES_HOST }} + WES_USER: ${{ secrets.WES_USER }} + WES_PASSWORD: ${{ secrets.WES_PASSWORD }} + WES_TEMPLATE: ${{ secrets.WES_TEMPLATE }} + WES_AUTHMETHOD: ${{ secrets.WES_AUTHMETHOD }} + WCCE_HOST: ${{ secrets.WCCE_HOST }} + WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} + WES_KRB5_CONF: ${{ secrets.WES_KRB5_CONF }} + WCCE_FQDN: ${{ secrets.WCCE_FQDN }} + WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }} + + - name: "Bring up a2c container" + uses: ./.github/actions/container_up + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + NAME_SPACE: local + + 
- name: "EAB with headerinfo - enrollment" + uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_eab + with: + NAME_SPACE: local + + - name: "Check container configuration" + uses: ./.github/actions/container_check + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - name: "[ * ] collecting test logs" if: ${{ failure() }} @@ -302,13 +360,13 @@ jobs: uses: actions/upload-artifact@v4 if: ${{ failure() }} with: - name: mscertsrv_handler_tests-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz + name: mscertsrv_handler_profiling_tests-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz path: ${{ github.workspace }}/artifact/upload/ mswcce_handler_tests: name: "mswcce_handler_tests" runs-on: ubuntu-latest - needs: mscertsrv_handler_tests + needs: container_build strategy: fail-fast: false # max-parallel: 1 @@ -325,11 +383,30 @@ jobs: mkdir acme-sh mkdir certbot + - name: "Download container" + uses: actions/download-artifact@v4 + with: + name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz + path: /tmp + + - name: "Import container" + run: | + sudo apt-get install -y docker-compose + gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz + docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar + docker images + + - name: "Prepare container environment" + uses: ./.github/actions/container_prep + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + CONTAINER_BUILD: false + - name: "[ PREPARE ] get runner ip" run: | echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV - - run: echo "runner IP is ${{ env.RUNNER_IP }}" - name: "Install dnsmasq" 
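Review bot: In the `EAB with headerinfo - Setup a2c with mscertsrv_ca_handler using kerberos` step, `sudo chmod 777 examples/eab_handler/kid_profiles.json` changes the mode of the source file in the checkout rather than the copy that the following `sed -i` calls edit; it should read `sudo chmod 777 examples/Docker/data/kid_profiles.json`, or be dropped since the edits run under sudo anyway. The same step writes `password: $WES_PASSWORD` into `examples/Docker/data/acme_srv.cfg`, and the `[ * ] collecting test logs` step copies that whole directory (and `krb5.conf`) into the failure artifact that `actions/upload-artifact` publishes, so the credential is retained in `artifact.tar.gz` unless it is redacted before the tar — the `mscertsrv_handler_tests` job in this hunk has the same collection step and presumably the same config contents. The `sed -i '18,19d'` and `sed -i '8,9d'` line-number deletes on `kid_profiles.json` will silently remove the wrong records if that example file is ever reordered; a key-based edit, or a comment naming which entries are being dropped, would make the intent checkable. The tar list ends in `dnsmasq`, but nothing visible in the mscertsrv jobs creates such a directory, so on a failure the collection step itself may fail on `tar`; `NTLM - enrollment mit default profile and headerinfo` should read `with`.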
@@ -365,46 +442,17 @@ jobs: WCCE_FQDN: ${{ secrets.WCCE_FQDN }} WES_HOST: ${{ secrets.WES_HOST }} - - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})" - working-directory: examples/Docker/ - run: | - sudo apt-get install -y docker-compose - sudo mkdir -p data - sed -i "s/wsgi/$DB_HANDLER/g" .env - sed -i "s/apache2/$WEB_SRV/g" .env - cat .env - docker network create acme - docker-compose up -d - docker-compose logs - env: - WEB_SRV: ${{ matrix.websrv }} - DB_HANDLER: ${{ matrix.dbhandler }} - - - name: "Prepare ssh environment on ramdisk " - run: | - sudo mkdir -p /tmp/rd - sudo mount -t tmpfs -o size=5M none /tmp/rd - sudo echo "$SSH_KEY" > /tmp/rd/ak.tmp - sudo chmod 600 /tmp/rd/ak.tmp - sudo echo "$KNOWN_HOSTS" > /tmp/rd/known_hosts - env: - SSH_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} - KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} - - - name: "Establish SSH connection" - run: sudo ssh $SSH_USER@$SSH_HOST -fN -i /tmp/rd/ak.tmp -p $SSH_PORT -o UserKnownHostsFile=/tmp/rd/known_hosts -L 445:$WCCE_HOST:445 -L 88:$WCCE_HOST:88 -L 443:$WES_IP:443 -g - env: - SSH_USER: ${{ secrets.WCCE_SSH_USER }} - SSH_HOST: ${{ secrets.WCCE_SSH_HOST }} - SSH_PORT: ${{ secrets.WCCE_SSH_PORT }} - WCCE_HOST: ${{ secrets.WCCE_HOST }} - WES_IP: ${{ secrets.WES_IP }} - CMP_HOST: ${{ secrets.CMP_HOST }} - - - name: "Sleep for 5s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Setup tunnel" + uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup with: - time: 5s + WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }} + WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }} + WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }} + WCCE_HOST: ${{ secrets.WCCE_HOST }} + WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }} + WCCE_FQDN: ${{ secrets.WCCE_FQDN }} + WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} + WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} - name: "NTLM - Setup a2c with ms_wcce_ca_handler (ntlm)" run: | 
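Review bot: The removed `Establish SSH connection` step forwarded 443 to `$WES_IP` (and passed `CMP_HOST`), but the new `tunnel_setup` call receives neither; if the action forwards 443 to `WCCE_HOST` the way the forwarder it replaced in the mscertsrv job did, the ms_wcce job's port-443 traffic now reaches a different host than before. Either pass the 443 target explicitly or add a comment such as `# 443 is now forwarded to WCCE_HOST (was WES_IP)` confirming this is intended. The dropped `ssh ... -g` meant the forwarded ports were no longer bound on all runner interfaces only if the action avoids it too — worth a sentence in the commit description. This call also omits `NAME_SPACE`, unlike the two mscertsrv jobs, so the action's default network is relied on here.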
@@ -428,10 +476,8 @@ jobs: sudo echo "ca_bundle: volume/ca_certs.pem" >> examples/Docker/data/acme_srv.cfg sudo echo "timeout: 20" >> examples/Docker/data/acme_srv.cfg sudo echo "ssh_host: $SSH_HOST:$SSH_PORT" >> examples/Docker/data/acme_srv.cfg + sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs env: RUNNER_IP: ${{ env.RUNNER_IP }} WCCE_USER: ${{ secrets.WCCE_USER }} 
@@ -444,35 +490,14 @@ jobs: SSH_HOST: ${{ secrets.WCCE_SSH_HOST }} SSH_PORT: ${{ secrets.WCCE_SSH_PORT }} - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Bring up a2c container" + uses: ./.github/actions/container_up with: - time: 10s - - - name: "NTLM - Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "NTLM - Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "NTLM - Enroll acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force - openssl verify -CAfile examples/Docker/data/ca_certs.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "NTLM - Register certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "NTLM - Enroll certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/ca_certs.pem certbot/live/certbot/cert.pem + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - - name: "NTLM - Enroll lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile examples/Docker/data/ca_certs.pem lego/certificates/lego.acme.crt + - name: "NTLM - enrollment mit default profile and headerinfo" + 
uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo - name: "KRB - Setup a2c with ms_wcce_ca_handler (Kerboros)" run: | @@ -497,7 +522,6 @@ jobs: sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg cd examples/Docker/ docker-compose restart - docker-compose logs env: RUNNER_IP: ${{ env.RUNNER_IP }} DNSMASQ_IP: ${{ env.DNSMASQ_IP }} 
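Review bot: The new step name `"NTLM - enrollment mit default profile and headerinfo"` mixes German into an otherwise English workflow; `"NTLM - enrollment with default profile and headerinfo"` reads cleanly, and the same wording is used for the KRB step in the next hunk and in both mscertsrv rpm jobs. The removed inline steps also probed `http://acme-srv/directory` and `https://acme-srv/directory` before enrolling; whether `container_up` or `enroll_default_headerinfo` still performs that readiness check is not visible here. The enclosing job starts outside the hunk.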
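Review bot: This KRB setup step still ends with `cd examples/Docker/` and `docker-compose restart` followed, per the next hunk's context, by a fixed 10s sleep, whereas the NTLM path in the previous hunk was switched to the `./.github/actions/container_up` action; keeping both paths on the same mechanism avoids two different readiness behaviours in one job. Dropping `docker-compose logs` here is fine since the failure handler collects them. The run block starts outside the hunk.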
@@ -514,53 +538,8 @@ jobs: with: time: 10s - - name: "KRB - Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "KRB - Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "KRB - Enroll acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force - openssl verify -CAfile examples/Docker/data/ca_certs.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server" - - - name: "KRB - Check for kerberos connection" - working-directory: examples/Docker/ - run: | - docker-compose logs | grep -i "Trying to connect" - - - name: "KRB - Register certbot" - run: | - sudo rm -rf certbot/ - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "KRB - Enroll lego with template in acme_srv.cfg (WebServer)" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile examples/Docker/data/ca_certs.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Server" - - - name: "KRB - Enroll acme.sh with template in acme_srv.cfg (WebServer)" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d 
acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force - openssl verify -CAfile examples/Docker/data/ca_certs.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server" - - - name: "KRB - Enroll lego with template submitted in command line (WebServerModified)" - run: | - sudo rm -rf lego/ - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent template=WebServerModified --key-type=rsa2048 -d lego.acme --http run - sudo openssl verify -CAfile examples/Docker/data/ca_certs.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Client" - - - name: "KRB - Enroll acme.sh with template submitted in command line (WebServerModified)" - run: | - sudo rm -rf acme-sh/ - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --keylength 2048 --issue -d acme-sh.acme --alpn --standalone --useragent template=WebServerModified --debug 3 --output-insecure --force - openssl verify -CAfile examples/Docker/data/ca_certs.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Client" + - name: "KRB - enrollment mit default profile and headerinfo" + uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo - name: "KRB - Setup a2c with mswcce_ca_handler with allowed_domainlist configuration" run: | 
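Review bot: The removed `KRB - Check for kerberos connection` step grepped the compose logs for `Trying to connect` to prove the Kerberos code path was actually exercised; the replacement `enroll_default_headerinfo` action is shared with the NTLM path, so unless it performs that check the KRB job now passes even if the handler never used Kerberos. Consider keeping a step after the action with `working-directory: examples/Docker/` and `run: docker-compose logs | grep -i "Trying to connect"`. The removed steps also asserted the EKU switch to `TLS Web Client` for the `template=WebServerModified` user-agent override; presumably the action covers that, but it is not visible here. The enclosing job starts outside the hunk.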
@@ -568,38 +547,15 @@ jobs: sudo echo "allowed_domainlist: [\"*.acme\", \"foo1.bar\", \"*.bar.local\"]" >> examples/Docker/data/acme_srv.cfg cd examples/Docker/ docker-compose restart - docker-compose logs - - name: "KRB - Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "KRB - Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + - name: "KRB - enrollment allowed domainlist" + uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_allowed_domain_list - - name: "KRB - Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "KRB - Enroll acme.sh with fqdn not part of allowed_domainlist (should fail)" - id: acmefail01 - continue-on-error: true - run: | - sudo rm -rf acme-sh/ - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.local --alpn --standalone --debug 3 --output-insecure - - - name: "KRB - Check result " - if: steps.acmefail01.outcome != 'failure' - run: | - echo "acmefail outcome is ${{steps.acmefail01.outcome }}" - exit 1 - - - name: "KRB - Enroll acme.sh with fqdn part of allowed_domainlist" - run: | - sudo rm -rf acme-sh/ - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure - openssl verify -CAfile examples/Docker/data/ca_certs.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server" + - name: "Check container configuration" + uses: ./.github/actions/container_check + with: + DB_HANDLER: ${{ matrix.dbhandler }} + 
WEB_SRV: ${{ matrix.websrv }} - name: "[ * ] collecting test logs" if: ${{ failure() }} @@ -612,7 +568,7 @@ jobs: sudo cp -rp dnsmasq/ ${{ github.workspace }}/artifact/dnsmasq/ cd examples/Docker docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego dnsmasq + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data dnsmasq - name: "[ * ] uploading artificates" uses: actions/upload-artifact@v4 
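Review bot: `docker-compose restart` in the allowed_domainlist setup is now followed directly by the `enroll_allowed_domain_list` action; the 10s sleep and the `/directory` reachability probes between them were removed, so unless the action waits for the server itself the first request can race the restarting container. The removed steps also held the negative case (`acme-sh.local`, not in `allowed_domainlist`, expected to fail via `continue-on-error` plus an outcome check); that assertion is the one proving the list is enforced, so confirm the action keeps it. The enclosing step starts outside the hunk.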
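Review bot: The artifact tarball for mswcce_handler_tests now omits `acme-sh`, `certbot` and `lego`, while the collect step still copies `dnsmasq/` (and presumably the client directories above it, outside the hunk) into the artifact directory, and the new mswcce_handler_eab_profiling_tests job in the next hunk still packs all six. If the client directories are intentionally dropped because enrollment now runs inside composite actions, the matching `cp -rp` lines can go too; otherwise keep the list identical across the two jobs so failure artifacts are comparable.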
@@ -621,107 +577,257 @@ jobs: name: mswcce_handler_tests-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz path: ${{ github.workspace }}/artifact/upload/ - mscertsrv_handler_tests_rpm: - name: "mscertsrv_handler_tests_rpm" + mswcce_handler_eab_profiling_tests: + name: "mswcce_handler_eab_profiling_tests" runs-on: ubuntu-latest + needs: container_build strategy: - # max-parallel: 1 fail-fast: false + # max-parallel: 2 matrix: - rhversion: [8, 9] + websrv: ['apache2', 'nginx'] + dbhandler: ['wsgi', 'django'] steps: - name: "checkout GIT" uses: actions/checkout@v4 - - name: "create folders and networks" + - name: "create folders" run: | - docker network create local mkdir lego mkdir acme-sh mkdir certbot - - name: "Get runner ip" + - name: "[ PREPARE ] get runner ip" run: | echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV - run: echo "runner IP is ${{ env.RUNNER_IP }}" - - name: "Prepare ssh environment on ramdisk " + - name: "Install dnsmasq" run: | - sudo mkdir -p /tmp/rd - sudo mount -t tmpfs -o size=5M none /tmp/rd - sudo echo "$SSH_KEY" > /tmp/rd/ak.tmp - sudo chmod 600 /tmp/rd/ak.tmp - sudo echo "$KNOWN_HOSTS" > /tmp/rd/known_hosts + sudo apt-get update + sudo apt-get install -y dnsmasq + sudo systemctl disable systemd-resolved + sudo systemctl stop systemd-resolved + sudo mkdir -p dnsmasq + sudo cp .github/dnsmasq.conf dnsmasq/ + sudo chmod -R 777 dnsmasq/dnsmasq.conf + sudo sed -i "s/RUNNER_IP/$RUNNER_IP/g" dnsmasq/dnsmasq.conf + sudo echo "address=/$WCCE_FQDN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf + sudo echo "address=/$WCCE_ADS_DOMAIN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf + sudo echo "address=/$WES_HOST/$RUNNER_IP" >> dnsmasq/dnsmasq.conf + cat dnsmasq/dnsmasq.conf + sudo cp dnsmasq/dnsmasq.conf /etc/ + sudo systemctl enable dnsmasq + sudo systemctl start dnsmasq env: - SSH_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} - KNOWN_HOSTS: ${{ 
secrets.WCCE_SSH_KNOWN_HOSTS }} + RUNNER_IP: ${{ env.RUNNER_IP }} + WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} + WCCE_FQDN: ${{ secrets.WCCE_FQDN }} + WES_HOST: ${{ secrets.WES_HOST }} - - name: "Setup ssh forwarder" + - name: "[ PREPARE ] test dns resulution" run: | - docker run -d --rm --network local --name=$WCCE_FQDN_WOTLD -e "MAPPINGS=445:$WCCE_HOST:445; 443:$WCCE_HOST:443; 88:$WCCE_HOST:88" -e "SSH_HOST=$SSH_HOST" -e "SSH_PORT=$SSH_PORT" -e "SSH_USER=$SSH_USER" -p 443:443 -p 445:445 -p 88:88 -v "/tmp/rd/ak.tmp:/ssh_key:ro" davidlor/ssh-port-forward-client:dev + host $WCCE_ADS_DOMAIN 127.0.0.1 + host $WCCE_FQDN 127.0.0.1 + host $WES_HOST 127.0.0.1 env: - SSH_USER: ${{ secrets.WCCE_SSH_USER }} - SSH_HOST: ${{ secrets.WCCE_SSH_HOST }} - SSH_PORT: ${{ secrets.WCCE_SSH_PORT }} - WCCE_HOST: ${{ secrets.WCCE_HOST }} - WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }} + WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} + WCCE_FQDN: ${{ secrets.WCCE_FQDN }} + WES_HOST: ${{ secrets.WES_HOST }} - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Download container" + uses: actions/download-artifact@v4 with: - time: 10s + name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz + path: /tmp - - name: "Test conection to mscertsrv via ssh tunnel" + - name: "Import container" run: | - docker run -i --rm --network local curlimages/curl --insecure -f https://$WCCE_FQDN + sudo apt-get install -y docker-compose + gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz + docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar + docker images + + - name: "Prepare container environment" + uses: ./.github/actions/container_prep + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + CONTAINER_BUILD: false + + - name: "Setup tunnel" + uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup + with: + WCCE_SSH_USER: ${{ 
secrets.WCCE_SSH_USER }} + WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }} + WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }} + WCCE_HOST: ${{ secrets.WCCE_HOST }} + WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }} + WCCE_FQDN: ${{ secrets.WCCE_FQDN }} + WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} + WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} + + - name: "EAB with headerinfo - Setup a2c with ms_wcce_ca_handler (Kerboros)" + run: | + sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem + sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem + sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem + sudo cp .github/django_settings.py examples/Docker/data/settings.py + sudo touch examples/Docker/data/ca_certs.pem + sudo chmod 777 examples/Docker/data/ca_certs.pem + sudo echo "$WCCE_CA_BUNDLE" > examples/Docker/data/ca_certs.pem + sudo touch examples/Docker/data/acme_srv.cfg + sudo chmod 777 examples/Docker/data/acme_srv.cfg + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/mswcce_ca_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "host: $WCCE_FQDN" >> examples/Docker/data/acme_srv.cfg + sudo echo "user: $WCCE_USER" >> examples/Docker/data/acme_srv.cfg + sudo echo "password: $WCCE_PASSWORD" >> examples/Docker/data/acme_srv.cfg + sudo echo "template: $WCCE_TEMPLATE" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_name: $WCCE_CA_NAME" >> examples/Docker/data/acme_srv.cfg + sudo echo "target_domain: $WCCE_ADS_DOMAIN" >> examples/Docker/data/acme_srv.cfg + sudo echo "domain_controller: $RUNNER_IP" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_bundle: volume/ca_certs.pem" >> examples/Docker/data/acme_srv.cfg + sudo echo "timeout: 20" >> examples/Docker/data/acme_srv.cfg + sudo echo "use_kerberos: True" >> 
examples/Docker/data/acme_srv.cfg + sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg + sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg + + sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg + sudo echo -e "\n\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg + sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg + + sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json + sudo chmod 777 examples/eab_handler/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"template\"\: \[\"WebServerModified\"\, \"WebServer\"]/g" examples/Docker/data/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"template\"\: \"WebServerModified\"/g" examples/Docker/data/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json + sudo sed -i "s/example.net/acme/g" examples/Docker/data/kid_profiles.json + sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json + sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json env: + RUNNER_IP: ${{ env.RUNNER_IP }} + DNSMASQ_IP: ${{ env.DNSMASQ_IP }} + WCCE_USER: ${{ secrets.WCCE_USER }} + WCCE_PASSWORD: ${{ secrets.WCCE_PASSWORD }} + WCCE_TEMPLATE: ${{ secrets.WCCE_TEMPLATE }} + WCCE_CA_NAME: ${{ secrets.WCCE_CA_NAME }} + WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} + WCCE_CA_BUNDLE: ${{ secrets.WCCE_CA_BUNDLE }} WCCE_FQDN: ${{ secrets.WCCE_FQDN }} + - name: 
"Bring up a2c container" + uses: ./.github/actions/container_up + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV + - name: "EAB with headerinfo - enrollment" + uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_eab - - run: echo "Latest tag is ${{ env.TAG_NAME }}" + - name: "Check container configuration" + uses: ./.github/actions/container_check + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - - name: update version number in spec file + - name: "[ * ] collecting test logs" + if: ${{ failure() }} run: | - # sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - cat examples/install_scripts/rpm/acme2certifier.spec + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ + sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ + sudo cp -rp dnsmasq/ ${{ github.workspace }}/artifact/dnsmasq/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego dnsmasq - - name: build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v4 + if: ${{ failure() }} with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" + name: mswcce_handler_profiling_tests-${{ matrix.websrv }}-${{ matrix.dbhandler 
}}.tar.gz + path: ${{ github.workspace }}/artifact/upload/ - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" + cleanup: + name: "cleanup" + runs-on: ubuntu-latest + needs: [mscertsrv_handler_tests, mswcce_handler_tests, mswcce_handler_eab_profiling_tests, mscertsrv_handler_eab_profiling_tests ] + strategy: + fail-fast: false + matrix: + websrv: ['apache2', 'nginx'] + dbhandler: ['wsgi', 'django'] - - name: "Setup environment for alma installation" - run: | - docker network create acme - sudo mkdir -p data - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data + steps: + - uses: geekyeggo/delete-artifact@v5 + with: + name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz - - name: "Retrieve rpms from SBOM repo" - run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data - env: + rpm_build_and_upload: + name: "rpm_build_and_upload" + runs-on: ubuntu-latest + steps: + - name: "checkout GIT" + uses: actions/checkout@v4 + + - name: "Build rpm package" + id: rpm_build + uses: ./.github/actions/rpm_build_upload + + mscertsrv_handler_tests_rpm: + name: "mscertsrv_handler_tests_rpm" + runs-on: ubuntu-latest + needs: rpm_build_and_upload + strategy: + # max-parallel: 1 + fail-fast: false + matrix: + rhversion: [8, 9] + steps: + - name: "checkout GIT" + uses: actions/checkout@v4 + + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep + with: GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} + RPM_BUILD: false + NAME_SPACE: "local" - - name: "NTLM - Prepare Almalinux instance" + - name: Download rpm package + uses: actions/download-artifact@v4 + with: + name: acme2certifier-${{ github.run_id 
}}.noarch.rpm + path: data/ + + - name: "Get runner ip" run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network local --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd + echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV + echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV + + - run: echo "runner IP is ${{ env.RUNNER_IP }}" + + - name: "Setup tunnel" + uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup + with: + WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }} + WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }} + WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }} + WCCE_HOST: ${{ secrets.WCCE_HOST }} + WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }} + WCCE_FQDN: ${{ secrets.WCCE_FQDN }} + WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} + WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} + NAME_SPACE: local - name: "KRB - Setup a2c with mscertsrv_ca_handler using kerberos" run: | 
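Review bot: The `[ * ] collecting test logs` step of the new mswcce_handler_eab_profiling_tests job copies `examples/Docker/data/` wholesale into the uploaded artifact, and that directory holds `acme_srv.cfg` with the plaintext `password: $WCCE_PASSWORD` and `user:` lines written earlier in the job, plus the EAB `kid_profiles.json`; failure artifacts are downloadable by anyone with read access to the repository, so strip the credential lines before packing, e.g. `sudo sed -i -E '/^(password|user):/d' ${{ github.workspace }}/artifact/data/acme_srv.cfg`. In the same setup step `sudo chmod 777 examples/eab_handler/kid_profiles.json` changes the mode of the repository copy rather than the `examples/Docker/data/kid_profiles.json` file that the following `sed -i` calls edit (the rpm job in a later hunk chmods the copy). The line-number deletes `sed -i '18,19d'` and `'8,9d'` silently break as soon as the example JSON changes shape; a dedicated fixture under `.github/` would be more robust. The new `cleanup` job deletes the `a2c-<run_id>` container artifacts only when every job in `needs` succeeded, so add `if: ${{ always() }}` to it so a failed matrix does not leave the images behind, and note that its `needs` list references `mscertsrv_handler_eab_profiling_tests`, which must be defined elsewhere in the file for the workflow to validate.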
@@ -763,45 +869,13 @@ jobs: docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh docker exec acme-srv yum install -y krb5-libs - - name: "KRB - Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "KRB - enrollment mit default profile and headerinfo" + uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo with: - time: 10s - - - name: "KRB - Enroll acme.sh with template in acme_srv.cfg (WebServer)" - run: | - sudo rm -rf acme-sh/ - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network local --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.local --alpn --standalone --debug 3 --output-insecure - openssl verify -CAfile data/acme_ca/ca_certs.pem acme-sh/acme-sh.local_ecc/acme-sh.local.cer - openssl x509 -in acme-sh/acme-sh.local_ecc/acme-sh.local.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server" - - - name: "KRB - Enroll lego with template in acme_srv.cfg (WebServer)" - run: | - sudo rm -rf lego/ - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network local goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.local --http run - sudo openssl verify -CAfile data/acme_ca/ca_certs.pem lego/certificates/lego.local.crt - sudo openssl x509 -in lego/certificates/lego.local.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Server" - - - name: "KRB - Enroll acme.sh with template submitted in command line (WebServerModified)" - run: | - sudo rm -rf acme-sh/ - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network local --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.local --alpn --standalone --useragent template=WebServerModified --keylength 2048 --debug 3 --output-insecure - openssl verify -CAfile data/acme_ca/ca_certs.pem acme-sh/acme-sh.local/acme-sh.local.cer - openssl x509 -in acme-sh/acme-sh.local/acme-sh.local.cer -ext extendedKeyUsage -noout | grep 
-i "TLS Web Client" - - - name: "KRB - Enroll lego with template submitted in command line (WebServerModified)" - run: | - sudo rm -rf lego/ - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network local goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent template=WebServerModified --key-type=rsa2048 -d lego.local --http run - sudo openssl verify -CAfile data/acme_ca/ca_certs.pem lego/certificates/lego.local.crt - sudo openssl x509 -in lego/certificates/lego.local.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Client" + NAME_SPACE: local - name: "NTLM - Setup a2c with mscertsrv_ca_handler" run: | - mkdir -p data/acme_ca - sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem - sudo touch data/acme_srv.cfg - sudo chmod 777 data/acme_srv.cfg sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/mscertsrv_ca_handler.py" >> data/acme_srv.cfg sudo echo "host: $WCCE_FQDN" >> data/acme_srv.cfg 
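Review bot: The NTLM setup step that follows the enrollment action no longer creates `data/acme_ca` or copies `test/ca/certsrv_ca_certs.pem` into it, so it now depends on the KRB setup step earlier in the job having left `data/acme_ca/ca_certs.pem` in place; that ordering dependency is implicit and deserves a comment such as `# reuses data/acme_ca populated by the KRB setup step`. Whether the shared `enroll_default_headerinfo` action still asserts the `TLS Web Server` versus `TLS Web Client` EKU difference between the config template and the `template=WebServerModified` user-agent override, as the removed steps did, is not visible here; the same applies to the NTLM replacement in the next hunk. The enclosing job starts outside the hunk.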
@@ -826,38 +900,10 @@ jobs: run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart - - name: "NTLM - Sleep for 5s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "NTLM - enrollment mit default profile and headerinfo" + uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo with: - time: 5s - - - name: "NTLM - Enroll acme.sh with template in acme_srv.cfg (WebServer)" - run: | - sudo rm -rf acme-sh/ - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network local --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.local --alpn --standalone --debug 3 --output-insecure - openssl verify -CAfile data/acme_ca/ca_certs.pem acme-sh/acme-sh.local_ecc/acme-sh.local.cer - openssl x509 -in acme-sh/acme-sh.local_ecc/acme-sh.local.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server" - - - name: "NTLM - Enroll lego with template in acme_srv.cfg (WebServer)" - run: | - sudo rm -rf lego/ - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network local goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.local --http run - sudo openssl verify -CAfile data/acme_ca/ca_certs.pem lego/certificates/lego.local.crt - sudo openssl x509 -in lego/certificates/lego.local.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Server" - - - name: "NTLM - Enroll acme.sh with template submitted in command line (WebServerModified)" - run: | - sudo rm -rf acme-sh/ - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network local --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.local --alpn --standalone --useragent template=WebServerModified --keylength 2048 --debug 3 --output-insecure - openssl verify -CAfile data/acme_ca/ca_certs.pem acme-sh/acme-sh.local/acme-sh.local.cer - openssl x509 -in acme-sh/acme-sh.local/acme-sh.local.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Client" - - - 
name: "NTLM - Enroll lego with template submitted in command line (WebServerModified)" - run: | - sudo rm -rf lego/ - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network local goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent template=WebServerModified --key-type=rsa2048 -d lego.local --http run - sudo openssl verify -CAfile data/acme_ca/ca_certs.pem lego/certificates/lego.local.crt - sudo openssl x509 -in lego/certificates/lego.local.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Client" + NAME_SPACE: local - name: "NTLM - Setup a2c with mscertsrv_ca_handler with allowed_domainlist configuration" run: | 
@@ -868,33 +914,137 @@ jobs: run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart - - name: "NTLM - Sleep for 5s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "NTLM - enrollment allowed domainlist" + uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_allowed_domain_list with: - time: 5s + NAME_SPACE: local - - name: "NTLM - Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network local curlimages/curl -f http://acme-srv/directory + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier + sudo rm -rf data/*.rpm + sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + docker exec acme-srv ls -la /tmp > ${{ github.workspace }}/artifact/data/tmp_list + docker exec acme-srv ls -la /tmp + docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v4 + if: ${{ failure() }} + with: + name: mscertsrv_handler_tests_rpm-rh${{ matrix.rhversion }}.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + mscertsrv_handler_eab_profile_tests_rpm: + name: "mscertsrv_handler_eab_profile_tests_rpm" + runs-on: ubuntu-latest + needs: mscertsrv_handler_tests_rpm + strategy: + # max-parallel: 1 + fail-fast: false + matrix: + rhversion: [8, 9] + steps: + - name: "checkout GIT" + uses: actions/checkout@v4 + + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep + with: + GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} + GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} + RPM_BUILD: false + NAME_SPACE: "local" - - name: "NTLM - Enroll acme.sh 
with fqdn not part of allowed_domainlist (should fail)" - id: acmefail02 - continue-on-error: true + - name: Download rpm package + uses: actions/download-artifact@v4 + with: + name: acme2certifier-${{ github.run_id }}.noarch.rpm + path: data/ + + - name: "Get runner ip" run: | - sudo rm -rf acme-sh/ - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network local --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.local --alpn --standalone --debug 3 --output-insecure + echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV + echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV + + - run: echo "runner IP is ${{ env.RUNNER_IP }}" + + - name: "Setup tunnel" + uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup + with: + WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }} + WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }} + WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }} + WCCE_HOST: ${{ secrets.WCCE_HOST }} + WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }} + WCCE_FQDN: ${{ secrets.WCCE_FQDN }} + WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} + WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} + NAME_SPACE: local - - name: "NTLM - Check result " - if: steps.acmefail02.outcome != 'failure' + - name: "EAB with headerinfo - Setup a2c with mscertsrv_ca_handler using kerberos" run: | - echo "acmefail outcome is ${{steps.acmefail02.outcome }}" - exit 1 + mkdir -p data/acme_ca + sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem + sudo touch data/acme_srv.cfg + sudo chmod 777 data/acme_srv.cfg + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg + sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/mscertsrv_ca_handler.py" >> data/acme_srv.cfg + sudo echo "host: $WCCE_FQDN" >> data/acme_srv.cfg + sudo echo "user: $WES_USER" >> data/acme_srv.cfg + sudo echo "password: 
$WES_PASSWORD" >> data/acme_srv.cfg + sudo echo "auth_method: gssapi" >> data/acme_srv.cfg + sudo echo "template: $WES_TEMPLATE" >> data/acme_srv.cfg + sudo echo "ca_bundle: volume/acme_ca/ca_certs.pem" >> data/acme_srv.cfg + sudo echo "krb5_config: volume/acme_ca/krb5.conf" >> data/acme_srv.cfg + sudo echo "verify: False" >> data/acme_srv.cfg + sudo echo "request_timeout: 30" >> data/acme_srv.cfg + sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg + sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" data/acme_srv.cfg + + sudo echo "eab_profiling: True" >> data/acme_srv.cfg + sudo echo -e "\n[EABhandler]" >> data/acme_srv.cfg + sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg + sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg + + sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json + sudo chmod 777 data/acme_ca/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"template\"\: \[\"WebServerModified\"\, \"WebServer\"]/g" data/acme_ca/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"template\"\: \"WebServerModified\"/g" data/acme_ca/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json + sudo sed -i "s/example.net/local/g" data/acme_ca/kid_profiles.json + sudo sed -i '18,19d' data/acme_ca/kid_profiles.json + sudo sed -i '8,9d' data/acme_ca/kid_profiles.json - - name: "NTLM - Enroll acme.sh with fqdn part of allowed_domainlist" + sudo touch data/acme_ca/krb5.conf + sudo chmod 777 data/acme_ca/krb5.conf + cat < 
data/acme_ca/krb5.conf + $WES_KRB5_CONF + EOF + env: + WES_HOST: ${{ secrets.WES_HOST }} + WES_USER: ${{ secrets.WES_USER }} + WES_PASSWORD: ${{ secrets.WES_PASSWORD }} + WES_AUTHMETHOD: ${{ secrets.WES_AUTHMETHOD }} + WES_TEMPLATE: ${{ secrets.WES_TEMPLATE }} + WCCE_FQDN: ${{ secrets.WCCE_FQDN }} + WES_KRB5_CONF: ${{ secrets.WES_KRB5_CONF }} + + - name: "KRB - Execute install scipt" run: | - sudo rm -rf acme-sh/ - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network local --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure - openssl verify -CAfile data/acme_ca/ca_certs.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server" + docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh + docker exec acme-srv yum install -y krb5-libs + + - name: "EAB with headerinfo - enrollment" + uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_eab + with: + NAME_SPACE: local - name: "[ * ] collecting test logs" if: ${{ failure() }} @@ -913,7 +1063,7 @@ jobs: uses: actions/upload-artifact@v4 if: ${{ failure() }} with: - name: mscertsrv_handler_tests_rpm-rh${{ matrix.rhversion }}.tar.gz + name: mscertsrv_handler_profile_tests_rpm-rh${{ matrix.rhversion }}.tar.gz path: ${{ github.workspace }}/artifact/upload/ mswcce_handler_tests_rpm: 
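Review bot: In the new `EAB with headerinfo - Setup a2c with mscertsrv_ca_handler using kerberos` step the krb5.conf write is rendered here as `cat < data/acme_ca/krb5.conf` followed by `$WES_KRB5_CONF` and `EOF`, which is not a valid redirection; presumably the committed line is a heredoc `cat <<EOF > data/acme_ca/krb5.conf` whose `<<EOF >` was lost in rendering, so confirm the file has it intact, and note that an unquoted `EOF` delimiter also expands any `$` or backtick sequences inside the secret. The same step writes `password: $WES_PASSWORD` into `data/acme_srv.cfg` and `chmod 777`s it, while the `[ * ] collecting test logs` step above tars `/opt/acme2certifier` out of the container and copies `data/` into the uploaded artifact, so the credential lands in the failure artifact exactly as in the compose jobs; strip it before packing. `WES_AUTHMETHOD` is exported to the step but `auth_method: gssapi` is hard-coded, so either write `$WES_AUTHMETHOD` or drop the env entry. `verify: False` disables TLS verification towards the CA even though `ca_bundle:` is set; if that is deliberate for this harness, a comment saying so stops it being copied into the shipped examples.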
@@ -929,6 +1079,21 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep + with: + GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} + GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} + DJANGO_DB: psql + RPM_BUILD: false + + - name: Download rpm package + uses: actions/download-artifact@v4 + with: + name: acme2certifier-${{ github.run_id }}.noarch.rpm + path: data/ + - name: "Get runner ip" run: | echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV 
@@ -972,73 +1137,23 @@ jobs: WCCE_FQDN: ${{ secrets.WCCE_FQDN }} WES_HOST: ${{ secrets.WES_HOST }} - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: update version number in spec file - run: | - # sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - cat examples/install_scripts/rpm/acme2certifier.spec - - - name: build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 - with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" - - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" - - - name: "Setup environment for alma installation" - run: | - docker network create acme - sudo mkdir -p data - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data - - - name: "Retrieve rpms from SBOM repo" - run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data - env: - GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} - GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} - - name: "Create letsencrypt and lego folder" run: | mkdir certbot mkdir lego mkdir acme-sh - - name: "Ssh environment on ramdisk " - run: | - sudo mkdir -p /tmp/rd - sudo mount -t tmpfs -o size=5M none /tmp/rd - sudo echo "$SSH_KEY" > /tmp/rd/ak.tmp - sudo chmod 600 /tmp/rd/ak.tmp - sudo echo "$KNOWN_HOSTS" > /tmp/rd/known_hosts - env: - SSH_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} - KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} - - - name: "Establish SSH connection" - run: sudo ssh 
$SSH_USER@$SSH_HOST -fN -i /tmp/rd/ak.tmp -p $SSH_PORT -o UserKnownHostsFile=/tmp/rd/known_hosts -L 445:$WCCE_HOST:445 -L 88:$WCCE_HOST:88 -L 443:$WES_IP:443 -g - env: - SSH_USER: ${{ secrets.WCCE_SSH_USER }} - SSH_HOST: ${{ secrets.WCCE_SSH_HOST }} - SSH_PORT: ${{ secrets.WCCE_SSH_PORT }} - WCCE_HOST: ${{ secrets.WCCE_HOST }} - WES_IP: ${{ secrets.WES_IP }} - CMP_HOST: ${{ secrets.CMP_HOST }} - - - name: "Sleep for 5s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Setup tunnel" + uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup with: - time: 5s + WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }} + WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }} + WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }} + WCCE_HOST: ${{ secrets.WCCE_HOST }} + WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }} + WCCE_FQDN: ${{ secrets.WCCE_FQDN }} + WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} + WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} - name: "NTLM - Prepare acme_srv.cfg with ms_wcce_ca_handler" run: | @@ -1058,6 +1173,7 @@ jobs: sudo echo "target_domain: $WCCE_ADS_DOMAIN" >> data/acme_srv.cfg sudo echo "ca_bundle: /opt/acme2certifier/volume/acme_ca/ca_certs.pem" >> data/acme_srv.cfg sudo echo "timeout: 20" >> data/acme_srv.cfg + sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" data/acme_srv.cfg env: RUNNER_IP: ${{ env.RUNNER_IP }} 
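Review bot: The "Setup tunnel" step hands WCCE_SSH_ACCESS_KEY and WCCE_SSH_KNOWN_HOSTS to `./.github/actions/wf_specific/ms_ca_handler/tunnel_setup`, whose body is not part of this diff, while the inline steps it replaces kept the key on a 5 MB tmpfs with mode 600 and opened the forwards with `-g`. Please confirm the composite preserves the tmpfs/0600 handling and that `-g` (which accepts connections to the forwarded ports from any host that can reach the runner, not only localhost) is still required for the containers on the docker network; if it is, a one-line comment on the step, e.g. `# SSH key is written to tmpfs inside tunnel_setup; -g is needed so containers reach the forwards via RUNNER_IP`, saves the next reader a trip into the action. The enclosing job definition begins before this hunk.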
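Review bot: The added `sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg` only has an effect if the cfg copied from `.github/openssl_ca_handler.py_acme_srv_default_handler.cfg` still contains the literal `tnauthlist_support: False`; otherwise it silently inserts nothing and `header_info_list` is never configured, and the header-info enrollment tests fail for an unrelated reason. Either guard it, `grep -q '^tnauthlist_support: False' data/acme_srv.cfg`, or append the key with `sudo echo 'header_info_list: ["HTTP_USER_AGENT"]' >> data/acme_srv.cfg` like every other key in this step. The identical line is repeated in the KRB setup of the new mswcce_handler_eab_profile_tests_rpm job and in the mscertsrv job earlier in this file, so the same remark applies there. Since this setting lets the client-supplied User-Agent header pick the template, a comment such as `# test-only: template is selected from the client's User-Agent header` documents why a client-controlled value is trusted here.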
@@ -1068,43 +1184,12 @@ jobs: WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} WCCE_CA_BUNDLE: ${{ secrets.WCCE_CA_BUNDLE }} - - name: "NTLM - Prepare Almalinux instance" - run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - name: "NTLM - Execute install scipt" run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh - - name: "NTLM - Sleep for 5s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 5s - - - name: "NTLM - Test http://acme-srv/directory is accessible " - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "NTLM - Register certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "NTLM - Enroll certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile data/acme_ca/ca_certs.pem certbot/live/certbot/cert.pem - - - name: "NTLM - Enroll acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force - openssl verify -CAfile data/acme_ca/ca_certs.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "NTLM - Enroll lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email 
"lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile data/acme_ca/ca_certs.pem lego/certificates/lego.acme.crt + - name: "NTLM - enrollment mit default profile and headerinfo" + uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo - name: "KRB - Setup a2c with ms_wcce_ca_handler (Kerberos)" run: | 
@@ -1142,76 +1227,185 @@ jobs: run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart - - name: "KRB - Sleep for 5s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 5s + - name: "KRB - enrollment mit default profile and headerinfo" + uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_default_headerinfo - - name: "KRB - Test http://acme-srv/directory is accessible " - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + - name: "KRB - Setup a2c with mswcce_ca_handler with allowed_domainlist configuration" + run: | + sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" data/acme_srv.cfg + sudo echo "allowed_domainlist: [\"*.acme\", \"foo1.bar\", \"*.bar.local\"]" >> data/acme_srv.cfg - - name: "KRB - Enroll lego with template in acme_srv.cfg (WebServer)" + - name: "KRB - Reconfigure a2c " run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile data/acme_ca/ca_certs.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Server" + docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart + + - name: "KRB - enrollment allowed domainlist" + uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_allowed_domain_list - - name: "KRB - Enroll acme.sh with template in acme_srv.cfg (WebServer)" + - name: "[ * ] collecting test logs" + if: ${{ failure() }} run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force - openssl verify -CAfile data/acme_ca/ca_certs.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in 
acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server" + mkdir -p ${{ github.workspace }}/artifact/upload + docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier + sudo rm -rf data/*.rpm + sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + sudo cp -rp dnsmasq/ ${{ github.workspace }}/artifact/dnsmasq/ + # docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig + # docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf + docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh dnsmasq - - name: "KRB - Enroll lego with template submitted in command line (WebServerModified)" + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v4 + if: ${{ failure() }} + with: + name: mswcce_handler_tests_rpm-rh${{ matrix.rhversion }}.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + mswcce_handler_eab_profile_tests_rpm: + name: "mswcce_handler_eab_profile_tests_rpm" + runs-on: ubuntu-latest + needs: mscertsrv_handler_tests_rpm + strategy: + # max-parallel: 1 + fail-fast: false + matrix: + rhversion: [8, 9] + steps: + - name: "checkout GIT" + uses: actions/checkout@v4 + + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep + with: + GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} + GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} + DJANGO_DB: psql + RPM_BUILD: false + + - name: Download rpm package + uses: actions/download-artifact@v4 + with: + name: acme2certifier-${{ github.run_id }}.noarch.rpm + path: data/ + + - name: "Get runner ip" run: | - sudo rm -rf lego/ - docker run -i -v $PWD/lego:/.lego/ --rm --name 
lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent template=WebServerModified --key-type=rsa2048 -d lego.acme --http run - sudo openssl verify -CAfile data/acme_ca/ca_certs.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Client" + echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV + echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV + + - run: echo "runner IP is ${{ env.RUNNER_IP }}" - - name: "KRB - Enroll acme.sh with template submitted in command line (WebServerModified)" + - name: "Install dnsmasq" run: | - sudo rm -rf acme-sh/ - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --keylength 2048 -d acme-sh.acme --alpn --standalone --useragent template=WebServerModified --debug 3 --output-insecure --force - openssl verify -CAfile data/acme_ca/ca_certs.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Client" + sudo apt-get update + sudo apt-get install -y dnsmasq + sudo systemctl disable systemd-resolved + sudo systemctl stop systemd-resolved + # sudo chmod -R 777 /etc/resolv.conf + # sudo echo "nameserver 8.8.8.8" > /etc/resolv.conf + sudo mkdir -p dnsmasq + sudo cp .github/dnsmasq.conf dnsmasq/ + sudo chmod -R 777 dnsmasq/dnsmasq.conf + sudo sed -i "s/RUNNER_IP/$RUNNER_IP/g" dnsmasq/dnsmasq.conf + sudo echo "address=/$WCCE_FQDN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf + sudo echo "address=/$WCCE_ADS_DOMAIN/$RUNNER_IP" >> dnsmasq/dnsmasq.conf + sudo echo "address=/$WES_HOST/$RUNNER_IP" >> dnsmasq/dnsmasq.conf + cat dnsmasq/dnsmasq.conf + sudo cp dnsmasq/dnsmasq.conf /etc/ + sudo sed -i "s/ --local-service/ /g" /etc/init.d/dnsmasq + sudo systemctl enable 
dnsmasq + sudo systemctl start dnsmasq + env: + RUNNER_IP: ${{ env.RUNNER_IP }} + WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} + WCCE_FQDN: ${{ secrets.WCCE_FQDN }} + WES_HOST: ${{ secrets.WES_HOST }} - - name: "KRB - Setup a2c with mswcce_ca_handler with allowed_domainlist configuration" + - name: "Test dns resulution" run: | - sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" data/acme_srv.cfg - sudo echo "allowed_domainlist: [\"*.acme\", \"foo1.bar\", \"*.bar.local\"]" >> data/acme_srv.cfg + host $WCCE_ADS_DOMAIN ${{ env.RUNNER_IP }} + host $WCCE_FQDN ${{ env.RUNNER_IP }} + host $WES_HOST 127.0.0.1 + env: + WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} + WCCE_FQDN: ${{ secrets.WCCE_FQDN }} + WES_HOST: ${{ secrets.WES_HOST }} - - name: "KRB - Reconfigure a2c " + - name: "Create letsencrypt and lego folder" run: | - docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart + mkdir certbot + mkdir lego + mkdir acme-sh - - name: "KRB - Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Setup tunnel" + uses: ./.github/actions/wf_specific/ms_ca_handler/tunnel_setup with: - time: 10s - - - name: "KRB - Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + WCCE_SSH_USER: ${{ secrets.WCCE_SSH_USER }} + WCCE_SSH_HOST: ${{ secrets.WCCE_SSH_HOST }} + WCCE_SSH_PORT: ${{ secrets.WCCE_SSH_PORT }} + WCCE_HOST: ${{ secrets.WCCE_HOST }} + WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }} + WCCE_FQDN: ${{ secrets.WCCE_FQDN }} + WCCE_SSH_KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} + WCCE_SSH_ACCESS_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} - - name: "KRB - Enroll acme.sh with fqdn not part of allowed_domainlist (should fail)" - id: acmefail02 - continue-on-error: true + - name: "EAB with headerinfo - Setup a2c with ms_wcce_ca_handler (Kerberos)" run: | - sudo rm -rf acme-sh/ - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network 
acme --name=acme-sh neilpang/acme.sh:latest --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.local --alpn --standalone --debug 3 --output-insecure + mkdir -p data/acme_ca + sudo touch data/acme_ca/ca_certs.pem + sudo chmod 777 data/acme_ca/ca_certs.pem + sudo echo "$WCCE_CA_BUNDLE" > data/acme_ca/ca_certs.pem + sudo touch data/acme_ca/acme_srv.cfg + sudo chmod 777 data/acme_ca/acme_srv.cfg + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg + sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/mswcce_ca_handler.py" >> data/acme_srv.cfg + sudo echo "host: $WCCE_FQDN" >> data/acme_srv.cfg + sudo echo "user: $WCCE_USER" >> data/acme_srv.cfg + sudo echo "password: $WCCE_PASSWORD" >> data/acme_srv.cfg + sudo echo "template: $WCCE_TEMPLATE" >> data/acme_srv.cfg + sudo echo "ca_name: $WCCE_CA_NAME" >> data/acme_srv.cfg + sudo echo "target_domain: $WCCE_ADS_DOMAIN" >> data/acme_srv.cfg + sudo echo "domain_controller: $RUNNER_IP" >> data/acme_srv.cfg + sudo echo "ca_bundle: /opt/acme2certifier/volume/acme_ca/ca_certs.pem" >> data/acme_srv.cfg + sudo echo "timeout: 20" >> data/acme_srv.cfg + sudo echo "use_kerberos: True" >> data/acme_srv.cfg + sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg + sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" data/acme_srv.cfg - - name: "KRB - Check result " - if: steps.acmefail02.outcome != 'failure' - run: | - echo "acmefai2 outcome is ${{steps.acmefail01.outcome }}" - exit 1 + sudo echo "eab_profiling: True" >> data/acme_srv.cfg + sudo echo -e "\n[EABhandler]" >> data/acme_srv.cfg + sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg + sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg + + sudo cp 
examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json + sudo chmod 777 data/acme_ca/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"template\"\: \[\"WebServerModified\"\, \"WebServer\"]/g" data/acme_ca/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"template\"\: \"WebServerModified\"/g" data/acme_ca/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json + sudo sed -i "s/example.net/acme/g" data/acme_ca/kid_profiles.json + sudo sed -i '18,19d' data/acme_ca/kid_profiles.json + sudo sed -i '8,9d' data/acme_ca/kid_profiles.json + + env: + RUNNER_IP: ${{ env.RUNNER_IP }} + WCCE_USER: ${{ secrets.WCCE_USER }} + WCCE_PASSWORD: ${{ secrets.WCCE_PASSWORD }} + WCCE_TEMPLATE: ${{ secrets.WCCE_TEMPLATE }} + WCCE_CA_NAME: ${{ secrets.WCCE_CA_NAME }} + WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} + WCCE_CA_BUNDLE: ${{ secrets.WCCE_CA_BUNDLE }} + WCCE_FQDN: ${{ secrets.WCCE_FQDN }} - - name: "KRB - Enroll acme.sh with fqdn part of allowed_domainlist" + - name: "EAB with headerinfo - Execute install scipt" run: | - sudo rm -rf acme-sh/ - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure - openssl verify -CAfile data/acme_ca/ca_certs.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server" + docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh + + - name: "EAB with headerinfo - enrollment" + uses: ./.github/actions/wf_specific/ms_ca_handler/enroll_eab - name: "[ * ] collecting test logs" if: ${{ failure() }} 
@@ -1231,6 +1425,15 @@ jobs: uses: actions/upload-artifact@v4 if: ${{ failure() }} with: - name: mswcce_handler_tests_rpm-rh${{ matrix.rhversion }}.tar.gz + name: mswcce_handler_profile_tests_rpm-rh${{ matrix.rhversion }}.tar.gz path: ${{ github.workspace }}/artifact/upload/ + rpm_cleanup: + name: "rpm_cleanup" + runs-on: ubuntu-latest + needs: [mscertsrv_handler_tests_rpm, mscertsrv_handler_eab_profile_tests_rpm, mswcce_handler_tests_rpm, mswcce_handler_eab_profile_tests_rpm] + steps: + - name: "Delete artifact" + uses: geekyeggo/delete-artifact@v5 + with: + name: acme2certifier-${{ github.run_id }}.noarch.rpm \ No newline at end of file diff --git a/.github/workflows/ca_handler_tests_nclm.yml b/.github/workflows/ca_handler_tests_nclm.yml index 56e32621..eb4e7ed7 100644 --- a/.github/workflows/ca_handler_tests_nclm.yml +++ b/.github/workflows/ca_handler_tests_nclm.yml @@ -14,7 +14,7 @@ jobs: runs-on: ubuntu-latest strategy: fail-fast: false - max-parallel: 1 + # max-parallel: 1 matrix: websrv: ['apache2', 'nginx'] dbhandler: ['wsgi', 'django'] 
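Review bot: The failure-time collection copies the whole tree with `sudo cp -rp data/ ${{ github.workspace }}/artifact/data/`, and `data/acme_srv.cfg` is written in this same hunk with `user: $WCCE_USER` and `password: $WCCE_PASSWORD` in clear text; GitHub masks secrets in logs but not inside uploaded artifact tarballs, so every failed run publishes the CA credentials to anyone who can download the run's artifacts. Redact before packing, e.g. `sudo sed -i 's/^password:.*/password: <redacted>/' ${{ github.workspace }}/artifact/data/acme_srv.cfg`, and treat `dnsmasq/dnsmasq.conf` (which now carries the WCCE_FQDN, WCCE_ADS_DOMAIN and WES_HOST values) and the other `collecting test logs` steps in this file the same way. Separately, `sudo sed -i "s/ --local-service/ /g" /etc/init.d/dnsmasq` drops the flag that restricts dnsmasq to answering local subnets only; a comment stating why the resolver must serve non-local queries (presumably the docker bridge) would justify the wider exposure, and the step names `"Test dns resulution"` and `"Execute install scipt"` should read "resolution" and "script". The new job `mswcce_handler_eab_profile_tests_rpm` declares `needs: mscertsrv_handler_tests_rpm` but downloads `acme2certifier-${{ github.run_id }}.noarch.rpm`, whose producing job is not visible here; confirm that producer is an ancestor in `needs`, otherwise download-artifact races the upload.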
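Review bot: The new `rpm_cleanup` job only runs when all four jobs listed in `needs:` succeed, because a dependent job is skipped by default when any prerequisite fails or is cancelled; the RPM artifact is therefore left behind precisely in the failed runs where it accumulates. Add `if: always()` to the job so the delete step runs regardless of the test outcome. `geekyeggo/delete-artifact@v5` is a third-party action pinned to a mutable tag; pinning it to a full commit SHA with a `# v5` comment protects the workflow from a retagged release. The diff also reports `\ No newline at end of file` for the workflow; end it with a newline.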
@@ -22,33 +22,19 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: "create folders" + - name: "Generate UUID" run: | - mkdir lego - mkdir acme-sh - mkdir certbot + echo UUID=$(uuidgen | cut -d "-" -f1) >> $GITHUB_ENV + - run: echo "UUID ${{ env.UUID }}" - - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})" - working-directory: examples/Docker/ - run: | - sudo apt-get install -y docker-compose - sudo mkdir -p data - sed -i "s/wsgi/$DB_HANDLER/g" .env - sed -i "s/apache2/$WEB_SRV/g" .env - cat .env - docker network create acme - docker-compose up -d - docker-compose logs - env: - WEB_SRV: ${{ matrix.websrv }} + - name: "Build container" + uses: ./.github/actions/container_prep + with: DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - - name: "[ PREPARE ] setup a2c with nclm_ca_handler" + - name: "Setup a2c with nclm_ca_handler" run: | - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem sudo touch examples/Docker/data/acme_srv.cfg sudo chmod 777 examples/Docker/data/acme_srv.cfg @@ -64,7 +50,6 @@ jobs: sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 40/g" examples/Docker/data/acme_srv.cfg cd examples/Docker/ docker-compose restart - docker-compose logs env: NCLM_API_HOST: ${{ secrets.NCLM_API_HOST }} NCLM_API_USER: ${{ secrets.NCLM_API_USER }} 
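Review bot: `echo UUID=$(uuidgen | cut -d "-" -f1) >> $GITHUB_ENV` cannot fail: if `uuidgen` is missing or prints nothing the `echo` still exits 0, `UUID` is empty and the `HOSTNAME_SUFFIX` passed later collapses to a bare `-`, which silently removes the per-run uniqueness that justified commenting out `max-parallel: 1`. Capture and check first, e.g. `UUID=$(uuidgen | cut -d '-' -f1); test -n "$UUID"; echo "UUID=$UUID" >> "$GITHUB_ENV"`. The same step is duplicated twice more in this file (before the MSCA re-test and in the rpm job), so a single reusable step or an input generated inside the `acme_clients` action would remove the copies. The cp lines for acme2certifier.pem, acme2certifier_cert.pem, acme2certifier_key.pem and settings.py moved into `./.github/actions/container_prep`, which is outside this diff; confirm the key file keeps restrictive permissions there.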
@@ -73,83 +58,46 @@ jobs: NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }} NCLM_CA_ID_LIST: ${{ secrets.NCLM_CA_ID_LIST }} - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Test enrollment" + uses: ./.github/actions/acme_clients with: - time: 10s - - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "Prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "Enroll acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "Register certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "Enroll HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem + HOSTNAME_SUFFIX: -${{ env.UUID }} - - name: "Enroll lego" + - name: "Generate UUID" run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo 
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + echo UUID=$(uuidgen | cut -d "-" -f1) >> $GITHUB_ENV + - run: echo "UUID ${{ env.UUID }}" - name: "Reconfigure nclm handler to test enrollment from MSCA" run: | sudo sed -i "s/ca_name: $NCLM_CA_NAME/ca_name: $NCLM_MSCA_NAME/g" examples/Docker/data/acme_srv.cfg sudo echo "template_name: $NCLM_MSCA_TEMPLATE_NAME" >> examples/Docker/data/acme_srv.cfg - sudo rm -rf lego/* + cd examples/Docker/ + docker-compose restart env: NCLM_MSCA_TEMPLATE_NAME: ${{ secrets.NCLM_MSCA_TEMPLATE_NAME }} NCLM_MSCA_NAME: ${{ secrets.NCLM_MSCA_NAME }} NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }} - - name: "Restart a2c" - working-directory: examples/Docker/ - run: | - docker-compose restart - - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Test enrollment" + uses: ./.github/actions/acme_clients with: - time: 10s - - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "Enroll lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile lego/certificates/lego.acme.issuer.crt lego/certificates/lego.acme.crt + USE_RSA: true + HOSTNAME_SUFFIX: -${{ env.UUID }} - name: "[ * ] collecting test logs" if: ${{ failure() }} run: | mkdir -p ${{ github.workspace }}/artifact/upload + mkdir -p ${{ github.workspace }}/artifact/clients sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ - sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ + sudo 
cp *.pem ${{ github.workspace }}/artifact/data/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/clients/acme-sh/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/clients/certbot/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/clients/lego/ cd examples/Docker docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data clients - name: "[ * ] uploading artificates" uses: actions/upload-artifact@v4 
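Review bot: In the failure-time collection, `sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/clients/certbot/` and `sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/clients/lego/` both copy the acme-sh directory, so the certbot and lego client state is never captured (the removed lines copied `certbot/` and `lego/`). The sources should be `sudo cp -rp certbot/ ${{ github.workspace }}/artifact/clients/certbot/` and `sudo cp -rp lego/ ${{ github.workspace }}/artifact/clients/lego/`. `sudo cp *.pem ${{ github.workspace }}/artifact/data/` aborts the step when no `.pem` exists in the workspace (for example when the run failed before `acme_clients` split the chain into cert-1.pem/cert-2.pem), so the tar and the upload never happen; `sudo cp *.pem ${{ github.workspace }}/artifact/data/ || true` keeps the collection best-effort. `USE_RSA: true` passes a YAML boolean to an input whose declared default is the string `"false"`; GitHub stringifies it, but `USE_RSA: "true"` matches the action's own declarations.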
@@ -164,54 +112,29 @@ jobs: runs-on: ubuntu-latest strategy: fail-fast: false - max-parallel: 1 + # max-parallel: 1 matrix: rhversion: [8, 9] + execscript: ['rpm_tester.sh', 'django_tester.sh'] + steps: - name: "checkout GIT" uses: actions/checkout@v4 - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: update version number in spec file + - name: "Generate UUID" run: | - # sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - cat examples/install_scripts/rpm/acme2certifier.spec + echo UUID=$(uuidgen | cut -d "-" -f1) >> $GITHUB_ENV + - run: echo "UUID ${{ env.UUID }}" - - name: build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" - - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" - - - name: "[ PREPARE ] setup environment for alma installation" - run: | - docker network create acme - sudo mkdir -p data - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data - - - name: "[ PREPARE ] create letsencrypt and lego folder" - run: | - mkdir certbot - mkdir lego - - - name: "Retrieve rpms from SBOM repo" - run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data - env: GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} - - name: "[ PREPARE ] prepare 
acme_srv.cfg with nclm_ca_handler" + - name: "Setup a2c with with nclm_ca_handler" + if: matrix.execscript == 'rpm_tester.sh' run: | mkdir -p data/acme_ca sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem @@ -227,7 +150,6 @@ jobs: sudo echo "ca_id_list: [$NCLM_CA_ID_LIST]" >> data/acme_srv.cfg sudo echo "request_timeout: 40" >> data/acme_srv.cfg sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 60/g" data/acme_srv.cfg - env: NCLM_API_HOST: ${{ secrets.NCLM_API_HOST }} NCLM_API_USER: ${{ secrets.NCLM_API_USER }} 
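Review bot: The step name `"Setup a2c with with nclm_ca_handler"` duplicates "with"; the django variant in the following hunk carries the same typo. The matrix now adds a `django_tester.sh` leg, but `./.github/actions/rpm_prep` is called here with only `GH_SBOM_USER`, `GH_SBOM_TOKEN` and `RH_VERSION`, whereas the ms_ca_handler jobs earlier in this file also pass `DJANGO_DB: psql` and `RPM_BUILD: false`; if rpm_prep's defaults differ, the django leg here is prepared differently from those jobs, so either pass `DJANGO_DB` explicitly or add a comment stating the default is intended. The removed `git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom` presumably moved into rpm_prep, which is outside this diff; confirm it does not leave the token embedded in `/tmp/sbom/.git/config` on the runner (removing the clone after the RPMs are copied is enough). The enclosing job begins before this hunk.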
@@ -236,65 +158,100 @@ jobs: NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }} NCLM_CA_ID_LIST: ${{ secrets.NCLM_CA_ID_LIST }} - - name: "[ PREPARE ] Almalinux instance" + - name: "Setup a2c with with nclm_ca_handler for django" + if: matrix.execscript == 'django_tester.sh' run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd + sudo mkdir -p data/volume/acme_ca/certs + sudo cp test/ca/certsrv_ca_certs.pem data/volume/acme_ca/ca_certs.pem + sudo touch data/volume/acme_srv.cfg + sudo chmod 777 data/volume/acme_srv.cfg + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/volume/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/nclm_ca_handler.py" >> data/volume/acme_srv.cfg + sudo echo "api_host: $NCLM_API_HOST" >> data/volume/acme_srv.cfg + sudo echo "api_user: $NCLM_API_USER" >> data/volume/acme_srv.cfg + sudo echo "api_password: $NCLM_API_PASSWORD" >> data/volume/acme_srv.cfg + sudo echo "tsg_name: $NCLM_TSG_NAME" >> data/volume/acme_srv.cfg + sudo echo "ca_name: $NCLM_CA_NAME" >> data/volume/acme_srv.cfg + sudo echo "ca_id_list: [$NCLM_CA_ID_LIST]" >> data/volume/acme_srv.cfg + sudo echo "request_timeout: 40" >> data/volume/acme_srv.cfg + sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 60/g" data/volume/acme_srv.cfg + env: + NCLM_API_HOST: ${{ secrets.NCLM_API_HOST }} + NCLM_API_USER: ${{ secrets.NCLM_API_USER }} + NCLM_API_PASSWORD: ${{ secrets.NCLM_API_PASSWORD }} + NCLM_TSG_NAME: ${{ secrets.NCLM_TSG_NAME }} + NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }} + NCLM_CA_ID_LIST: ${{ secrets.NCLM_CA_ID_LIST }} - - name: "[ RUN ] Execute install scipt" + - name: "Execute install 
scipt" run: | - docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh - - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + docker exec acme-srv sh /tmp/acme2certifier/$EXEC_SCRIPT + env: + EXEC_SCRIPT: ${{ matrix.execscript }} - - name: "[ PREPARE ] prepare acme.sh container" - run: | - sudo mkdir acme-sh - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh -e MAX_RETRY_TIMES=4 neilpang/acme.sh:latest daemon + - name: "Test enrollment" + uses: ./.github/actions/acme_clients + with: + HOSTNAME_SUFFIX: -${{ env.UUID }} - - name: "[ REGISTER] acme.sh" + - name: "Generate UUID" run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug 3 + echo UUID=$(uuidgen | cut -d "-" -f1) >> $GITHUB_ENV + - run: echo "UUID ${{ env.UUID }}" - - name: "[ ENROLL] acme.sh" + - name: "Reconfigure nclm handler to test enrollment from MSCA" + if: matrix.execscript == 'rpm_tester.sh' run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + sudo sed -i "s/ca_name: $NCLM_CA_NAME/ca_name: $NCLM_MSCA_NAME/g" data/acme_srv.cfg + sudo echo "template_name: $NCLM_MSCA_TEMPLATE_NAME" >> data/acme_srv.cfg + env: + NCLM_MSCA_TEMPLATE_NAME: ${{ secrets.NCLM_MSCA_TEMPLATE_NAME }} + NCLM_MSCA_NAME: ${{ secrets.NCLM_MSCA_NAME }} + NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }} - - name: "[ REGISTER ] certbot" + - name: "Reconfigure nclm handler to test enrollment from MSCA" + if: matrix.execscript == 'django_tester.sh' run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos 
-m 'certbot@example.com' --server http://acme-srv --no-eff-email + sudo sed -i "s/ca_name: $NCLM_CA_NAME/ca_name: $NCLM_MSCA_NAME/g" data/volume/acme_srv.cfg + sudo echo "template_name: $NCLM_MSCA_TEMPLATE_NAME" >> data/volume/acme_srv.cfg + env: + NCLM_MSCA_TEMPLATE_NAME: ${{ secrets.NCLM_MSCA_TEMPLATE_NAME }} + NCLM_MSCA_NAME: ${{ secrets.NCLM_MSCA_NAME }} + NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }} - - name: "[ ENROLL ] HTTP-01 single domain certbot" + - name: "Execute install scipt" run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem + docker exec acme-srv sh /tmp/acme2certifier/$EXEC_SCRIPT restart + env: + EXEC_SCRIPT: ${{ matrix.execscript }} - - name: "[ ENROLL ] lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + - name: "Test enrollment" + uses: ./.github/actions/acme_clients + with: + USE_RSA: true + HOSTNAME_SUFFIX: -${{ env.UUID }} - name: "[ * ] collecting test logs" if: ${{ failure() }} + continue-on-error: true run: | mkdir -p ${{ github.workspace }}/artifact/upload + mkdir -p ${{ github.workspace }}/artifact/clients docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + sudo cp *.pem ${{ github.workspace }}/artifact/data/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/clients/acme-sh/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/clients/certbot/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/clients/lego/ sudo 
rm ${{ github.workspace }}/artifact/data/*.rpm docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data clients acme-srv.log - name: "[ * ] uploading artificates" uses: actions/upload-artifact@v4 if: ${{ failure() }} with: - name: nclm_ca_handler_rpm-rh${{ matrix.rhversion }}.tar.gz + name: nclm_ca_handler_rpm-rh${{ matrix.rhversion }}-${{ matrix.execscript}}.tar.gz path: ${{ github.workspace }}/artifact/upload/ \ No newline at end of file diff --git a/.github/workflows/ca_handler_tests_openssl.yml b/.github/workflows/ca_handler_tests_openssl.yml index 357f2025..fac0b65c 100644 --- a/.github/workflows/ca_handler_tests_openssl.yml +++ b/.github/workflows/ca_handler_tests_openssl.yml 
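Review bot: The failure log collection copies `acme-sh/` three times: the two added lines ending in `artifact/clients/certbot/` and `artifact/clients/lego/` look like a copy-paste slip and should read `sudo cp -rp certbot/ ${{ github.workspace }}/artifact/clients/certbot/` and `sudo cp -rp lego/ ${{ github.workspace }}/artifact/clients/lego/`, otherwise the certbot and lego client output is never captured. Separately, the new django setup step writes `api_password: $NCLM_API_PASSWORD` into `data/volume/acme_srv.cfg` after a `chmod 777`, and on failure `sudo cp -rp data/` places that file into the archive handed to `actions/upload-artifact`; GitHub masks secrets in job logs but not inside artifact contents, so the NCLM credentials end up readable by anyone who can download the artifact. The rpm leg's `data/acme_srv.cfg` already had this exposure, so redacting before the tar, e.g. `find ${{ github.workspace }}/artifact/data -name acme_srv.cfg -exec sudo sed -i 's/^api_password:.*/api_password: <redacted>/' {} +`, or excluding the cfg from the archive, would close both legs at once.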
@@ -21,105 +21,26 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: "create folders" - run: | - mkdir lego - mkdir acme-sh - mkdir certbot - - - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})" - working-directory: examples/Docker/ - run: | - sudo apt-get install -y docker-compose - sudo mkdir -p data - sed -i "s/wsgi/$DB_HANDLER/g" .env - sed -i "s/apache2/$WEB_SRV/g" .env - cat .env - docker network create acme - docker-compose up -d - docker-compose logs - env: - WEB_SRV: ${{ matrix.websrv }} + - name: "Build container" + uses: ./.github/actions/container_prep + with: DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - name: "Setup a2c with openssl_ca_handler - default" run: | - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py sudo mkdir -p examples/Docker/data/acme_ca/certs sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg examples/Docker/data/acme_srv.cfg cd examples/Docker/ docker-compose restart - docker-compose logs - - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f 
https://acme-srv/directory - - - name: "Prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - name: "Enroll acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "Basic Constraints: critical" - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "Digital Signature, Key Encipherment" - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication" - - - name: "Revoke via acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --revoke -d acme-sh.acme --standalone --debug 3 --output-insecure - - - name: "Register certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "Enroll certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout - sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Basic Constraints: critical" 
- sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Digital Signature, Key Encipherment" - sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication" - - - name: "Revoke HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot - - - name: "Enroll lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "Basic Constraints: critical" - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "Digital Signature, Key Encipherment" - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication" - - - name: "Revoke lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - name: "Setup a2c with openssl_ca_handler - with template" run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + sudo cp 
.github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg examples/Docker/data/acme_srv.cfg sudo chmod 777 examples/Docker/data/acme_srv.cfg sudo echo -e "\nopenssl_conf: volume/acme_ca/openssl.cnf" >> examples/Docker/data/acme_srv.cfg sudo touch examples/Docker/data/acme_ca/openssl.cnf 
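Review bot: Replacing the per-client enroll/revoke steps with `uses: ./.github/actions/acme_clients` drops the assertions this job made on the issued certificates' extensions (`Basic Constraints: critical`, `Digital Signature, Key Encipherment`, the server/client-auth EKU), and nothing in the new step restores them. If the shared action's `VERIFY_CERT` input only performs a chain verification, the default-profile extension checks for this handler are now untested; either keep a small follow-up step that greps those extensions on the enrolled certificates, or note on the step that extension coverage intentionally moved to the template-specific actions. The "Setup a2c" step also no longer runs `docker-compose logs` after the restart, which previously made container start-up problems visible in the job log.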
@@ -128,85 +49,31 @@ jobs: sudo echo -e "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement\nextendedKeyUsage = critical, serverAuth, OCSPSigning\n" >> examples/Docker/data/acme_ca/openssl.cnf cd examples/Docker/ docker-compose restart - docker-compose logs - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "Enroll acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force - # openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "Basic Constraints: critical" - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement" - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "TLS Web Server Authentication, OCSP Signing" - - - name: "Revoke via acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --revoke -d acme-sh.acme --standalone --debug 3 --output-insecure - - - name: "Register certbot" - run: | - sudo rm -rf certbot/* - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "Enroll certbot" - run: | - docker run 
-i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - # sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout - sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Basic Constraints: critical" - sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement" - sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "TLS Web Server Authentication, OCSP Signing" - - - name: "Revoke certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot - - - name: "Enroll lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - # sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "Basic Constraints: critical" - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement" - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "TLS Web Server Authentication, OCSP Signing" - - - name: "Revoke lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email 
"lego@example.com" -d lego.acme revoke + - name: "With Tempßlate - enrollment" + uses: ./.github/actions/wf_specific/openssl_ca_handler/enroll_w_teamplate - name: "Setup a2c with openssl_ca_handler - cn_enforce" run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg examples/Docker/data/acme_srv.cfg sudo chmod 777 examples/Docker/data/acme_srv.cfg sudo echo -e "\ncn_enforce: True" >> examples/Docker/data/acme_srv.cfg cd examples/Docker/ docker-compose restart - docker-compose logs - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s + - name: "With CN enforce - enrollment" + uses: ./.github/actions/wf_specific/openssl_ca_handler/enroll_cn_enforce - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + - name: "Setup a2c with openssl_ca_handler - adjust cert_validity" + run: | + sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg examples/Docker/data/acme_srv.cfg + sudo chmod 777 examples/Docker/data/acme_srv.cfg + sudo sed -i "s/cert_validity_days: 30/cert_validity_days: 3650\ncert_validity_adjust: True/g" examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + docker-compose restart - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory + - name: "With cert_validity - enrollment" + uses: ./.github/actions/wf_specific/openssl_ca_handler/enroll_adjust_cert_validity - name: "[ * ] collecting test logs" if: ${{ failure() }} 
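Review bot: The new step name `"With Tempßlate - enrollment"` contains a stray `ß`, and the same misspelled name is added again in the rpm job later in this file (the `@@ -285,125 +94,126 @@` hunk); `- name: "With Template - enrollment"` fixes both. The action path `enroll_w_teamplate` is misspelled too, but since it has to match the directory name under `.github/actions/wf_specific/openssl_ca_handler/` it can only be corrected together with a rename of that directory.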
@@ -220,64 +87,6 @@ jobs: docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego - - name: "Register certbot" - run: | - sudo rm -rf certbot/* - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "Enroll certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout - sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Basic Constraints: critical" - sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Digital Signature, Key Encipherment" - sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication" - sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Subject: CN = certbot.acme" - - - name: "Revoke certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot - - - name: "Setup a2c with openssl_ca_handler - adjust cert_validity" - run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem 
test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo sed -i "s/cert_validity_days: 30/cert_validity_days: 3650\ncert_validity_adjust: True/g" examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "Register certbot" - run: | - sudo rm -rf certbot/* - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "Enroll certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout - sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Not After : Jun 9 17:17:00 2030 GMT" - - - name: "Revoke certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot - - name: "[ * ] uploading artificates" uses: actions/upload-artifact@v4 if: ${{ failure() }} 
@@ -285,125 +94,126 @@ jobs: name: openssl_ca_handler_tests-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz.tar.gz path: ${{ github.workspace }}/artifact/upload/ - openssl_ca_handler_no_tmpl_tests_rpm: - name: "openssl_ca_handler_no_tmpl_tests_rpm" + openssl_ca_handler_tests_rpm: + name: "openssl_ca_handler_tests_rpm" runs-on: ubuntu-latest strategy: fail-fast: false matrix: rhversion: [8, 9] + execscript: ['rpm_tester.sh', 'django_tester.sh'] + steps: - name: "checkout GIT" uses: actions/checkout@v4 - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: update version number in spec file - run: | - # sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - cat examples/install_scripts/rpm/acme2certifier.spec - - - name: build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" - - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" + GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} + GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} - - name: "[ PREPARE ] setup environment for alma installation" + - name: "Setup a2c with openssl_ca_handler" + if: matrix.execscript == 'rpm_tester.sh' run: | - docker network create acme - sudo mkdir -p data - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data + sudo mkdir -p data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem 
test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/ + sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/acme_srv.cfg - - name: "[ PREPARE ] create letsencrypt and lego folder" + - name: "Setup a2c with openssl_ca_handler for django" + if: matrix.execscript == 'django_tester.sh' run: | - mkdir certbot - mkdir lego + sudo mkdir -p data/volume/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/volume/acme_ca/ + sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/volume/acme_srv.cfg - - name: "Retrieve rpms from SBOM repo" + - name: "Execute install scipt" run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data + docker exec acme-srv sh /tmp/acme2certifier/$EXEC_SCRIPT env: - GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} - GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + EXEC_SCRIPT: ${{ matrix.execscript }} - - name: "[ PREPARE ] prepare acme_srv.cfg with openssl_ca_handler" + - name: "Test enrollment" + uses: ./.github/actions/acme_clients + + - name: "Setup a2c with openssl_ca_handler - with template" + if: matrix.execscript == 'rpm_tester.sh' run: | - mkdir -p data/acme_ca - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/ sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/acme_srv.cfg + sudo chmod 777 data/acme_srv.cfg + sudo echo -e "\nopenssl_conf: volume/acme_ca/openssl.cnf" >> data/acme_srv.cfg + sudo touch data/acme_ca/openssl.cnf + sudo chmod 777 data/acme_ca/openssl.cnf + sudo echo -e "[extensions]\nbasicConstraints = critical, CA:FALSE\nsubjectKeyIdentifier = critical, hash, issuer:always\nauthorityKeyIdentifier = keyid:always, issuer:always" >> data/acme_ca/openssl.cnf + sudo echo -e "keyUsage = 
critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement\nextendedKeyUsage = critical, serverAuth, OCSPSigning\n" >> data/acme_ca/openssl.cnf - - name: "[ PREPARE ] Almalinux instance" + - name: "Setup a2c with openssl_ca_handler - with template" + if: matrix.execscript == 'django_tester.sh' run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd + sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/volume/acme_srv.cfg + sudo chmod 777 data/volume/acme_srv.cfg + sudo echo -e "\nopenssl_conf: volume/acme_ca/openssl.cnf" >> data/volume/acme_srv.cfg + sudo touch data/volume/acme_ca/openssl.cnf + sudo chmod 777 data/volume/acme_ca/openssl.cnf + sudo echo -e "[extensions]\nbasicConstraints = critical, CA:FALSE\nsubjectKeyIdentifier = critical, hash, issuer:always\nauthorityKeyIdentifier = keyid:always, issuer:always" >> data/volume/acme_ca/openssl.cnf + sudo echo -e "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement\nextendedKeyUsage = critical, serverAuth, OCSPSigning\n" >> data/volume/acme_ca/openssl.cnf - - name: "[ RUN ] Execute install scipt" + - name: "Reconfigure a2c" run: | - docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh + docker exec acme-srv sh /tmp/acme2certifier/$EXEC_SCRIPT restart + env: + EXEC_SCRIPT: ${{ matrix.execscript }} - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + - name: "With Tempßlate - enrollment" + uses: ./.github/actions/wf_specific/openssl_ca_handler/enroll_w_teamplate - - name: "[ PREPARE ] prepare acme.sh container" + - name: "Setup a2c with openssl_ca_handler - 
cn_enforce" + if: matrix.execscript == 'rpm_tester.sh' run: | - sudo mkdir acme-sh - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/acme_srv.cfg + sudo chmod 777 data/acme_srv.cfg + sudo echo -e "\ncn_enforce: True" >> data/acme_srv.cfg - - name: "[ ENROLL ] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force - sudo openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "Basic Constraints: critical" - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "Digital Signature, Key Encipherment" - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication" - - - name: "revoke via acme.sh" + - name: "Setup a2c with openssl_ca_handler for django - cn_enforce" + if: matrix.execscript == 'django_tester.sh' run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --revoke -d acme-sh.acme --standalone --debug 3 --output-insecure + sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/volume/acme_srv.cfg + sudo chmod 777 data/volume/acme_srv.cfg + sudo echo -e "\ncn_enforce: True" >> data/volume/acme_srv.cfg - - name: "[ REGISTER] certbot" + - name: "Reconfigure a2c" run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email + docker exec acme-srv sh /tmp/acme2certifier/$EXEC_SCRIPT restart + env: + 
EXEC_SCRIPT: ${{ matrix.execscript }} - - name: "[ ENROLL ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout - sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Basic Constraints: critical" - sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Digital Signature, Key Encipherment" - sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication" - - - name: "revoke HTTP-01 single domain certbot" + - name: "With CN enforce - enrollment" + if: matrix.execscript == 'rpm_tester.sh' + uses: ./.github/actions/wf_specific/openssl_ca_handler/enroll_cn_enforce + + - name: "Setup a2c with openssl_ca_handler - adjust cert_validity" + if: matrix.execscript == 'rpm_tester.sh' run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot + sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/acme_srv.cfg + sudo chmod 777 data/acme_srv.cfg + sudo sed -i "s/cert_validity_days: 30/cert_validity_days: 3650\ncert_validity_adjust: True/g" data/acme_srv.cfg - - name: "[ ENROLL ] lego" + - name: "Setup a2c with openssl_ca_handler for django - adjust cert_validity" + if: matrix.execscript == 'django_tester.sh' run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile 
data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "Basic Constraints: critical" - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "Digital Signature, Key Encipherment" - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication" - - - name: "revoke HTTP-01 single domain lego" + sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/volume/acme_srv.cfg + sudo chmod 777 data/volume/acme_srv.cfg + sudo sed -i "s/cert_validity_days: 30/cert_validity_days: 3650\ncert_validity_adjust: True/g" data/volume/acme_srv.cfg + + - name: "Reconfigure a2c" run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke + docker exec acme-srv sh /tmp/acme2certifier/$EXEC_SCRIPT restart + env: + EXEC_SCRIPT: ${{ matrix.execscript }} + + - name: "With cert_validity - enrollment" + uses: ./.github/actions/wf_specific/openssl_ca_handler/enroll_adjust_cert_validity - name: "[ * ] collecting test logs" if: ${{ failure() }} @@ -415,7 +225,6 @@ jobs: sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ - sudo rm ${{ github.workspace }}/artifact/data/*.rpm docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log 
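Review bot: The step `"With CN enforce - enrollment"` is gated with `if: matrix.execscript == 'rpm_tester.sh'`, yet the preceding `"Setup a2c with openssl_ca_handler for django - cn_enforce"` and the following `"Reconfigure a2c"` still run on the django leg, so that leg writes `cn_enforce: True` and restarts the server without ever exercising it, while the template and cert_validity enrollment steps in the same job are not gated this way. Either drop the `if` so both legs are tested, or add a comment on the step explaining the exclusion, e.g. `# cn_enforce enrollment is only checked on the rpm leg: <reason>`. The job's log-collection step continues past the end of this hunk.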
@@ -425,5 +234,5 @@ jobs: uses: actions/upload-artifact@v4 if: ${{ failure() }} with: - name: openssl-rpmopenssl_ca_handler_no_tmpl_tests_rpm-rh${{ matrix.rhversion }}.tar.gz + name: openssl-openssl_ca_handler_tests_rpm-rh${{ matrix.rhversion }}.tar.gz path: ${{ github.workspace }}/artifact/upload/ diff --git a/.github/workflows/ca_handler_tests_openxpki.yml b/.github/workflows/ca_handler_tests_openxpki.yml index b0572bf2..57690987 100644 --- a/.github/workflows/ca_handler_tests_openxpki.yml +++ b/.github/workflows/ca_handler_tests_openxpki.yml @@ -1,5 +1,4 @@ name: CA handler tests - OpenXPKI handler - on: push: pull_request: 
@@ -21,154 +20,45 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: "[ PREPARE ] get runner ip" + - name: "Get runner ip" run: | echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV - run: echo "runner IP is ${{ env.RUNNER_IP }}" - - name: "Prepare Environment" - working-directory: examples/Docker/ - run: | - mkdir -p data/openxpki - sudo chmod -R 777 data - docker network create acme - sudo sh -c "echo '$OPENXPKI_IP openxpki' >> /etc/hosts" - sudo cat /etc/hosts - env: - OPENXPKI_IP: ${{ env.RUNNER_IP }} - - - name: "[ PREPARE ] create acme-sh, letsencrypt and lego folders" - run: | - mkdir -p /tmp/openxpki - mkdir certbot - mkdir lego - mkdir acme-sh - - name: "Instanciate OpenXPKI server" - working-directory: /tmp/openxpki - run: | - sudo apt-get install -y docker-compose - git clone https://github.com/openxpki/openxpki-docker.git - cd openxpki-docker/ - git clone https://github.com/openxpki/openxpki-config.git --single-branch --branch=community - cd openxpki-config/ - # git checkout a86981e2929e68f3fe3530a83bdb7a4436dfd604 - cd .. 
- sed -i "s/value: 0/value: 1/g" openxpki-config/config.d/realm/democa/est/default.yaml - sed -i "s/cert_profile: tls_server/cert_profile: tls_client/g" openxpki-config/config.d/realm/democa/est/default.yaml - sed -i "s/approval_points: 1/approval_points: 0/g" openxpki-config/config.d/realm/democa/rpc/enroll.yaml - sed -i "s/export_certificate: chain/export_certificate: fullchain/g" openxpki-config/config.d/realm/democa/rpc/enroll.yaml - sed -i "s/dn: CN=\[\% CN.0 \%\],DC=Test Deployment,DC=OpenXPKI,DC=org/dn: CN=\[\% SAN_DNS.0 \%\]/g" openxpki-config/config.d/realm.tpl/profile/tls_server.yaml - cp contrib/wait_on_init.yaml openxpki-config/config.d/system/local.yam - docker-compose up & - - - name: "Sleep for 60s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 60s - - - name: "Fix 1st time start issues with OpenXPKI server" - working-directory: /tmp/openxpki/openxpki-docker - run: | - docker ps - docker stop openxpki-docker_openxpki-server_1 - docker start openxpki-docker_openxpki-server_1 - - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + uses: ./.github/actions/wf_specific/openxpki_ca_handler/openxpki_prep with: - time: 10s - - - name: "Configure OpenXPKI server" - working-directory: /tmp/openxpki - run: | - docker ps - docker exec -id openxpki-docker_openxpki-server_1 /bin/bash /etc/openxpki/contrib/sampleconfig.sh - docker exec -id openxpki-docker_openxpki-client_1 apt-get install -y libjson-pp-perl + RUNNER_IP: ${{ env.RUNNER_IP }} + WORKING_DIR: ${{ github.workspace }}/examples/Docker - - name: "Sleep for 45s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Build container" + uses: ./.github/actions/container_prep with: - time: 45s - - - name: "Enroll keys for Client-authentication via scep" - working-directory: examples/Docker/ - run: | - sudo openssl genrsa -out data/openxpki/client_key.pem 2048 - sudo openssl req -new -key data/openxpki/client_key.pem -subj '/CN=a2c:pkiclient,O=acme' -outform der | base64 > 
/tmp/request.pem - curl -v -H "Content-Type: application/pkcs10" --data @/tmp/request.pem https://$OPENXPKI_IP:8443/.well-known/est/simpleenroll --insecure | base64 -d > /tmp/cert.p7b - sudo openssl pkcs7 -print_certs -in /tmp/cert.p7b -inform der -out data/openxpki/client_crt.pem - sudo openssl pkcs12 -export -out data/openxpki/client_crt.p12 -inkey data/openxpki/client_key.pem -in data/openxpki/client_crt.pem -passout pass:Test1234 - sudo openssl rsa -noout -modulus -in data/openxpki/client_key.pem | openssl md5 - sudo openssl x509 -noout -modulus -in data/openxpki/client_crt.pem | openssl md5 - sudo chmod a+r data/openxpki/client_key.pem - sudo chmod a+r data/openxpki/client_crt.pem - sudo chmod a+r data/openxpki/client_crt.p12 - curl https://$OPENXPKI_IP:8443/.well-known/est/cacerts --insecure | base64 -d > /tmp/cacert.p7b - sudo openssl pkcs7 -print_certs -in /tmp/cacert.p7b -inform der -out data/openxpki/ca_bundle.pem - sudo chmod a+rw data/openxpki/ca_bundle.pem - sudo openssl s_client -connect $OPENXPKI_IP:8443 2>/dev/null > data/openxpki/ca_bundle.pem - - env: - OPENXPKI_IP: ${{ env.RUNNER_IP }} - - - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})" - working-directory: examples/Docker/ - run: | - sudo apt-get install -y docker-compose - sudo mkdir -p data - sed -i "s/wsgi/$DB_HANDLER/g" .env - sed -i "s/apache2/$WEB_SRV/g" .env - cat .env - docker-compose up -d - docker-compose logs - env: - WEB_SRV: ${{ matrix.websrv }} DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - name: "Setup a2c with est_ca_handler" run: | - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py sudo touch examples/Docker/data/acme_srv.cfg sudo chmod 777 
examples/Docker/data/acme_srv.cfg sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg sudo echo "handler_file: examples/ca_handler/est_ca_handler.py" >> examples/Docker/data/acme_srv.cfg sudo echo "est_host: https://openxpki:8443" >> examples/Docker/data/acme_srv.cfg # sudo echo "est_host: https://$OPENXPKI_IP:8443" >> examples/Docker/data/acme_srv.cfg - sudo echo "est_client_cert: volume/openxpki/client_crt.pem" >> examples/Docker/data/acme_srv.cfg - sudo echo "est_client_key: volume/openxpki/client_key.pem" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_bundle: volume/openxpki/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg + sudo echo "est_client_cert: volume/acme_ca/client_crt.pem" >> examples/Docker/data/acme_srv.cfg + sudo echo "est_client_key: volume/acme_ca/client_key.pem" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_bundle: volume/acme_ca/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg cd examples/Docker/ docker-compose restart - docker-compose logs env: OPENXPKI_IP: ${{ env.RUNNER_IP }} - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Test enrollment" + uses: ./.github/actions/acme_clients with: - time: 10s - - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "Enroll via acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure --force - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem 
acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "Enroll lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + REVOCATION: "false" + USE_CERTBOT: "false" - name: "Delete acme-sh, letsencypt and lego folders" run: | 
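Review bot: The `uses: ./.github/actions/acme_clients` step passes only `REVOCATION` and `USE_CERTBOT`; if the action declares a hostname-suffix input as required without a default, none of the call sites in this diff (also at @@ -184, @@ -227, @@ -294, @@ -511, @@ -555, @@ -602, @@ -662 and the pkcs7_soap workflow) supply it, so the runner would at best warn and the clients would enroll against names with an empty suffix. Either give that input a default in the action or pass it explicitly at each call site. The new handler lines also point at `volume/acme_ca/client_crt.pem` while this job's `WORKING_DIR` is `${{ github.workspace }}/examples/Docker`; whether the openxpki_prep action writes the client credentials under that directory's `data/acme_ca/` cannot be seen from this hunk, so please confirm. The `env: OPENXPKI_IP` on the setup step now only feeds the commented-out `est_host` line and can be removed.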
@@ -184,36 +74,19 @@ jobs: sudo echo "handler_file: examples/ca_handler/est_ca_handler.py" >> examples/Docker/data/acme_srv.cfg sudo echo "est_host: https://openxpki:8443" >> examples/Docker/data/acme_srv.cfg # sudo echo "est_host: https://$OPENXPKI_IP:8443" >> examples/Docker/data/acme_srv.cfg - sudo echo "est_client_cert: volume/openxpki/client_crt.p12" >> examples/Docker/data/acme_srv.cfg + sudo echo "est_client_cert: volume/acme_ca/client_crt.p12" >> examples/Docker/data/acme_srv.cfg sudo echo "cert_passphrase: Test1234" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_bundle: volume/openxpki/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_bundle: volume/acme_ca/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg cd examples/Docker/ docker-compose restart - docker-compose logs env: OPENXPKI_IP: ${{ env.RUNNER_IP }} - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Test enrollment" + uses: ./.github/actions/acme_clients with: - time: 10s - - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "Enroll via acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure --force - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "Enroll lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl 
verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + REVOCATION: "false" + USE_CERTBOT: "false" - name: "Delete acme-sh, letsencypt and lego folders" run: | 
@@ -227,66 +100,25 @@ jobs: sudo echo "handler_file: examples/ca_handler/openxpki_ca_handler.py" >> examples/Docker/data/acme_srv.cfg sudo echo "host: https://openxpki:8443" >> examples/Docker/data/acme_srv.cfg # sudo echo "host: https://$OPENXPKI_IP:8443" >> examples/Docker/data/acme_srv.cfg - sudo echo "client_cert: volume/openxpki/client_crt.pem" >> examples/Docker/data/acme_srv.cfg - sudo echo "client_key: volume/openxpki/client_key.pem" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_bundle: volume/openxpki/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg + sudo echo "client_cert: volume/acme_ca/client_crt.pem" >> examples/Docker/data/acme_srv.cfg + sudo echo "client_key: volume/acme_ca/client_key.pem" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_bundle: volume/acme_ca/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg sudo echo "cert_profile_name: tls-server" >> examples/Docker/data/acme_srv.cfg sudo echo "endpoint_name: enroll" >> examples/Docker/data/acme_srv.cfg sudo echo "polling_timeout: 60" >> examples/Docker/data/acme_srv.cfg cd examples/Docker/ docker-compose restart - docker-compose logs env: OPENXPKI_IP: ${{ env.RUNNER_IP }} - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "Enroll via acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure --force - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted 
cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "Revoke via acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - - - name: "Register certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "Enroll certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem - - - name: "Revoke certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot - - - name: "Enroll lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - - - name: "Revoke HTTP-01 single domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - name: "Delete acme-sh, letsencypt and lego folders" run: | - sudo rm -rf certbot/* sudo rm -rf lego/* sudo rm -rf acme-sh/* + sudo rm -rf certbot/* - name: "Reconfigure a2c (pkcs12 support)" run: | 
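Review bot: `uses: ./.github/actions/acme_clients` here has no `with:` block, so revocation and certbot coverage depend entirely on the action's defaults, whereas the est_ca_handler jobs in this file pin `REVOCATION` and `USE_CERTBOT` explicitly. Since the removed inline steps did run certbot and the revoke flows, stating `with: REVOCATION: "true"` / `USE_CERTBOT: "true"` here would keep the intended coverage visible in the workflow and survive a later change of the action's defaults. The same applies to the bare `uses:` lines at @@ -294, @@ -602 and @@ -662.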
@@ -294,56 +126,19 @@ jobs: sudo echo "handler_file: examples/ca_handler/openxpki_ca_handler.py" >> examples/Docker/data/acme_srv.cfg sudo echo "host: https://openxpki:8443" >> examples/Docker/data/acme_srv.cfg # sudo echo "host: https://$OPENXPKI_IP:8443" >> examples/Docker/data/acme_srv.cfg - sudo echo "client_cert: volume/openxpki/client_crt.p12" >> examples/Docker/data/acme_srv.cfg + sudo echo "client_cert: volume/acme_ca/client_crt.p12" >> examples/Docker/data/acme_srv.cfg sudo echo "cert_passphrase: Test1234" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_bundle: volume/openxpki/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_bundle: volume/acme_ca/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg sudo echo "cert_profile_name: tls-server" >> examples/Docker/data/acme_srv.cfg sudo echo "endpoint_name: enroll" >> examples/Docker/data/acme_srv.cfg sudo echo "polling_timeout: 60" >> examples/Docker/data/acme_srv.cfg cd examples/Docker/ docker-compose restart - docker-compose logs env: OPENXPKI_IP: ${{ env.RUNNER_IP }} - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "Enroll via acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure --force - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "Revoke via acme.sh" - run: | - docker run --rm 
-i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - - - name: "Register certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "Enroll HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem - - - name: "Enroll lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - - - name: "Revoke HTTP-01 single domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - name: "[ * ] collecting test logs" if: ${{ failure() }} 
@@ -377,125 +172,24 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: "[ PREPARE ] get runner ip" + - name: "Get runner ip" run: | echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV - run: echo "runner IP is ${{ env.RUNNER_IP }}" - - name: "Prepare Environment" - run: | - mkdir -p data/acme_ca - sudo chmod -R 777 data - docker network create acme - sudo sh -c "echo '$OPENXPKI_IP openxpki' >> /etc/hosts" - env: - OPENXPKI_IP: ${{ env.RUNNER_IP }} - - - name: "[ PREPARE ] create acme-sh, letsencrypt and lego folders" - run: | - mkdir -p /tmp/openxpki - mkdir certbot - mkdir lego - mkdir acme-sh - - name: "Instanciate OpenXPKI server" - working-directory: /tmp/openxpki - run: | - sudo apt-get install -y docker-compose - git clone https://github.com/openxpki/openxpki-docker.git - cd openxpki-docker/ - git clone https://github.com/openxpki/openxpki-config.git --single-branch --branch=community - cd openxpki-config/ - # git checkout a86981e2929e68f3fe3530a83bdb7a4436dfd604 - cd .. 
- sed -i "s/value: 0/value: 1/g" openxpki-config/config.d/realm/democa/est/default.yaml - sed -i "s/cert_profile: tls_server/cert_profile: tls_client/g" openxpki-config/config.d/realm/democa/est/default.yaml - sed -i "s/approval_points: 1/approval_points: 0/g" openxpki-config/config.d/realm/democa/rpc/enroll.yaml - sed -i "s/export_certificate: chain/export_certificate: fullchain/g" openxpki-config/config.d/realm/democa/rpc/enroll.yaml - sed -i "s/dn: CN=\[\% CN.0 \%\],DC=Test Deployment,DC=OpenXPKI,DC=org/dn: CN=\[\% SAN_DNS.0 \%\]/g" openxpki-config/config.d/realm.tpl/profile/tls_server.yaml - cp contrib/wait_on_init.yaml openxpki-config/config.d/system/local.yam - docker-compose up & - - - name: "Sleep for 60s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 60s - - - name: "Fix 1st time start issues with OpenXPKI server" - working-directory: /tmp/openxpki/openxpki-docker - run: | - docker ps - docker stop openxpki-docker_openxpki-server_1 - docker start openxpki-docker_openxpki-server_1 - - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "Configure OpenXPKI server" - working-directory: /tmp/openxpki - run: | - docker ps - docker exec -id openxpki-docker_openxpki-server_1 /bin/bash /etc/openxpki/contrib/sampleconfig.sh - docker exec -id openxpki-docker_openxpki-client_1 apt-get install -y libjson-pp-perl - - - name: "Sleep for 45s" - uses: juliangruber/sleep-action@v2.0.3 + uses: ./.github/actions/wf_specific/openxpki_ca_handler/openxpki_prep with: - time: 45s - - - name: "Enroll keys for Client-authentication via scep" - run: | - sudo openssl genrsa -out data/acme_ca/client_key.pem 2048 - sudo openssl req -new -key data/acme_ca/client_key.pem -subj '/CN=a2c:pkiclient,O=acme' -outform der | base64 > /tmp/request.pem - curl -v -H "Content-Type: application/pkcs10" --data @/tmp/request.pem https://$OPENXPKI_IP:8443/.well-known/est/simpleenroll --insecure | base64 -d > /tmp/cert.p7b - sudo openssl pkcs7 
-print_certs -in /tmp/cert.p7b -inform der -out data/acme_ca/client_crt.pem - sudo openssl pkcs12 -export -out data/acme_ca/client_crt.p12 -inkey data/acme_ca/client_key.pem -in data/acme_ca/client_crt.pem -passout pass:Test1234 - sudo openssl rsa -noout -modulus -in data/acme_ca/client_key.pem | openssl md5 - sudo openssl x509 -noout -modulus -in data/acme_ca/client_crt.pem | openssl md5 - sudo chmod a+r data/acme_ca/client_key.pem - sudo chmod a+r data/acme_ca/client_crt.pem - sudo chmod a+r data/acme_ca/client_crt.p12 - curl https://$OPENXPKI_IP:8443/.well-known/est/cacerts --insecure | base64 -d > /tmp/cacert.p7b - sudo openssl pkcs7 -print_certs -in /tmp/cacert.p7b -inform der -out data/acme_ca/ca_bundle.pem - sudo chmod a+rw data/acme_ca/ca_bundle.pem - sudo openssl s_client -connect $OPENXPKI_IP:8443 2>/dev/null > data/acme_ca/ca_bundle.pem - env: - OPENXPKI_IP: ${{ env.RUNNER_IP }} + RUNNER_IP: ${{ env.RUNNER_IP }} + WORKING_DIR: ${{ github.workspace }} - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: update version number in spec file - run: | - # sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - cat examples/install_scripts/rpm/acme2certifier.spec - - - name: build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" - - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" - - - name: "setup environment for alma installation" - run: | - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp 
examples/Docker/almalinux-systemd/rpm_tester.sh data - - - name: "Retrieve rpms from SBOM repo" - run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data - env: GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} - name: "Setup a2c with est_ca_handler" run: | 
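Review bot: `GH_SBOM_USER`/`GH_SBOM_TOKEN` are now handed to `./.github/actions/rpm_prep` as inputs; if the action kept the `git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/...` form of the removed step, the token is written into the clone's `.git/config` on the runner and stays there for the rest of the job. Cloning through a credential helper or removing the checkout once the RPMs are copied would avoid that; the action is not visible in this hunk, so this is a request to check rather than a confirmed defect. A short comment explaining why this job passes `WORKING_DIR: ${{ github.workspace }}` while the first job passes `${{ github.workspace }}/examples/Docker` would also help, since the two data/ layouts are otherwise easy to confuse.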
@@ -511,30 +205,15 @@ jobs: env: OPENXPKI_IP: ${{ env.RUNNER_IP }} - - name: "Prepare Almalinux instance" - run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - name: "Execute install scipt" run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Enroll via acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure --force - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "Enroll lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + - name: "Test enrollment" + uses: ./.github/actions/acme_clients + with: + REVOCATION: "false" + USE_CERTBOT: "false" - name: "Delete acme-sh, letsencypt and lego folders" run: | @@ -542,7 +221,7 @@ jobs: sudo rm -rf lego/* sudo rm -rf acme-sh/* - - name: "setup a2c with est_ca_handler (pkcs12)" + - name: "Setup a2c with est_ca_handler (pkcs12)" run: | sudo touch data/acme_srv.cfg sudo chmod 777 data/acme_srv.cfg 
@@ -555,27 +234,19 @@ jobs: env: OPENXPKI_IP: ${{ env.RUNNER_IP }} - - name: "[ PREPARE ] reconfigure a2c " + - name: "Reconfigure a2c" run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart - - name: "[ RUN ] Execute install scipt" + - name: "Execute install scipt" run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Enroll via acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure --force - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "Enroll lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + - name: "Test enrollment" + uses: ./.github/actions/acme_clients + with: + REVOCATION: "false" + USE_CERTBOT: "false" - name: "Delete acme-sh, letsencypt and lego folders" run: | 
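Review bot: The renamed step keeps the typo in `- name: "Execute install scipt"`; since the name is being rewritten anyway, `- name: "Execute install script"` is the moment to fix it (the same typo survives as a context line in the @@ -511 hunk). Step names are free text, so the change has no functional effect.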
@@ -602,48 +273,16 @@ jobs: run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart - - name: "Test http://acme-srv/directory is accessible again" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Enroll via acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure --force - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "Revoke via acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - - - name: "Register certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - - name: "Enroll HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem - - - name: "Revoke HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot - - - name: "Enroll lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s 
http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - - - name: "Revoke HTTP-01 single domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke - - - name: "[ PREPARE ] delete acme-sh, letsencypt and lego folders" + - name: "Delete acme-sh, letsencypt and lego folders" run: | sudo rm -rf certbot/* sudo rm -rf lego/* sudo rm -rf acme-sh/* - - name: "reconfigure a2c (pkcs12 support)" + - name: "Reconfigure a2c (pkcs12 support)" run: | sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/openxpki_ca_handler.py" >> data/acme_srv.cfg 
@@ -662,36 +301,14 @@ jobs: run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart - - name: "Test http://acme-srv/directory is accessible again" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Enroll via acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure --force - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "revoke via acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - - - name: "Register certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - - name: "Enroll HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem - - - name: "Enroll lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - - - name: "Revoke HTTP-01 single domain lego" + - name: "Delete acme-sh, letsencypt and 
lego folders" run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke + sudo rm -rf certbot/* + sudo rm -rf lego/* + sudo rm -rf acme-sh/* - name: "[ * ] collecting test logs" if: ${{ failure() }} diff --git a/.github/workflows/ca_handler_tests_pkcs7_soap.yml b/.github/workflows/ca_handler_tests_pkcs7_soap.yml index f41c6b77..0768f7c8 100644 --- a/.github/workflows/ca_handler_tests_pkcs7_soap.yml +++ b/.github/workflows/ca_handler_tests_pkcs7_soap.yml @@ -16,7 +16,7 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: "[ PREPARE ] SOAP server" + - name: "Prepare SOAP server" run: | sudo mkdir -p examples/Docker/data docker network create acme @@ -38,7 +38,7 @@ jobs: XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} - - name: "[ PREPARE ] Build and start SOAP server" + - name: "Build and start SOAP server" working-directory: examples/Docker/ run: | sudo apt-get install -y docker-compose 
@@ -46,25 +46,19 @@ jobs: docker-compose -f soap_srv.yml up -d docker-compose -f soap_srv.yml logs - - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" + - name: "Build docker-compose (apache2_wsgi)" working-directory: examples/Docker/ run: | sudo mv ../../.dockerignore.acme ../../.dockerignore docker-compose up -d - docker-compose logs - - - name: "[ PREPARE ] create letsencrypt and lego folder" - run: | - mkdir certbot - mkdir lego - - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - name: "[ PREPARE ] setup a2c with pkcs7_ca_handler" + - name: "Setup a2c with pkcs7_ca_handler" run: | sudo mkdir -p examples/Docker/data/acme_ca/certs sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ + sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem + sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem + sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem sudo touch examples/Docker/data/acme_srv.cfg sudo chmod 777 examples/Docker/data/acme_srv.cfg sudo cp test/ca/sub-ca-key.pem examples/Docker/data/key.pem 
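Review bot: The three added `sudo cp` lines move a TLS private key (`.github/acme2certifier_key.pem`) out of the repository into the server's data volume with no indication that it is a throwaway CI credential, and with `sudo cp`'s default mode it lands root-owned and world-readable next to the `acme_srv.cfg` the retained context still `chmod 777`s. Add a comment above the copies, `# test-only TLS cert/key committed under .github/ - never reuse outside CI`, and tighten the key's mode (e.g. `sudo chmod 640` on `acme2certifier_key.pem`) if the container user can still read it. The hunk also drops the `docker-compose logs` after `docker-compose up -d`, so a failed apache2_wsgi build will first surface as an enrollment failure several steps later; the failure-only log step may or may not cover that. The `Setup a2c` step runs on past the end of this hunk.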
@@ -82,31 +76,11 @@ jobs: cat examples/Docker/data/acme_srv.cfg cd examples/Docker/ docker-compose restart - docker-compose logs - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - sudo mkdir acme-sh - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ ENROLL ] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "[ REGISTER] certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "[ ENROLL ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - name: "[ ENROLL ] lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt + - name: "Test enrollment" + uses: ./.github/actions/acme_clients + with: + REVOCATION: "false" - name: "[ * ] collecting test logs" if: ${{ failure() }} 
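Review bot: The removed steps verified every issued certificate against the handler's known trust anchor, `openssl verify -CAfile .../root-ca-cert.pem -untrusted .../sub-ca-cert.pem`, whereas the replacement `Test enrollment` step gives the shared action no expected CA at all. If the action verifies the leaf against the chain returned in the ACME response (the `cert-1.pem`/`cert-2.pem` split used by the removed acme.sh step in the rpm workflow), that only proves the returned chain is self-consistent and would not catch the pkcs7 handler signing with the wrong CA. Either keep a pinned check after the action, `sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem`, or add an input to the action naming the expected root. The job's log-collection step continues outside the hunk.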
@@ -135,7 +109,7 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: "[ PREPARE ] SOAP server" + - name: "Prepare SOAP server" run: | sudo mkdir -p examples/Docker/data docker network create acme @@ -157,7 +131,7 @@ jobs: XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} - - name: "[ PREPARE ] Build and start SOAP server" + - name: "Build and start SOAP server" working-directory: examples/Docker/ run: | sudo apt-get install -y docker-compose @@ -165,25 +139,23 @@ jobs: docker-compose -f soap_srv.yml up -d docker-compose -f soap_srv.yml logs - - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" + - name: "Build docker-compose (apache2_wsgi)" working-directory: examples/Docker/ run: | sudo mv ../../.dockerignore.acme ../../.dockerignore docker-compose up -d docker-compose logs - - name: "[ PREPARE ] create letsencrypt and lego folder" - run: | - mkdir certbot - mkdir lego - - name: "Test http://acme-srv/directory is accessible" run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - name: "[ PREPARE ] setup a2c with pkcs7_ca_handler" + - name: "Setup a2c with pkcs7_ca_handler" run: | sudo mkdir -p examples/Docker/data/acme_ca/certs sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ + sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem + sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem + sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem sudo touch examples/Docker/data/acme_srv.cfg sudo chmod 777 examples/Docker/data/acme_srv.cfg sudo cp examples/soap/mock_signer.py examples/Docker/data/ 
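Review bot: The `Setup a2c with pkcs7_ca_handler` step now installs a server TLS certificate and key (`acme2certifier_cert.pem`/`acme2certifier_key.pem`), but nothing in this job asserts that the HTTPS endpoint actually serves a certificate chaining to `acme2certifier_cabundle.pem`; the only `Test http://acme-srv/directory` probe kept here is plaintext, and if the shared action's HTTPS probe runs `curl --insecure` the installed certificate is never validated. Add a pinned probe after the restart, e.g. `docker run -i --rm --network acme -v $PWD/.github/acme2certifier_cabundle.pem:/ca.pem curlimages/curl --cacert /ca.pem -f https://acme-srv/directory`, so a wrong or missing key pair fails fast. A one-line comment marking the key as a test-only credential would also help the next reader. The setup step continues past the end of this hunk.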
@@ -204,31 +176,11 @@ jobs: cat examples/Docker/data/acme_srv.cfg cd examples/Docker/ docker-compose restart - docker-compose logs - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - sudo mkdir acme-sh - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - name: "[ ENROLL ] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "[ REGISTER] certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "[ ENROLL ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - - name: "[ ENROLL ] lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt + - name: "Test enrollment" + uses: ./.github/actions/acme_clients + with: + REVOCATION: "false" - name: "[ * ] collecting test logs" if: ${{ failure() }} 
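Review bot: The removed acme.sh step enrolled with `--alpn --standalone` (tls-alpn-01), while the replacement delegates to the shared action with only `REVOCATION: "false"`; unless that action also issues via `--alpn`, this job loses its only tls-alpn-01 coverage for the pkcs7/SOAP handler, the challenge type most sensitive to the TLS front-end configuration. Either add an input such as `USE_ALPN: "true"` to the action and pass it here, or keep a small `--alpn` acme.sh enrollment alongside the action. The previous job in this file makes the same substitution, so apply the same choice to both. The job's log-collection step continues outside the hunk.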
diff --git a/.github/workflows/ca_handler_tests_xca.yml b/.github/workflows/ca_handler_tests_xca.yml index cac80ae4..57e1db19 100644 --- a/.github/workflows/ca_handler_tests_xca.yml +++ b/.github/workflows/ca_handler_tests_xca.yml @@ -21,26 +21,11 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})" - working-directory: examples/Docker/ - run: | - sudo apt-get install -y docker-compose - sudo mkdir -p data - sed -i "s/wsgi/$DB_HANDLER/g" .env - sed -i "s/apache2/$WEB_SRV/g" .env - cat .env - docker network create acme - docker-compose up -d - docker-compose logs - env: - WEB_SRV: ${{ matrix.websrv }} + - name: "Build container" + uses: ./.github/actions/container_prep + with: DB_HANDLER: ${{ matrix.dbhandler }} - - - name: "Create acme-sh and lego folder" - run: | - mkdir acme-sh - mkdir certbot - mkdir lego + WEB_SRV: ${{ matrix.websrv }} - name: "No template - Setup a2c with xca_ca_handler" run: | 
@@ -70,59 +55,11 @@ jobs: XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} - - name: "No template - Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "No template - Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "No template - Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "No template - Enroll acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "Basic Constraints: critical" - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "Digital Signature, Key Encipherment" - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "TLS Web Server Authentication" - - - name: "No template - Revoke via acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke -d acme-sh.acme --standalone --debug 3 --output-insecure + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - - name: "No template - Register certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "No template - Enroll certbot" - 
run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout - sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Basic Constraints: critical" - sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Digital Signature, Key Encipherment" - sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "TLS Web Server Authentication" - - - name: "No template - Revoke certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot - - - name: "No template - Enroll lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "Basic Constraints: critical" - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "Digital Signature, Key Encipherment" - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "TLS Web Server Authentication" - - - name: "No template - Revoke lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke + - 
name: "No Template - enrollment" + uses: ./.github/actions/wf_specific/xca_ca_handler/enroll_no_template - name: "Template - Setup a2c with xca_ca_handler" run: | 
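Review bot: The removed "No template" steps asserted `Basic Constraints: critical`, key usage and EKU on every issued certificate; those checks are now expected to live in `enroll_no_template`, which is not in this diff, so please confirm they survived the move. Note the old grep matched the extension header only and would pass for `CA:TRUE` just as well as `CA:FALSE`; when porting it, tighten it to `openssl x509 -in ... -noout -text | grep "CA:FALSE"` so the test actually catches the xca handler issuing a CA-capable leaf. The generic `Test enrollment` step is also reused with the same name in every section; `name: "No template - Test enrollment"` would make a failure attributable in the job log.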
@@ -148,59 +85,11 @@ jobs: XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} - - name: "Template - Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "Template - Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Template - Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "Template - Enroll acme.sh" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement" - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication" - - - name: "Template - Revoke via acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - - - name: "Template - Register certbot" - run: | - sudo rm -rf certbot/* - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "Template - Enroll certbot" - run: | - docker run -i --rm --name certbot --network acme -v 
$PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout - sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement" - sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication" - - - name: "Template - Revoke certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot - - - name: "Template - Enroll lego" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement" - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication" + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - - name: "Template - Revoke lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke + - name: "Template - enrollment" + uses: 
./.github/actions/wf_specific/xca_ca_handler/enroll_template - name: "Header-info - Setup a2c with xca_ca_handler" run: | 
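Review bot: The removed "Template" steps wiped `acme-sh/*`, `certbot/*` and `lego/*` before each enrollment, but the replacement runs `Test enrollment` and `Template - enrollment` straight after the "No template" section with no cleanup in this workflow; if the shared actions do not clear those directories themselves, certbot's `certonly --cert-name certbot` can keep the certificate from the previous section as not yet due for renewal, and the template KU/EKU assertions would then be evaluated against a stale certificate. Add an explicit `sudo rm -rf acme-sh/* certbot/* lego/*` step between sections, or have the action do it. The two steps also share the step name `Test enrollment` with the other sections; `name: "Template - Test enrollment"` would make failures attributable.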
@@ -231,55 +120,8 @@ jobs: XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} - - name: "Header-info - Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "Header-info - Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Header-info - Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "Header-info - 01 - Enroll acme.sh without template_name" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement" - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication" - - - name: "Header-info - 01 - Enroll lego without template_name" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature, Non 
Repudiation, Key Encipherment, Key Agreement" - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Server Authentication, TLS Web Client Authentication" - - - name: "Header-info - 02 - Enroll acme.sh with template_name template" - run: | - sudo rm -rf acme-sh/* - # docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --useragent template_name=template -d acme-sh.acme --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature, Non Repudiation" - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Client Authentication, Code Signing" - - - name: "Header-info - 02 - Enroll lego with template_name template" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent template_name=template -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature, Non Repudiation" - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Client 
Authentication, Code Signing" + - name: "Header-info - enrollment" + uses: ./.github/actions/wf_specific/xca_ca_handler/enroll_headerinfo - name: "EAB - Setup a2c with xca_ca_handler - profiling" run: | 
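Review bot: This section exercises template selection driven purely by the client-supplied `User-Agent` (`--useragent template_name=template`) with no EAB binding, and the removed steps contained only positive cases, unlike the EAB section which had explicit `(to fail)` runs. When porting to `enroll_headerinfo`, add a negative case asserting that an unknown `template_name` is rejected rather than silently falling back, e.g. an acme.sh run with `--useragent template_name=unknown` under `continue-on-error: true` followed by an `if: steps.<id>.outcome != 'failure'` step that exits 1; or, if fallback to the configured default template is intended in header-info mode, state that in a comment and assert the default KU/EKU instead. A header-selected template that yields a `Code Signing` EKU is a client-controlled privilege choice, so the behaviour on bad input deserves an explicit test.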
@@ -325,183 +167,55 @@ jobs: XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} - - name: "EAB - Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "EAB - Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "EAB - Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "EAB - 01 - Enroll acme with a template_name taken from list in kid.json" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature, Non Repudiation" - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Client Authentication, Code Signing" - - - name: "EAB - 01 - Enroll lego with a template_name taken from list in kid.json" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab 
--kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature, Non Repudiation" - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Client Authentication, Code Signing" - - - name: "EAB - 02a - Enroll acme with a template_name taken from header_info NOT included in kid.json (to fail)" - id: acmefail01 - continue-on-error: true - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent template_name=unknown -d acme-sh.acme --standalone --debug 3 --output-insecure - - - name: "EAB - 02a - check result " - if: steps.acmefail01.outcome != 'failure' - run: | - echo "acmefail outcome is ${{steps.acmefail01.outcome }}" - exit 1 - - - name: "EAB - 02b - Enroll acme with a template_name taken from header_info included in kid.json" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key 
V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent template_name=acme -d acme-sh.acme --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement" - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication" - - - name: "EAB - 02a - Enroll lego with a template_name taken from header_info NOT included in kid.json (to fail)" - id: legofail01 - continue-on-error: true - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent template_name=unknown -d lego.acme --http run - - - name: "EAB - 02a - check result " - if: steps.legofail01.outcome != 'failure' - run: | - echo "legofail outcome is ${{steps.legofail01.outcome }}" - exit 1 - - - name: "EAB - 02b - Enroll lego with a template_name taken from header_info included in kid.json" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac 
V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent template_name=acme -d lego.acme --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement" - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Server Authentication, TLS Web Client Authentication" - - - name: "EAB - 03 - Enroll acme with a template_name/ca_name taken from kid.json" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_01 --eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature, Non Repudiation" - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Client Authentication, Code 
Signing" - - - name: "EAB - 03 - Enroll lego with a template_name/ca_name taken from kid.json" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -d lego.acme --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature, Non Repudiation" - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Client Authentication, Code Signing" - - - name: "EAB - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)" - id: acmefail02 - continue-on-error: true - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - - - name: "EAB - 04 - check result " - if: steps.acmefail02.outcome != 'failure' - run: | - echo "acmefail outcome is ${{steps.acmefail02.outcome }}" - exit 1 + - name: "EAB - enrollment" + uses: ./.github/actions/wf_specific/xca_ca_handler/enroll_eab - - name: "EAB - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)" - id: 
legofail02 - continue-on-error: true + - name: "EAB subject profiling - Setup a2c with xca_ca_handler " run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.acme --http run - - - name: "EAB - 04a - check result " - if: steps.legofail02.outcome != 'failure' - run: | - echo "legofail outcome is ${{steps.legofail02.outcome }}" - exit 1 - - - name: "EAB - 05 - Enroll acme with default values from acme.cfg" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement" - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication" - - - name: "EAB - 05 - Enroll lego with default values from acme.cfg" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email 
"lego@example.com" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -d lego.acme --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement" - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Server Authentication, TLS Web Client Authentication" - - - name: "EAB - 06 - Enroll acme with not allowed headerinfo-field (should fail)" - id: acmefail03 - continue-on-error: true - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent template_name=acme -d acme-sh.acme --standalone --debug 3 --output-insecure + sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem + sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem + sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem + sudo cp .github/django_settings.py examples/Docker/data/settings.py + sudo mkdir -p examples/Docker/data/xca + sudo chmod -R 777 examples/Docker/data/xca + sudo cp test/ca/acme2certifier-clean.xdb examples/Docker/data/xca/$XCA_DB_NAME + sudo 
mkdir -p examples/Docker/data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ + sudo touch examples/Docker/data/acme_srv.cfg + sudo chmod 777 examples/Docker/data/acme_srv.cfg + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/xca_ca_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "xdb_file: volume/xca/$XCA_DB_NAME" >> examples/Docker/data/acme_srv.cfg + sudo echo "issuing_ca_name: $XCA_ISSUING_CA" >> examples/Docker/data/acme_srv.cfg + sudo echo "passphrase: $XCA_PASSPHRASE" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_cert_chain_list: [\"root-ca\"]" >> examples/Docker/data/acme_srv.cfg + sudo echo "template_name: $XCA_TEMPLATE" >> examples/Docker/data/acme_srv.cfg + sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg + sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg + sudo echo -e "\n\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg + sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg - - name: "EAB - 06 - check result " - if: steps.acmefail03.outcome != 'failure' - run: | - echo "acmefail outcome is ${{steps.acmefail03.outcome }}" - exit 1 + sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json + sudo chmod 777 examples/eab_handler/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"template_name\"\: \"acme\"/g" examples/Docker/data/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"template_name\"\: \"template\"/g" 
examples/Docker/data/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"issuing_ca_name\": \"root-ca\",\n \"issuing_ca_key\": \"root-ca\"/g" examples/Docker/data/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\",/g" examples/Docker/data/kid_profiles.json + sudo sed -i "s/example.net/acme/g" examples/Docker/data/kid_profiles.json + sudo sed -i '19,20d' examples/Docker/data/kid_profiles.json + sudo sed -i '9d' examples/Docker/data/kid_profiles.json + sudo sed -i "s/\"api_user\"\: \"api_user\",/\"subject\"\: \{\n \"serialNumber\"\: \"*\",\n \"organizationName\"\: \"acme corp\",\n \"organizationalUnitName\"\: \[\"acme1\", \"acme2\"\],\n \"countryName\"\: \"AC\"\n \}/g" examples/Docker/data/kid_profiles.json + cd examples/Docker/ + docker-compose restart + env: + XCA_PASSPHRASE: ${{ secrets.XCA_PASSPHRASE }} + XCA_ISSUING_CA: ${{ secrets.XCA_ISSUING_CA }} + XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} + XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} - - name: "EAB - 06 - Enroll lego with not allowed headerinfo-field (should fail)" - id: legofail03 - continue-on-error: true - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --user-agent template_name=acme -d lego.acme --http run - - - name: "EAB - 06 - check result " - if: steps.legofail03.outcome != 'failure' - run: | - echo "legofail outcome is ${{steps.legofail03.outcome }}" - exit 1 + - name: "EAB subject profiling - enrollment" + uses: ./.github/actions/wf_specific/xca_ca_handler/enroll_eab_sp - name: "[ * ] collecting test logs" if: ${{ failure() }} 
@@ -521,8 +235,8 @@ jobs: name: xca_handler-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz path: ${{ github.workspace }}/artifact/upload/ - xca_handler_tests_profiling_rpm: - name: "xca_handler_tests_profiling_rpm" + xca_handler_tests_rpm: + name: "xca_handler_tests_rpm" runs-on: ubuntu-latest strategy: fail-fast: false 
@@ -532,46 +246,12 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: update version number in spec file - run: | - # sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - cat examples/install_scripts/rpm/acme2certifier.spec - - - name: build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" - - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" - - - name: "Setup environment for alma installation" - run: | - docker network create acme - sudo mkdir -p data - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data - - - name: "Create letsencrypt and lego folder" - run: | - mkdir certbot - mkdir lego - mkdir achme-sh - - - name: "Retrieve rpms from SBOM repo" - run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data - env: GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} - name: "No template - Setup a2c with xca_ca_handler" run: | 
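Review bot: `GH_SBOM_TOKEN` is now handed to the local composite action `rpm_prep` as a `with:` input, so inside that action it is reachable as `${{ inputs.GH_SBOM_TOKEN }}` and, if interpolated straight into a `run:` script, becomes part of the generated shell text instead of an environment variable. The inline step this replaces built the clone URL as `https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom`, a pattern that leaves the credential in `/tmp/sbom/.git/config` for the rest of the job. `rpm_prep` is outside this diff, so confirm it maps the inputs through `env:` and authenticates without embedding the token in the remote URL, e.g. `git -c http.extraheader="AUTHORIZATION: basic $(printf '%s:%s' "$GH_SBOM_USER" "$GH_SBOM_TOKEN" | base64 -w0)" clone https://github.com/$GH_SBOM_USER/sbom /tmp/sbom`. A one-line comment above `with:` naming the expected scope of the token (read-only on the sbom repo) would also help the next person who rotates it.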
@@ -594,62 +274,15 @@ jobs: XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} - - name: "Prepare Almalinux instance" - run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - - name: "Execute install scipt" + - name: "No template - Execute install scipt" run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh - - name: "No template - Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + - name: "No template - Test enrollment" + uses: ./.github/actions/acme_clients - - name: "No template - Enroll acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure - openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "Basic Constraints: critical" - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "Digital Signature, Key Encipherment" - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "TLS Web Server Authentication" - - - name: "No template - Revoke via acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke -d acme-sh.acme --standalone --debug 3 --output-insecure - - - name: "No template - Register 
certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "No template - Enroll HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout - sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Basic Constraints: critical" - sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Digital Signature, Key Encipherment" - sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "TLS Web Server Authentication" - - - name: "No template - Revoke HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot - - - name: "No template - Enroll lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "Basic Constraints: critical" - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "Digital Signature, Key Encipherment" - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "TLS Web 
Server Authentication" - - - name: "No template - Revoke HTTP-01 single domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke + - name: "No Template - enrollment" + uses: ./.github/actions/wf_specific/xca_ca_handler/enroll_no_template - name: "Template - Setup a2c with xca_ca_handler" run: | 
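Review bot: `uses: ./.github/actions/acme_clients` is invoked with no `with:` block, so any input the action declares `required: true` without a `default` is silently empty — GitHub only emits a warning for a missing required input, it does not fail the step. If the action has such an input, the enrollment here runs against an unintended name or the check degrades to a no-op; pass the values explicitly under `with:`, at minimum `NAME_SPACE: acme` to match the `--network acme` the removed steps used. The removed steps also pinned concrete assertions (`openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem …`, plus the `Basic Constraints: critical`, key-usage and EKU greps); both replacement actions live outside this diff, so confirm `enroll_no_template` carries the same checks rather than treating a successful issuance as a pass.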
@@ -676,55 +309,11 @@ jobs: run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart - - name: "Template - Sleep for 5s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 5s - - - name: "Template - Test http://acme-srv/directory is accessible " - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Template - Enroll acme.sh" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure - openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement" - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication" - - - name: "Template - Revoke via acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - - - name: "Template - Register certbot" - run: | - sudo rm -rf certbot/* - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "Template - Enroll HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile 
data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout - sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement" - sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication" - - - name: "Template - Revoke HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot - - - name: "Template - Enroll lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement" - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication" + - name: "Template - Test enrollment" + uses: ./.github/actions/acme_clients - - name: "Template - Revoke HTTP-01 single domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke + - name: "Template - enrollment" + uses: ./.github/actions/wf_specific/xca_ca_handler/enroll_template - name: "Header-info - Setup a2c with xca_ca_handler" run: | 
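Review bot: The two new `uses:` steps run back-to-back against the same client state directories, while the removed steps reset them before re-enrolling (`sudo rm -rf acme-sh/*`, `sudo rm -rf certbot/*`). If neither composite action clears the directories, a second certbot enrollment with the same `--cert-name certbot` creates a new lineage file (`cert2.pem`) while any assertion that still reads `certbot/archive/certbot/cert1.pem` inspects the certificate from the earlier profile, which would mask a regression in the template path. Both actions are outside this diff, so either confirm they reset state themselves or add a step between the two `uses:` lines: `run: sudo rm -rf acme-sh/* certbot/* lego/*`.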
@@ -754,53 +343,8 @@ jobs: run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart - - name: "Header-info - Sleep for 5s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 5s - - - name: "Header-info - Test http://acme-srv/directory is accessible " - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Header-info - 01 - Enroll acme.sh without template_name" - run: | - sudo rm -rf acme-sh/* - # docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement" - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication" - - - name: "Header-info - 01 - Enroll lego without template_name" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital 
Signature, Non Repudiation, Key Encipherment, Key Agreement" - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Server Authentication, TLS Web Client Authentication" - - - name: "Header-info - 02 - Enroll acme.sh with template_name template" - run: | - sudo rm -rf acme-sh/* - # docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --useragent template_name=template -d acme-sh.acme --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature, Non Repudiation" - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Client Authentication, Code Signing" - - - name: "Header-info - 02 - Enroll lego with template_name template" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent template_name=template -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature, Non Repudiation" - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep 
"TLS Web Client Authentication, Code Signing" + - name: "Header-info - enrollment" + uses: ./.github/actions/wf_specific/xca_ca_handler/enroll_headerinfo - name: "EAB - Setup a2c with xca_ca_handler" run: | 
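Review bot: The readiness gate between the restart and the enrollment is gone — the removed `Sleep for 5s` and `curl -f http://acme-srv/directory` steps followed `rpm_tester.sh restart`, and `enroll_headerinfo` now runs straight after that context line. Unless the action (outside this diff) polls the directory endpoint itself, the first enrollment races the restarting service and the job fails intermittently. A bounded poll is more robust than the fixed sleep it replaces: `run: for i in $(seq 1 30); do docker run -i --rm --network acme curlimages/curl -fs http://acme-srv/directory && break; sleep 2; done`. Separately, since this profile lets a client-supplied `User-Agent` (`template_name=template`) pick a template with a different EKU, it is worth confirming the action also keeps a negative case (an unknown template name must be rejected), not only the two positive enrollments the removed steps covered.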
@@ -841,182 +385,54 @@ jobs: run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart - - name: "EAB - Sleep for 5s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 5s - - - name: "EAB - Test http://acme-srv/directory is accessible " - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + - name: "EAB - enrollment" + uses: ./.github/actions/wf_specific/xca_ca_handler/enroll_eab - - name: "EAB - 01 - Enroll acme with a template_name taken from list in kid.json" + - name: "EAB subject profiling - Setup a2c with xca_ca_handler" run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature, Non Repudiation" - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Client Authentication, Code Signing" - - - name: "EAB - 01 - Enroll lego with a template_name taken from list in kid.json" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac 
V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.acme --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature, Non Repudiation" - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Client Authentication, Code Signing" - - - name: "EAB - 02a - Enroll acme with a template_name taken from header_info NOT included in kid.json (to fail)" - id: acmefail01 - continue-on-error: true - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent template_name=unknown -d acme-sh.acme --standalone --debug 3 --output-insecure - - - name: "EAB - 02a - check result " - if: steps.acmefail01.outcome != 'failure' - run: | - echo "acmefail outcome is ${{steps.acmefail01.outcome }}" - exit 1 - - - name: "EAB - 02b - Enroll acme with a template_name taken from header_info included in kid.json" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 
'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent template_name=acme -d acme-sh.acme --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement" - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication" - - - name: "EAB - 02a - Enroll lego with a template_name taken from header_info NOT included in kid.json (to fail)" - id: legofail01 - continue-on-error: true - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent template_name=unknown -d lego.acme --http run - - - name: "EAB - 02a - check result " - if: steps.legofail01.outcome != 'failure' - run: | - echo "legofail outcome is ${{steps.legofail01.outcome }}" - exit 1 - - - name: "EAB - 02b - Enroll lego with a template_name taken from header_info included in kid.json" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" 
--eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent template_name=acme -d lego.acme --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement" - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Server Authentication, TLS Web Client Authentication" - - - name: "EAB - 03 - Enroll acme with a template_name/ca_name taken from kid.json" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_01 --eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature, Non Repudiation" - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web 
Client Authentication, Code Signing" - - - name: "EAB - 03 - Enroll lego with a template_name/ca_name taken from kid.json" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -d lego.acme --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature, Non Repudiation" - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Client Authentication, Code Signing" - - - name: "EAB - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)" - id: acmefail02 - continue-on-error: true - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - - - name: "EAB - 04 - check result " - if: steps.acmefail02.outcome != 'failure' - run: | - echo "acmefail outcome is ${{steps.acmefail02.outcome }}" - exit 1 - - - name: "EAB - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)" - id: legofail02 - continue-on-error: true - run: | - sudo rm -rf lego/* 
- docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.acme --http run - - - name: "EAB - 04a - check result " - if: steps.legofail02.outcome != 'failure' - run: | - echo "legofail outcome is ${{steps.legofail02.outcome }}" - exit 1 - - - name: "EAB - 05 - Enroll acme with default values from acme.cfg" - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement" - openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication" - - - name: "EAB - 05 - Enroll lego with default values from acme.cfg" - run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_03 --hmac 
YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -d lego.acme --http run - sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement" - sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Server Authentication, TLS Web Client Authentication" - - - name: "EAB - 06 - Enroll acme with not allowed headerinfo-field (should fail)" - id: acmefail03 - continue-on-error: true - run: | - sudo rm -rf acme-sh/* - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent template_name=acme -d acme-sh.acme --standalone --debug 3 --output-insecure - - - name: "EAB - 06 - check result " - if: steps.acmefail03.outcome != 'failure' - run: | - echo "acmefail outcome is ${{steps.acmefail03.outcome }}" - exit 1 + mkdir -p data/acme_ca + sudo cp test/ca/acme2certifier-clean.xdb data/acme_ca/$XCA_DB_NAME + sudo mkdir -p examples/Docker/data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/ + sudo touch data/acme_srv.cfg + sudo chmod 777 data/acme_srv.cfg + sudo head -n -8 
.github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg + sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/xca_ca_handler.py" >> data/acme_srv.cfg + sudo echo "xdb_file: volume/acme_ca/$XCA_DB_NAME" >> data/acme_srv.cfg + sudo echo "issuing_ca_name: $XCA_ISSUING_CA" >> data/acme_srv.cfg + sudo echo "passphrase: $XCA_PASSPHRASE" >> data/acme_srv.cfg + sudo echo "ca_cert_chain_list: [\"root-ca\"]" >> data/acme_srv.cfg + sudo echo "template_name: $XCA_TEMPLATE" >> data/acme_srv.cfg + sudo echo "eab_profiling: True" >> data/acme_srv.cfg + sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg + sudo echo -e "\n\n[EABhandler]" >> data/acme_srv.cfg + sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg + sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg + sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json + sudo chmod 777 data/acme_ca/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"template_name\"\: \[\"template\", \"acme\"\]/g" data/acme_ca/kid_profiles.json + sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"template_name\"\: \"template\"/g" data/acme_ca/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"issuing_ca_name\": \"root-ca\",\n \"issuing_ca_key\": \"root-ca\"/g" data/acme_ca/kid_profiles.json + sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\",/g" data/acme_ca/kid_profiles.json + sudo sed -i "s/example.net/acme/g" data/acme_ca/kid_profiles.json + sudo sed -i '19,20d' data/acme_ca/kid_profiles.json + sudo sed -i '9d' data/acme_ca/kid_profiles.json + sudo sed -i "s/\"api_user\"\: \"api_user\",/\"subject\"\: \{\n \"serialNumber\"\: \"*\",\n \"organizationName\"\: \"acme corp\",\n \"organizationalUnitName\"\: \[\"acme1\", 
\"acme2\"\],\n \"countryName\"\: \"AC\"\n \}/g" data/acme_ca/kid_profiles.json + env: + XCA_PASSPHRASE: ${{ secrets.XCA_PASSPHRASE }} + XCA_ISSUING_CA: ${{ secrets.XCA_ISSUING_CA }} + XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} + XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} - - name: "EAB - 06 - Enroll lego with not allowed headerinfo-field (should fail)" - id: legofail03 - continue-on-error: true + - name: "EAB subject profiling - Reconfigure a2c " run: | - sudo rm -rf lego/* - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --user-agent template_name=acme -d lego.acme --http run + docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh + docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart - - name: "EAB - 06 - check result " - if: steps.legofail03.outcome != 'failure' - run: | - echo "legofail outcome is ${{steps.legofail03.outcome }}" - exit 1 + - name: "EAB subject profiling - enrollment" + uses: ./.github/actions/wf_specific/xca_ca_handler/enroll_eab_sp + with: + DEPLOYMENT_TYPE: "rpm" - name: "[ * ] collecting test logs" if: ${{ failure() }} @@ -1035,5 +451,5 @@ jobs: uses: actions/upload-artifact@v4 if: ${{ failure() }} with: - name: xca_handler_tests_profiling_rpm-rh${{ matrix.rhversion }}.tar.gz + name: xca_handler_tests_rpm-rh${{ matrix.rhversion }}.tar.gz path: ${{ github.workspace }}/artifact/upload/ diff --git a/.github/workflows/caddy-application-test.yml b/.github/workflows/caddy-application-test.yml index b386fa63..121e75e7 100644 --- a/.github/workflows/caddy-application-test.yml +++ b/.github/workflows/caddy-application-test.yml 
@@ -23,20 +23,11 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})" - working-directory: examples/Docker/ - run: | - sudo apt-get install -y docker-compose - sudo mkdir -p data - sed -i "s/wsgi/$DB_HANDLER/g" .env - sed -i "s/apache2/$WEB_SRV/g" .env - cat .env - docker network create acme - docker-compose up -d - docker-compose logs - env: - WEB_SRV: ${{ matrix.websrv }} + - name: "Build container" + uses: ./.github/actions/container_prep + with: DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - name: "Setup openssl ca_handler" run: | @@ -57,11 +48,8 @@ jobs: with: time: 10s - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - name: "Create caddy folder and copy configuratation files" run: | @@ -82,6 +70,13 @@ jobs: run: | docker logs caddy 2>&1 | grep "successfully downloaded available certificate chains" docker logs caddy 2>&1 | grep "certificate obtained successfully" + docker logs caddy 2>&1 | grep "got renewal info" + + - name: "Check container configuration" + uses: ./.github/actions/container_check + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - name: "[ * ] collecting test logs" if: ${{ failure() }} diff --git a/.github/workflows/certbot-application-test.yml b/.github/workflows/certbot-application-test.yml index 414a035d..2fb07375 100644 --- a/.github/workflows/certbot-application-test.yml +++ b/.github/workflows/certbot-application-test.yml 
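Review bot: The new `Test enrollment` step calls `./.github/actions/acme_clients` with no `with:` block, so every input falls back to whatever default the action declares; if the action marks any input as required without a default, a composite action only emits a warning for the missing value and the shell steps inside it see an empty string, so the failure surfaces later and less clearly. Passing the inputs this workflow depends on explicitly (the server name, the Docker network, and any input the action requires) keeps the intent visible in the caller. The same bare `uses: ./.github/actions/acme_clients` appears in the container-tests.yml, debian-tests.yml and django_tests..yml hunks below.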
@@ -23,27 +23,13 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})" - working-directory: examples/Docker/ - run: | - sudo apt-get install -y docker-compose - sudo mkdir -p data - sed -i "s/wsgi/$DB_HANDLER/g" .env - sed -i "s/apache2/$WEB_SRV/g" .env - cat .env - docker network create acme - docker-compose up -d - docker-compose logs - env: - WEB_SRV: ${{ matrix.websrv }} - DB_HANDLER: ${{ matrix.dbhandler }} - - - name: "[ PREPARE ] Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Build container" + uses: ./.github/actions/container_prep with: - time: 10s + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - - name: "[ PREPARE ] setup openssl ca_handler" + - name: "Setup openssl ca_handler" run: | sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem @@ -55,7 +41,6 @@ jobs: sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg cd examples/Docker/ docker-compose restart - docker-compose logs - name: "Sleep for 10s" uses: juliangruber/sleep-action@v2.0.3 
@@ -68,42 +53,48 @@ jobs: - name: "Test if https://acme-srv/directory is accessible" run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - name: "[ PREPARE ] create letsencrypt folder" + - name: "Create letsencrypt folder" run: | mkdir certbot - - name: "[ REGISTER] certbot" + - name: "Register certbot" run: | docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - name: "[ ENROLL ] HTTP-01 single domain certbot" + - name: "Enroll HTTP-01 single domain certbot" run: | docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - name: "[ RENEW ] HTTP-01 single domain certbot" + - name: "Renew HTTP-01 single domain certbot" run: | docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - name: "[ REVOKE ] HTTP-01 single domain certbot" + - name: "REvoke HTTP-01 single domain certbot" run: | docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot - - name: "[ ENROLL ] HTTP-01 2x domain certbot" + - name: "Enroll HTTP-01 2x domain certbot" run: | docker run -i --rm 
--name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme -d certbot. --cert-name certbot sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - name: "[ RENEW ] HTTP-01 single domain certbot" + - name: "Renew HTTP-01 single domain certbot" run: | docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme -d certbot. --cert-name certbot sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - name: "[ REVOKE ] HTTP-01 single domain certbot" + - name: "Revoke HTTP-01 single domain certbot" run: | docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme -d certbot. --cert-name certbot + - name: "Check container configuration" + uses: ./.github/actions/container_check + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + - name: "[ * ] collecting test logs" if: ${{ failure() }} run: | diff --git a/.github/workflows/codescanner.yml b/.github/workflows/codescanner.yml index 7309e56f..91e9748a 100644 --- a/.github/workflows/codescanner.yml +++ b/.github/workflows/codescanner.yml @@ -61,7 +61,7 @@ jobs: python -m pip install --upgrade pip pip install lxml beautifulsoup4 html5lib pip install pytest - pip install pytest-cov + pip install pytest-cov impacket if [ -f requirements.txt ]; then pip install -r requirements.txt; fi pytest --cov=./ --cov-report=xml 
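Review bot: The renamed step `REvoke HTTP-01 single domain certbot` has a stray capital, and the two steps that follow `Enroll HTTP-01 2x domain certbot` keep the `single domain` wording although they renew and revoke the two-name certificate, so the run log shows `Renew HTTP-01 single domain certbot` twice. Suggest `- name: "Revoke HTTP-01 single domain certbot"` for the first, and `- name: "Renew HTTP-01 2x domain certbot"` / `- name: "Revoke HTTP-01 2x domain certbot"` for the pair after the two-domain enrollment.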
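Review bot: `impacket` is appended unpinned to the ad-hoc `pip install pytest-cov impacket` line, and the next hunk repeats it in `pip install pytest coverage impacket`, so the two jobs' test dependencies now have to be kept in sync by hand. If it is only needed by the tests, declaring it once — in a test requirements file picked up by the existing `if [ -f requirements.txt ]` pattern, or at least pinned to the same version on both lines — keeps the scanner and coverage jobs reproducible and consistent.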
@@ -94,7 +94,7 @@ jobs: - name: Install pytest coverage and any other packages run: | python -m pip install --upgrade pip - pip install pytest coverage + pip install pytest coverage impacket if [ -f requirements.txt ]; then pip install -r requirements.txt; fi - name: run coverage @@ -123,7 +123,7 @@ jobs: # If this run was triggered by a pull request event, then checkout # the head of the pull request instead of the merge commit. - run: git checkout HEAD^2 - if: ${{ github.event_name == 'pull_request' }} + if: github.event_name == 'pull_request' # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL diff --git a/.github/workflows/container-tests.yml b/.github/workflows/container-tests.yml index 2d76c63d..301f32bc 100644 --- a/.github/workflows/container-tests.yml +++ b/.github/workflows/container-tests.yml 
@@ -20,54 +20,31 @@ jobs: steps: - uses: actions/checkout@v4 - - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})" - working-directory: examples/Docker/ - run: | - sudo apt-get install -y docker-compose - sudo mkdir -p data - sed -i "s/wsgi/$DB_HANDLER/g" .env - sed -i "s/apache2/$WEB_SRV/g" .env - docker network create acme - docker-compose up -d - docker-compose logs - env: - WEB_SRV: ${{ matrix.websrv }} + + - name: "Build container" + uses: ./.github/actions/container_prep + with: DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - - name: "Enable tls" + - name: "Configure a2c" run: | sudo mkdir -p examples/Docker/data/acme_ca/certs sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg cd examples/Docker/ docker-compose restart - docker-compose logs - - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - name: "Test if http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "Enroll via acme.sh (http)" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --name=acme-sh --network acme 
neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "Enroll via acme.sh (https)" + - name: "Delete acme-sh, letsencypt and lego folders" run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --name=acme-sh --network acme neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --insecure --standalone --debug 3 --output-insecure --force - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + sudo rm -rf lego/* + sudo rm -rf acme-sh/* + sudo rm -rf certbot/* + sudo rm -rf *.pem - name: "Test ca_handler_migration" run: | 
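Review bot: The new `Delete acme-sh, letsencypt and lego folders` step clears the workspace root with `sudo rm -rf *.pem`; the files it means to remove are presumably the split chain written by the enrollment action (`cert-1.pem`, `cert-2.pem`), but the glob would also take any `.pem` that is tracked at the repository root. Naming the files, `sudo rm -f cert-1.pem cert-2.pem`, limits the step to what the workflow itself created. `letsencypt` in the step name should read `letsencrypt`.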
@@ -75,28 +52,22 @@ jobs: cd examples/Docker/ docker-compose restart head -n 13 data/ca_handler.py - docker-compose logs - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Test enrollment" + uses: ./.github/actions/acme_clients with: - time: 10s - - - name: "Test if http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Enroll via acme.sh (http)" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --name=acme-sh --network acme neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure --force + VERIFY_CERT: false + REVOCATION: false - name: "[ * ] collecting test data" if: ${{ failure() }} run: | mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ cd examples/Docker docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme_sh + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh - name: "[ * ] uploading artifacts" uses: actions/upload-artifact@v4 diff --git a/.github/workflows/debian-tests.yml b/.github/workflows/debian-tests.yml new file mode 100644 index 00000000..a25903f8 --- /dev/null +++ b/.github/workflows/debian-tests.yml 
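Review bot: `VERIFY_CERT: false` and `REVOCATION: false` are passed as bare YAML booleans although composite-action inputs are strings and every other caller of `acme_clients` leaves them at the action's string defaults; quoting them, `VERIFY_CERT: "false"` and `REVOCATION: "false"`, makes the comparison inside the action unambiguous and matches the input declarations. The step also gives no reason why chain verification and revocation are skipped for the ca_handler_migration path; a one-line comment above the `with:` block stating why they are disabled would stop a later reader from re-enabling them or, worse, copying the disabled settings into the other workflows.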
@@ -0,0 +1,101 @@ +name: Debian Tests + +on: + push: + pull_request: + branches: [ devel ] + schedule: + # * is a special character in YAML so you have to quote this string + - cron: '0 2 * * 6' + +jobs: + + deb_build: + name: "deb_build" + runs-on: ubuntu-latest + steps: + + - name: "checkout GIT" + uses: actions/checkout@v4 + + - name: "deb build and upload" + uses: ./.github/actions/deb_build_upload + + deb_tests: + name: "deb_tests" + needs: deb_build + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + websrv: ['apache2', 'nginx'] + execscript: ['deb_tester.sh', 'django_tester.sh'] + + steps: + - name: "checkout GIT" + uses: actions/checkout@v4 + + - name: "Prepare Ubuntu environment" + if: matrix.execscript == 'deb_tester.sh' + uses: ./.github/actions/deb_prep + with: + DEB_BUILD: false + + - name: "Prepare Ubuntu environment" + if: matrix.execscript == 'django_tester.sh' + uses: ./.github/actions/deb_prep + with: + DEB_BUILD: false + DJANGO_DB: psql + + - name: "Retrieve Version from version.py" + run: | + echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV + + - name: Download debian package + uses: actions/download-artifact@v4 + with: + name: acme2certifier_${{ env.TAG_NAME }}-${{ github.run_id }}-1_all.deb + path: data/ + + - name: "Prepare acme_srv.cfg with openssl_ca_handler" + run: | + mkdir -p data/volume/acme_ca + sudo mkdir -p data/volume/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/volume/acme_ca/ + sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/volume/acme_srv.cfg + sudo sed -i "s/examples\/ca_handler/\/var\/www\/acme2certifier\/examples\/ca_handler/g" data/volume/acme_srv.cfg + sudo sed -i "s/volume/\/var\/www\/acme2certifier\/volume/g" data/volume/acme_srv.cfg + + - name: "Execute install scipt" + run: | + docker exec acme-srv sh 
/tmp/acme2certifier/$EXECSCRIPT install $WEBSRV + env: + WEBSRV: ${{ matrix.websrv }} + EXECSCRIPT: ${{ matrix.execscript }} + + - name: "Test enrollment" + uses: ./.github/actions/acme_clients + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /var/www/acme2certifier + sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ + sudo rm ${{ github.workspace }}/artifact/data/*.deb + if [ ${{ matrix.websrv }} == "apache2" ]; then + docker exec acme-srv cat /var/log/apache2/error.log > ${{ github.workspace }}/artifact/acme-srv.log + else + docker exec acme-srv cat /var/log/nginx/error.log > ${{ github.workspace }}/artifact/acme-srv.log + fi + docker exec acme-srv cat /var/log/syslog > ${{ github.workspace }}/artifact/syslog + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log syslog + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v4 + if: ${{ failure() }} + with: + name: deb_test-${{ matrix.websrv }}-${{ matrix.execscript }}.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + diff --git a/.github/workflows/django_tests..yml b/.github/workflows/django_tests..yml index 86d6e44b..91558bbb 100644 --- a/.github/workflows/django_tests..yml +++ b/.github/workflows/django_tests..yml 
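Review bot: The log-collection step interpolates `${{ matrix.websrv }}` straight into the shell conditional, `if [ ${{ matrix.websrv }} == "apache2" ]; then`, whereas the install step two lines above already routes the same value through an environment variable; the matrix values are fixed here, but this is the pattern that turns into a script-injection point once an expression carries data from an event payload. Use `if [ "$WEBSRV" = "apache2" ]; then` with `env: WEBSRV: ${{ matrix.websrv }}` on this step as well. Two steps share the name `Prepare Ubuntu environment` (only their `if:` differs), which makes the run log hard to read, and `Execute install scipt` / `uploading artificates` have typos.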
@@ -9,95 +9,50 @@ on: - cron: '0 2 * * 6' jobs: - apache_django_mariadb: - name: "apache_django_mariadb" + django_mariadb: + name: "django_mariadb" runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + websrv: ['apache2', 'nginx'] + steps: - name: "checkout GIT" uses: actions/checkout@v4 - - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})" - working-directory: examples/Docker/ - run: | - sudo apt-get install -y docker-compose - sed -i "s/wsgi/django/g" .env - sudo mkdir -p data/mysql - docker network create acme - docker-compose up -d - docker-compose logs - - - name: "install mariadb" - working-directory: examples/Docker/ - run: | - # docker run --name mariadbsrv --network acme -v $PWD/data/mysql:/var/lib/mysql -e MARIADB_ROOT_PASSWORD=foobar -d mariadb - docker run --name mariadbsrv --network acme -e MARIADB_ROOT_PASSWORD=foobar -d mariadb - - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Build container" + uses: ./.github/actions/container_prep with: - time: 10s - - - name: "configure mariadb" - working-directory: examples/Docker/ - run: | - docker exec mariadbsrv mariadb -u root --password=foobar -e"CREATE DATABASE acme2certifier CHARACTER SET UTF8;" - docker exec mariadbsrv mariadb -u root --password=foobar -e"GRANT ALL PRIVILEGES ON acme2certifier.* TO 'acme2certifier'@'%' IDENTIFIED BY '1mmSvDFl';" - docker exec mariadbsrv mariadb -u root --password=foobar -e"FLUSH PRIVILEGES;" + DB_HANDLER: "django" + WEB_SRV: ${{ matrix.websrv }} + DJANGO_DB: "mariadb" - - name: "configure acme2certifier" + - name: "Setup openssl ca_handler" run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py sudo mkdir -p examples/Docker/data/acme_ca/certs sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg 
examples/Docker/data/acme_srv.cfg - sudo cp .github/django_settings_mariadb.py examples/Docker/data/settings.py - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem + sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg examples/Docker/data/acme_srv.cfg cd examples/Docker/ sudo chmod 777 data/acme_srv.cfg sudo echo "" >> data/acme_srv.cfg sudo echo "[Directory]" >> data/acme_srv.cfg sudo echo "url_prefix: /foo" >> data/acme_srv.cfg + grep -i 'django.db.backends.mysql' data/settings.py docker-compose restart - docker-compose logs - - name: "Sleep for 5s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 5s - - - name: "Test if http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "register via http" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2 + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - - name: "register via https" - run: | - docker exec -i acme-sh acme.sh --server https://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2 - - - name: "acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure - - - name: "certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "HTTP-01 
single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem + - name: "Check container configuration" + uses: ./.github/actions/container_check + with: + DB_HANDLER: "django" + WEB_SRV: ${{ matrix.websrv }} - name: "[ * ] collecting test logs" if: ${{ failure() }} + continue-on-error: true run: | docker exec mariadbsrv mariadb-dump -u root --password=foobar acme2certifier > /tmp/acme2certifer.sql mkdir -p ${{ github.workspace }}/artifact/upload 
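Review bot: The new sanity check `grep -i 'django.db.backends.mysql' data/settings.py` uses an unescaped regex, where each `.` matches any character; `grep -F 'django.db.backends.mysql' data/settings.py` matches the literal backend path, and the same applies to the `postgresql_psycopg2` grep in the next hunk of this file. That second pattern names the `django.db.backends.postgresql_psycopg2` module, which as far as I recall was an alias removed in Django 3.0; if the container runs a recent Django, confirm that the settings.py written by container_prep uses the backend name the installed version accepts, so the check guards what it is meant to guard.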
@@ -106,111 +61,57 @@ jobs: cd examples/Docker docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data + - name: "[ * ] uploading artificates" uses: actions/upload-artifact@v4 if: ${{ failure() }} with: - name: apache-django-mariadb.tar.gz + name: ${{ matrix.websrv }}-mariadb.tar.gz path: ${{ github.workspace }}/artifact/upload/ - apache_django_psql: - name: "apache_django_psql" + django_psql: + name: "django_psql" runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + websrv: ['apache2', 'nginx'] steps: - name: "checkout GIT" uses: actions/checkout@v4 - - name: "Build environment" - working-directory: examples/Docker/ - run: | - sudo apt-get install -y docker-compose - sed -i "s/wsgi/django/g" .env - sudo mkdir -p data/mysql - sudo mkdir -p data/pgsql - docker network create acme - docker-compose up -d - docker-compose logs - - - name: "postgres environment" - run: | - sudo cp .github/a2c.psql examples/Docker/data/pgsql/a2c.psql - sudo cp .github/pgpass examples/Docker/data/pgsql/pgpass - sudo chmod 600 examples/Docker/data/pgsql/pgpass - - - name: "install postgres" - working-directory: examples/Docker/ - run: | - docker run --name postgresdbsrv --network acme -e POSTGRES_PASSWORD=foobar -d postgres - - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Build container" + uses: ./.github/actions/container_prep with: - time: 10s + DB_HANDLER: "django" + WEB_SRV: ${{ matrix.websrv }} + DJANGO_DB: "psql" - - name: "configure postgres" - working-directory: examples/Docker/ + - name: "Setup openssl ca_handler" run: | - docker run -v "$(pwd)/data/pgsql/a2c.psql":/tmp/a2c.psql -v "$(pwd)/data/pgsql/pgpass:/root/.pgpass" --rm --network acme postgres psql -U postgres -h postgresdbsrv -f /tmp/a2c.psql - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - 
- name: "configure acme2certifier" - run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py sudo mkdir -p examples/Docker/data/acme_ca/certs sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo cp .github/django_settings_psql.py examples/Docker/data/settings.py - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem + sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg examples/Docker/data/acme_srv.cfg cd examples/Docker/ sudo chmod 777 data/acme_srv.cfg sudo echo "" >> data/acme_srv.cfg sudo echo "[Directory]" >> data/acme_srv.cfg sudo echo "url_prefix: /foo" >> data/acme_srv.cfg - sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) + grep -i 'django.db.backends.postgresql_psycopg2' data/settings.py docker-compose restart - docker-compose logs - - - name: "Sleep for 5s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 5s - - name: "Test if http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "register via http" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2 - - - name: "register via https" - run: | - docker exec -i acme-sh acme.sh --server https://acme-srv --register-account 
--accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2 - - - name: "acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure - - - name: "certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem + - name: "Check container configuration" + uses: ./.github/actions/container_check + with: + DB_HANDLER: "django" + WEB_SRV: ${{ matrix.websrv }} - name: "[ * ] collecting test logs" if: ${{ failure() }} + continue-on-error: true run: | docker run -v "$(pwd)/examples/Docker/data/pgsql/pgpass":/root/.pgpass --rm --network acme postgres pg_dump -U postgres -h postgresdbsrv acme2certifier > /tmp/acme2certifier.psql mkdir -p ${{ github.workspace }}/artifact/upload 
@@ -224,234 +125,24 @@ jobs: uses: actions/upload-artifact@v4 if: ${{ failure() }} with: - name: apache-django-psql.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - nginx_django_mariadb: - name: "nginx_django_mariadb" - runs-on: ubuntu-latest - steps: - - name: "checkout GIT" - uses: actions/checkout@v4 - - - name: "Build environment" - working-directory: examples/Docker/ - run: | - sudo apt-get install -y docker-compose - sed -i "s/wsgi/django/g" .env - sed -i "s/apache2/nginx/g" .env - sudo mkdir -p data/mysql - docker network create acme - docker-compose up -d - docker-compose logs - - - name: "install mariadb" - working-directory: examples/Docker/ - run: | - # docker run --name mariadbsrv --network acme -v $PWD/data/mysql:/var/lib/mysql -e MARIADB_ROOT_PASSWORD=foobar -d mariadb - docker run --name mariadbsrv --network acme -e MARIADB_ROOT_PASSWORD=foobar -d mariadb - - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "configure mariadb" - working-directory: examples/Docker/ - run: | - docker exec mariadbsrv mariadb -u root --password=foobar -e"CREATE DATABASE acme2certifier CHARACTER SET UTF8;" - docker exec mariadbsrv mariadb -u root --password=foobar -e"GRANT ALL PRIVILEGES ON acme2certifier.* TO 'acme2certifier'@'%' IDENTIFIED BY '1mmSvDFl';" - docker exec mariadbsrv mariadb -u root --password=foobar -e"FLUSH PRIVILEGES;" - - - name: "configure acme2certifier" - run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo cp .github/django_settings_mariadb.py examples/Docker/data/settings.py - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem 
- sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - cd examples/Docker/ - sudo chmod 777 data/acme_srv.cfg - sudo echo "" >> data/acme_srv.cfg - sudo echo "[Directory]" >> data/acme_srv.cfg - sudo echo "url_prefix: /foo" >> data/acme_srv.cfg - docker-compose restart - docker-compose logs - - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "Test if http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "register via http" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2 - - - name: "register via https" - run: | - docker exec -i acme-sh acme.sh --server https://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2 - - - name: "acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure - - - name: "certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile 
examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - docker exec mariadbsrv mariadb-dump -u root --password=foobar acme2certifier > /tmp/acme2certifer.sql - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp /tmp/acme2certifer.sql ${{ github.workspace }}/artifact/data/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v4 - if: ${{ failure() }} - with: - name: nginx-django-mariadb.tar.gz + name: ${{ matrix.websrv }}-psql.tar.gz path: ${{ github.workspace }}/artifact/upload/ - nginx_django_psql: - name: "nginx_django_psql" + rpm_build_and_upload: + name: "rpm_build_and_upload" runs-on: ubuntu-latest steps: - name: "checkout GIT" uses: actions/checkout@v4 - - name: "Build environment" - working-directory: examples/Docker/ - run: | - sudo apt-get install -y docker-compose - sed -i "s/wsgi/django/g" .env - sed -i "s/apache2/nginx/g" .env - sudo mkdir -p data/mysql - sudo mkdir -p data/pgsql - docker network create acme - docker-compose up -d - docker-compose logs - - - name: "postgres environment" - run: | - sudo cp .github/a2c.psql examples/Docker/data/pgsql/a2c.psql - sudo cp .github/pgpass examples/Docker/data/pgsql/pgpass - sudo chmod 600 examples/Docker/data/pgsql/pgpass - - - name: "install postgres" - working-directory: examples/Docker/ - run: | - docker run --name postgresdbsrv --network acme -e POSTGRES_PASSWORD=foobar -d postgres - - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "configure postgres" - working-directory: 
examples/Docker/ - run: | - docker run -v "$(pwd)/data/pgsql/a2c.psql":/tmp/a2c.psql -v "$(pwd)/data/pgsql/pgpass:/root/.pgpass" --rm --network acme postgres psql -U postgres -h postgresdbsrv -f /tmp/a2c.psql - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "configure acme2certifier" - run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo cp .github/django_settings_psql.py examples/Docker/data/settings.py - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - cd examples/Docker/ - sudo chmod 777 data/acme_srv.cfg - sudo echo "" >> data/acme_srv.cfg - sudo echo "[Directory]" >> data/acme_srv.cfg - sudo echo "url_prefix: /foo" >> data/acme_srv.cfg - sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) - docker-compose restart - docker-compose logs - - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "Test if http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "register via http" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 
'acme-sh@example.com' --accountkeylength ec-256 --debug 2 - - - name: "register via https" - run: | - docker exec -i acme-sh acme.sh --server https://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2 - - - name: "acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure - - - name: "certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - docker run -v "$(pwd)/examples/Docker/data/pgsql/pgpass":/root/.pgpass --rm --network acme postgres pg_dump -U postgres -h postgresdbsrv acme2certifier > /tmp/acme2certifier.psql - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp /tmp/acme2certifier.psql ${{ github.workspace }}/artifact/data/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v4 - if: ${{ failure() }} - with: - name: nginx-django-psql.tar.gz - path: ${{ github.workspace }}/artifact/upload/ + - name: "Build rpm package" + id: rpm_build 
+ uses: ./.github/actions/rpm_build_upload nginx_django_rpm_sqlite: name: "nginx_django_rpm_sqlite" runs-on: ubuntu-latest + needs: rpm_build_and_upload strategy: fail-fast: false matrix: 
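Review bot: `id: rpm_build` on the new build step is never referenced in this hunk and the `rpm_build_and_upload` job declares no `outputs:`, so each consumer job hard-codes the artifact name `acme2certifier-${{ github.run_id }}.noarch.rpm` instead. Either drop the unused id or publish the name once, e.g. `outputs:` / `rpm_artifact: ${{ steps.rpm_build.outputs.<ARTIFACT_NAME_OUTPUT> }}` (placeholder — the composite action's outputs are not visible here) and read `needs.rpm_build_and_upload.outputs.rpm_artifact` in the download steps. The job also sets no `permissions:`; if the workflow does not restrict the token at top level (not visible in the hunk), `permissions:` / `contents: read` on this job keeps the build step at least privilege.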
@@ -460,108 +151,37 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: update version number in spec file and path in nginx ssl config - run: | - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/\/var\/www\/acme2certifier\/volume/\/etc\/nginx/g" examples/nginx/nginx_acme_srv_ssl.conf - git config --global user.email "grindelsack@gmail.com" - git config --global user.name "rpm update" - git add examples/nginx - git commit -a -m "rpm update" - - - name: build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" - - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" - - - name: "setup environment for alma installation" - run: | - docker network create acme - sudo mkdir -p data/volume - sudo mkdir -p data/acme2certifier - sudo mkdir -p data/nginx - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/django_tester.sh data - sudo cp .github/acme2certifier_cert.pem data/nginx/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem data/nginx/acme2certifier_key.pem - sudo cp .github/django_settings.py data/acme2certifier/settings.py - sudo sed -i "s/\/var\/www\//\/opt\//g" data/acme2certifier/settings.py - sudo sed -i "s/USE_I18N = True/USE_I18N = False/g" data/acme2certifier/settings.py - - - name: "Retrieve rpms from SBOM repo" - run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion 
}}/*.rpm data - env: GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} + RPM_BUILD: false + + - name: Download rpm package + uses: actions/download-artifact@v4 + with: + name: acme2certifier-${{ github.run_id }}.noarch.rpm + path: data/ - - name: "prepare acme_srv.cfg with openssl_ca_handler" + - name: "Prepare acme_srv.cfg with openssl_ca_handler" run: | - sudo mkdir acme-sh sudo mkdir -p data/volume/acme_ca/certs sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/volume/acme_ca/ sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/volume/acme_srv.cfg + grep -i 'django.db.backends.sqlite3' data/acme2certifier/settings.py - - name: "Almalinux instance" - run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . 
--no-cache - docker run -d -id --privileged --network acme -p 22280:80 --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - - name: "[ RUN ] Execute install scipt" + - name: "Execute install scipt" run: | docker exec acme-srv sh /tmp/acme2certifier/django_tester.sh - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "[ CURL ] install curl and socat and test connction" - run: | - sudo apt-get install -y curl socat - curl -f http://localhost:22280 - - - name: "prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "register via http" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2 - - - name: "register via https" - run: | - docker exec -i acme-sh acme.sh --server https://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2 - - - name: "acme.sh" - run: | - docker exec -i acme-sh acme.sh --server https://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --insecure --output-insecure --force - openssl verify -CAfile data/volume/acme_ca/root-ca-cert.pem -untrusted data/volume/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v 
$PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile data/volume/acme_ca/root-ca-cert.pem -untrusted data/volume/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - name: "[ * ] collecting test logs" if: ${{ failure() }} + continue-on-error: true run: | mkdir -p ${{ github.workspace }}/artifact/upload docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier @@ -585,6 +205,7 @@ jobs: nginx_django_rpm_mariadb: name: "nginx_django_rpm_mariadb" runs-on: ubuntu-latest + needs: rpm_build_and_upload strategy: fail-fast: false matrix: 
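Review bot: `RPM_BUILD: false` is an unquoted YAML boolean while every other action input in this workflow is written as a string; write `RPM_BUILD: "false"` so the value the composite action compares against is unambiguous across parsers. The renamed step keeps the typo in `- name: "Execute install scipt"` — should be `"Execute install script"`; the same line is added in the mariadb and psql hunks below. The added `grep -i 'django.db.backends.sqlite3' data/acme2certifier/settings.py` is a useful fail-fast check but its purpose is not obvious from the step name; a comment above it such as `# fail early if the staged settings.py points at the wrong database backend` would help the next reader.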
@@ -593,125 +214,43 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: update version number in spec file and path in nginx ssl config - run: | - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/\/var\/www\/acme2certifier\/volume/\/etc\/nginx/g" examples/nginx/nginx_acme_srv_ssl.conf - git config --global user.email "grindelsack@gmail.com" - git config --global user.name "rpm update" - git add examples/nginx - git commit -a -m "rpm update" - - - name: build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" - - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" + GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} + GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} + DJANGO_DB: mariadb + RPM_BUILD: false - - name: "setup environment for alma installation" + - name: "Retrieve Version from version.py" run: | - docker network create acme - sudo mkdir -p data/volume - sudo mkdir -p data/acme2certifier - sudo mkdir -p data/nginx - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/django_tester.sh data - sudo cp .github/acme2certifier_cert.pem data/nginx/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem data/nginx/acme2certifier_key.pem - sudo cp .github/django_settings_mariadb.py data/acme2certifier/settings.py - # sudo sed -i "s/\/var\/www\//\/opt\//g" data/acme2certifier/settings.py - sudo sed -i "s/USE_I18N = True/USE_I18N = False/g" 
data/acme2certifier/settings.py - - - name: "install mariadb" - run: | - sudo mkdir -p /tmp/mysql - docker run --name mariadbsrv --network acme -v /tmp/mysql:/var/lib/mysql -e MARIADB_ROOT_PASSWORD=foobar -d mariadb - # docker run --name mariadbsrv --network acme -e MARIADB_ROOT_PASSWORD=foobar -d mariadb + echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV + - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + - name: Download rpm package + uses: actions/download-artifact@v4 with: - time: 10s - - - name: "configure mariadb" - run: | - docker exec mariadbsrv mariadb -u root --password=foobar -e"CREATE DATABASE acme2certifier CHARACTER SET UTF8;" - docker exec mariadbsrv mariadb -u root --password=foobar -e"GRANT ALL PRIVILEGES ON acme2certifier.* TO 'acme2certifier'@'%' IDENTIFIED BY '1mmSvDFl';" - docker exec mariadbsrv mariadb -u root --password=foobar -e"FLUSH PRIVILEGES;" - - - name: "Retrieve rpms from SBOM repo" - run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data - env: - GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} - GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + name: acme2certifier-${{ github.run_id }}.noarch.rpm + path: data/ - - name: "prepare acme_srv.cfg with openssl_ca_handler" + - name: "Prepare acme_srv.cfg with openssl_ca_handler" run: | - sudo mkdir acme-sh sudo mkdir -p data/volume/acme_ca/certs sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/volume/acme_ca/ sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/volume/acme_srv.cfg + grep -i 'django.db.backends.mysql' data/acme2certifier/settings.py - - name: "Almalinux instance" - run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i "s/FROM 
almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network acme -p 22280:80 --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - - name: "[ RUN ] Execute install scipt" + - name: "Execute install scipt" run: | docker exec acme-srv sh /tmp/acme2certifier/django_tester.sh - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "[ CURL ] install curl and socat and test connction" - run: | - sudo apt-get install -y curl socat - curl -f http://localhost:22280 - - - name: "prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "register via http" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2 - - - name: "register via https" - run: | - docker exec -i acme-sh acme.sh --server https://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2 - - - name: "acme.sh" - run: | - docker exec -i acme-sh acme.sh --server https://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --insecure --output-insecure --force - openssl verify -CAfile data/volume/acme_ca/root-ca-cert.pem -untrusted data/volume/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv 
--no-eff-email - - - name: "HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile data/volume/acme_ca/root-ca-cert.pem -untrusted data/volume/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - name: "[ * ] collecting test logs" if: ${{ failure() }} + continue-on-error: true run: | mkdir -p ${{ github.workspace }}/artifact/upload docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier @@ -736,6 +275,7 @@ jobs: nginx_django_rpm_psql: name: "nginx_django_rpm_psql" runs-on: ubuntu-latest + needs: rpm_build_and_upload strategy: fail-fast: false matrix: 
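Review bot: The re-added "Retrieve Version from version.py" step exports `TAG_NAME`, but nothing on the new side reads it — the rpm is now fetched by `acme2certifier-${{ github.run_id }}.noarch.rpm` — and the sqlite job in this commit dropped the equivalent step entirely; the same dead step is re-added in the psql hunk below. Unless `rpm_prep` or a step outside the hunk consumes `env.TAG_NAME`, remove the step and the `- run: echo "Latest tag is ${{ env.TAG_NAME }}"` line in both jobs. `GH_SBOM_USER`/`GH_SBOM_TOKEN` move from a step `env:` into the `with:` inputs of `./.github/actions/rpm_prep`; the removed step interpolated the token into a clone URL, so confirm the composite action does not echo or `set -x` its inputs, since GitHub's log masking only covers exact secret values.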
@@ -744,133 +284,44 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: update version number in spec file and path in nginx ssl config - run: | - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/\/var\/www\/acme2certifier\/volume/\/etc\/nginx/g" examples/nginx/nginx_acme_srv_ssl.conf - git config --global user.email "grindelsack@gmail.com" - git config --global user.name "rpm update" - git add examples/nginx - git commit -a -m "rpm update" - - - name: build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 - with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" - - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" - - - name: "setup environment for alma installation" - run: | - docker network create acme - sudo mkdir -p data/volume - sudo mkdir -p data/acme2certifier - sudo mkdir -p data/nginx - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/django_tester.sh data - sudo cp .github/acme2certifier_cert.pem data/nginx/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem data/nginx/acme2certifier_key.pem - sudo cp .github/django_settings_psql.py data/acme2certifier/settings.py - # sudo sed -i "s/\/var\/www\//\/opt\//g" data/acme2certifier/settings.py - sudo sed -i "s/USE_I18N = True/USE_I18N = False/g" data/acme2certifier/settings.py - - - name: "postgres environment" - run: | - sudo mkdir -p /tmp/pgsql/data - sudo cp .github/a2c.psql /tmp/pgsql/a2c.psql - sudo cp .github/pgpass /tmp/pgsql/pgpass - sudo chmod 600 /tmp/pgsql/pgpass - - - name: "install postgres" - run: | - docker run 
--name postgresdbsrv -v /tmp/pgsql/data:/var/lib/postgresql/data --network acme -e POSTGRES_PASSWORD=foobar -d postgres - - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep with: - time: 10s + GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} + GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} + DJANGO_DB: psql + RPM_BUILD: false - - name: "configure postgres" + - name: "Retrieve version from version.py" run: | - docker run -v /tmp/pgsql/a2c.psql:/tmp/a2c.psql -v /tmp/pgsql/pgpass:/root/.pgpass --rm --network acme postgres psql -U postgres -h postgresdbsrv -f /tmp/a2c.psql + echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV + - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + - name: Download rpm package + uses: actions/download-artifact@v4 with: - time: 10s + name: acme2certifier-${{ github.run_id }}.noarch.rpm + path: data/ - - name: "Retrieve rpms from SBOM repo" - run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data - env: - GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} - GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} - - - name: "prepare acme_srv.cfg with openssl_ca_handler" + - name: "Prepare acme_srv.cfg with openssl_ca_handler" run: | sudo mkdir acme-sh sudo mkdir -p data/volume/acme_ca/certs sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/volume/acme_ca/ sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/volume/acme_srv.cfg + grep -i 'django.db.backends.postgresql_psycopg2' data/acme2certifier/settings.py - - name: "Almalinux instance" - run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i 
"s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network acme -p 22280:80 --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - - name: "[ RUN ] Execute install scipt" + - name: "Execute install scipt" run: | docker exec acme-srv sh /tmp/acme2certifier/django_tester.sh - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "[ CURL ] install curl and socat and test connction" - run: | - sudo apt-get install -y curl socat - curl -f http://localhost:22280 - - - name: "prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "register via http" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2 - - - name: "register via https" - run: | - docker exec -i acme-sh acme.sh --server https://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2 - - - name: "acme.sh" - run: | - docker exec -i acme-sh acme.sh --server https://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --insecure --output-insecure --force - openssl verify -CAfile data/volume/acme_ca/root-ca-cert.pem -untrusted data/volume/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server 
http://acme-srv --no-eff-email - - - name: "HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile data/volume/acme_ca/root-ca-cert.pem -untrusted data/volume/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - name: "[ * ] collecting test logs" if: ${{ failure() }} + continue-on-error: true run: | mkdir -p ${{ github.workspace }}/artifact/upload docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier @@ -889,4 +340,14 @@ jobs: if: ${{ failure() }} with: name: nginx_django_rpm_psql-rh${{ matrix.rhversion }}.tar.gz - path: ${{ github.workspace }}/artifact/upload/ \ No newline at end of file + path: ${{ github.workspace }}/artifact/upload/ + + rpm_cleanup: + name: "rpm_cleanup" + runs-on: ubuntu-latest + needs: [nginx_django_rpm_psql, nginx_django_rpm_mariadb, nginx_django_rpm_sqlite] + steps: + - name: "Delete artifact" + uses: geekyeggo/delete-artifact@v5 + with: + name: acme2certifier-${{ github.run_id }}.noarch.rpm diff --git a/.github/workflows/dns-test.yml b/.github/workflows/dns-test.yml index c7010bf5..61f9c9fe 100644 --- a/.github/workflows/dns-test.yml +++ b/.github/workflows/dns-test.yml 
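Review bot: `sudo mkdir acme-sh` remains in the psql job's "Prepare acme_srv.cfg with openssl_ca_handler" step, while the sqlite and mariadb hunks of this commit delete the same line; it creates a root-owned directory without `-p`, so a second run in the same workspace fails, and the shared `acme_clients` action this step now hands off to presumably creates its own client directories. Drop the line here too for consistency with the other two jobs. The step name with the typo `"Execute install scipt"` is added in this hunk as well.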
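Review bot: `rpm_cleanup` runs only when all three `needs` jobs succeed (the implicit `if: success()`), so on any test failure the rpm artifact is left behind — exactly the case a cleanup job is meant to cover; add `if: always()` to the job. `geekyeggo/delete-artifact@v5` deletes through the Actions API and, as far as I know, needs `actions: write` on the token, so also declare `permissions:` / `actions: write` on this job rather than relying on a permissive default. Pin the third-party action to a full commit SHA (with the tag in a trailing comment) instead of the floating `@v5` major tag, as the workflow already does more tightly with `juliangruber/sleep-action@v2.0.3`.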
@@ -22,36 +22,21 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})" - working-directory: examples/Docker/ - run: | - sudo apt-get install -y docker-compose - sudo mkdir -p data - sed -i "s/wsgi/$DB_HANDLER/g" .env - sed -i "s/apache2/$WEB_SRV/g" .env - cat .env - docker network create acme - docker-compose up -d - docker-compose logs - env: - WEB_SRV: ${{ matrix.websrv }} + - name: "Build container" + uses: ./.github/actions/container_prep + with: DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - name: "Setup openssl ca_handler" run: | - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py sudo mkdir -p examples/Docker/data/acme_ca/certs sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg examples/Docker/data/acme_srv.cfg sudo chmod 777 examples/Docker/data/acme_srv.cfg sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: False\ndns_server_list: [\"DNS-IP\"]/g" examples/Docker/data/acme_srv.cfg cd examples/Docker/ docker-compose restart - docker-compose logs - name: "Sleep for 10s" uses: juliangruber/sleep-action@v2.0.3 
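Review bot: The rewritten "Setup openssl ca_handler" step no longer copies `examples/ca_handler/openssl_ca_handler.py` to `data/ca_handler.py`, so the server now depends on the swapped-in `openssl_ca_handler.py_acme_srv_choosen_handler.cfg` naming the handler (presumably via `handler_file:`, as the rpm job's sed in this file does) or on `container_prep` staging it — confirm one of the two, otherwise the restart comes up with whatever handler the image ships. The step still runs `sudo chmod 777 examples/Docker/data/acme_srv.cfg` before editing; `sudo sed -i` does not need the file world-writable, so unless the container writes to it, narrow this to `sudo chmod 644 examples/Docker/data/acme_srv.cfg`.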
@@ -150,42 +135,14 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: update version number in spec file - run: | - # sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - cat examples/install_scripts/rpm/acme2certifier.spec - - - name: build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" - - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" - - - name: "[ PREPARE ] setup environment for alma installation" - run: | - docker network create acme - sudo mkdir -p data - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data - - - name: "Retrieve rpms from SBOM repo" - run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data - env: GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} - - name: "[ PREPARE ] prepare acme_srv.cfg with openssl_ca_handler" + - name: "Prepare acme_srv.cfg with openssl_ca_handler" run: | mkdir -p data/acme_ca sudo mkdir -p examples/Docker/data/acme_ca/certs 
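Review bot: The removed "[ PREPARE ] setup environment for alma installation" step was what copied `examples/Docker/almalinux-systemd/rpm_tester.sh` into `data/`, and the install step in the next hunk still runs `docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh`; nothing on the new side stages that file. Unless `./.github/actions/rpm_prep` copies it (not visible here), add `sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data` to the "Prepare acme_srv.cfg with openssl_ca_handler" step. This job also passes no `RPM_BUILD` input while the rpm jobs in the first file pass `RPM_BUILD: false`; if the input defaults to building inside the action, this job still builds its own rpm, which may be intended but deserves a comment.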
@@ -194,7 +151,7 @@ jobs: sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: False\ndns_server_list: [\"DNS-IP\"]/g" data/acme_srv.cfg sudo sed -i "s/\[CAhandler\]/\[CAhandler\]\nhandler_file: \/opt\/acme2certifier\/examples\/ca_handler\/openssl_ca_handler.py/g" data/acme_srv.cfg - - name: "[ PREPARE ] prepare acme.sh container" + - name: "prepare acme.sh container" run: | docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon sudo cp .github/dns_test.sh acme-sh/ @@ -203,18 +160,11 @@ jobs: docker exec -i acme-sh mv /acme.sh/dns_test.sh /root/.acme.sh/dnsapi/ docker exec -i acme-sh chmod +x /root/.acme.sh/dnsapi/dns_test.sh - - name: "[ PREPARE ] set DNS server" + - name: "set DNS server" run: | docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh sudo sed -i "s/DNS-IP/$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh)/g" data/acme_srv.cfg - - name: "[ PREPARE ] Almalinux instance" - run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - name: "[ RUN ] Execute install scipt" run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh diff --git a/.github/workflows/eab-test.yml b/.github/workflows/eab-test.yml index db14b438..1bd34a8d 100644 --- a/.github/workflows/eab-test.yml +++ b/.github/workflows/eab-test.yml 
@@ -21,27 +21,20 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})" - working-directory: examples/Docker/ - run: | - sudo apt-get install -y docker-compose - sudo mkdir -p data - sed -i "s/wsgi/$DB_HANDLER/g" .env - sed -i "s/apache2/$WEB_SRV/g" .env - cat .env - docker network create acme - docker-compose up -d - docker-compose logs - env: - WEB_SRV: ${{ matrix.websrv }} + - name: "Build container" + uses: ./.github/actions/container_prep + with: DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - - name: "[ PREPARE ] setup openssl ca_handler" + - name: "Create letsencrypt folder" + run: | + mkdir -p certbot + mkdir -p lego + mkdir -p acme-sh + + - name: "Setup openssl ca_handler" run: | - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py sudo mkdir -p examples/Docker/data/acme_ca/certs sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg examples/Docker/data/acme_srv.cfg @@ -51,7 +44,6 @@ jobs: sudo echo "key_file: examples/eab_handler/key_file.json" >> examples/Docker/data/acme_srv.cfg cd examples/Docker/ docker-compose restart - docker-compose logs - name: "Sleep for 10s" uses: juliangruber/sleep-action@v2.0.3 
@@ -64,73 +56,65 @@ jobs: - name: "Test if https://acme-srv/directory is accessible" run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - name: "[ PREPARE ] create letsencrypt folder" + - name: "Fail - Register lego" + id: legofail + continue-on-error: true + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run + + - name: "Check lego result" + if: steps.legofail.outcome != 'failure' run: | - mkdir certbot + echo "legofail outcome is ${{steps.legofail.outcome }}" + exit 1 - - name: "[ FAIL ] certbot without eab-credentials" + - name: "Enroll lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.acme --http run + sudo cat lego/certificates/lego.acme.issuer.crt | awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + + - name: "Fail - Registercertbot without eab-credentials" id: certbotfail continue-on-error: true run: | docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - name: "[ CHECK ] certbot result " + - name: "check certbot result " if: steps.certbotfail.outcome != 'failure' run: | echo "certbot outcome is ${{steps.certbotfail.outcome }}" exit 1 - - name: "[ REGISTER] certbot" + - name: "Register certbot using eab-credentials" run: | docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email --eab-kid keyid_02 
--eab-hmac-key=dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM - - name: "[ ENROLL ] HTTP-01 single domain certbot" + - name: "Enroll HTTP-01 single domain certbot" run: | docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem - - name: "[ FAIL] acme.sh" + - name: "Fail - Register acme.sh" id: acmeshfail continue-on-error: true run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug 3 + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --debug 3 - - name: "[ CHECK ] acme.sh result " + - name: "Check acme.sh result " if: steps.acmeshfail.outcome != 'failure' run: | echo "acmeshfail outcome is ${{steps.acmeshfail.outcome }}" exit 1 - - name: "[ REGISTER] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 - - - name: "[ ENROLL] acme.sh" + - name: "Register acme.sh with eab-credentials" run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure - openssl verify -CAfile 
examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 - - name: "[ FAIL ] lego" - id: legofail - continue-on-error: true - run: | - mkdir lego - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - - - name: "[ CHECK ] lego result " - if: steps.legofail.outcome != 'failure' + - name: "Enroll acme.sh" run: | - echo "legofail outcome is ${{steps.legofail.outcome }}" - exit 1 - - - name: "[ ENROLL ] lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.acme --http run - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - name: "[ * ] collecting test logs" if: ${{ failure() }} 
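Review bot: The new verification in "Enroll lego", `sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt`, takes its trust anchor from the issuer chain the ACME server under test just returned, whereas the removed lines verified against the repository's `examples/Docker/data/acme_ca/root-ca-cert.pem`; a server handing out any self-consistent chain would now pass, so the check no longer proves that enrollment chained to the expected test CA. The certbot and acme.sh steps later in the hunk reuse the same `cert-2.pem`/`cert-1.pem` and inherit the weaker check, and all three assume the issuer file splits into exactly two certificates (the `cert-2.pem` name). Keeping `-CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted cert-1.pem` would retain the original guarantee while still exercising the returned chain. The rpm job hunk at -209,281 in this file makes the same change against `data/acme_ca/root-ca-cert.pem`.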
@@ -148,58 +132,33 @@ jobs: name: eab-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz path: ${{ github.workspace }}/artifact/upload/ - eab_wsgi_rpm: - name: "eab_wsgi_rpm" + eab_rpm: + name: "eab_rpm" runs-on: ubuntu-latest strategy: fail-fast: false matrix: rhversion: [8, 9] + execscript: ['rpm_tester.sh', 'django_tester.sh'] steps: - name: "checkout GIT" uses: actions/checkout@v4 - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: update version number in spec file - run: | - # sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - cat examples/install_scripts/rpm/acme2certifier.spec - - - name: build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" - - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" - - - name: "[ PREPARE ] setup environment for alma installation" - run: | - docker network create acme - sudo mkdir -p data - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data - - - name: "[ PREPARE ] create letsencrypt and lego folder" - run: | - mkdir certbot - mkdir lego - - - name: "Retrieve rpms from SBOM repo" - run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data - env: GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} + + - 
name: "Create letsencrypt and lego folder" + run: | + sudo mkdir -p acme-sh + sudo mkdir -p certbot + sudo mkdir -p lego - - name: "[ PREPARE ] prepare acme_srv.cfg with openssl_ca_handler" + - name: "Prepare acme_srv.cfg for wsgi with openssl_ca_handler" + if: matrix.execscript == 'rpm_tester.sh' run: | sudo mkdir -p data/acme_ca/certs/ sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/ 
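Review bot: The added "Create letsencrypt and lego folder" step creates the client directories with `sudo mkdir -p`, which leaves them root-owned in the runner workspace and is presumably why later steps in this job read the results through `sudo cat` and `sudo openssl`; the docker job earlier in this file creates the same directories with a plain `mkdir -p`. Unless the bind-mounted containers require root ownership on the host side, `mkdir -p acme-sh certbot lego` would be consistent with the other job and let the read steps drop sudo. The job body continues past the end of this hunk.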
@@ -209,281 +168,111 @@ jobs: sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/json_handler.py" >> data/acme_srv.cfg sudo echo "key_file: /opt/acme2certifier/examples/eab_handler/key_file.json" >> data/acme_srv.cfg - - name: "[ PREPARE ] Almalinux instance" + - name: "Prepare acme_srv.cfg for django with openssl_ca_handler" + if: matrix.execscript == 'django_tester.sh' run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd + sudo mkdir -p data/volume/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/volume/acme_ca/ + sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/volume/acme_srv.cfg + sudo chmod 777 data/volume/acme_srv.cfg + sudo echo -e "\n\n[EABhandler]" >> data/volume/acme_srv.cfg + sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/json_handler.py" >>data/volume/acme_srv.cfg + sudo echo "key_file: /opt/acme2certifier/examples/eab_handler/key_file.json" >> data/volume/acme_srv.cfg - - name: "[ RUN ] Execute install scipt" + - name: "Execute install scipt" run: | - docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh + docker exec acme-srv sh /tmp/acme2certifier/$EXEC_SCRIPT + env: + EXEC_SCRIPT: ${{ matrix.execscript }} + + - name: "Sleep for 10s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 10s - name: "Test http://acme-srv/directory is accessible" run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - name: "[ FAIL ] certbot without eab-credentials" - id: certbotfail - continue-on-error: true - run: | - docker run -i --rm --name certbot --network acme -v 
$PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "[ CHECK ] certbot result " - if: steps.certbotfail.outcome != 'failure' - run: | - echo "certbot outcome is ${{steps.certbotfail.outcome }}" - exit 1 - - - name: "[ REGISTER] certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email --eab-kid keyid_02 --eab-hmac-key=dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM - - - name: "[ ENROLL ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ FAIL] acme.sh" - id: acmeshfail - continue-on-error: true - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug 3 - - - name: "[ CHECK ] acme.sh result " - if: steps.acmeshfail.outcome != 'failure' - run: | - echo "acmeshfail outcome is ${{steps.acmeshfail.outcome }}" - exit 1 - - - name: "[ REGISTER] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 - - - name: "[ ENROLL] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d 
acme-sh.acme --standalone --debug 3 --output-insecure - openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + - name: "Test if https://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - name: "[ FAIL ] lego" + - name: "Fail - Register lego" id: legofail continue-on-error: true run: | - mkdir lego docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - - name: "[ CHECK ] lego result " + - name: "Check lego result" if: steps.legofail.outcome != 'failure' run: | echo "legofail outcome is ${{steps.legofail.outcome }}" exit 1 - - name: "[ ENROLL ] lego" + - name: "Enroll lego" run: | docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.acme --http run - sudo openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier - sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - sudo rm ${{ github.workspace }}/artifact/data/*.rpm - docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig - docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf - docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ 
github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v4 - if: ${{ failure() }} - with: - name: eab-rpm-rh${{ matrix.rhversion }}.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - eab_django_rpm: - name: "eab_django_rpm" - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - rhversion: [8, 9] - steps: - - name: "checkout GIT" - uses: actions/checkout@v4 - - - name: "[ PREPARE ] get runner ip" - run: | - echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV - echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV - - run: echo "runner IP is ${{ env.RUNNER_IP }}" - - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: update version number in spec file and path in nginx ssl config - run: | - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/\/var\/www\/acme2certifier\/volume/\/etc\/nginx/g" examples/nginx/nginx_acme_srv_ssl.conf - git config --global user.email "grindelsack@gmail.com" - git config --global user.name "rpm update" - git add examples/nginx - git commit -a -m "rpm update" - - - name: build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 - with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" + sudo cat lego/certificates/lego.acme.issuer.crt | awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" - - - name: "[ PREPARE ] setup environment for alma installation" - run: | - docker network create acme - sudo mkdir -p data/volume - sudo mkdir -p 
data/acme2certifier - sudo mkdir -p data/nginx - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/django_tester.sh data - sudo cp .github/acme2certifier_cert.pem data/nginx/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem data/nginx/acme2certifier_key.pem - sudo cp .github/django_settings.py data/acme2certifier/settings.py - sudo sed -i "s/\/var\/www\//\/opt\//g" data/acme2certifier/settings.py - sudo sed -i "s/USE_I18N = True/USE_I18N = False/g" data/acme2certifier/settings.py - - - name: "[ PREPARE ] create lego folder" - run: | - mkdir lego - - - name: "Retrieve rpms from SBOM repo" - run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data - env: - GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} - GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} - - - name: "[ PREPARE ] prepare acme_srv.cfg with openssl_ca_handler" - run: | - sudo mkdir -p data/volume/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/volume/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/volume/acme_srv.cfg - sudo chmod 777 data/volume/acme_srv.cfg - sudo echo -e "\n\n[EABhandler]" >> data/volume/acme_srv.cfg - sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/json_handler.py" >>data/volume/acme_srv.cfg - sudo echo "key_file: /opt/acme2certifier/examples/eab_handler/key_file.json" >> data/volume/acme_srv.cfg - - - name: "[ PREPARE ] Almalinux instance" - run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . 
--no-cache - docker run -d -id --privileged --network acme -p 22280:80 --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - - name: "[ RUN ] Execute install scipt" - run: | - docker exec acme-srv sh /tmp/acme2certifier/django_tester.sh - - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "[ FAIL ] certbot without eab-credentials" + - name: "Fail - Registercertbot without eab-credentials" id: certbotfail continue-on-error: true run: | docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - name: "[ CHECK ] certbot result " + - name: "check certbot result " if: steps.certbotfail.outcome != 'failure' run: | echo "certbot outcome is ${{steps.certbotfail.outcome }}" exit 1 - - name: "[ REGISTER] certbot" + - name: "Register certbot using eab-credentials" run: | docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email --eab-kid keyid_02 --eab-hmac-key=dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM - - name: "[ ENROLL ] HTTP-01 single domain certbot" + - name: "Enroll HTTP-01 single domain certbot" run: | docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile data/volume/acme_ca/root-ca-cert.pem -untrusted data/volume/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - - name: "[ PREPARE ] prepare acme.sh 
container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem - - name: "[ FAIL] acme.sh" + - name: "Fail - Register acme.sh" id: acmeshfail continue-on-error: true run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug 3 + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --debug 3 - - name: "[ CHECK ] acme.sh result " + - name: "Check acme.sh result " if: steps.acmeshfail.outcome != 'failure' run: | echo "acmeshfail outcome is ${{steps.acmeshfail.outcome }}" exit 1 - - name: "[ REGISTER] acme.sh" + - name: "Register acme.sh with eab-credentials" run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 - - name: "[ ENROLL] acme.sh" + - name: "Enroll acme.sh" run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure - openssl verify -CAfile data/volume/acme_ca/root-ca-cert.pem -untrusted data/volume/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "[ FAIL ] lego" - id: legofail - continue-on-error: true - run: | - mkdir lego - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme 
goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - - - name: "[ CHECK ] lego result " - if: steps.legofail.outcome != 'failure' - run: | - echo "legofail outcome is ${{steps.legofail.outcome }}" - exit 1 - - - name: "[ ENROLL ] lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.acme --http run - sudo openssl verify -CAfile data/volume/acme_ca/root-ca-cert.pem -untrusted data/volume/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt + docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - name: "[ * ] collecting test logs" if: ${{ failure() }} run: | mkdir -p ${{ github.workspace }}/artifact/upload docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier - docker exec acme-srv tar cvfz /tmp/acme2certifier/nginx.tgz /etc/nginx sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ - sudo rm ${{ github.workspace }}/artifact/data/*.rpm - sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ - sudo cp -rp lego/ ${{ github.workspace }}/artifact/certbot/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ sudo rm ${{ github.workspace }}/artifact/data/*.rpm docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf - docker exec acme-srv rpm -qa > ${{ github.workspace }}/artifact/data/packages.txt docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log - sudo tar -C 
${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log lego certbot + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh - name: "[ * ] uploading artificates" uses: actions/upload-artifact@v4 if: ${{ failure() }} with: - name: eab_django_rpm-rh${{ matrix.rhversion }}.tar.gz - path: ${{ github.workspace }}/artifact/upload/ \ No newline at end of file + name: eab-rpm-{{ matrix.execscript }}-rh${{ matrix.rhversion }}.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + diff --git a/.github/workflows/enrollment-timeout.yml b/.github/workflows/enrollment-timeout.yml index 48fde3a1..8fdd0726 100644 --- a/.github/workflows/enrollment-timeout.yml +++ b/.github/workflows/enrollment-timeout.yml 
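Review bot: The artifact name on the last changed line, `name: eab-rpm-{{ matrix.execscript }}-rh${{ matrix.rhversion }}.tar.gz`, is missing the `$` before `{{`, so the expression is never evaluated and both `execscript` matrix entries produce the same literal name for a given `rhversion`. With `actions/upload-artifact@v4` and no `overwrite` set, the second job to upload under an existing name fails, so when both variants of one RH version fail one set of logs is lost; it should read `name: eab-rpm-${{ matrix.execscript }}-rh${{ matrix.rhversion }}.tar.gz`. The matrix value carries a `.sh` suffix, which is harmless in the name but worth knowing when looking for the artifact.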
@@ -30,116 +30,29 @@ jobs: mkdir acme-sh mkdir certbot - - name: "Prepare Postgres environment" - run: | - docker network create acme - sudo mkdir -p examples/Docker/data/pgsql/ - sudo cp .github/a2c.psql examples/Docker/data/pgsql/a2c.psql - sudo cp .github/pgpass examples/Docker/data/pgsql/pgpass - sudo chmod 600 examples/Docker/data/pgsql/pgpass - - - name: "Install postgres" - working-directory: examples/Docker/ - run: | - docker run --name postgresdbsrv --network acme -e POSTGRES_PASSWORD=foobar -d postgres - - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Build container" + uses: ./.github/actions/container_prep with: - time: 10s - - - name: "Configure postgres" - working-directory: examples/Docker/ - run: | - docker run -v "$(pwd)/data/pgsql/a2c.psql":/tmp/a2c.psql -v "$(pwd)/data/pgsql/pgpass:/root/.pgpass" --rm --network acme postgres psql -U postgres -h postgresdbsrv -f /tmp/a2c.psql - - - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})" - working-directory: examples/Docker/ - run: | - sudo apt-get install -y docker-compose - sudo mkdir -p data - sed -i "s/wsgi/$DB_HANDLER/g" .env - sed -i "s/apache2/$WEB_SRV/g" .env - cat .env - docker-compose up -d - docker-compose logs - env: - WEB_SRV: ${{ matrix.websrv }} DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + DJANGO_DB: psql - name: "Setup openssl ca_handler" run: | - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings_psql.py examples/Docker/data/settings.py + sudo mkdir -p examples/Docker/data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ sudo cp examples/ca_handler/openssl_ca_handler.py 
examples/Docker/data/ca_handler.py sudo chmod 777 examples/Docker/data/ca_handler.py sudo sed -i "s/import uuid/import uuid\\nimport time/g" examples/Docker/data/ca_handler.py sudo sed -i "s/ cert_raw = None/ cert_raw = None\\n time.sleep(30)/g" examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg sudo chmod 777 examples/Docker/data/acme_srv.cfg sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\\ncert_reusage_timeframe: 300/g" examples/Docker/data/acme_srv.cfg cd examples/Docker/ docker-compose restart - docker-compose logs - - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "Enroll acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure --force - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "Check timeout" - working-directory: examples/Docker/ - run: | - docker-compose logs | grep "Certificate.enroll_and_store() ended with: None:timeout" - sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) - - name: "Enroll acme.sh" - run: | - docker run 
--rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure --force - - - name: "Check certificate reusage" - working-directory: examples/Docker/ - run: | - docker-compose logs | grep "Certificate._enroll(): reuse existing certificate" - - - name: "Enroll Lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --cert.timeout 180 --http run - - - name: "Check timeout" - working-directory: examples/Docker/ - run: | - docker-compose logs | grep "Certificate.enroll_and_store() ended with: None:timeout" - sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) - - - name: "Register certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "Enroll certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - - - name: "Check timeout" - working-directory: examples/Docker/ - run: | - docker-compose logs | grep "Certificate.enroll_and_store() ended with: None:timeout" - sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) + - name: "Enrollment" + uses: ./.github/actions/wf_specific/enrollment_timeout/enroll - name: "[ * ] collecting test data" if: ${{ failure() }} 
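Review bot: Replacing the inline enrollment steps with `./.github/actions/wf_specific/enrollment_timeout/enroll` also removes the "Sleep for 10s" step and the two `curlimages/curl -f ... /directory` readiness probes that sat between `docker-compose restart` and the first client run. Unless the composite action repeats that wait and probe (not visible here), the first acme.sh enrollment can race the restarted container and fail for a reason unrelated to the timeout behaviour under test. Keeping the sleep and probe steps in this workflow ahead of the `uses:` line would make that ordering explicit.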
@@ -170,82 +83,35 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: update version number in spec file - run: | - # sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - cat examples/install_scripts/rpm/acme2certifier.spec - - - name: build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" - - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" - - - name: "Setup environment for alma installation" - run: | - docker network create acme - sudo mkdir -p data - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data - - - name: "Retrieve rpms from SBOM repo" - run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data - env: GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} - name: "Setup openssl ca_handler" run: | - mkdir -p data/acme_ca + sudo mkdir -p data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/ + sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/acme_srv.cfg sudo cp examples/ca_handler/openssl_ca_handler.py data/acme_ca/ca_handler.py sudo chmod 777 data/acme_ca/ca_handler.py sudo 
sed -i "s/import uuid/import uuid\\nimport time/g" data/acme_ca/ca_handler.py sudo sed -i "s/ cert_raw = None/ cert_raw = None\\n time.sleep(22)\\n self.logger.debug('CAhandler.enroll(): timeout done')/g" data/acme_ca/ca_handler.py - sudo mkdir -p data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/acme_srv.cfg sudo chmod 777 data/acme_srv.cfg sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\\ncert_reusage_timeframe: 1800\\nenrollment_timeout: 15/g" data/acme_srv.cfg # sudo sed -i "s/retry_after_timeout: 15/retry_after_timeout: 30\\nenrollment_timeout: 15/g" data/acme_srv.cfg sudo sed -i "s/handler_file: examples\/ca_handler\/openssl_ca_handler.py/handler_file: \/opt\/acme2certifier\/volume\/acme_ca\/ca_handler.py/g" data/acme_srv.cfg - - name: "Prepare Almalinux instance" - run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . 
--no-cache - docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - name: "Execute install scipt" run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh - - name: "Enroll acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure --force - - - name: "Check timeout" - run: | - docker exec acme-srv grep "Certificate.enroll_and_store() ended with: None:timeout" /var/log/messages - - - name: "Enroll acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure --force - - - name: "Check certificate reusage" - run: | - docker exec acme-srv grep "Certificate._enroll(): reuse existing certificate" /var/log/messages + - name: "Enrollment" + uses: ./.github/actions/wf_specific/enrollment_timeout/enroll + with: + DEPLOYMENT_TYPE: "rpm" - name: "[ * ] collecting test logs" if: ${{ failure() }} 
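Review bot: The kept `Execute install scipt` step still runs `docker exec acme-srv ...`, yet the lines that created the `acme` network and built/started the `acme-srv` container (`docker network create acme` in the old setup step and the whole `Prepare Almalinux instance` step) are deleted here and nothing on the new side says where that work now happens. Presumably `./.github/actions/rpm_prep` does it, but that contract is invisible from this workflow; a comment above the new step would pin it, e.g. `# rpm_prep builds the RPM, creates the "acme" network and starts the "acme-srv" container the steps below rely on`. The same applies to the hunks at `@@ -278,141 +144,37 @@` (where the postgres bring-up and the `-p 22280:80` mapping also disappear behind `DJANGO_DB: psql`) and `@@ -129,54 +114,28 @@`. The job these steps belong to begins before this hunk.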
@@ -278,141 +144,37 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: "Get runner ip" - run: | - echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV - echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV - - run: echo "runner IP is ${{ env.RUNNER_IP }}" - - - name: "Prepare Postgres environment" - run: | - docker network create acme - sudo mkdir -p examples/Docker/data/pgsql/ - sudo cp .github/a2c.psql examples/Docker/data/pgsql/a2c.psql - sudo cp .github/pgpass examples/Docker/data/pgsql/pgpass - sudo chmod 600 examples/Docker/data/pgsql/pgpass - - - name: "Install postgres" - working-directory: examples/Docker/ - run: | - docker run --name postgresdbsrv --network acme -e POSTGRES_PASSWORD=foobar -d postgres - - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "Configure postgres" - working-directory: examples/Docker/ - run: | - docker run -v "$(pwd)/data/pgsql/a2c.psql":/tmp/a2c.psql -v "$(pwd)/data/pgsql/pgpass:/root/.pgpass" --rm --network acme postgres psql -U postgres -h postgresdbsrv -f /tmp/a2c.psql - - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep with: - time: 10s - - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: Update version number in spec file and path in nginx ssl config - run: | - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/\/var\/www\/acme2certifier\/volume/\/etc\/nginx/g" examples/nginx/nginx_acme_srv_ssl.conf - git config --global user.email "grindelsack@gmail.com" - git config --global user.name "rpm update" - git add examples/nginx - git commit -a -m "rpm update" - - 
- name: Build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 - with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" - - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" - - - name: "Setup environment for alma installation" - run: | - sudo mkdir -p data/volume - sudo mkdir -p data/acme2certifier - sudo mkdir -p data/nginx - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/django_tester.sh data - sudo cp .github/acme2certifier_cert.pem data/nginx/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem data/nginx/acme2certifier_key.pem - sudo cp .github/django_settings_psql.py data/acme2certifier/settings.py - sudo sed -i "s/USE_I18N = True/USE_I18N = False/g" data/acme2certifier/settings.py - - - name: "Retrieve rpms from SBOM repo" - run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data - env: GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} + DJANGO_DB: psql - name: "Setup openssl ca_handler" run: | mkdir -p data/volume/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/volume/acme_ca/ sudo cp examples/ca_handler/openssl_ca_handler.py data/volume/acme_ca/ca_handler.py sudo chmod 777 data/volume/acme_ca/ca_handler.py sudo sed -i "s/import uuid/import uuid\\nimport time/g" data/volume/acme_ca/ca_handler.py # sudo sed -i "s/ cert_raw = None/ cert_raw = None\\n time.sleep(15)/g" data/volume/acme_ca/ca_handler.py sudo sed -i "s/ cert_raw = None/ cert_raw = None\\n self.logger.debug('CAhandler.enroll(): timeout start')\\n time.sleep(30)\\n self.logger.debug('CAhandler.enroll(): timeout done')/g" data/volume/acme_ca/ca_handler.py - sudo cp 
test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/volume/acme_ca/ sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/volume/acme_srv.cfg sudo chmod 777 data/volume/acme_srv.cfg sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\\ncert_reusage_timeframe: 1800\\nenrollment_timeout: 15/g" data/volume/acme_srv.cfg # sudo sed -i "s/retry_after_timeout: 15/retry_after_timeout: 30\\nenrollment_timeout: 15/g" data/volume/acme_srv.cfg sudo sed -i "s/handler_file: examples\/ca_handler\/openssl_ca_handler.py/handler_file: \/opt\/acme2certifier\/volume\/acme_ca\/ca_handler.py/g" data/volume/acme_srv.cfg - - name: "Prepare Almalinux instance" - run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network acme -p 22280:80 --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - name: "Execute install scipt" run: | docker exec acme-srv sh /tmp/acme2certifier/django_tester.sh - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "Enroll acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure --force - - - name: "Sleep for 5s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 5s - - - name: "Check timeout" - run: | - docker exec acme-srv grep 
"Certificate.enroll_and_store() ended with: None:timeout" /var/log/messages - - - name: "Enroll acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure --force - - - name: "Sleep for 5s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Enrollment" + uses: ./.github/actions/wf_specific/enrollment_timeout/enroll with: - time: 5s - - - name: "Check certificate reusage" - run: | - docker exec acme-srv grep "Certificate._enroll(): reuse existing certificate" /var/log/messages - + DEPLOYMENT_TYPE: "rpm" - name: "[ * ] collecting test logs" if: ${{ failure() }} diff --git a/.github/workflows/headerinfo.yml b/.github/workflows/headerinfo.yml index 83ced3ad..148d1a81 100644 --- a/.github/workflows/headerinfo.yml +++ b/.github/workflows/headerinfo.yml 
@@ -28,42 +28,27 @@ jobs: mkdir acme-sh mkdir certbot - - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})" - working-directory: examples/Docker/ - run: | - sudo apt-get install -y docker-compose - sudo mkdir -p data - sed -i "s/wsgi/$DB_HANDLER/g" .env - sed -i "s/apache2/$WEB_SRV/g" .env - cat .env - docker network create acme - docker-compose up -d - docker-compose logs - env: - WEB_SRV: ${{ matrix.websrv }} + - name: "Build container" + uses: ./.github/actions/container_prep + with: DB_HANDLER: ${{ matrix.dbhandler }} - + WEB_SRV: ${{ matrix.websrv }} - name: "Setup a2c with xca_ca_handler" run: | - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py sudo cp examples/ca_handler/xca_ca_handler.py examples/Docker/data/ca_handler.py - sudo chmod 777 examples/Docker/data/ca_handler.py sudo sed -i "s/error = eab_profile_header_info_check(self.logger, self, csr, 'template_name')/qset = header_info_get(self.logger, csr=csr)\n if qset:\n self.logger.info('header_info: %s', qset[-1]['header_info'])/g" examples/Docker/data/ca_handler.py sudo sed -i "s/eab_profile_header_info_check/header_info_get/g" examples/Docker/data/ca_handler.py sudo mkdir -p examples/Docker/data/xca sudo chmod -R 777 examples/Docker/data/xca sudo cp test/ca/acme2certifier-clean.xdb examples/Docker/data/xca/$XCA_DB_NAME + sudo mkdir -p examples/Docker/data/acme_ca/certs sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ sudo touch examples/Docker/data/acme_srv.cfg sudo chmod 777 examples/Docker/data/acme_srv.cfg sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg - # sudo 
echo "handler_file: /var/www/acme2certifier/examples/ca_handler/xca_ca_handler.py" >> examples/Docker/data/acme_srv.cfg sudo echo "xdb_file: volume/xca/$XCA_DB_NAME" >> examples/Docker/data/acme_srv.cfg sudo echo "issuing_ca_name: $XCA_ISSUING_CA" >> examples/Docker/data/acme_srv.cfg sudo echo "passphrase: $XCA_PASSPHRASE" >> examples/Docker/data/acme_srv.cfg @@ -72,7 +57,6 @@ jobs: sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg cd examples/Docker/ docker-compose restart - docker-compose logs env: XCA_PASSPHRASE: ${{ secrets.XCA_PASSPHRASE }} XCA_ISSUING_CA: ${{ secrets.XCA_ISSUING_CA }} @@ -92,8 +76,9 @@ jobs: - name: "Enroll lego" run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent foo-bar-doo -d lego.acme --http run - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent foo-bar-doo -d lego.acme --http run + sudo cat lego/certificates/lego.acme.issuer.crt | awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - name: "Sleep for 15s" uses: juliangruber/sleep-action@v2.0.3 
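Review bot: In `Enroll lego`, `sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem ...` takes its trust anchor from the issuer chain the ACME server just returned, so the check only proves the chain is self-consistent, not that the certificate was issued by the test CA in `test/ca/` as the replaced `-CAfile examples/Docker/data/acme_ca/root-ca-cert.pem` line did. If the goal was only to stop hard-coding the intermediate, keep the known root as the anchor and hand the whole issuer file to `-untrusted`, which accepts a multi-certificate PEM, so the awk split is not needed: `sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted lego/certificates/lego.acme.issuer.crt lego/certificates/lego.acme.crt`. As written, the step also fails with a missing-file error rather than a verification error if the server returns an intermediate-only chain, since no `cert-2.pem` is produced then. The hunk at `@@ -363,10 +204,11 @@` makes the same change against `data/volume/acme_ca/root-ca-cert.pem`.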
@@ -129,54 +114,28 @@ jobs: fail-fast: false matrix: rhversion: [8, 9] + execscript: ['rpm_tester.sh', 'django_tester.sh'] + steps: - name: "Checkout GIT" uses: actions/checkout@v4 - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: Update version number in spec file - run: | - # sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - cat examples/install_scripts/rpm/acme2certifier.spec - - - name: Build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" - - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" - - - name: "Setup environment for alma installation" - run: | - docker network create acme - sudo mkdir -p data - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data + GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} + GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} - name: "Create lego folder" run: | mkdir lego - - name: "Retrieve rpms from SBOM repo" - run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data - env: - GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} - GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} - - - name: "prepare acme_srv.cfg with xca_ca_handler" + - name: "RPM - Setup acme_srv.cfg with xca_ca_handler" + if: matrix.execscript == 'rpm_tester.sh' run: | mkdir -p data/acme_ca 
sudo cp test/ca/acme2certifier-clean.xdb data/acme_ca/$XCA_DB_NAME - sudo mkdir -p examples/Docker/data/acme_ca/certs sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/ sudo cp examples/ca_handler/xca_ca_handler.py data/acme_ca/ca_handler.py 
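Review bot: For the new `django_tester.sh` matrix leg, `Prepare Alma environment` calls `./.github/actions/rpm_prep` with only `GH_SBOM_USER`, `GH_SBOM_TOKEN` and `RH_VERSION`, whereas the enrollment_timeout workflow in this same commit passes `DJANGO_DB: psql` for its Django job, and the Django-specific setup that the deleted `headerinfo_django_rpm` job did by hand (copying `.github/django_settings.py`, the nginx cert/key, the `USE_I18N` sed) is not restored anywhere on the new side. If rpm_prep performs that setup only when a Django input is given, this leg runs `django_tester.sh` against an RPM-only layout; if it always does, a comment saying so would remove the doubt. Either way the leg-specific inputs should be explicit here rather than left to be inferred from `matrix.execscript`, e.g. `# rpm_prep: no DJANGO_DB input needed, django_tester.sh leg uses the default DB`. The job's `steps:` list begins before this hunk.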
@@ -200,126 +159,8 @@ jobs: XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} - - name: "Almalinux instance" - run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - - - name: "Execute install scipt" - run: | - docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh - - - name: "Enroll lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent foo-bar-doo -d lego.acme --http run - sudo openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - - - name: "Sleep for 15s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 15s - - - name: "check header info" - run: | - docker exec acme-srv grep foo-bar-doo /var/log/messages - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier - sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ - sudo rm ${{ github.workspace }}/artifact/data/*.rpm - docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig - docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf - docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v4 - if: ${{ failure() }} - with: - 
name: rpm_header_info.ap_wsgi-rh${{ matrix.rhversion }}.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - headerinfo_django_rpm: - name: "headerinfo_django_rpm" - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - rhversion: [8, 9] - steps: - - name: "checkout GIT" - uses: actions/checkout@v4 - - - name: "get runner ip" - run: | - echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV - echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV - - run: echo "runner IP is ${{ env.RUNNER_IP }}" - - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: update version number in spec file and path in nginx ssl config - run: | - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/\/var\/www\/acme2certifier\/volume/\/etc\/nginx/g" examples/nginx/nginx_acme_srv_ssl.conf - git config --global user.email "grindelsack@gmail.com" - git config --global user.name "rpm update" - git add examples/nginx - git commit -a -m "rpm update" - - - name: Build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 - with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" - - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" - - - name: "Setup environment for alma installation" - run: | - docker network create acme - sudo mkdir -p data/volume - sudo mkdir -p data/acme2certifier - sudo mkdir -p data/nginx - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/django_tester.sh data - sudo cp .github/acme2certifier_cert.pem data/nginx/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem 
data/nginx/acme2certifier_key.pem - sudo cp .github/django_settings.py data/acme2certifier/settings.py - sudo sed -i "s/\/var\/www\//\/opt\//g" data/acme2certifier/settings.py - sudo sed -i "s/USE_I18N = True/USE_I18N = False/g" data/acme2certifier/settings.py - - - name: "create lego folder" - run: | - mkdir lego - - - name: "Retrieve rpms from SBOM repo" - run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data - env: - GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} - GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} - - #- name: "prepare acme_srv.cfg with openssl_ca_handler" - # run: | - # sudo mkdir -p data/volume/acme_ca/certs - # sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/volume/acme_ca/ - # sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/volume/acme_srv.cfg - # sudo chmod 777 data/volume/acme_srv.cfg - # sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/volume/acme_srv.cfg - - - name: "Setup acme_srv.cfg with xca_ca_handler" + - name: "DJango - Setup acme_srv.cfg with xca_ca_handler" + if: matrix.execscript == 'django_tester.sh' run: | mkdir -p data/volume/acme_ca/certs sudo cp test/ca/acme2certifier-clean.xdb data/volume/acme_ca/$XCA_DB_NAME 
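Review bot: The renamed step `"DJango - Setup acme_srv.cfg with xca_ca_handler"` has a typo in its label; its sibling in the previous hunk is `"RPM - Setup acme_srv.cfg with xca_ca_handler"`, so `"Django - Setup acme_srv.cfg with xca_ca_handler"` keeps the pair consistent. The added `if: matrix.execscript == 'django_tester.sh'` guard matches the RPM step's pattern, but the step body continues past the end of this hunk.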
@@ -346,16 +187,16 @@ jobs: XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} - - name: "Almalinux instance" - run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network acme -p 22280:80 --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - name: "Execute install scipt" run: | - docker exec acme-srv sh /tmp/acme2certifier/django_tester.sh + docker exec acme-srv sh /tmp/acme2certifier/$EXEC_SCRIPT + env: + EXEC_SCRIPT: ${{ matrix.execscript }} + + - name: "Sleep for 10s" + uses: juliangruber/sleep-action@v2.0.3 + with: + time: 10s - name: "Test http://acme-srv/directory is accessible" run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory @@ -363,10 +204,11 @@ jobs: - name: "Test if https://acme-srv/directory is accessible" run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - name: "lego" + - name: "Enroll lego" run: | docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent foo-bar-doo -d lego.acme --http run - sudo openssl verify -CAfile data/volume/acme_ca/root-ca-cert.pem -untrusted data/volume/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt + sudo cat lego/certificates/lego.acme.issuer.crt | awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - name: "Sleep for 15s" uses: juliangruber/sleep-action@v2.0.3 
@@ -382,22 +224,16 @@ jobs: run: | mkdir -p ${{ github.workspace }}/artifact/upload docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier - docker exec acme-srv tar cvfz /tmp/acme2certifier/nginx.tgz /etc/nginx sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ sudo rm ${{ github.workspace }}/artifact/data/*.rpm docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf - docker exec acme-srv rpm -qa > ${{ github.workspace }}/artifact/data/packages.txt docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log lego + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log - name: "[ * ] uploading artificates" uses: actions/upload-artifact@v4 if: ${{ failure() }} with: - name: headerinfo_django_rpm-rh${{ matrix.rhversion }}.tar.gz + name: rpm_header_info.ap_wsgi-rh${{ matrix.rhversion }}.tar.gz path: ${{ github.workspace }}/artifact/upload/ - - - diff --git a/.github/workflows/hooks-test.yml b/.github/workflows/hooks-test.yml index fc38e359..f1dea486 100644 --- a/.github/workflows/hooks-test.yml +++ b/.github/workflows/hooks-test.yml 
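Review bot: The artifact name `rpm_header_info.ap_wsgi-rh${{ matrix.rhversion }}.tar.gz` no longer distinguishes the two `execscript` legs that the matrix added in `@@ -129,54 +114,28 @@` introduces, so when both the `rpm_tester.sh` and `django_tester.sh` legs of one rhversion fail, the second `actions/upload-artifact@v4` call collides with an already-existing artifact name and itself errors, hiding the logs it was meant to keep. The `ap_wsgi` part is also misleading for the Django leg. Use `name: rpm_header_info-${{ matrix.execscript }}-rh${{ matrix.rhversion }}.tar.gz` or similar. The collecting step that feeds this upload starts before this hunk.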
@@ -8,9 +8,30 @@ on: - cron: '0 2 * * 6' jobs: + + container_build: + name: "container_build" + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + websrv: ['apache2', 'nginx'] + dbhandler: ['wsgi', 'django'] + + steps: + - name: "checkout GIT" + uses: actions/checkout@v4 + + - name: "Build container" + uses: ./.github/actions/container_build_upload + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + hooks_tests: name: "hooks_tests" runs-on: ubuntu-latest + needs: container_build strategy: fail-fast: false matrix: 
@@ -21,35 +42,36 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: "Create folders" - run: | - mkdir lego - mkdir acme-sh - mkdir certbot + - name: "Download container" + uses: actions/download-artifact@v4 + with: + name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz + path: /tmp - - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})" - working-directory: examples/Docker/ + - name: "Import container" run: | sudo apt-get install -y docker-compose - sudo mkdir -p data - sed -i "s/wsgi/$DB_HANDLER/g" .env - sed -i "s/apache2/$WEB_SRV/g" .env - cat .env - docker network create acme - docker-compose up -d - docker-compose logs - env: + gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz + docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar + docker images + + - name: "Prepare container environment" + uses: ./.github/actions/container_prep + with: + DB_HANDLER: ${{ matrix.dbhandler }} WEB_SRV: ${{ matrix.websrv }} + CONTAINER_BUILD: false + + - name: "Bring up a2c container" + uses: ./.github/actions/container_up + with: DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - name: "Setup openssl ca_handler" run: | sudo mkdir -p examples/Docker/data/hooks sudo chmod -R 777 examples/Docker/data/hooks - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py sudo mkdir -p examples/Docker/data/acme_ca/certs sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ 
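Review bot: The `Import container` step spells the artifact path out three times as `/tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar[.gz]`, expanded inline into the shell script; the matrix values are fixed literals so this is not an injection concern, but the repetition invites drift against the name used in the download step and in `container_build_upload`. Set it once under `env:` as `IMAGE_TAR: /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar`, then `gunzip "$IMAGE_TAR.gz"` and `docker load -i "$IMAGE_TAR"`. Separately, `CONTAINER_BUILD: false` is a bare YAML boolean handed to a composite-action input, which is always a string; write `CONTAINER_BUILD: "false"` so the value the action compares against is explicit.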
@@ -62,7 +84,6 @@ jobs: # sudo cat examples/Docker/data/acme_srv.cfg cd examples/Docker/ docker-compose restart - docker-compose logs env: HOOKS_CHECKSUM: ${{ secrets.HOOKS_CHECKSUM }} @@ -109,6 +130,12 @@ jobs: run: | sha256sum -c checksums.sha256 + - name: "Check container configuration" + uses: ./.github/actions/container_check + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + - name: "[ * ] collecting test logs" if: ${{ failure() }} run: | 
@@ -125,141 +152,10 @@ jobs: name: hooks-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz path: ${{ github.workspace }}/artifact/upload/ - hooks_test_rpm: - name: "hooks_test_rpm" - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - rhversion: [8, 9] - steps: - - name: "checkout GIT" - uses: actions/checkout@v4 - - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: update version number in spec file - run: | - # sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - cat examples/install_scripts/rpm/acme2certifier.spec - - - name: build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 - with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" - - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" - - - name: "setup environment for alma installation" - run: | - docker network create acme - sudo mkdir -p data - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data - - - name: "create letsencrypt and lego folder" - run: | - mkdir acmme-sh - mkdir lego - - - name: "Retrieve rpms from SBOM repo" - run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data - env: - GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} - GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} - - - name: "prepare acme_srv.cfg with openssl_ca_handler" - run: | - sudo mkdir -p data/acme_ca/certs - sudo mkdir -p data/acme_ca/hooks - sudo cp test/ca/sub-ca-key.pem 
test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/acme_srv.cfg - sudo chmod 777 data/acme_srv.cfg - sudo chmod -R 777 data/acme_ca/hooks - sudo echo -e "\n\n[Hooks]" >> data/acme_srv.cfg - sudo echo "hooks_file: /opt/acme2certifier/examples/hooks/cn_dump_hooks.py" >> data/acme_srv.cfg - sudo echo "save_path: /tmp/acme2certifier/acme_ca/hooks" >> data/acme_srv.cfg - sudo echo "$HOOKS_CHECKSUM" > data/acme_ca/hooks/checksums.sha256 - env: - HOOKS_CHECKSUM: ${{ secrets.HOOKS_CHECKSUM }} - - - name: "Almalinux instance" - run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - - name: "[ RUN ] Execute install scipt" - run: | - docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh - - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ REGISTER] certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "[ ENROLL ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - - name: "prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme 
--name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ REGISTER] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug 3 - - - name: "[ ENROLL] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure - openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "[ ENROLL ] lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - - - name: "[ CHECK ] compare checksums to validate hook file content" - working-directory: data/acme_ca/hooks - run: | - sha256sum -c checksums.sha256 - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier - sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - sudo rm ${{ github.workspace }}/artifact/data/*.rpm - docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig - docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf - docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v4 - if: ${{ failure() }} - with: - name: hooks-rpm-rh${{ matrix.rhversion }}.tar.gz - path: ${{ 
github.workspace }}/artifact/upload/ - hooks_exception_handling: name: "hooks_exception_handling" runs-on: ubuntu-latest + needs: container_build strategy: fail-fast: false matrix: @@ -275,20 +171,31 @@ jobs: mkdir acme-sh mkdir certbot - - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})" - working-directory: examples/Docker/ + - name: "Download container" + uses: actions/download-artifact@v4 + with: + name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz + path: /tmp + + - name: "Import container" run: | sudo apt-get install -y docker-compose - sudo mkdir -p data - sed -i "s/wsgi/$DB_HANDLER/g" .env - sed -i "s/apache2/$WEB_SRV/g" .env - cat .env - docker network create acme - docker-compose up -d - docker-compose logs - env: + gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz + docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar + docker images + + - name: "Prepare container environment" + uses: ./.github/actions/container_prep + with: + DB_HANDLER: ${{ matrix.dbhandler }} WEB_SRV: ${{ matrix.websrv }} + CONTAINER_BUILD: false + + - name: "Bring up a2c container" + uses: ./.github/actions/container_up + with: DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - name: "setup openssl ca_handler" run: | @@ -434,6 +341,12 @@ jobs: echo "posthookfailure outcome is ${{steps.posthookfailure.outcome }}" exit 1 + - name: "Check container configuration" + uses: ./.github/actions/container_check + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + - name: "[ * ] collecting test logs" if: ${{ failure() }} run: | 
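Review bot: The download/`gunzip`/`docker load` sequence in the `-275,20 +171,31` hunk is a verbatim copy of the one added to `hooks_tests`, and `container_prep` is already being told `CONTAINER_BUILD: false`, so that action (or a small `container_import` composite) is the natural place to own the artifact name and the load step once instead of per job. The `sudo apt-get install -y docker-compose` line runs before the image is loaded and presumably again inside `container_up`; if the action already installs it, the line here is dead weight. `needs: container_build` is added for this job but I cannot see whether `hooks_tests` got the same, and both consume the same artifact. The job body continues outside the hunk.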
@@ -450,9 +363,36 @@ jobs: name: hooks_exception_handling-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz path: ${{ github.workspace }}/artifact/upload/ - hooks_exception_handling_rpm: - name: "hooks_exception_handling_rpm" + cleanup: + name: "cleanup" runs-on: ubuntu-latest + needs: [hooks_tests, hooks_exception_handling] + strategy: + fail-fast: false + matrix: + websrv: ['apache2', 'nginx'] + dbhandler: ['wsgi', 'django'] + + steps: + - uses: geekyeggo/delete-artifact@v5 + with: + name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz + + rpm_build_and_upload: + name: "rpm_build_and_upload" + runs-on: ubuntu-latest + steps: + - name: "checkout GIT" + uses: actions/checkout@v4 + + - name: "Build rpm package" + id: rpm_build + uses: ./.github/actions/rpm_build_upload + + hooks_test_rpm: + name: "hooks_test_rpm" + runs-on: ubuntu-latest + needs: rpm_build_and_upload strategy: fail-fast: false matrix: 
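Review bot: The new `cleanup` job is skipped whenever `hooks_tests` or `hooks_exception_handling` fails, because `needs:` implies success of the dependencies, so the four loaded-image artifacts (one per `websrv`/`dbhandler` cell) outlive every failed run until retention expiry; add `if: ${{ always() }}` under `runs-on: ubuntu-latest` so deletion happens regardless of outcome. `geekyeggo/delete-artifact@v5` is a third-party action referenced by a mutable tag and it runs with the job's `GITHUB_TOKEN`; pin it to a full commit SHA with the version in a trailing comment, as is done for nothing else in this diff but should be the norm for non-`actions/*` steps. `rpm_build_and_upload` declares no `needs`, which is fine, but the `hooks_test_rpm` matrix header is cut off at the end of the hunk.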
@@ -461,45 +401,129 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: Retrieve Version from version.py + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep + with: + GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} + GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} + RPM_BUILD: false + + - name: Download rpm package + uses: actions/download-artifact@v4 + with: + name: acme2certifier-${{ github.run_id }}.noarch.rpm + path: data/ + + - name: "create letsencrypt and lego folder" + run: | + mkdir acme-sh + mkdir lego + + - name: "prepare acme_srv.cfg with openssl_ca_handler" run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" + sudo mkdir -p data/acme_ca/certs + sudo mkdir -p data/acme_ca/hooks + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/ + sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/acme_srv.cfg + sudo chmod 777 data/acme_srv.cfg + sudo chmod -R 777 data/acme_ca/hooks + sudo echo -e "\n\n[Hooks]" >> data/acme_srv.cfg + sudo echo "hooks_file: /opt/acme2certifier/examples/hooks/cn_dump_hooks.py" >> data/acme_srv.cfg + sudo echo "save_path: /tmp/acme2certifier/acme_ca/hooks" >> data/acme_srv.cfg + sudo echo "$HOOKS_CHECKSUM" > data/acme_ca/hooks/checksums.sha256 + env: + HOOKS_CHECKSUM: ${{ secrets.HOOKS_CHECKSUM }} - - name: update version number in spec file + - name: "[ RUN ] Execute install scipt" run: | - # sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - cat examples/install_scripts/rpm/acme2certifier.spec + docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh - - name: build RPM package - id: rpm 
- uses: grindsa/rpmbuild@alma9 - with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" + - name: "Test http://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ REGISTER] certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" + - name: "[ ENROLL ] HTTP-01 single domain certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot + sudo openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - name: "setup environment for alma installation" + - name: "prepare acme.sh container" run: | - docker network create acme - sudo mkdir -p data - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - name: "create letsencrypt and lego folder" + - name: "[ REGISTER] acme.sh" run: | - mkdir acmme-sh - mkdir lego + docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug 3 - - name: "Retrieve rpms from SBOM repo" + - name: "[ ENROLL] acme.sh" run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data - env: + docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 
--output-insecure + openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + + - name: "[ ENROLL ] lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run + sudo openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt + + - name: "[ CHECK ] compare checksums to validate hook file content" + working-directory: data/acme_ca/hooks + run: | + sha256sum -c checksums.sha256 + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier + sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + sudo rm ${{ github.workspace }}/artifact/data/*.rpm + docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig + docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf + docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v4 + if: ${{ failure() }} + with: + name: hooks-rpm-rh${{ matrix.rhversion }}.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + hooks_exception_handling_rpm: + name: "hooks_exception_handling_rpm" + runs-on: ubuntu-latest + needs: rpm_build_and_upload + strategy: + fail-fast: false + matrix: + rhversion: [8, 9] + steps: + - name: "checkout GIT" + uses: actions/checkout@v4 + + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep + with: 
GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} + RPM_BUILD: false + + - name: Download rpm package + uses: actions/download-artifact@v4 + with: + name: acme2certifier-${{ github.run_id }}.noarch.rpm + path: data/ + + - name: "create letsencrypt and lego folder" + run: | + mkdir acme-sh + mkdir lego - name: "prepare acme_srv.cfg with openssl_ca_handler" run: | @@ -517,13 +541,6 @@ jobs: env: HOOKS_CHECKSUM: ${{ secrets.HOOKS_CHECKSUM }} - - name: "Almalinux instance" - run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - name: "[ RUN ] Execute install scipt" run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh diff --git a/.github/workflows/ip-address-tests.yml b/.github/workflows/ip-address-tests.yml index f39fe56f..c742828b 100644 --- a/.github/workflows/ip-address-tests.yml +++ b/.github/workflows/ip-address-tests.yml 
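Review bot: The value of the `HOOKS_CHECKSUM` secret is written to `data/acme_ca/hooks/checksums.sha256` and, on failure, `sudo cp -rp data/ …/artifact/data/` followed by only `sudo rm …/artifact/data/*.rpm` ships it inside the uploaded artifact; either the checksums are not really sensitive and should not be a repository secret, or the failure step needs `sudo rm -f ${{ github.workspace }}/artifact/data/acme_ca/hooks/checksums.sha256` before the tar. The same artifact also carries `data/acme_ca/sub-ca-key.pem`; it is the in-repo test CA key so nothing new leaks, but a one-line comment saying so would stop the next reviewer from raising it. Note that in `sudo echo "$HOOKS_CHECKSUM" > data/…` and the `>>` lines above it, `sudo` applies to `echo` only while the redirection runs as the runner user, so these lines silently depend on `rpm_prep` having done the `chmod -R 777 data` that the removed inline step used to do; `echo … | sudo tee -a data/acme_srv.cfg` would make the privilege explicit. The `GH_SBOM_*` secrets now go into `rpm_prep` as inputs, so whether the token still ends up in a clone URL (where it can surface in git error output) has to be checked in that action, which is outside this diff.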
@@ -27,54 +27,28 @@ jobs: echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV - run: echo "runner IP is ${{ env.RUNNER_IP }}" - - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})" - working-directory: examples/Docker/ - run: | - sudo apt-get install -y docker-compose - sudo mkdir -p data - sed -i "s/wsgi/$DB_HANDLER/g" .env - sed -i "s/apache2/$WEB_SRV/g" .env - cat .env - docker network create acme - docker-compose up -d - docker-compose logs - env: - WEB_SRV: ${{ matrix.websrv }} + - name: "Build container" + uses: ./.github/actions/container_prep + with: DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - name: "Setup openssl ca_handler" run: | - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py sudo mkdir -p examples/Docker/data/acme_ca/certs sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg examples/Docker/data/acme_srv.cfg cd examples/Docker/ docker-compose restart - docker-compose logs - - - name: "Sleep for 5s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 5s - - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - name: "create lego folder" - run: | - 
mkdir lego + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - name: "Enroll HTTP-01 single domain and ip address " run: | + sudo rm -rf lego/* docker run -i -p 80:80 -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme -d $RUNNER_IP --http run - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt sudo openssl x509 -in lego/certificates/lego.acme.crt --text --noout | grep "IP Address" env: RUNNER_IP: ${{ env.RUNNER_IP }} @@ -96,13 +70,14 @@ jobs: name: ip_tests-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz path: ${{ github.workspace }}/artifact/upload/ - ip_wsgi_rpm: - name: "ip_wsgi_rpm" + ip_rpm: + name: "ip_rpm" runs-on: ubuntu-latest strategy: fail-fast: false matrix: rhversion: [8, 9] + execscript: ['rpm_tester.sh', 'django_tester.sh'] steps: - name: "checkout GIT" uses: actions/checkout@v4 
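Review bot: `sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt` weakens the check it replaces: the old line anchored trust in the known test root `examples/Docker/data/acme_ca/root-ca-cert.pem` (still copied in by `Setup openssl ca_handler` above), whereas `cert-1.pem`/`cert-2.pem` are, going by the cleanup logic in the new `acme_clients` action, presumably the chain the ACME server itself returned, so the verify only proves the returned chain is self-consistent, not that issuance happened under the expected CA. Keep the root as the trust anchor and pin the returned root against it, e.g. `sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt` and `cmp <(openssl x509 -in cert-2.pem -outform DER) <(openssl x509 -in examples/Docker/data/acme_ca/root-ca-cert.pem -outform DER)`. The same substitution also appears in the `ip_rpm` job further down in this file. The `-96,13 +70,14` hunk sharing this anchor is a matrix rename and needs nothing.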
@@ -113,184 +88,40 @@ jobs: echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV - run: echo "runner IP is ${{ env.RUNNER_IP }}" - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: update version number in spec file - run: | - # sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - cat examples/install_scripts/rpm/acme2certifier.spec - - - name: build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" - - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" - - - name: "[ PREPARE ] setup environment for alma installation" - run: | - docker network create acme - sudo mkdir -p data - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data - - - name: "[ PREPARE ] create lego folder" - run: | - mkdir lego - - - name: "Retrieve rpms from SBOM repo" - run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data - env: GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} - - name: "[ PREPARE ] prepare acme_srv.cfg with openssl_ca_handler" + - name: "WSGI - Prepare acme_srv.cfg with openssl_ca_handler" + if: matrix.execscript == 'rpm_tester.sh' run: | mkdir -p data/acme_ca sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem 
test/ca/root-ca-cert.pem data/acme_ca sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/acme_srv.cfg - - name: "[ PREPARE ] Almalinux instance" - run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - - name: "[ RUN ] Execute install scipt" - run: | - docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh - - - name: "Enroll HTTP-01 single domain and ip address " - run: | - docker run -i -p 80:80 -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme -d $RUNNER_IP --http run - sudo openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - sudo openssl x509 -in lego/certificates/lego.acme.crt --text --noout | grep "IP Address" - env: - RUNNER_IP: ${{ env.RUNNER_IP }} - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier - sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ - sudo rm ${{ github.workspace }}/artifact/data/*.rpm - docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig - docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf - docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log lego - - - name: "[ * ] uploading artificates" - 
uses: actions/upload-artifact@v4 - if: ${{ failure() }} - with: - name: ip_wsgi_rpm-rh${{ matrix.rhversion }}.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - - ip_django_rpm: - name: "ip_django_rpm" - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - rhversion: [8, 9] - steps: - - name: "checkout GIT" - uses: actions/checkout@v4 - - - name: "[ PREPARE ] get runner ip" - run: | - echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV - echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV - - run: echo "runner IP is ${{ env.RUNNER_IP }}" - - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: update version number in spec file and path in nginx ssl config - run: | - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/\/var\/www\/acme2certifier\/volume/\/etc\/nginx/g" examples/nginx/nginx_acme_srv_ssl.conf - git config --global user.email "grindelsack@gmail.com" - git config --global user.name "rpm update" - git add examples/nginx - git commit -a -m "rpm update" - - - name: build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 - with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" - - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" - - - name: "[ PREPARE ] setup environment for alma installation" - run: | - docker network create acme - sudo mkdir -p data/volume - sudo mkdir -p data/acme2certifier - sudo mkdir -p data/nginx - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/django_tester.sh data - sudo cp .github/acme2certifier_cert.pem data/nginx/acme2certifier_cert.pem - sudo 
cp .github/acme2certifier_key.pem data/nginx/acme2certifier_key.pem - sudo cp .github/django_settings.py data/acme2certifier/settings.py - sudo sed -i "s/\/var\/www\//\/opt\//g" data/acme2certifier/settings.py - sudo sed -i "s/USE_I18N = True/USE_I18N = False/g" data/acme2certifier/settings.py - - - name: "[ PREPARE ] create lego folder" - run: | - mkdir lego - - - name: "Retrieve rpms from SBOM repo" - run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data - env: - GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} - GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} - - - name: "[ PREPARE ] prepare acme_srv.cfg with openssl_ca_handler" + - name: "Django - Prepare acme_srv.cfg with openssl_ca_handler" + if: matrix.execscript == 'django_tester.sh' run: | sudo mkdir -p data/volume/acme_ca/certs sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/volume/acme_ca/ sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/volume/acme_srv.cfg - - name: "[ PREPARE ] Almalinux instance" + - name: "Execute install scipt" run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . 
--no-cache - docker run -d -id --privileged --network acme -p 22280:80 --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - - name: "[ RUN ] Execute install scipt" - run: | - docker exec acme-srv sh /tmp/acme2certifier/django_tester.sh - - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + docker exec acme-srv sh /tmp/acme2certifier/$EXEC_SCRIPT + env: + EXEC_SCRIPT: ${{ matrix.execscript }} - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - name: "Enroll HTTP-01 single domain and ip address " run: | docker run -i -p 80:80 -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme -d $RUNNER_IP --http run - sudo openssl verify -CAfile data/volume/acme_ca/root-ca-cert.pem -untrusted data/volume/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt sudo openssl x509 -in lego/certificates/lego.acme.crt --text --noout | grep "IP Address" env: RUNNER_IP: ${{ env.RUNNER_IP }} 
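Review bot: The django-specific preparation that the deleted `ip_django_rpm` job performed (copying `.github/django_settings.py` to `data/acme2certifier/settings.py` with the `/var/www/`→`/opt/` and `USE_I18N` edits, placing `acme2certifier_cert.pem`/`acme2certifier_key.pem` under `data/nginx/`, and the `-p 22280:80` mapping) has no counterpart in the new `Django - Prepare acme_srv.cfg with openssl_ca_handler` step, and `rpm_prep` is called with only `GH_SBOM_*` and `RH_VERSION`, so it cannot know which `execscript` cell it is preparing for; unless the action now does that setup unconditionally, `django_tester.sh` will start without it. If it is done inside `rpm_prep`, a comment on the `Django - Prepare` step naming that dependency would make the split legible. `docker exec acme-srv sh /tmp/acme2certifier/$EXEC_SCRIPT` is fed from the matrix only, so the unquoted expansion is safe here, but quoting `"$EXEC_SCRIPT"` costs nothing and keeps the pattern reviewable. As in the compose job above, the verify now anchors on `cert-2.pem` from the server rather than the known `data/…/root-ca-cert.pem`. The step name still reads `Execute install scipt`.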
@@ -300,13 +131,11 @@ jobs: run: | mkdir -p ${{ github.workspace }}/artifact/upload docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier - docker exec acme-srv tar cvfz /tmp/acme2certifier/nginx.tgz /etc/nginx sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ sudo rm ${{ github.workspace }}/artifact/data/*.rpm docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf - docker exec acme-srv rpm -qa > ${{ github.workspace }}/artifact/data/packages.txt docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log lego @@ -314,7 +143,6 @@ jobs: uses: actions/upload-artifact@v4 if: ${{ failure() }} with: - name: ip_django_rpm-rh${{ matrix.rhversion }}.tar.gz + name: ip_wsgi_rpm-rh${{ matrix.rhversion }}-${{ matrix.execscript }}.tar.gz path: ${{ github.workspace }}/artifact/upload/ - diff --git a/.github/workflows/ipv6-test.yml b/.github/workflows/ipv6-test.yml index 7a553f36..50a7895c 100644 --- a/.github/workflows/ipv6-test.yml +++ b/.github/workflows/ipv6-test.yml 
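Review bot: The artifact name `ip_wsgi_rpm-rh${{ matrix.rhversion }}-${{ matrix.execscript }}.tar.gz` in the `-314,7 +143,6` hunk no longer matches the job, which was renamed `ip_rpm` and now also covers the `django_tester.sh` cell; `ip_rpm-rh${{ matrix.rhversion }}-${{ matrix.execscript }}.tar.gz` avoids a wsgi-labelled bundle for a django failure. The `-300,13 +131,11` hunk drops `docker exec acme-srv rpm -qa > …/packages.txt` and the `/etc/nginx` tarball from the failure collection; since the RPMs now come from the SBOM repo via `rpm_prep`, the installed package list is exactly what a triage needs, so unless it is captured elsewhere it is worth keeping.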
@@ -19,34 +19,20 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})" - working-directory: examples/Docker/ - run: | - sudo apt-get install -y docker-compose - sudo mkdir -p data - sed -i "s/wsgi/$DB_HANDLER/g" .env - sed -i "s/apache2/$WEB_SRV/g" .env - cat .env - docker network create acme - docker-compose up -d - docker-compose logs - env: - WEB_SRV: ${{ matrix.websrv }} + - name: "Build container" + uses: ./.github/actions/container_prep + with: DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + IPV6: true - name: "Setup openssl ca_handler" run: | - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py sudo mkdir -p examples/Docker/data/acme_ca/certs sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg examples/Docker/data/acme_srv.cfg cd examples/Docker/ docker-compose restart - docker-compose logs - name: "Sleep for 10s" uses: juliangruber/sleep-action@v2.0.3 
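Review bot: The `Setup openssl ca_handler` step now copies `openssl_ca_handler.py_acme_srv_choosen_handler.cfg` where it used to copy `…_default_handler.cfg`, which changes the handler configuration the IPv6 tests run against inside an otherwise mechanical refactor (the same swap appears in `ip-address-tests.yml`); if intentional it deserves a line in the commit message, otherwise it should be reverted. `IPV6: true` is a YAML boolean that GitHub stringifies to `"true"` for the composite input, so `container_prep` must compare `inputs.IPV6 == 'true'`; a bare `if: inputs.IPV6` would be truthy for `false` as well, which I cannot verify from this diff. The 10-second `sleep-action` and the per-client probes that follow are retained here while the compose job in `ip-address-tests.yml` delegated them to `acme_clients`, so the two workflows now differ in how they wait for the server. The job continues outside this hunk.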
@@ -89,244 +75,84 @@ jobs: name: ipv6_tests-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz path: ${{ github.workspace }}/artifact/upload/ - rpm_wsgi_ipv6: - name: "rpm_wsgi_ipv6" + rpm_ipv6: + name: "rpm_ipv6" runs-on: ubuntu-latest strategy: fail-fast: false matrix: rhversion: [8, 9] + execscript: ['rpm_tester.sh', 'django_tester.sh'] + steps: - name: "checkout GIT" uses: actions/checkout@v4 - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: update version number in spec file - run: | - # sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - cat examples/install_scripts/rpm/acme2certifier.spec - - - name: build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" - - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" - - - name: "[ PREPARE ] setup environment for alma installation" - run: | - docker network create acme --ipv6 --subnet "fdbb:6445:65b4:0a60::/64" - sudo mkdir -p data - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data + GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} + GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} + IPV6: true - name: "[ PREPARE ] create lego and certbot folder" run: | mkdir lego mkdir certbot - - name: "Retrieve rpms from SBOM repo" - run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp 
/tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data - env: - GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} - GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} - - - name: "[ PREPARE ] setup openssl ca_handler" + - name: "Stup openssl ca_handler" + if: matrix.execscript == 'rpm_tester.sh' run: | mkdir -p data/acme_ca sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/ sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/acme_srv.cfg - - name: "[ PREPARE ] Almalinux instance" - run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - - name: "[ RUN ] Execute install scipt" - run: | - docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ ENROLL ] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure - openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "[ ENROL] lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --cert.timeout 180 --http run - - - name: "[ REGISTER ] certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email 
- - - name: "[ ENROLL ] certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier - sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ - sudo rm ${{ github.workspace }}/artifact/data/*.rpm - docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig - docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf - docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v4 - if: ${{ failure() }} - with: - name: rpm_wsgi_ipv6-rh${{ matrix.rhversion }}.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - - rpm_django_ipv6: - name: "rpm_django_ipv6" - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - rhversion: [8, 9] - steps: - - name: "checkout GIT" - uses: actions/checkout@v4 - - - name: "[ PREPARE ] get runner ip" - run: | - echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV - echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV - - run: echo "runner IP is ${{ env.RUNNER_IP }}" - - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: update version number in spec file and path in nginx ssl config - run: | 
- sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/\/var\/www\/acme2certifier\/volume/\/etc\/nginx/g" examples/nginx/nginx_acme_srv_ssl.conf - git config --global user.email "grindelsack@gmail.com" - git config --global user.name "rpm update" - git add examples/nginx - git commit -a -m "rpm update" - - - name: build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 - with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" - - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" - - - name: "[ PREPARE ] setup environment for alma installation" - run: | - docker network create acme --ipv6 --subnet "fdbb:6445:65b4:0a60::/64" - sudo mkdir -p data/volume - sudo mkdir -p data/acme2certifier - sudo mkdir -p data/nginx - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/django_tester.sh data - sudo cp .github/acme2certifier_cert.pem data/nginx/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem data/nginx/acme2certifier_key.pem - sudo cp .github/django_settings.py data/acme2certifier/settings.py - sudo sed -i "s/\/var\/www\//\/opt\//g" data/acme2certifier/settings.py - sudo sed -i "s/USE_I18N = True/USE_I18N = False/g" data/acme2certifier/settings.py - - - name: "[ PREPARE ] create lego folder" - run: | - mkdir lego - - - name: "Retrieve rpms from SBOM repo" - run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data - env: - GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} - GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} - - - name: "[ PREPARE ] setup openssl ca_handler" + - name: "Setup openssl ca_handler" + if: matrix.execscript == 'django_tester.sh' run: | sudo mkdir -p data/volume/acme_ca/certs sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem 
test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/volume/acme_ca/ sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/volume/acme_srv.cfg - - name: "[ PREPARE ] Almalinux instance" + - name: "Execute install scipt" run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network acme -p 22280:80 --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - - name: "[ RUN ] Execute install scipt" - run: | - docker exec acme-srv sh /tmp/acme2certifier/django_tester.sh - - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - + docker exec acme-srv sh /tmp/acme2certifier/$EXEC_SCRIPT + env: + EXEC_SCRIPT: ${{ matrix.execscript }} - - name: "[ PREPARE ] prepare acme.sh container" + - name: "Prepare acme.sh container" run: | docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - name: "[ ENROLL ] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure - openssl verify -CAfile data/volume/acme_ca/root-ca-cert.pem -untrusted data/volume/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "[ ENROL] lego" + - name: "Enroll acme.sh" run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --cert.timeout 180 --http run + docker exec -i acme-sh acme.sh --server http://acme-srv 
--accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --listen-v6 --debug 3 --output-insecure + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - name: "[ REGISTER ] certbot" + - name: "Enroll acme.sh using ipv6 with ipv4 fallback" run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email + docker exec -i acme-sh acme.sh --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --listen-v4 --debug 3 --output-insecure --force + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - name: "[ ENROLL ] certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - name: "[ * ] collecting test logs" if: ${{ failure() }} run: | mkdir -p ${{ github.workspace }}/artifact/upload docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier - docker exec acme-srv tar cvfz /tmp/acme2certifier/nginx.tgz /etc/nginx sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ sudo rm ${{ github.workspace }}/artifact/data/*.rpm docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf - docker exec acme-srv rpm -qa > ${{ github.workspace }}/artifact/data/packages.txt docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log - sudo tar -C ${{ github.workspace 
}}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log lego + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log - name: "[ * ] uploading artificates" uses: actions/upload-artifact@v4 if: ${{ failure() }} with: - name: rpm_django_ipv6-rh${{ matrix.rhversion }}.tar.gz + name: rpm_ipv6-rh${{ matrix.rhversion }}.tar.gz path: ${{ github.workspace }}/artifact/upload/ + diff --git a/.github/workflows/lego-application-test.yml b/.github/workflows/lego-application-test.yml index ba04ddd3..6d413c57 100644 --- a/.github/workflows/lego-application-test.yml +++ b/.github/workflows/lego-application-test.yml @@ -10,8 +10,28 @@ on: jobs: + container_build: + name: "container_build" + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + websrv: ['apache2', 'nginx'] + dbhandler: ['wsgi', 'django'] + + steps: + - name: "checkout GIT" + uses: actions/checkout@v4 + + - name: "Build container" + uses: ./.github/actions/container_build_upload + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + lego_tests: - name: "lego_tests" + name: lego_tests + needs: container_build runs-on: ubuntu-latest strategy: fail-fast: false 
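Review bot: The upload at the end of this hunk names the artifact `rpm_ipv6-rh${{ matrix.rhversion }}.tar.gz`, but the job matrix now also has `execscript`, so the `rpm_tester.sh` and `django_tester.sh` legs upload under the same name and `actions/upload-artifact@v4` rejects the second upload; use `name: rpm_ipv6-rh${{ matrix.rhversion }}-${{ matrix.execscript }}.tar.gz`, as the `@@ -314,7 +143,6` hunk already does for `ip_wsgi_rpm`. In "Enroll acme.sh using ipv6 with ipv4 fallback", `--keylength 2048` issues an RSA certificate, which acme.sh stores under `acme-sh/acme-sh.acme/` (the removed line in this hunk verifies exactly that path), so the `openssl verify` on `acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer` re-checks the ECC certificate from the previous step rather than the one just issued. Both new verify lines also take their trust anchor (`cert-2.pem`) from the `ca.cer` the server itself returned, which only shows the chain is self-consistent; the removed lines verified against `data/acme_ca/root-ca-cert.pem` (`data/volume/acme_ca/` for the django leg), which is the check that proves issuance by the expected test CA, so keep `-CAfile` pointed at the test root and use the split chain only for `-untrusted`. Step name typo: `Stup openssl ca_handler`.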
@@ -27,34 +47,37 @@ jobs: run: | mkdir lego - - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})" - working-directory: examples/Docker/ + - name: "Download container" + uses: actions/download-artifact@v4 + with: + name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz + path: /tmp + + - name: "Import container" run: | sudo apt-get install -y docker-compose - sudo mkdir -p data - sed -i "s/wsgi/$DB_HANDLER/g" .env - sed -i "s/apache2/$WEB_SRV/g" .env - cat .env - docker network create acme - docker-compose up -d - docker-compose logs - env: - WEB_SRV: ${{ matrix.websrv }} + gunzip /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz + docker load -i /tmp/a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar + docker images + + - name: "Prepare container environment" + uses: ./.github/actions/container_prep + with: DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + CONTAINER_BUILD: false - name: "Setup openssl ca_handler" run: | - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py sudo mkdir -p examples/Docker/data/acme_ca/certs sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs + sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg examples/Docker/data/acme_srv.cfg + + - name: "Bring up a2c container" + uses: 
./.github/actions/container_up + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - name: "Sleep for 10s" uses: juliangruber/sleep-action@v2.0.3 @@ -74,7 +97,7 @@ jobs: - name: "Renew HTTP-01 single domain lego" run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme --http renew + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme --http renew --no-random-sleep sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - name: "Revoke HTTP-01 single domain lego" @@ -88,13 +111,19 @@ jobs: - name: "Renew HTTP-01 2x domain lego" run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme -d lego --http renew + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme -d lego --http renew --no-random-sleep sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - name: "Revoke HTTP-01 2x domain lego" run: | docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme revoke + - name: "Check container configuration" + uses: ./.github/actions/container_check + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + - name: "[ * ] collecting test logs" if: ${{ failure() }} run: | 
@@ -112,3 +141,17 @@ jobs:
 name: lego_tests-${{ matrix.keylength }}-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
 path: ${{ github.workspace }}/artifact/upload/
+ cleanup:
+ name: "cleanup"
+ runs-on: ubuntu-latest
+ needs: lego_tests
+ strategy:
+ fail-fast: false
+ matrix:
+ websrv: ['apache2', 'nginx']
+ dbhandler: ['wsgi', 'django']
+
+ steps:
+ - uses: geekyeggo/delete-artifact@v5
+ with:
+ name: a2c-${{ github.run_id }}.${{ matrix.websrv }}.${{ matrix.dbhandler }}.tar.gz
diff --git a/.github/workflows/manual-install-test.yml b/.github/workflows/manual-install-test.yml
index 3e8f9c88..af3aca32 100644
--- a/.github/workflows/manual-install-test.yml
+++ b/.github/workflows/manual-install-test.yml
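Review bot: `cleanup` declares `needs: lego_tests` without an `if:`, so it is skipped whenever `lego_tests` fails and the `a2c-<run_id>.*.tar.gz` container images stay in artifact storage precisely on the runs that already keep failure artifacts; add `if: ${{ always() }}` to the job so the images are deleted regardless of the test outcome. `geekyeggo/delete-artifact@v5` is a third-party action referenced by a mutable tag; pinning it (and the other third-party actions in this file, e.g. `juliangruber/sleep-action@v2.0.3`) to a full commit SHA with the tag in a trailing comment removes the tag-retarget risk for code that runs with the workflow's token.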
@@ -35,19 +35,23 @@ jobs: run: | sudo apt-get install -y socat sudo sed -i "s/Listen 80/Listen 8080/g" /etc/apache2/ports.conf + sudo sed -i "s/Listen 443/Listen 1443/g" /etc/apache2/ports.conf sudo sed -i "s/*:80/*:8080/g" /etc/apache2/sites-available/acme2certifier.conf + sudo sed -i "s/*:443/*:1443/g" /etc/apache2/sites-available/acme2certifier_ssl.conf sudo sed -i "s/examples\/ca_handler/\/var\/www\/acme2certifier\/examples\/ca_handler/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg sudo sed -i "s/volume\/acme_ca/\/var\/www\/acme2certifier\/volume\/acme_ca/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg sudo service apache2 restart - - name: "Test http://acme-srv/directory is accessible" - run: curl -f http://127.0.0.1:8080/directory + - name: "Create Namespace" + run: docker network create acme - - name: "Enroll via acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --name=acme-sh neilpang/acme.sh:latest --issue --server http://${{ env.RUNNER_IP }}:8080 --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure - openssl verify -CAfile /var/www/acme2certifier/volume/acme_ca/root-ca-cert.pem -untrusted /var/www/acme2certifier/volume/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + - name: "Test enrollment" + uses: ./.github/actions/acme_clients + with: + ACME_SERVER: ${{ env.RUNNER_IP }} + HTTP_PORT: 8080 + HTTPS_PORT: 1443 - name: "[ * ] collecting test logs" if: ${{ failure() }} 
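Review bot: The new `sed -i "s/*:443/*:1443/g" /etc/apache2/sites-available/acme2certifier_ssl.conf` presumes the SSL site was copied and enabled earlier in this job, outside the hunk; `sed -i` on a missing path aborts the step, and if the site is present but not enabled the `HTTPS_PORT: 1443` handed to `acme_clients` points at nothing. The `deb_apache2` job (`@@ -247,40 +247,34`) makes that setup explicit (`apache_wsgi_ssl.conf` copy, `a2enmod ssl`, `a2ensite acme2certifier_ssl`), and the same should be visible for this job. The nginx variant at `@@ -89,15 +93,23` has the same dependency on `/etc/nginx/sites-enabled/acme_srv_ssl.conf`. The enclosing job starts before this hunk.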
@@ -89,15 +93,23 @@ jobs: sudo apt-get install -y socat sudo sed -i "s/listen 80/listen 8080/g" /etc/nginx/sites-enabled/acme_srv.conf sudo sed -i "s/listen [::]:80/listen [::]:8080/g" /etc/nginx/sites-enabled/acme_srv.conf + sudo sed -i "s/listen 443/listen 1443/g" /etc/nginx/sites-enabled/acme_srv_ssl.conf + sudo sed -i "s/listen [::]:443/listen [::]:1443/g" /etc/nginx/sites-enabled/acme_srv_ssl.conf + sudo sed -i "s/examples\/ca_handler/\/var\/www\/acme2certifier\/examples\/ca_handler/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg sudo sed -i "s/volume\/acme_ca/\/var\/www\/acme2certifier\/volume\/acme_ca/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg sudo service nginx restart - - name: "Enroll acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --name=acme-sh neilpang/acme.sh:latest --issue --server http://${{ env.RUNNER_IP }}:8080 --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure - openssl verify -CAfile /var/www/acme2certifier/volume/acme_ca/root-ca-cert.pem -untrusted /var/www/acme2certifier/volume/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + - name: "Create Namespace" + run: docker network create acme + + - name: "Test enrollment" + uses: ./.github/actions/acme_clients + with: + ACME_SERVER: ${{ env.RUNNER_IP }} + HTTP_PORT: 8080 + HTTPS_PORT: 1443 - name: "[ * ] collecting test logs" if: ${{ failure() }} 
@@ -144,13 +156,8 @@ jobs:
 run: |
 docker exec acme-srv sh /tmp/acme2certifier/examples/Docker/almalinux-systemd/script_tester.sh
- - name: "Test http://acme-srv/directory is accessible"
- run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
-
- - name: "Enroll acme.sh"
- run: |
- docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure
- openssl verify -CAfile test/ca/root-ca-cert.pem -untrusted test/ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
+ - name: "Test enrollment"
+ uses: ./.github/actions/acme_clients
 - name: "[ * ] collecting test logs"
 if: ${{ failure() }}
@@ -170,6 +177,10 @@ jobs:
 alma_nginx_wsgi_rpm:
 name: "alma_nginx_wsgi_rpm"
 runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ rhversion: [8, 9]
 steps:
 - name: "checkout GIT"
 uses: actions/checkout@v4
@@ -177,49 +188,26 @@ jobs: - name: Branch name run: echo running on branch ${GITHUB_REF##*/} - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: update version number in spec file - run: | - # sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - cat examples/install_scripts/rpm/acme2certifier.spec - - - name: build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" + GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} + GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" - - - name: "Setup environment" + - name: "Prepare acme_srv.cfg with openssl_ca_handler" run: | - docker network create acme - mkdir -p data/acme_ca/certs/ - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/acme_srv.cfg + mkdir -p data/acme_ca + sudo mkdir -p examples/Docker/data/acme_ca/certs sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/ - sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data - - - name: "Almalinux instance" - run: | - cat examples/Docker/almalinux-systemd/Dockerfile | docker build -t almalinux-systemd -f - . 
--no-cache - docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd + sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/acme_srv.cfg - - name: "[ RUN ] Execute install scipt" + - name: "Execute install scipt" run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - name: "Enroll acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure - openssl verify -CAfile test/ca/root-ca-cert.pem -untrusted test/ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - name: "[ * ] collecting test logs" if: ${{ failure() }} @@ -237,9 +225,21 @@ jobs: name: alma_nginx_wsgi_rpm.tar.gz path: ${{ github.workspace }}/artifact/upload/ + deb_build: + name: "deb_build" + runs-on: ubuntu-latest + steps: + + - name: "checkout GIT" + uses: actions/checkout@v4 + + - name: "deb build and upload" + uses: ./.github/actions/deb_build_upload + deb_apache2: name: "deb_apache2" runs-on: ubuntu-latest + needs: deb_build steps: - name: "checkout GIT" uses: actions/checkout@v4 
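Review bot: In "Prepare acme_srv.cfg with openssl_ca_handler" the old `mkdir -p data/acme_ca/certs/` becomes `mkdir -p data/acme_ca` plus `sudo mkdir -p examples/Docker/data/acme_ca/certs`; the second path is the docker-compose layout and nothing in this job mounts it, so this reads as a copy-paste and the `data/acme_ca/certs` directory the old line provided for the handler is no longer created — suggest `mkdir -p data/acme_ca/certs` and dropping the `examples/Docker` line. The step also hands `GH_SBOM_TOKEN` to the `rpm_prep` composite action; the clone it replaces (see the removed `Retrieve rpms from SBOM repo` lines in the `rpm_ipv6` hunk, `@@ -89,244 +75,84`) embedded the token in the remote URL of `/tmp/sbom`, where it persists in `.git/config`, so it is worth confirming the action passes the token out-of-band (`actions/checkout` with `token:` and `persist-credentials: false`, or a `git -c http.extraheader=...` clone) and removes the clone once the RPMs are copied. The enclosing job starts before this hunk.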
@@ -247,40 +247,34 @@ jobs: - name: "Get runner ip" run: | echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV - echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV - run: echo "runner IP is ${{ env.RUNNER_IP }}" - - name: Retrieve Version from version.py + - name: "Retrieve Version from version.py" run: | echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: "Prepare environment to build deb package" - run: | - sudo apt-get update && sudo apt-get -y upgrade - sudo apt-get -y install build-essential fakeroot dpkg-dev devscripts debhelper - rm setup.py - cp -R examples/install_scripts/debian ./ - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" debian/changelog - cd ../ - tar cvfz ../acme2certifier_${{ env.TAG_NAME }}.orig.tar.gz ./ - - - name: "Build debian package" - run: | - dpkg-buildpackage -uc -us - dpkg -c ../acme2certifier_${{ env.TAG_NAME }}-1_all.deb + - name: Download debian package + uses: actions/download-artifact@v4 + continue-on-error: true + with: + name: acme2certifier_${{ env.TAG_NAME }}-${{ github.run_id }}-1_all.deb + path: /tmp - name: Install apache2 and acme2certifier packages" run: | sudo apt-get update sudo apt-get install -y apache2 apache2-data libapache2-mod-wsgi-py3 - sudo apt-get install -y ../acme2certifier_${{ env.TAG_NAME }}-1_all.deb + sudo apt-get install -y /tmp/acme2certifier_${{ env.TAG_NAME }}-${{ github.run_id }}-1_all.deb - name: "configure a2c" run: | sudo cp /var/www/acme2certifier/examples/apache2/apache_wsgi.conf /etc/apache2/sites-available/acme2certifier.conf + sudo cp /var/www/acme2certifier/examples/apache2/apache_wsgi_ssl.conf /etc/apache2/sites-available/acme2certifier_ssl.conf + sudo a2enmod ssl sudo a2ensite acme2certifier + sudo a2ensite acme2certifier_ssl + sudo mkdir -p /var/www/acme2certifier/volume/ + sudo cp 
.github/acme2certifier.pem /var/www/acme2certifier/volume/ sudo rm /etc/apache2/sites-enabled/000-default.conf sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg /var/www/acme2certifier/acme_srv/acme_srv.cfg sudo mkdir -p /var/www/acme2certifier/volume/acme_ca/certs 
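Review bot: `continue-on-error: true` on the `Download debian package` step hides a missing or misnamed artifact; the job then fails one step later at `sudo apt-get install -y /tmp/acme2certifier_${{ env.TAG_NAME }}-${{ github.run_id }}-1_all.deb` with a less useful message, and the `deb_nginx` counterpart (`@@ -333,41 +329,36`) does not set the flag, so the two jobs disagree. Drop the flag here, since the job cannot proceed without the package anyway. The enclosing job continues past this hunk.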
@@ -288,26 +282,27 @@ jobs: sudo chown -R www-data.www-data /var/www/acme2certifier/volume sudo systemctl start apache2 - - name: "Test http://acme-srv/directory is accessible" - run: curl -f http://127.0.0.1/directory - - name: "Modfiy configuration to allow certifiate enrollment" run: | # sudo apt-get install -y socat sudo sed -i "s/Listen 80/Listen 8080/g" /etc/apache2/ports.conf + sudo sed -i "s/Listen 443/Listen 1443/g" /etc/apache2/ports.conf sudo sed -i "s/*:80/*:8080/g" /etc/apache2/sites-available/acme2certifier.conf + sudo sed -i "s/*:443/*:1443/g" /etc/apache2/sites-available/acme2certifier_ssl.conf sudo sed -i "s/examples\/ca_handler/\/var\/www\/acme2certifier\/examples\/ca_handler/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg sudo sed -i "s/volume\/acme_ca/\/var\/www\/acme2certifier\/volume\/acme_ca/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg sudo systemctl restart apache2 - - name: "Test http://acme-srv/directory is accessible" - run: curl -f http://127.0.0.1:8080/directory + - name: "Create Namespace" + run: docker network create acme - - name: "Enroll acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --name=acme-sh neilpang/acme.sh:latest --issue --server http://${{ env.RUNNER_IP }}:8080 --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure - openssl verify -CAfile /var/www/acme2certifier/volume/acme_ca/root-ca-cert.pem -untrusted /var/www/acme2certifier/volume/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + - name: "Test enrollment" + uses: ./.github/actions/acme_clients + with: + ACME_SERVER: ${{ env.RUNNER_IP }} + HTTP_PORT: 8080 + HTTPS_PORT: 1443 - name: "[ * ] collecting test logs" if: ${{ failure() }} 
@@ -326,6 +321,7 @@ jobs:
 deb_nginx:
 name: "deb_nginx"
 runs-on: ubuntu-latest
+ needs: deb_build
 steps:
 - name: "checkout GIT"
 uses: actions/checkout@v4
@@ -333,41 +329,36 @@ jobs: - name: "Get runner ip" run: | echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV - echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV - run: echo "runner IP is ${{ env.RUNNER_IP }}" - - name: Retrieve Version from version.py + - name: "Retrieve Version from version.py" run: | echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - name: "Prepare environment to build deb package" - run: | - sudo apt-get update && sudo apt-get -y upgrade - sudo apt-get -y install build-essential fakeroot dpkg-dev devscripts debhelper - rm setup.py - cp -R examples/install_scripts/debian ./ - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" debian/changelog - cd ../ - tar cvfz ../acme2certifier_${{ env.TAG_NAME }}.orig.tar.gz ./ - - - name: "Build debian package" - run: | - dpkg-buildpackage -uc -us - dpkg -c ../acme2certifier_${{ env.TAG_NAME }}-1_all.deb + - name: Download debian package + uses: actions/download-artifact@v4 + with: + name: acme2certifier_${{ env.TAG_NAME }}-${{ github.run_id }}-1_all.deb + path: /tmp - name: "Install nginx and acme2certifier packages" run: | sudo apt-get update sudo apt-get install -y python3-pip nginx uwsgi uwsgi-plugin-python3 - sudo apt-get install -y ../acme2certifier_${{ env.TAG_NAME }}-1_all.deb + sudo apt-get install -y /tmp/acme2certifier_${{ env.TAG_NAME }}-${{ github.run_id }}-1_all.deb - name: "Prepare local modification to get a2c running" run: | sed -i "s/run\/uwsgi\/acme.sock/var\/www\/acme2certifier\/acme.sock/g" examples/nginx/nginx_acme_srv.conf + sed -i "s/run\/uwsgi\/acme.sock/var\/www\/acme2certifier\/acme.sock/g" examples/nginx/nginx_acme_srv_ssl.conf sudo cp examples/nginx/nginx_acme_srv.conf /etc/nginx/sites-available/acme_srv.conf + sudo cp examples/nginx/nginx_acme_srv_ssl.conf 
/etc/nginx/sites-available/acme_srv_ssl.conf sudo rm /etc/nginx/sites-enabled/default sudo ln -s /etc/nginx/sites-available/acme_srv.conf /etc/nginx/sites-enabled/acme_srv.conf + sudo ln -s /etc/nginx/sites-available/acme_srv_ssl.conf /etc/nginx/sites-enabled/acme_srv_ssl.conf + sudo mkdir -p /var/www/acme2certifier/volume/ + sudo cp .github/acme2certifier_cert.pem /var/www/acme2certifier/volume/ + sudo cp .github/acme2certifier_key.pem /var/www/acme2certifier/volume/ sudo chown -R www-data.www-data /var/www/acme2certifier/ sudo systemctl start nginx 
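Review bot: `acme2certifier_key.pem` is copied into `/var/www/acme2certifier/volume/` with whatever mode the checkout gave it (typically 0644) and the following `chown -R www-data.www-data /var/www/acme2certifier/` does not tighten it, so the TLS private key stays readable by every local user; add `sudo chmod 0600 /var/www/acme2certifier/volume/acme2certifier_key.pem` after the copy, and the same applies to the combined `acme2certifier.pem` the `deb_apache2` hunk (`@@ -247,40 +247,34`) copies. These are CI test keys, but the steps mirror the documented install, so the hygiene shown here is what users will reproduce. `www-data.www-data` is the deprecated dotted owner syntax; `www-data:www-data` is the portable spelling. The enclosing job continues past this hunk.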
@@ -414,18 +405,22 @@ jobs: run: | sudo sed -i "s/listen 80/listen 8080/g" /etc/nginx/sites-enabled/acme_srv.conf sudo sed -i "s/listen [::]:80/listen [::]:8080/g" /etc/nginx/sites-enabled/acme_srv.conf + sudo sed -i "s/listen 443/listen 1443/g" /etc/nginx/sites-enabled/acme_srv_ssl.conf + sudo sed -i "s/listen [::]:443/listen [::]:1443/g" /etc/nginx/sites-enabled/acme_srv_ssl.conf sudo sed -i "s/examples\/ca_handler/\/var\/www\/acme2certifier\/examples\/ca_handler/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg sudo sed -i "s/volume\/acme_ca/\/var\/www\/acme2certifier\/volume\/acme_ca/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg sudo systemctl restart nginx - - name: "Test http://acme-srv/directory is accessible" - run: curl -f http://127.0.0.1:8080/directory + - name: "Create Namespace" + run: docker network create acme - - name: "Enroll acme.sh" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --name=acme-sh neilpang/acme.sh:latest --issue --server http://${{ env.RUNNER_IP }}:8080 --accountemail 'acme-sh@example.com' -d acme-sh.acme --standalone --debug 3 --output-insecure - openssl verify -CAfile /var/www/acme2certifier/volume/acme_ca/root-ca-cert.pem -untrusted /var/www/acme2certifier/volume/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + - name: "Test enrollment" + uses: ./.github/actions/acme_clients + with: + ACME_SERVER: ${{ env.RUNNER_IP }} + HTTP_PORT: 8080 + HTTPS_PORT: 1443 - name: "[ * ] collecting test logs" if: ${{ failure() }} diff --git a/.github/workflows/proxy-test.yml b/.github/workflows/proxy-test.yml index e1dff9e0..140080d9 100644 --- a/.github/workflows/proxy-test.yml +++ b/.github/workflows/proxy-test.yml @@ -16,7 +16,7 @@ jobs: fail-fast: false max-parallel: 1 matrix: - websrv: ['apache2'] + websrv: ['apache2', 'nginx'] dbhandler: ['wsgi', 'django'] steps: 
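Review bot: `sudo sed -i "s/listen [::]:443/listen [::]:1443/g" /etc/nginx/sites-enabled/acme_srv_ssl.conf` cannot rewrite an IPv6 listen directive, because `[::]` in the search pattern is a bracket expression that matches a single `:` rather than the literal text `[::]`; the pre-existing `[::]:80` line above it has the same problem. If the ssl config contains `listen [::]:443`, nginx keeps that IPv6 listener on 443 and the later `HTTPS_PORT: 1443` only works over IPv4, which is easy to miss because the test still passes. Escaping the brackets in the pattern, `s/listen \[::\]:443/listen [::]:1443/g`, makes the substitution match (the brackets in the replacement are already literal). The step's `name:` line precedes the hunk.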
@@ -28,9 +28,14 @@ jobs: run: | echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV - - run: echo "runner IP is ${{ env.RUNNER_IP }}" + - name: "Build container" + uses: ./.github/actions/container_prep + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + - name: "Install dnsmasq" run: | sudo apt-get update @@ -56,10 +61,6 @@ jobs: env: WES_HOST: ${{ secrets.WES_HOST }} - - name: "create network" - run: | - docker network create acme - - name: "proxy container" run: | docker pull mosajjal/pproxy:latest 
@@ -70,52 +71,32 @@ jobs: with: time: 10s - - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})" - working-directory: examples/Docker/ + - name: "Setup openssl ca_handler" run: | - sudo apt-get install -y docker-compose - sudo mkdir -p data - sed -i "s/wsgi/$DB_HANDLER/g" .env - sed -i "s/apache2/$WEB_SRV/g" .env - cat .env - docker-compose up -d - docker-compose logs - env: - WEB_SRV: ${{ matrix.websrv }} - DB_HANDLER: ${{ matrix.dbhandler }} - - - name: "setup openssl ca_handler" - run: | - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py sudo mkdir -p examples/Docker/data/acme_ca/certs sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg examples/Docker/data/acme_srv.cfg sudo chmod 777 examples/Docker/data/acme_srv.cfg sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"acme-sh.acme\$\": \"socks5:\/\/proxy.acme:8080\", \"acme-sh.\$\": \"http\:\/\/proxy.acme:8080\"}/g" examples/Docker/data/acme_srv.cfg cd examples/Docker/ docker-compose restart - docker-compose logs - name: "Sleep for 10s" uses: juliangruber/sleep-action@v2.0.3 with: time: 10s - - name: "Test http://acme-srv/directory is accessible" + - name: "Openssl - Test http://acme-srv/directory is accessible" run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - name: "Test if https://acme-srv/directory is accessible" + - name: "Openssl - Test 
if https://acme-srv/directory is accessible" run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - name: "Prepare acme.sh container" run: | docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - name: "Enroll acme.sh - http challenge validation" + - name: "Openssl - Enroll acme.sh - http challenge validation" run: | docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure --force openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer @@ -127,7 +108,7 @@ jobs: docker stop proxy docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv & - - name: "Enroll acme.sh - alpn challenge validation" + - name: "Openssl - Enroll acme.sh - alpn challenge validation" run: | docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn -d acme-sh. --alpn --standalone --debug 3 --output-insecure --force openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer 
@@ -139,12 +120,13 @@ jobs: docker stop proxy docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv & - - name: "setup certifier ca_handler for proxy usage" + + - name: "Setup certifier ca_handler for proxy usage" run: | - sudo cp examples/ca_handler/certifier_ca_handler.py examples/Docker/data/ca_handler.py sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg sudo chmod 777 examples/Docker/data/acme_srv.cfg sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg sudo echo "api_host: ${{ secrets.NCM_API_HOST }}" >> examples/Docker/data/acme_srv.cfg sudo echo "api_user: ${{ secrets.NCM_API_USER }}" >> examples/Docker/data/acme_srv.cfg sudo echo "api_password: ${{ secrets.NCM_API_PASSWORD }}" >> examples/Docker/data/acme_srv.cfg 
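Review bot: `sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg` applies sudo only to echo; the `>>` redirection is opened by the unprivileged runner shell and succeeds only because the file was made mode 777 two lines earlier. The same construction is added in the EST hunk (`@@ -196,7 +171,8 @@`) and the msca hunk (`@@ -244,46 +229,13 @@`). Writing `echo "handler_file: examples/ca_handler/certifier_ca_handler.py" | sudo tee -a examples/Docker/data/acme_srv.cfg >/dev/null` removes the dependency on a world-writable config, which matters here because the following lines append `api_user`/`api_password` from secrets into that same file. The step's remaining lines (`docker-compose restart`) are in the next hunk.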
@@ -153,20 +135,19 @@ jobs: sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"ncm.nclm.eu\$\": \"socks5:\/\/proxy.acme:8080\"}/g" examples/Docker/data/acme_srv.cfg cd examples/Docker/ docker-compose restart - docker-compose logs - name: "Sleep for 5s" uses: juliangruber/sleep-action@v2.0.3 with: time: 5s - - name: "Enroll via certifier ca_handler" + - name: "Certifier - Enroll via certifier ca_handler" run: | docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - name: "[ REVOKE ] via certifier ca_handler" + - name: "Certifier - Revoke via certifier ca_handler" run: | docker exec -i acme-sh acme.sh --server http://acme-srv --revoke -d acme-sh.acme --standalone --debug 3 --output-insecure @@ -176,13 +157,7 @@ jobs: docker stop proxy docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv & - - name: "patch est_ca handler for testrfc7030.com" - run: | - sudo apt-get install curl openssl patch - sudo cp examples/ca_handler/est_ca_handler.py examples/Docker/data/ca_handler.py - # sudo patch examples/Docker/data/ca_handler.py .github/est_handler.patch - - - name: "setup using http-basic-auth for proxy usage" + - name: "Setup using http-basic-auth for proxy usage" run: | sudo mkdir -p examples/Docker/data/est sudo chmod -R 777 examples/Docker/data/est 
@@ -196,7 +171,8 @@ jobs: sudo openssl base64 -d -in /tmp/cert.p7 | openssl pkcs7 -inform DER -outform PEM -print_certs -out examples/Docker/data/est/est_client_cert.pem sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo head -n -4 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/est_ca_handler.py" >> examples/Docker/data/acme_srv.cfg sudo echo "est_host: https://testrfc7030.com:8443" >> examples/Docker/data/acme_srv.cfg sudo echo "est_user: estuser" >> examples/Docker/data/acme_srv.cfg sudo echo "est_password: estpwd" >> examples/Docker/data/acme_srv.cfg @@ -204,14 +180,13 @@ jobs: sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"testrfc7030.com\$\": \"socks5:\/\/proxy.acme:8080\"}/g" examples/Docker/data/acme_srv.cfg cd examples/Docker/ docker-compose restart - docker-compose logs - name: "Sleep for 5s" uses: juliangruber/sleep-action@v2.0.3 with: time: 5s - - name: "Enroll via EST using http-basic-auth" + - name: "EST - Enroll via EST using http-basic-auth" run: | docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force 
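Review bot: The change from `head -n -4` to `head -n -8` on `.github/openssl_ca_handler.py_acme_srv_default_handler.cfg` encodes how many trailing lines of that template belong to the handler section, and nothing in the workflow explains the number, so the next edit to the template silently breaks every step that strips it (the certifier and msca steps in this file use the same count). A comment above the head line such as `# drop the trailing handler section of the default cfg (currently its last 8 lines) before appending EST settings` at least makes the coupling visible; cutting at a marker line in the template instead of a line count would remove it. The step's `name:` line and its `env:` block are outside the hunk.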
@@ -221,19 +196,29 @@ jobs: docker stop proxy docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv & - #- name: "setup using tls-client-auth" + #- name: "setup nclm ca_handler for proxy usage" # run: | - # sudo head -n -4 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg - # sudo echo "est_host: https://testrfc7030.com:9443" >> examples/Docker/data/acme_srv.cfg - # sudo echo "est_client_key: volume/est/est_client_key.pem" >> examples/Docker/data/acme_srv.cfg - # sudo echo "est_client_cert: volume/est/est_client_cert.pem" >> examples/Docker/data/acme_srv.cfg - # sudo echo "ca_bundle: False" >> examples/Docker/data/acme_srv.cfg - # sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"testrfc7030.com\$\": \"http:\/\/proxy.acme:8080\"}/g" examples/Docker/data/acme_srv.cfg + # sudo cp examples/ca_handler/nclm_ca_handler.py examples/Docker/data/ca_handler.py + # sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + # sudo chmod 777 examples/Docker/data/acme_srv.cfg + # sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + # sudo echo "api_host: ${{ secrets.NCLM_API_HOST }}" >> examples/Docker/data/acme_srv.cfg + # sudo echo "api_user: ${{ secrets.NCLM_API_USER }}" >> examples/Docker/data/acme_srv.cfg + # sudo echo "api_password: ${{ secrets.NCLM_API_PASSWORD }}" >> examples/Docker/data/acme_srv.cfg + # sudo echo "tsg_name: ${{ secrets.NCLM_TSG_NAME }}" >> examples/Docker/data/acme_srv.cfg + # sudo echo "ca_name: ${{ secrets.NCLM_CA_NAME }}" >> examples/Docker/data/acme_srv.cfg + # sudo echo "ca_id_list: [${{ secrets.NCLM_CA_ID_LIST }}]" >> examples/Docker/data/acme_srv.cfg + # sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"nclm.eu\$\": \"http:\/\/proxy.acme:8080\"}/g" examples/Docker/data/acme_srv.cfg # cd examples/Docker/ # docker-compose restart # 
docker-compose logs - # - name: "Enroll via est using tls-client-auth" + #- name: "Sleep for 5s" + # uses: juliangruber/sleep-action@v2.0.3 + # with: + # time: 5s + + #- name: "Enroll via nclm ca_handler" # run: | # docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force # # openssl verify -CAfile acme.sh/acme-sh.acme/ca.cer acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer 
@@ -244,46 +229,13 @@ jobs: # docker stop proxy # docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv & - - name: "setup nclm ca_handler for proxy usage" - run: | - sudo cp examples/ca_handler/nclm_ca_handler.py examples/Docker/data/ca_handler.py - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg - sudo echo "api_host: ${{ secrets.NCLM_API_HOST }}" >> examples/Docker/data/acme_srv.cfg - sudo echo "api_user: ${{ secrets.NCLM_API_USER }}" >> examples/Docker/data/acme_srv.cfg - sudo echo "api_password: ${{ secrets.NCLM_API_PASSWORD }}" >> examples/Docker/data/acme_srv.cfg - sudo echo "tsg_name: ${{ secrets.NCLM_TSG_NAME }}" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_name: ${{ secrets.NCLM_CA_NAME }}" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_id_list: [${{ secrets.NCLM_CA_ID_LIST }}]" >> examples/Docker/data/acme_srv.cfg - sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"nclm.eu\$\": \"http:\/\/proxy.acme:8080\"}/g" examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - - - name: "Sleep for 5s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 5s - - - name: "Enroll via nclm ca_handler" + - name: "Setup msca ca_handler for proxy usage" run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - # openssl verify -CAfile acme.sh/acme-sh.acme/ca.cer acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "Check proxy logs" - run: | - docker logs proxy | grep http | grep -- "->" - docker stop proxy - docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv & - - - name: "setup msca 
ca_handler for proxy usage" - run: | - sudo cp examples/ca_handler/mscertsrv_ca_handler.py examples/Docker/data/ca_handler.py sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem sudo chmod 777 examples/Docker/data/acme_srv.cfg sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/mscertsrv_ca_handler.py" >> examples/Docker/data/acme_srv.cfg sudo echo "host: ${{ secrets.WES_HOST }}" >> examples/Docker/data/acme_srv.cfg sudo echo "user: ${{ secrets.WES_USER }}" >> examples/Docker/data/acme_srv.cfg sudo echo "password: ${{ secrets.WES_PASSWORD }}" >> examples/Docker/data/acme_srv.cfg @@ -293,9 +245,8 @@ jobs: sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"amazonaws.com\$\": \"socks5:\/\/proxy.acme:8080\"}/g" examples/Docker/data/acme_srv.cfg cd examples/Docker/ docker-compose restart - docker-compose logs - - name: "ssh environment on ramdisk" + - name: "Prepare ssh environment on ramdisk " run: | sudo mkdir -p /tmp/rd sudo mount -t tmpfs -o size=5M none /tmp/rd 
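Review bot: The renamed step `- name: "Prepare ssh environment on ramdisk "` carries a trailing space inside the quoted name, which is reproduced verbatim in the run summary and job log; `- name: "Prepare ssh environment on ramdisk"` is the intended form. The `run:` block of that step continues past the end of the hunk.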
@@ -306,20 +257,22 @@ jobs: SSH_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} - - name: "establish SSH connection" - run: sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -p $SSH_PORT -o UserKnownHostsFile=/tmp/rd/known_hosts -L 443:$WES_IP:443 -g ping -c 120 $WES_IP & + - name: "Setup ssh forwarder" + run: | + docker run -d --rm --network acme --name=$WCCE_FQDN_WOTLD -e "MAPPINGS=445:$WCCE_HOST:445; 443:$WCCE_HOST:443; 88:$WCCE_HOST:88" -e "SSH_HOST=$SSH_HOST" -e "SSH_PORT=$SSH_PORT" -e "SSH_USER=$SSH_USER" -p 443:443 -p 445:445 -p 88:88 -v "/tmp/rd/ak.tmp:/ssh_key:ro" davidlor/ssh-port-forward-client:dev env: - SSH_USER: ${{ secrets.CMP_SSH_USER }} - SSH_HOST: ${{ secrets.CMP_SSH_HOST }} - SSH_PORT: ${{ secrets.CMP_SSH_PORT }} - WES_IP: ${{ secrets.WES_IP }} + SSH_USER: ${{ secrets.WCCE_SSH_USER }} + SSH_HOST: ${{ secrets.WCCE_SSH_HOST }} + SSH_PORT: ${{ secrets.WCCE_SSH_PORT }} + WCCE_HOST: ${{ secrets.WCCE_HOST }} + WCCE_FQDN_WOTLD: ${{ secrets.WCCE_FQDN_WOTLD }} - - name: "Sleep for 5s" + - name: "Sleep for 10s" uses: juliangruber/sleep-action@v2.0.3 with: - time: 5s + time: 10s - - name: "Enroll via msca ca_handler" + - name: "MScertsrv - Enroll via msca ca_handler" run: | docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force # openssl verify -CAfile acme.sh/acme-sh.acme/ca.cer acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer @@ -330,10 +283,16 @@ jobs: docker stop proxy docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv & - - name: "[ stop ] proxy container" + - name: "Stop proxy container" run: | docker stop proxy + - name: "Check container configuration" + uses: ./.github/actions/container_check + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + - name: "[ * ] collecting test logs" if: ${{ failure() }} run: | 
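Review bot: The new `Setup ssh forwarder` step mounts the SSH private key into a third-party image pinned only by the floating tag `davidlor/ssh-port-forward-client:dev`, so whoever controls that tag controls a container holding the key and a route to `$WCCE_HOST`; pinning by digest (`davidlor/ssh-port-forward-client@sha256:<digest-placeholder>`) or a release tag fixes the image that was actually reviewed. The replaced `ssh` invocation passed `-o UserKnownHostsFile=/tmp/rd/known_hosts`, while the new `docker run` passes no known-hosts material even though `KNOWN_HOSTS` is still populated in the preceding context, so unless the image verifies host keys some other way the forwarder would accept any host answering on `$SSH_HOST:$SSH_PORT`. The `-p 443:443 -p 445:445 -p 88:88` flags additionally publish those forwards on every runner interface; if only containers on the `acme` network need them, the `-p` flags can be dropped. The ramdisk step that writes `/tmp/rd/ak.tmp` starts before this hunk.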
@@ -371,6 +330,13 @@ jobs: - run: echo "runner IP is ${{ env.RUNNER_IP }}" + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep + with: + GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} + GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} + - name: "Install dnsmasq" run: | sudo apt-get update @@ -396,42 +362,6 @@ jobs: env: WES_HOST: ${{ secrets.WES_HOST }} - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: update version number in spec file - run: | - # sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - cat examples/install_scripts/rpm/acme2certifier.spec - - - name: build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 - with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" - - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" - - - name: "setup environment for alma installation" - run: | - docker network create acme - sudo mkdir -p data - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - # sudo cp examples/install_scripts/rpm/*.rpm data - sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data - - - name: "Retrieve rpms from SBOM repo" - run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data - env: - GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} - GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} - - name: "proxy container" run: | docker pull mosajjal/pproxy:latest 
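Review bot: `GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}` now flows into `./.github/actions/rpm_prep` as a composite-action input, and the action body is not part of this diff; the step it replaces embedded the token in a `git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/...` URL, which exposes it in process listings and in the clone's remote configuration, so it is worth confirming the action does not reproduce that pattern (a header-based credential or a short-lived token is the usual alternative). The same inputs are wired in the tnauth-test hunk `@@ -105,42 +97,14 @@`. The job these steps belong to begins before the hunk.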
@@ -455,14 +385,7 @@ jobs: sudo chmod 777 data/acme_srv.cfg sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"acme-sh.acme\$\": \"socks5:\/\/${{ env.PROXY_IP }}:8080\", \"acme-sh.\$\": \"http\:\/\/${{ env.PROXY_IP }}:8080\"}/g" data/acme_srv.cfg - - name: "Almalinux instance" - run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - - name: "[ RUN ] Execute install scipt" + - name: "Execute install scipt" run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh 
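Review bot: The renamed step `- name: "Execute install scipt"` keeps the typo from the old name; `- name: "Execute install script"` is intended. The same misspelling is reintroduced in the tnauth-test hunk `@@ -148,31 +112,24 @@`, which also renames a step to `"Install curl and socat and test connction"` (connection), and the traffic-application-test hunk `@@ -71,7 +56,7 @@` keeps `"Setup and instanciate traefik"` (instantiate). Step names are what appears in the run summary, so fixing them while the rename is already being made is cheap.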
@@ -576,64 +499,39 @@ jobs: docker stop proxy docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv & - #- name: "setup using tls-client-auth" + #- name: "Prepare acme_srv.cfg with nclm_ca_handler" # run: | - # sudo head -n -4 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg - # sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/est_ca_handler.py" >> data/acme_srv.cfg - # sudo echo "est_host: https://testrfc7030.com:9443" >> data/acme_srv.cfg - # sudo echo "est_client_key: volume/acme_ca/est_client_key.pem" >> data/acme_srv.cfg - # sudo echo "est_client_cert: volume/acme_ca/est_client_cert.pem" >> data/acme_srv.cfg - # sudo echo "ca_bundle: False" >> data/acme_srv.cfg - # sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"testrfc7030.com\$\": \"socks5:\/\/proxy.acme:8080\"}/g" data/acme_srv.cfg - - #- name: "[ PREPARE ] reconfigure est ca-handler " + # mkdir -p data/acme_ca + # sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem + # sudo touch data/acme_srv.cfg + # sudo chmod 777 data/acme_srv.cfg + # sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg + # sudo echo "handler_file: examples/ca_handler/nclm_ca_handler.py" >> data/acme_srv.cfg + # sudo echo "api_host: $NCLM_API_HOST" >> data/acme_srv.cfg + # sudo echo "api_user: $NCLM_API_USER" >> data/acme_srv.cfg + # sudo echo "api_password: $NCLM_API_PASSWORD" >> data/acme_srv.cfg + # sudo echo "tsg_name: $NCLM_TSG_NAME" >> data/acme_srv.cfg + # sudo echo "ca_name: $NCLM_CA_NAME" >> data/acme_srv.cfg + # sudo echo "ca_id_list: [$NCLM_CA_ID_LIST]" >> data/acme_srv.cfg + # sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 30/g" data/acme_srv.cfg + # sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"nclm.eu\$\": \"http:\/\/proxy.acme:8080\"}/g" data/acme_srv.cfg + # env: + # NCLM_API_HOST: ${{ 
secrets.NCLM_API_HOST }} + # NCLM_API_USER: ${{ secrets.NCLM_API_USER }} + # NCLM_API_PASSWORD: ${{ secrets.NCLM_API_PASSWORD }} + # NCLM_TSG_NAME: ${{ secrets.NCLM_TSG_NAME }} + # NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }} + # NCLM_CA_ID_LIST: ${{ secrets.NCLM_CA_ID_LIST }} + + #- name: "[ PREPARE ] reconfigure a2c " # run: | # docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart - #- name: "Enroll via est using tls-client-auth" + #- name: "Enroll via nclm_ca_handler" # run: | - # docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - - #- name: "Check proxy logs" - # run: | - # docker logs proxy | grep socks5 | grep -- "->" - - - name: "setup using nclm_ca_handler" - run: | - - - name: "Prepare acme_srv.cfg with nclm_ca_handler" - run: | - mkdir -p data/acme_ca - sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem - sudo touch data/acme_srv.cfg - sudo chmod 777 data/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg - sudo echo "handler_file: examples/ca_handler/nclm_ca_handler.py" >> data/acme_srv.cfg - sudo echo "api_host: $NCLM_API_HOST" >> data/acme_srv.cfg - sudo echo "api_user: $NCLM_API_USER" >> data/acme_srv.cfg - sudo echo "api_password: $NCLM_API_PASSWORD" >> data/acme_srv.cfg - sudo echo "tsg_name: $NCLM_TSG_NAME" >> data/acme_srv.cfg - sudo echo "ca_name: $NCLM_CA_NAME" >> data/acme_srv.cfg - sudo echo "ca_id_list: [$NCLM_CA_ID_LIST]" >> data/acme_srv.cfg - sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout: 30/g" data/acme_srv.cfg - sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"nclm.eu\$\": \"http:\/\/proxy.acme:8080\"}/g" data/acme_srv.cfg - env: - NCLM_API_HOST: ${{ secrets.NCLM_API_HOST }} - NCLM_API_USER: ${{ secrets.NCLM_API_USER }} - NCLM_API_PASSWORD: ${{ 
secrets.NCLM_API_PASSWORD }} - NCLM_TSG_NAME: ${{ secrets.NCLM_TSG_NAME }} - NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }} - NCLM_CA_ID_LIST: ${{ secrets.NCLM_CA_ID_LIST }} - - - name: "[ PREPARE ] reconfigure a2c " - run: | - docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart - - - name: "Enroll via nclm_ca_handler" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force & - docker stop proxy - docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv & + # docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force & + # docker stop proxy + # docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv & #- name: "Check proxy logs" # run: | diff --git a/.github/workflows/python-test.yml b/.github/workflows/python-test.yml index dcedc089..985ac1f3 100644 --- a/.github/workflows/python-test.yml +++ b/.github/workflows/python-test.yml @@ -33,7 +33,7 @@ jobs: - name: Install dependencies run: | python -m pip install --upgrade pip - pip install pytest + pip install pytest impacket if [ -f requirements.txt ]; then pip install -r requirements.txt; fi - name: cp diff --git a/.github/workflows/tnauth-test.yml b/.github/workflows/tnauth-test.yml index 2efd55ae..af1c10cc 100644 --- a/.github/workflows/tnauth-test.yml +++ b/.github/workflows/tnauth-test.yml 
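Review bot: The nclm_ca_handler configuration and enrollment steps are turned into comments without any note saying why, so a reader cannot tell whether the handler is broken, the test target is unavailable, or the steps are meant to come back. A one-line comment above `#- name: "Prepare acme_srv.cfg with nclm_ca_handler"` such as `# nclm proxy test disabled — TODO: record the reason and the condition for re-enabling` would preserve that intent. The removed `- name: "setup using nclm_ca_handler"` step had an empty `run: |`, so dropping it is right. The enclosing job starts before the hunk.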
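Review bot: `pip install pytest impacket` adds an unpinned third-party package to the test environment, so every run resolves whatever impacket (and its transitive dependencies) is current on PyPI at that moment; pinning it (`pip install pytest impacket==<version-placeholder>`) or adding it to `requirements.txt`, which is installed on the next line, keeps the test environment reproducible. The hunk is a complete step; which test imports impacket is not visible here.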
@@ -22,31 +22,17 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})" - working-directory: examples/Docker/ - run: | - sudo apt-get install -y docker-compose - sudo mkdir -p data - sed -i "s/wsgi/$DB_HANDLER/g" .env - sed -i "s/apache2/$WEB_SRV/g" .env - cat .env - docker network create acme - docker-compose up -d - docker-compose logs - env: - WEB_SRV: ${{ matrix.websrv }} + - name: "Build container" + uses: ./.github/actions/container_prep + with: DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - name: "Setup openssl ca_handler" run: | - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py sudo mkdir -p examples/Docker/data/acme_ca/certs sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg examples/Docker/data/acme_srv.cfg sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: True/g" examples/Docker/data/acme_srv.cfg cd examples/Docker/ docker-compose restart 
@@ -78,6 +64,12 @@ jobs: cd /tmp/acme_sh /tmp/acme_sh/acme.sh --server http://127.0.0.1:22280 --accountemail grindsa@tnauth.acme --issue -d cert.acme.local --tnauth 123456 --spctoken 1234 --standalone --force --debug 2 + - name: "Check container configuration" + uses: ./.github/actions/container_check + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + - name: "[ * ] collecting test logs" if: ${{ failure() }} run: | 
@@ -105,42 +97,14 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: update version number in spec file - run: | - # sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - cat examples/install_scripts/rpm/acme2certifier.spec - - - name: build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" - - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" - - - name: "[ PREPARE ] setup environment for alma installation" - run: | - docker network create acme - sudo mkdir -p data - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data - - - name: "Retrieve rpms from SBOM repo" - run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data - env: GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} - - name: "[ PREPARE ] prepare acme_srv.cfg with openssl_ca_handler" + - name: "Prepare acme_srv.cfg with openssl_ca_handler" run: | mkdir -p data/acme_ca sudo mkdir -p examples/Docker/data/acme_ca/certs 
@@ -148,31 +112,24 @@ jobs: sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/acme_srv.cfg sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: True/g" data/acme_srv.cfg - - name: "[ PREPARE ] Almalinux instance" - run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network acme -p 22280:80 --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - - name: "[ RUN ] Execute install scipt" + - name: "Execute install scipt" run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh - name: "Test http://acme-srv/directory is accessible" run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - name: "[ CURL ] install curl and socat and test connction" + - name: "Install curl and socat and test connction" run: | sudo apt-get install -y curl socat curl -f http://localhost:22280 - - name: "[ ACME.SH ] install acme.sh" + - name: "Install acme.sh" run: | mkdir /tmp/acme_sh curl -kL https://github.com/grindsa/acme.sh/archive/tnauth_list_support.tar.gz | tar xz -C /tmp/acme_sh --strip-components=1 - - name: "[ ACME.SH ] enroll certificate using tnauth identifier" + - name: "Enroll certificate using tnauth identifier" run: | cd /tmp/acme_sh /tmp/acme_sh/acme.sh --server http://127.0.0.1:22280 --accountemail grindsa@tnauth.acme --issue -d cert.acme.local --tnauth 123456 --spctoken 1234 --standalone --force --debug 2 diff --git a/.github/workflows/traffic-application-test.yml b/.github/workflows/traffic-application-test.yml index 59e39d2c..81d9737a 100644 --- a/.github/workflows/traffic-application-test.yml +++ b/.github/workflows/traffic-application-test.yml 
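Review bot: The removed `[ PREPARE ] Almalinux instance` step was the line that published the server port (`docker run ... -p 22280:80 --name=acme-srv ...`), and the context steps `curl -f http://localhost:22280` and `--server http://127.0.0.1:22280` still depend on that mapping. Unless `./.github/actions/rpm_prep` (not in this diff) publishes 22280 itself, those steps fail against a container reachable only on the `acme` network; the proxy-test caller of the same action in this diff had no `-p` in its removed run line, so the mapping looks job-specific. A comment in the `Prepare Alma environment` step naming which input or default of rpm_prep provides the port mapping would make this explicit. The job's earlier steps are outside the hunk.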
@@ -31,34 +31,19 @@ jobs: - run: echo "runner IP is ${{ env.RUNNER_IP }}" - run: echo "runner hostname is ${{ env.RUNNER_HOSTNAME }}" - - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})" - working-directory: examples/Docker/ - run: | - sudo apt-get install -y docker-compose - sudo mkdir -p data - sed -i "s/wsgi/$DB_HANDLER/g" .env - sed -i "s/apache2/$WEB_SRV/g" .env - cat .env - docker network create acme - docker-compose up -d - docker-compose logs - env: - WEB_SRV: ${{ matrix.websrv }} + - name: "Build container" + uses: ./.github/actions/container_prep + with: DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - - name: "setup openssl ca_handler" + - name: "Setup openssl ca_handler" run: | - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo cp .github/django_settings.py examples/Docker/data/settings.py - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py sudo mkdir -p examples/Docker/data/acme_ca/certs sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg examples/Docker/data/acme_srv.cfg cd examples/Docker/ docker-compose restart - docker-compose logs - name: "Sleep for 10s" uses: juliangruber/sleep-action@v2.0.3 
@@ -71,7 +56,7 @@ jobs: - name: "Test if https://acme-srv/directory is accessible" run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - name: "setup and instanciate traefik" + - name: "Setup and instanciate traefik" run: | mkdir traefik sudo cp .github/traefik-matrix.yml traefik/docker-compose.yml @@ -85,7 +70,7 @@ jobs: with: time: 30s - - name: "check for certificate" + - name: "Check for certificate" working-directory: traefik run: | sudo cat letsencrypt/acme.json | jq -r '.a2c | .Certificates | . [] | .certificate ' | base64 -d | awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' diff --git a/.github/workflows/upgrade_tests.yml b/.github/workflows/upgrade_tests.yml index 3ee9cbb1..49b763c2 100644 --- a/.github/workflows/upgrade_tests.yml +++ b/.github/workflows/upgrade_tests.yml 
@@ -10,131 +10,29 @@ on: jobs: - wsgi_upgrade_apache2: - name: "wsgi_upgrade_apache2" + container_upgrade: + name: "container_upgrade" runs-on: ubuntu-latest - steps: - - name: "checkout GIT" - uses: actions/checkout@v4 - - - name: "Prepare environment" - working-directory: examples/Docker/ - run: | - docker network create acme + strategy: + fail-fast: false + matrix: + websrv: ['apache2', 'nginx'] + dbhandler: ['wsgi', 'django'] - - name: "Configure acme2certifier" - run: | - # sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo chmod 777 examples/Docker/data/acme_srv.cfg - echo "" >> examples/Docker/data/acme_srv.cfg - echo "handler_file: examples/ca_handler/openssl_ca_handler.py" >> examples/Docker/data/acme_srv.cfg - - - name: "Install a2c 0.19.3" - run: | - docker run -d -p 80:80 -p 443:443 --rm -id --network acme --name=acme-srv -v "$(pwd)/examples/Docker/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:0.19.3-apache2-wsgi - docker logs acme-srv - - - name: "Sleep for 5s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 5s - - - name: "Test if http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "Enroll acme.sh via https" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 
'acme-sh@example.com' --issue -d acme-sh.acme --standalone --insecure --debug 3 --output-insecure --force - - - name: "Enroll acme.sh via http" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - - - name: "Register certbot" - run: | - sudo mkdir -p "$(pwd)/examples/Docker/data/certbot" - docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "Enroll certbot HTTP-01 single domain" - run: | - docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem examples/Docker/data/certbot/live/certbot/cert.pem - - - name: "Upgrade to latest a2c build" - working-directory: examples/Docker/ - run: | - sudo apt-get install -y docker-compose - docker stop acme-srv - sudo chmod -R 777 data - # sed -i "s/wsgi/django/g" .env - docker-compose up -d - docker-compose logs - - - name: "Sleep for 5s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 5s - - - name: "Test if http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "Enroll acme.sh via https" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue 
--server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --insecure --debug 3 --output-insecure --force - - - name: "Enroll acme.sh via http" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - - - name: "Enroll certbot HTTP-01 single domain" - run: | - docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot --force-renewal - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem examples/Docker/data/certbot/live/certbot/cert.pem - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - docker logs acme2certifier_acme-srv_1 - docker exec mariadbsrv mysqldump -u root --password=foobar acme2certifier > /tmp/acme2certifer.sql - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp /tmp/acme2certifer.sql ${{ github.workspace }}/artifact/data/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v4 - if: ${{ failure() }} - with: - name: apache2-wsgi-upgrade.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - wsgi_upgrade_nginx: - name: "wsgi_upgrade_nginx" - runs-on: ubuntu-latest steps: - name: "checkout GIT" uses: actions/checkout@v4 - - name: "Prepare environment" - working-directory: examples/Docker/ - run: | - docker 
network create acme + - name: "Prepare container environment" + uses: ./.github/actions/container_prep + with: + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} + CONTAINER_BUILD: false + DJANGO_DB: mariadb - name: "Configure acme2certifier" run: | - # sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py sudo mkdir -p examples/Docker/data/acme_ca/certs sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg 
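Review bot: `CONTAINER_BUILD: false` under `with:` is a bare YAML boolean handed to a composite-action input; GitHub coerces it to the string `"false"`, but composite inputs are strings by definition, so `CONTAINER_BUILD: "false"` states the intent, matches the quoted style used for the other values, and avoids a yamllint `truthy` warning. Beyond that, the single matrix job now relies on `container_prep` (with `DJANGO_DB: mariadb`) to do everything the four deleted jobs did inline — create the `acme` network, start and configure mariadb, and drop `django_settings_mariadb.py` and the TLS PEMs into `examples/Docker/data` for the `django` cells — none of which is visible here; if any of that only existed in the deleted inline steps it is now silently gone, so it is worth checking the action covers each item. The "Configure acme2certifier" step continues past the end of the hunk.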
@@ -146,352 +44,54 @@ jobs: - name: "Install a2c 0.19.3" run: | - docker run -d -p 80:80 -p 443:443 --rm -id --network acme --name=acme-srv -v "$(pwd)/examples/Docker/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:0.19.3-nginx-wsgi + docker run -d -p 80:80 -p 443:443 --rm -id --network acme --name=acme-srv -v "$(pwd)/examples/Docker/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:0.19.3-apache2-wsgi docker logs acme-srv - - name: "Sleep for 5s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 5s - - - name: "Test if http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "Enroll acme.sh via https" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --insecure --debug 3 --output-insecure --force - - - name: "Enroll acme.sh via http" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - - - name: "Register certbot" - run: | - sudo mkdir -p "$(pwd)/examples/Docker/data/certbot" - docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "Enroll certbot HTTP-01 single domain" - run: | - docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone 
--preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem examples/Docker/data/certbot/live/certbot/cert.pem + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - - name: "Upgrade to latest a2c build" - working-directory: examples/Docker/ + - name: "Delete acme-sh, letsencypt and lego folders" run: | - sudo apt-get install -y docker-compose docker stop acme-srv - sudo chmod -R 777 data - sed -i "s/apache2/nginx/g" .env - docker-compose up -d - docker-compose logs - - - name: "Sleep for 5s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 5s - - - name: "Test if http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "Enroll acme.sh via https" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --insecure --debug 3 --output-insecure --force - - - name: "Enroll acme.sh via http" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - - - name: "Enroll certbot HTTP-01 single domain" - run: | - docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot --force-renewal - sudo openssl verify -CAfile 
examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem examples/Docker/data/certbot/live/certbot/cert.pem - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - docker logs acme2certifier_acme-srv_1 - docker exec mariadbsrv mysqldump -u root --password=foobar acme2certifier > /tmp/acme2certifer.sql - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp /tmp/acme2certifer.sql ${{ github.workspace }}/artifact/data/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v4 - if: ${{ failure() }} - with: - name: nginx-wsgi-upgrade.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - - django_upgrade_apache2: - name: "django_upgrade_apache2" - runs-on: ubuntu-latest - steps: - - name: "checkout GIT" - uses: actions/checkout@v4 - - - name: "Prepare environment" - working-directory: examples/Docker/ - run: | - docker network create acme - sudo mkdir -p data/mysql + sudo rm -rf lego/* + sudo rm -rf acme-sh/* + sudo rm -rf certbot/* - - name: "Install mariadb" - working-directory: examples/Docker/ - run: | - # docker run --name mariadbsrv --network acme -v $PWD/data/mysql:/var/lib/mysql -e MARIADB_ROOT_PASSWORD=foobar -d mariadb - docker run --name mariadbsrv --network acme -e MARIADB_ROOT_PASSWORD=foobar -d mariadb - - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Build container" + uses: ./.github/actions/container_build with: - time: 10s - - - name: "Configure mariadb" - working-directory: examples/Docker/ - run: | - docker exec mariadbsrv mariadb -u root --password=foobar -e"CREATE DATABASE acme2certifier CHARACTER SET UTF8;" - docker exec 
mariadbsrv mariadb -u root --password=foobar -e"GRANT ALL PRIVILEGES ON acme2certifier.* TO 'acme2certifier'@'%' IDENTIFIED BY '1mmSvDFl';" - docker exec mariadbsrv mariadb -u root --password=foobar -e"FLUSH PRIVILEGES;" + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - - name: "Configure acme2certifier" - run: | - # sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo cp .github/django_settings_mariadb.py examples/Docker/data/settings.py - sudo chmod 777 examples/Docker/data/settings.py - sudo sed -i "s/ 'acme_srv'/ 'acme'/g" examples/Docker/data/settings.py - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo chmod 777 examples/Docker/data/acme_srv.cfg - echo "" >> examples/Docker/data/acme_srv.cfg - echo "handler_file: examples/ca_handler/openssl_ca_handler.py" >> examples/Docker/data/acme_srv.cfg - - - name: "Install a2c 0.19.3" - run: | - docker run -d -p 80:80 -p 443:443 --rm -id --network acme --name=acme-srv -v "$(pwd)/examples/Docker/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:0.19.3-apache2-django - docker logs acme-srv - - - name: "Sleep for 5s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Spin-up a2c instance" + uses: ./.github/actions/container_up with: - time: 5s - - - name: "Test if http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - - name: "Enroll 
acme.sh via https" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --insecure --debug 3 --output-insecure --force - - - name: "Enroll acme.sh via http" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - - name: "Register certbot" - run: | - sudo mkdir -p "$(pwd)/examples/Docker/data/certbot" - docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "Enroll certbot HTTP-01 single domain" - run: | - docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem examples/Docker/data/certbot/live/certbot/cert.pem - - - name: "Upgrade to latest a2c build" - working-directory: examples/Docker/ - run: | - sudo apt-get install -y docker-compose - docker stop acme-srv - sudo chmod -R 777 data - sed -i "s/wsgi/django/g" .env - docker-compose up -d - docker-compose logs - - - name: "Sleep for 5s" - uses: juliangruber/sleep-action@v2.0.3 + - name: "Check container configuration" + uses: ./.github/actions/container_check with: - time: 5s - - - name: "Test if http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f 
http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "Enroll acme.sh via https" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --insecure --debug 3 --output-insecure --force - - - name: "Enroll acme.sh via http" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - - - name: "Enroll certbot HTTP-01 single domain" - run: | - docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot --force-renewal - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem examples/Docker/data/certbot/live/certbot/cert.pem + DB_HANDLER: ${{ matrix.dbhandler }} + WEB_SRV: ${{ matrix.websrv }} - name: "[ * ] collecting test logs" if: ${{ failure() }} run: | - docker logs acme2certifier_acme-srv_1 - docker exec mariadbsrv mysqldump -u root --password=foobar acme2certifier > /tmp/acme2certifer.sql mkdir -p ${{ github.workspace }}/artifact/upload sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp /tmp/acme2certifer.sql ${{ github.workspace }}/artifact/data/ cd examples/Docker docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data - - name: "[ * ] 
uploading artificates" - uses: actions/upload-artifact@v4 - if: ${{ failure() }} - with: - name: apache2-django-upgrade.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - django_upgrade_nginx: - name: "django_upgrade_nginx" - runs-on: ubuntu-latest - steps: - - name: "checkout GIT" - uses: actions/checkout@v4 - - - name: "Prepare environment" - working-directory: examples/Docker/ - run: | - docker network create acme - sudo mkdir -p data/mysql - - - name: "Install mariadb" - working-directory: examples/Docker/ - run: | - # docker run --name mariadbsrv --network acme -v $PWD/data/mysql:/var/lib/mysql -e MARIADB_ROOT_PASSWORD=foobar -d mariadb - docker run --name mariadbsrv --network acme -e MARIADB_ROOT_PASSWORD=foobar -d mariadb - - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "Configure mariadb" - working-directory: examples/Docker/ - run: | - docker exec mariadbsrv mariadb -u root --password=foobar -e"CREATE DATABASE acme2certifier CHARACTER SET UTF8;" - docker exec mariadbsrv mariadb -u root --password=foobar -e"GRANT ALL PRIVILEGES ON acme2certifier.* TO 'acme2certifier'@'%' IDENTIFIED BY '1mmSvDFl';" - docker exec mariadbsrv mariadb -u root --password=foobar -e"FLUSH PRIVILEGES;" - - - name: "Configure acme2certifier" - run: | - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo cp .github/django_settings_mariadb.py examples/Docker/data/settings.py - sudo chmod 777 examples/Docker/data/settings.py - sudo sed -i "s/ 'acme_srv'/ 'acme'/g" examples/Docker/data/settings.py - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo chmod 777 
examples/Docker/data/acme_srv.cfg - echo "" >> examples/Docker/data/acme_srv.cfg - echo "handler_file: examples/ca_handler/openssl_ca_handler.py" >> examples/Docker/data/acme_srv.cfg - - - name: "Install a2c 0.19.3" - run: | - docker run -d -p 80:80 -p 443:443 --rm -id --network acme --name=acme-srv -v "$(pwd)/examples/Docker/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:0.19.3-nginx-django - docker logs acme-srv - - - name: "Sleep for 5s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 5s - - - name: "Test if http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "Enroll acme.sh via https" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --insecure --debug 3 --output-insecure --force - - - name: "Enroll acme.sh via http" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - - - name: "Register certbot" - run: | - sudo mkdir -p "$(pwd)/examples/Docker/data/certbot" - docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "Enroll certbot HTTP-01 single domain" - run: | - docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d 
certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem examples/Docker/data/certbot/live/certbot/cert.pem - - - name: "Upgrade to latest a2c build" - working-directory: examples/Docker/ - run: | - sudo apt-get install -y docker-compose - docker stop acme-srv - sudo chmod -R 777 data - sed -i "s/wsgi/django/g" .env - sed -i "s/apache2/nginx/g" .env - docker-compose up -d - docker-compose logs - - - name: "Sleep for 5s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 5s - - - name: "Test if http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "Enroll acme.sh via https" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --insecure --debug 3 --output-insecure --force - - - name: "Enroll acme.sh via http" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - - - name: "Enroll certbot HTTP-01 single domain" - run: | - docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot --force-renewal - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem examples/Docker/data/certbot/live/certbot/cert.pem - 
- - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - docker logs acme2certifier_acme-srv_1 - docker exec mariadbsrv mysqldump -u root --password=foobar acme2certifier > /tmp/acme2certifer.sql - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp /tmp/acme2certifer.sql ${{ github.workspace }}/artifact/data/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data - name: "[ * ] uploading artificates" uses: actions/upload-artifact@v4 if: ${{ failure() }} with: - name: nginx-django-upgrade.tar.gz + name: apache2-wsgi-upgrade.tar.gz path: ${{ github.workspace }}/artifact/upload/ rpm_build: @@ -549,9 +149,6 @@ jobs: name: acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm path: /tmp/ - - name: List files - run: ls -la /tmp/ - - name: "Setup environment for alma installation" run: | docker network create acme 
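Review bot: The artifact name on the new side, `name: apache2-wsgi-upgrade.tar.gz`, is now shared by all four matrix cells of `container_upgrade`; `actions/upload-artifact@v4` rejects a second upload under an existing name, so if more than one cell fails only the first cell's logs are kept and the others error in the upload step. Use `name: ${{ matrix.websrv }}-${{ matrix.dbhandler }}-upgrade.tar.gz` instead. Separately, the "Delete acme-sh, letsencypt and lego folders" step wipes the client state (including the certbot account registered against 0.19.3) before the upgraded container is started, so the second `acme_clients` run is a fresh enrollment rather than a renewal against migrated data; the deleted jobs' `--force-renewal` of the pre-upgrade certbot certificate was the part that actually proved accounts and certificates survive the upgrade, and that check is now gone unless `acme_clients` performs it internally. Note also that every cell now starts from `grindsa/acme2certifier:0.19.3-apache2-wsgi` where the old jobs started from the matching nginx/django 0.19.3 images; if that is intended, a comment on the `docker run` line saying so would help.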
@@ -603,38 +200,15 @@ jobs: cat examples/Docker/almalinux-systemd/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache docker run -d -id --privileged --network acme -p 22280:80 --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - name: "[ RUN ] Execute install scipt" + - name: "Execute install scipt" run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh sudo docker cp data/nginx acme-srv:/etc sudo docker cp data/volume/ acme-srv:/opt/acme2certifier/ docker exec acme-srv chmod -R 777 /opt/acme2certifier/volume - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ CURL ] install curl and socat and test connction" - run: | - sudo apt-get install -y curl socat - curl -f http://localhost:22280 - - - name: "Enroll acme.sh via https" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --insecure --debug 3 --output-insecure --force - - - name: "Enroll acme.sh via http" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - - - name: "Register certbot" - run: | - sudo mkdir -p "$(pwd)/examples/Docker/data/certbot" - docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "Enroll certbot HTTP-01 single domain" - run: | - docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone 
--preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile data/volume/acme_ca/root-ca-cert.pem -untrusted data/volume/acme_ca/sub-ca-cert.pem examples/Docker/data/certbot/live/certbot/cert.pem + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - name: "Update acme2certifier" run: | @@ -664,18 +238,8 @@ jobs: run: | exit 1 - - name: "Enroll acme.sh via https" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --insecure --debug 3 --output-insecure --force - - - name: "Enroll acme.sh via http" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - - - name: "Enroll certbot HTTP-01 single domain" - run: | - docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot --force-renewal - sudo openssl verify -CAfile data/volume/acme_ca/root-ca-cert.pem -untrusted data/volume/acme_ca/sub-ca-cert.pem examples/Docker/data/certbot/live/certbot/cert.pem + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - name: "[ * ] collecting test logs" if: ${{ failure() }} @@ -724,9 +288,6 @@ jobs: name: acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm path: /tmp/ - - name: List files - run: ls -la /tmp/ - - name: "Setup environment for alma installation" run: | sudo mkdir acme-sh 
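Review bot: `uses: ./.github/actions/acme_clients` is called here with no `with:` block, yet the composite action appears to declare inputs without defaults (HOSTNAME_SUFFIX at least); GitHub Actions does not enforce `required: true` on composite-action inputs, so such inputs arrive as empty strings rather than failing the job. Either pass them explicitly (`with:` followed by `HOSTNAME_SUFFIX: <suffix>`) or give every input a default inside the action. The deleted inline steps also verified the issued certificate against `data/volume/acme_ca/root-ca-cert.pem` with `openssl verify`; whether the action's built-in verification uses that same test CA is not visible here and should be confirmed, otherwise a certificate chaining to a different CA would pass. The "Update acme2certifier" step continues past the hunk.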
@@ -748,23 +309,8 @@ jobs: sudo cp examples/nginx/nginx_acme_srv_ssl.conf data/nginx/conf.d sudo sed -i "s/\/var\/www\/acme2certifier\/volume/\/etc\/nginx/g" data/nginx/conf.d/nginx_acme_srv_ssl.conf - - name: "Install mariadb" - working-directory: examples/Docker/ - run: | - # docker run --name mariadbsrv --network acme -v $PWD/data/mysql:/var/lib/mysql -e MARIADB_ROOT_PASSWORD=foobar -d mariadb - docker run --name mariadbsrv --network acme -e MARIADB_ROOT_PASSWORD=foobar -d mariadb - - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "Configure mariadb" - working-directory: examples/Docker/ - run: | - docker exec mariadbsrv mariadb -u root --password=foobar -e"CREATE DATABASE acme2certifier CHARACTER SET UTF8;" - docker exec mariadbsrv mariadb -u root --password=foobar -e"GRANT ALL PRIVILEGES ON acme2certifier.* TO 'acme2certifier'@'%' IDENTIFIED BY '1mmSvDFl';" - docker exec mariadbsrv mariadb -u root --password=foobar -e"FLUSH PRIVILEGES;" + - name: "Instanciate mariadb" + uses: ./.github/actions/mariadb_prep - name: "Retrieve rpms from SBOM repo" run: | 
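Review bot: The new step title `"Instanciate mariadb"` has a typo; `- name: "Instantiate mariadb"`. The inline setup it replaces hard-wired the root password `foobar`, the database `acme2certifier` and the application credentials `acme2certifier`/`1mmSvDFl` that the Django settings copied elsewhere in this job must match; those values are now owned by `mariadb_prep`, which is not visible here, so confirm the action uses the same identifiers or exposes them for the later settings step. The surrounding job continues outside the hunk.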
@@ -799,38 +345,12 @@ jobs: cat examples/Docker/almalinux-systemd/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache docker run -d -id --privileged --network acme -p 22280:80 --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - name: "[ RUN ] Execute install scipt" + - name: "Execute install scipt" run: | docker exec acme-srv sh /tmp/acme2certifier/django_tester.sh - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "[ CURL ] install curl and socat and test connction" - run: | - sudo apt-get install -y curl socat - curl -f http://localhost:22280 - - - name: "Enroll acme.sh via https" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --insecure --debug 3 --output-insecure --force - - - name: "Enroll acme.sh via http" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - - - name: "Register certbot" - run: | - sudo mkdir -p "$(pwd)/examples/Docker/data/certbot" - docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "Enroll certbot HTTP-01 single domain" - run: | - docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone 
--preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile data/volume/acme_ca/root-ca-cert.pem -untrusted data/volume/acme_ca/sub-ca-cert.pem examples/Docker/data/certbot/live/certbot/cert.pem + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - name: "Update acme2certifier" run: | @@ -860,18 +380,8 @@ jobs: run: | exit 1 - - name: "Enroll acme.sh via https" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --insecure --debug 3 --output-insecure --force - - - name: "Enroll acme.sh via http" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - - - name: "Enroll certbot HTTP-01 single domain" - run: | - docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot --force-renewal - sudo openssl verify -CAfile data/volume/acme_ca/root-ca-cert.pem -untrusted data/volume/acme_ca/sub-ca-cert.pem examples/Docker/data/certbot/live/certbot/cert.pem + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - name: "[ * ] collecting test logs" if: ${{ failure() }} @@ -920,9 +430,6 @@ jobs: name: acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm path: /tmp/ - - name: List files - run: ls -la /tmp/ - - name: "Setup environment for alma installation" run: | sudo mkdir acme-sh 
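Review bot: The renamed step still carries a typo, `- name: "Execute install scipt"`; write `- name: "Execute install script"` (same in hunks `@@ -977` and `@@ -1182`). This hunk also drops the only host-side reachability check, `curl -f http://localhost:22280`, while the context line above keeps `-p 22280:80` on the `docker run`; the composite tests the server from inside the `acme` network, so a broken port publish would no longer be noticed — either keep that one-line check after the composite call or drop the now-unused `-p 22280:80`. The job definition starts outside the hunk.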
@@ -977,38 +484,12 @@ jobs: cat examples/Docker/almalinux-systemd/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache docker run -d -id --privileged --network acme -p 22280:80 --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - name: "[ RUN ] Execute install scipt" + - name: "Execute install scipt" run: | docker exec acme-srv sh /tmp/acme2certifier/django_tester.sh - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "[ CURL ] install curl and socat and test connction" - run: | - sudo apt-get install -y curl socat - curl -f http://localhost:22280 - - - name: "Enroll acme.sh via https" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --insecure --debug 3 --output-insecure --force - - - name: "Enroll acme.sh via http" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - - - name: "Register certbot" - run: | - sudo mkdir -p "$(pwd)/examples/Docker/data/certbot" - docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "Enroll certbot HTTP-01 single domain" - run: | - docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone 
--preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile data/volume/acme_ca/root-ca-cert.pem -untrusted data/volume/acme_ca/sub-ca-cert.pem examples/Docker/data/certbot/live/certbot/cert.pem + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - name: "Update acme2certifier" run: | @@ -1038,18 +519,8 @@ jobs: run: | exit 1 - - name: "Enroll acme.sh via https" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --insecure --debug 3 --output-insecure --force - - - name: "Enroll acme.sh via http" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - - - name: "Enroll certbot HTTP-01 single domain" - run: | - docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot --force-renewal - sudo openssl verify -CAfile data/volume/acme_ca/root-ca-cert.pem -untrusted data/volume/acme_ca/sub-ca-cert.pem examples/Docker/data/certbot/live/certbot/cert.pem + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - name: "[ * ] collecting test logs" if: ${{ failure() }} @@ -1098,9 +569,6 @@ jobs: name: acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm path: /tmp/ - - name: List files - run: ls -la /tmp/ - - name: "Setup environment for alma installation" run: | sudo mkdir acme-sh 
@@ -1122,32 +590,8 @@ jobs: sudo cp examples/nginx/nginx_acme_srv_ssl.conf data/nginx/conf.d sudo sed -i "s/\/var\/www\/acme2certifier\/volume/\/etc\/nginx/g" data/nginx/conf.d/nginx_acme_srv_ssl.conf - - name: "postgres environment" - run: | - sudo mkdir -p /tmp/data/pgsql - sudo cp .github/a2c.psql /tmp/data/pgsql/a2c.psql - sudo cp .github/pgpass /tmp//data/pgsql/pgpass - sudo chmod 600 /tmp/data/pgsql/pgpass - - - name: "Install postgres" - working-directory: /tmp - run: | - docker run --name postgresdbsrv --network acme -e POSTGRES_PASSWORD=foobar -d postgres - - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s - - - name: "Configure postgres" - working-directory: /tmp - run: | - docker run -v "$(pwd)/data/pgsql/a2c.psql":/tmp/a2c.psql -v "$(pwd)/data/pgsql/pgpass:/root/.pgpass" --rm --network acme postgres psql -U postgres -h postgresdbsrv -f /tmp/a2c.psql - - - name: "Sleep for 10s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 10s + - name: "Instanciate postgres" + uses: ./.github/actions/psql_prep - name: "Retrieve rpms from SBOM repo" run: | 
@@ -1182,39 +626,12 @@ jobs: cat examples/Docker/almalinux-systemd/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache docker run -d -id --privileged --network acme -p 22280:80 --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - name: "[ RUN ] Execute install scipt" + - name: "Execute install scipt" run: | docker exec acme-srv sh /tmp/acme2certifier/django_tester.sh - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - - name: "[ CURL ] install curl and socat and test connction" - run: | - sudo apt-get install -y curl socat - curl -f http://localhost:22280 - - - name: "Enroll acme.sh via https" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --insecure --debug 3 --output-insecure --force - - - name: "Enroll acme.sh via http" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - - - name: "Register certbot" - run: | - sudo mkdir -p "$(pwd)/examples/Docker/data/certbot" - docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "Enroll certbot HTTP-01 single domain" - run: | - docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone 
--preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile data/volume/acme_ca/root-ca-cert.pem -untrusted data/volume/acme_ca/sub-ca-cert.pem examples/Docker/data/certbot/live/certbot/cert.pem + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - name: "Update acme2certifier" run: | @@ -1244,18 +661,8 @@ jobs: run: | exit 1 - - name: "Enroll acme.sh via https" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --insecure --debug 3 --output-insecure --force - - - name: "Enroll acme.sh via http" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - - - name: "Enroll certbot HTTP-01 single domain" - run: | - docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot --force-renewal - sudo openssl verify -CAfile data/volume/acme_ca/root-ca-cert.pem -untrusted data/volume/acme_ca/sub-ca-cert.pem examples/Docker/data/certbot/live/certbot/cert.pem + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - name: "[ * ] collecting test logs" if: ${{ failure() }} 
@@ -1284,32 +691,8 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: "Prepare environment to build deb package" - run: | - sudo apt-get update && sudo apt-get -y upgrade - sudo apt-get -y install build-essential fakeroot dpkg-dev devscripts debhelper - rm setup.py - cp -R examples/install_scripts/debian ./ - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" debian/changelog - cd ../ - tar cvfz ../acme2certifier_${{ env.TAG_NAME }}.orig.tar.gz ./ - - - name: "Build debian package" - run: | - dpkg-buildpackage -uc -us - mkdir -p ${{ github.workspace }}/artifact/upload - cp ../acme2certifier_${{ env.TAG_NAME }}-1_all.deb ${{ github.workspace }}/artifact/upload - - - name: "Upload debian package" - uses: actions/upload-artifact@master - with: - name: acme2certifier_${{ env.TAG_NAME }}-1_all.deb - path: ${{ github.workspace }}/artifact/upload + - name: "deb build and upload" + uses: ./.github/actions/deb_build_upload deb_upgrade_wsgi: name: "deb_upgrade_wsgi" @@ -1337,8 +720,9 @@ jobs: - name: Download debian package uses: actions/download-artifact@v4 + continue-on-error: true with: - name: acme2certifier_${{ env.TAG_NAME }}-1_all.deb + name: acme2certifier_${{ env.TAG_NAME }}-${{ github.run_id }}-1_all.deb path: data/ - name: List files @@ -1355,8 +739,6 @@ jobs: - name: "Install a2c" run: | - - docker ps -a docker exec acme-srv apt-get update docker exec acme-srv apt-get -y upgrade docker exec acme-srv apt-get install -y apache2 apache2-data libapache2-mod-wsgi-py3 
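Review bot: The `deb build and upload` composite replaces the steps that set `TAG_NAME` in this job and uploaded the package as `acme2certifier_${{ env.TAG_NAME }}-1_all.deb`; the consuming jobs in this diff now download `acme2certifier_${{ env.TAG_NAME }}-${{ github.run_id }}-1_all.deb`, so the artifact name produced by `./.github/actions/deb_build_upload` has to match that pattern exactly, which this hunk cannot show. The removed upload used `actions/upload-artifact@master`; the composite should pin a tagged version, as the download side already does with `actions/download-artifact@v4`. A comment above the step such as `# publishes acme2certifier_<TAG_NAME>-<run_id>-1_all.deb, consumed by the deb_upgrade_* jobs` would document the contract. The job definition starts outside the hunk.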
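Review bot: `continue-on-error: true` on the `Download debian package` step hides a missing or misnamed artifact; the job then runs on until `apt-get install ... /tmp/acme2certifier/acme2certifier_${{ env.TAG_NAME }}-${{ github.run_id }}-1_all.deb` fails on a file that does not exist, which is harder to diagnose than the download error itself. If tolerating the download's exit status is intended, add an explicit existence check right after it, e.g. `run: test -f data/acme2certifier_${{ env.TAG_NAME }}-${{ github.run_id }}-1_all.deb`; otherwise remove the `continue-on-error`. The same change is made in hunks `@@ -1500`, `@@ -1683` and `@@ -1878`.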
@@ -1365,10 +747,15 @@ jobs: - name: "Configure a2c" run: | + sudo cp .github/acme2certifier.pem data/volume/acme2certifier.pem docker exec acme-srv cp /var/www/acme2certifier/examples/apache2/apache_wsgi.conf /etc/apache2/sites-available/acme2certifier.conf - docker exec acme-srv a2ensite acme2certifier + docker exec acme-srv cp /var/www/acme2certifier/examples/apache2/apache_wsgi_ssl.conf /etc/apache2/sites-available/acme2certifier_ssl.conf + docker exec acme-srv a2enmod ssl + docker exec acme-srv a2ensite acme2certifier + docker exec acme-srv a2ensite acme2certifier_ssl docker exec acme-srv rm /etc/apache2/sites-enabled/000-default.conf docker exec acme-srv mkdir -p /var/www/acme2certifier/volume/ + docker exec acme-srv cp /tmp/acme2certifier/volume/acme2certifier.pem /var/www/acme2certifier/volume/ docker exec acme-srv systemctl start apache2 - name: "Setup xca-handler" 
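Review bot: `sudo cp .github/acme2certifier.pem data/volume/acme2certifier.pem` and the later `docker exec acme-srv cp /tmp/acme2certifier/volume/acme2certifier.pem /var/www/acme2certifier/volume/` put the TLS material for the new `acme2certifier_ssl` site into the application volume without setting ownership or mode; if that PEM bundles the server private key (presumably, as it is the only file the SSL site is given), restrict it after the copy with `docker exec acme-srv chmod 600 /var/www/acme2certifier/volume/acme2certifier.pem`. Since the file lives under `.github/` in the repository, a comment should also state what it is, e.g. `# .github/acme2certifier.pem: throw-away test cert/key for the CI TLS vhost`. This `Configure a2c` block is duplicated in hunks `@@ -1528`, `@@ -1711` and `@@ -1906` with only the conf file names differing, and would fit the composite-action pattern used elsewhere in this diff. The step's `run: |` block starts outside the hunk.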
@@ -1388,40 +775,19 @@ jobs: docker exec acme-srv cp /tmp/acme2certifier/volume/$XCA_DB_NAME /var/www/acme2certifier/volume/ docker exec acme-srv chown -R www-data.www-data /var/www/acme2certifier/volume docker exec acme-srv systemctl restart apache2 + docker exec acme-srv systemctl status apache2 env: XCA_PASSPHRASE: ${{ secrets.XCA_PASSPHRASE }} XCA_ISSUING_CA: ${{ secrets.XCA_ISSUING_CA }} XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} - - name: "Sleep for 5s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 5s - - - name: "Test http://acme-srv/directory is accessible " - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Enroll acme.sh via http" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "Register certbot" - run: | - docker run -i --rm --name certbot --network acme -v "$(pwd)/certbot":/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "Enroll certbot HTTP-01 single domain" - run: | - docker run -i --rm --name certbot --network acme -v "$(pwd)/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - name: "Upgrade a2c" run: | - # docker exec acme-srv apt-get install -y /tmp/acme2certifier/acme2certifier_${{ env.TAG_NAME 
}}-1_all.deb - # docker exec acme-srv apt-get install -y -o Dpkg::Options::="--force-confask,confnew,confmiss" /tmp/acme2certifier/acme2certifier_${{ env.TAG_NAME }}-1_all.deb - docker exec acme-srv apt-get install -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' /tmp/acme2certifier/acme2certifier_${{ env.TAG_NAME }}-1_all.deb + docker exec acme-srv apt-get install -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' /tmp/acme2certifier/acme2certifier_${{ env.TAG_NAME }}-${{ github.run_id }}-1_all.deb docker exec -w /var/www/acme2certifier acme-srv python3 tools/db_update.py docker exec acme-srv systemctl restart apache2 @@ -1446,15 +812,8 @@ jobs: run: | exit 1 - - name: "Enroll acme.sh via http" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "Enroll certbot HTTP-01 single domain" - run: | - docker run -i --rm --name certbot --network acme -v "$(pwd)/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot --force-renewal - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - name: "[ * ] collecting test logs" if: ${{ failure() }} @@ -1500,8 +859,9 @@ jobs: - name: Download debian package uses: actions/download-artifact@v4 + continue-on-error: true with: - name: acme2certifier_${{ env.TAG_NAME }}-1_all.deb + name: acme2certifier_${{ env.TAG_NAME }}-${{ github.run_id }}-1_all.deb path: data/ - name: List files 
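Review bot: The added `docker exec acme-srv systemctl status apache2` works as an implicit liveness check, because `systemctl status` exits non-zero when the unit is not active and the `run: |` block then fails the step; a comment should say so, e.g. `# status exits non-zero if apache2 is not running, failing the step`, otherwise a later cleanup may drop it as a log-only line. The `Upgrade a2c` step in the same hunk now installs `acme2certifier_${{ env.TAG_NAME }}-${{ github.run_id }}-1_all.deb`, which matches the renamed download artifact. Both steps start outside the hunk.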
@@ -1518,8 +878,6 @@ jobs: - name: "Install a2c" run: | - - docker ps -a docker exec acme-srv apt-get update docker exec acme-srv apt-get -y upgrade docker exec acme-srv apt-get install -y apache2 apache2-data libapache2-mod-wsgi-py3 @@ -1528,10 +886,15 @@ jobs: - name: "Configure a2c" run: | - docker exec acme-srv cp /var/www/acme2certifier/examples/apache2/apache_wsgi.conf /etc/apache2/sites-available/acme2certifier.conf - docker exec acme-srv a2ensite acme2certifier + sudo cp .github/acme2certifier.pem data/volume/acme2certifier.pem + docker exec acme-srv cp /var/www/acme2certifier/examples/apache2/apache_django.conf /etc/apache2/sites-available/acme2certifier.conf + docker exec acme-srv cp /var/www/acme2certifier/examples/apache2/apache_django_ssl.conf /etc/apache2/sites-available/acme2certifier_ssl.conf + docker exec acme-srv a2enmod ssl + docker exec acme-srv a2ensite acme2certifier + docker exec acme-srv a2ensite acme2certifier_ssl docker exec acme-srv rm /etc/apache2/sites-enabled/000-default.conf docker exec acme-srv mkdir -p /var/www/acme2certifier/volume/ + docker exec acme-srv cp /tmp/acme2certifier/volume/acme2certifier.pem /var/www/acme2certifier/volume/ docker exec acme-srv systemctl start apache2 - name: "Setup xca-handler" 
@@ -1566,27 +929,12 @@ jobs: with: time: 5s - - name: "Test http://acme-srv/directory is accessible " - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Enroll acme.sh via http" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "Register certbot" - run: | - docker run -i --rm --name certbot --network acme -v "$(pwd)/certbot":/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "Enroll certbot HTTP-01 single domain" - run: | - docker run -i --rm --name certbot --network acme -v "$(pwd)/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - name: "Upgrade a2c" run: | - docker exec acme-srv apt-get install -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' /tmp/acme2certifier/acme2certifier_${{ env.TAG_NAME }}-1_all.deb + docker exec acme-srv apt-get install -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' /tmp/acme2certifier/acme2certifier_${{ env.TAG_NAME }}-${{ github.run_id }}-1_all.deb docker exec -w /var/www/acme2certifier acme-srv python3 tools/django_update.py docker exec acme-srv systemctl restart apache2 
@@ -1611,15 +959,8 @@ jobs: run: | exit 1 - - name: "Enroll acme.sh via http" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "Enroll certbot HTTP-01 single domain" - run: | - docker run -i --rm --name certbot --network acme -v "$(pwd)/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot --force-renewal - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - name: "[ * ] collecting test logs" if: ${{ failure() }} @@ -1683,8 +1024,9 @@ jobs: - name: Download debian package uses: actions/download-artifact@v4 + continue-on-error: true with: - name: acme2certifier_${{ env.TAG_NAME }}-1_all.deb + name: acme2certifier_${{ env.TAG_NAME }}-${{ github.run_id }}-1_all.deb path: data/ - name: List files @@ -1701,8 +1043,6 @@ jobs: - name: "Install a2c" run: | - - docker ps -a docker exec acme-srv apt-get update docker exec acme-srv apt-get -y upgrade docker exec acme-srv apt-get install -y apache2 apache2-data libapache2-mod-wsgi-py3 
@@ -1711,10 +1051,15 @@ jobs: - name: "Configure a2c" run: | - docker exec acme-srv cp /var/www/acme2certifier/examples/apache2/apache_wsgi.conf /etc/apache2/sites-available/acme2certifier.conf - docker exec acme-srv a2ensite acme2certifier + sudo cp .github/acme2certifier.pem data/volume/acme2certifier.pem + docker exec acme-srv cp /var/www/acme2certifier/examples/apache2/apache_django.conf /etc/apache2/sites-available/acme2certifier.conf + docker exec acme-srv cp /var/www/acme2certifier/examples/apache2/apache_django_ssl.conf /etc/apache2/sites-available/acme2certifier_ssl.conf + docker exec acme-srv a2enmod ssl + docker exec acme-srv a2ensite acme2certifier + docker exec acme-srv a2ensite acme2certifier_ssl docker exec acme-srv rm /etc/apache2/sites-enabled/000-default.conf docker exec acme-srv mkdir -p /var/www/acme2certifier/volume/ + docker exec acme-srv cp /tmp/acme2certifier/volume/acme2certifier.pem /var/www/acme2certifier/volume/ docker exec acme-srv systemctl start apache2 - name: "Setup xca-handler" 
@@ -1745,32 +1090,12 @@ jobs: XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} - - name: "Sleep for 5s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 5s - - - name: "Test http://acme-srv/directory is accessible " - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Enroll acme.sh via http" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "Register certbot" - run: | - docker run -i --rm --name certbot --network acme -v "$(pwd)/certbot":/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "Enroll certbot HTTP-01 single domain" - run: | - docker run -i --rm --name certbot --network acme -v "$(pwd)/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - name: "Upgrade a2c" run: | - docker exec acme-srv apt-get install -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' /tmp/acme2certifier/acme2certifier_${{ env.TAG_NAME }}-1_all.deb + docker exec acme-srv apt-get install -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' /tmp/acme2certifier/acme2certifier_${{ env.TAG_NAME }}-${{ github.run_id }}-1_all.deb docker exec -w /var/www/acme2certifier acme-srv python3 tools/django_update.py 
docker exec acme-srv systemctl restart apache2 @@ -1795,15 +1120,8 @@ jobs: run: | exit 1 - - name: "Enroll acme.sh via http" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "Enroll certbot HTTP-01 single domain" - run: | - docker run -i --rm --name certbot --network acme -v "$(pwd)/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot --force-renewal - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - name: "[ * ] collecting test logs" if: ${{ failure() }} @@ -1878,8 +1196,9 @@ jobs: - name: Download debian package uses: actions/download-artifact@v4 + continue-on-error: true with: - name: acme2certifier_${{ env.TAG_NAME }}-1_all.deb + name: acme2certifier_${{ env.TAG_NAME }}-${{ github.run_id }}-1_all.deb path: data/ - name: List files @@ -1896,8 +1215,6 @@ jobs: - name: "Install a2c" run: | - - docker ps -a docker exec acme-srv apt-get update docker exec acme-srv apt-get -y upgrade docker exec acme-srv apt-get install -y apache2 apache2-data libapache2-mod-wsgi-py3 
@@ -1906,10 +1223,15 @@ jobs: - name: "Configure a2c" run: | - docker exec acme-srv cp /var/www/acme2certifier/examples/apache2/apache_wsgi.conf /etc/apache2/sites-available/acme2certifier.conf - docker exec acme-srv a2ensite acme2certifier + sudo cp .github/acme2certifier.pem data/volume/acme2certifier.pem + docker exec acme-srv cp /var/www/acme2certifier/examples/apache2/apache_django.conf /etc/apache2/sites-available/acme2certifier.conf + docker exec acme-srv cp /var/www/acme2certifier/examples/apache2/apache_django_ssl.conf /etc/apache2/sites-available/acme2certifier_ssl.conf + docker exec acme-srv a2enmod ssl + docker exec acme-srv a2ensite acme2certifier + docker exec acme-srv a2ensite acme2certifier_ssl docker exec acme-srv rm /etc/apache2/sites-enabled/000-default.conf docker exec acme-srv mkdir -p /var/www/acme2certifier/volume/ + docker exec acme-srv cp /tmp/acme2certifier/volume/acme2certifier.pem /var/www/acme2certifier/volume/ docker exec acme-srv systemctl start apache2 - name: "Setup xca-handler" 
@@ -1940,32 +1262,12 @@ jobs: XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} - - name: "Sleep for 5s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 5s - - - name: "Test http://acme-srv/directory is accessible " - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Enroll acme.sh via http" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "Register certbot" - run: | - docker run -i --rm --name certbot --network acme -v "$(pwd)/certbot":/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "Enroll certbot HTTP-01 single domain" - run: | - docker run -i --rm --name certbot --network acme -v "$(pwd)/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - name: "Upgrade a2c" run: | - docker exec acme-srv apt-get install -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' /tmp/acme2certifier/acme2certifier_${{ env.TAG_NAME }}-1_all.deb + docker exec acme-srv apt-get install -y -o Dpkg::Options::='--force-confdef' -o Dpkg::Options::='--force-confold' /tmp/acme2certifier/acme2certifier_${{ env.TAG_NAME }}-${{ github.run_id }}-1_all.deb docker exec -w /var/www/acme2certifier acme-srv python3 tools/django_update.py 
docker exec acme-srv systemctl restart apache2 @@ -1990,15 +1292,8 @@ jobs: run: | exit 1 - - name: "Enroll acme.sh via http" - run: | - docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "Enroll certbot HTTP-01 single domain" - run: | - docker run -i --rm --name certbot --network acme -v "$(pwd)/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot --force-renewal - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - name: "[ * ] collecting test logs" if: ${{ failure() }} diff --git a/.github/workflows/wsgi_handler-test.yml b/.github/workflows/wsgi_handler-test.yml index 30dcb06b..e1ba8bbd 100644 --- a/.github/workflows/wsgi_handler-test.yml +++ b/.github/workflows/wsgi_handler-test.yml 
@@ -12,127 +12,42 @@ jobs: a2_cust_db_file: name: "a2_cust_db_file" runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + websrv: ['apache2', 'nginx'] steps: - name: "checkout GIT" uses: actions/checkout@v4 - - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" - working-directory: examples/Docker/ - run: | - sudo apt-get install -y docker-compose - sudo mkdir -p data - docker network create acme - sudo cp ../../.github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/acme_srv.cfg - sudo chmod 777 data/acme_srv.cfg - sudo echo "" >> data/acme_srv.cfg - sudo echo "[DBhandler]" >> data/acme_srv.cfg - sudo echo "dbfile: volume/a2c.db" >> data/acme_srv.cfg - sudo echo "[Directory]" >> data/acme_srv.cfg - sudo echo "url_prefix: /foo" >> data/acme_srv.cfg - docker-compose up -d - docker-compose logs - - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] setup openssl ca_handler" - run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - cd examples/Docker/ - docker-compose restart - docker-compose logs - - - name: "Test http://acme-srv/directory is accessible again" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ ENROLL ] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted 
examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "[ ENROLL ] lego" - run: | - mkdir lego - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v4 - if: ${{ failure() }} + - name: "Build container" + uses: ./.github/actions/container_prep with: - name: a2_custdb.tar.gz - path: ${{ github.workspace }}/artifact/upload/ + DB_HANDLER: wsgi + WEB_SRV: ${{ matrix.websrv }} - nginx_cust_db_file: - name: "nginx_cust__db_file" - runs-on: ubuntu-latest - steps: - - name: "checkout GIT" - uses: actions/checkout@v4 - - - name: "[ PREPARE ] Build docker-compose (nginx_wsgi)" - working-directory: examples/Docker/ + - name: "Setup openssl ca_handler" run: | - sudo apt-get install -y docker-compose - sed -i "s/apache2/nginx/g" .env - sudo mkdir -p data - docker network create acme - sudo cp ../../.github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/acme_srv.cfg - sudo chmod 777 data/acme_srv.cfg - sudo echo "" >> data/acme_srv.cfg - sudo echo "[DBhandler]" >> data/acme_srv.cfg - sudo echo "dbfile: volume/a2c.db" >> data/acme_srv.cfg - sudo echo "[Directory]" >> data/acme_srv.cfg - sudo echo "url_prefix: /foo" >> data/acme_srv.cfg - docker-compose up -d - docker-compose 
logs - sleep 5 - - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] setup openssl ca_handler" - run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py sudo mkdir -p examples/Docker/data/acme_ca/certs sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ + sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg examples/Docker/data/acme_srv.cfg + sudo chmod 777 examples/Docker/data/acme_srv.cfg + sudo echo "" >> examples/Docker/data/acme_srv.cfg + sudo echo "[DBhandler]" >> examples/Docker/data/acme_srv.cfg + sudo echo "dbfile: volume/a2c.db" >> examples/Docker/data/acme_srv.cfg + sudo echo "[Directory]" >> examples/Docker/data/acme_srv.cfg + sudo echo "url_prefix: /foo" >> examples/Docker/data/acme_srv.cfg cd examples/Docker/ docker-compose restart - docker-compose logs - sleep 5 - - - name: "Test http://acme-srv/directory is accessible again" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - name: "[ PREPARE ] prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ ENROLL ] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - - name: "[ ENROLL ] lego" - run: | - mkdir lego - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme 
--http run - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt + - name: "Check container configuration" + uses: ./.github/actions/container_check + with: + DB_HANDLER: wsgi + WEB_SRV: ${{ matrix.websrv }} - name: "[ * ] collecting test logs" if: ${{ failure() }} @@ -147,7 +62,7 @@ jobs: uses: actions/upload-artifact@v4 if: ${{ failure() }} with: - name: nginx_cust_db.tar.gz + name: a2_custdb.${{ matrix.websrv }}.tar.gz path: ${{ github.workspace }}/artifact/upload/ rpm_cust_db_file: 
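Review bot: In the rewritten `Setup openssl ca_handler` step, `sudo chmod 777 examples/Docker/data/acme_srv.cfg` makes the server configuration world-writable only so that the following `sudo echo "..." >> examples/Docker/data/acme_srv.cfg` lines can append, because `sudo` applies to `echo` and not to the shell redirection. A file that selects the ca_handler and the database path should not need mode 777 even as a test fixture; `echo "[DBhandler]" | sudo tee -a examples/Docker/data/acme_srv.cfg` appends as root and lets the file keep a 644 mode (the same pattern recurs in the rpm job's context lines). The step now copies `.github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg` where the removed steps copied the `_default_handler.cfg` variant; a one-line comment above the `cp` saying why the "chosen handler" config is required for the matrix build would help the next reader. The job's log-collection steps continue past this hunk.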
@@ -161,47 +76,14 @@ jobs: - name: "checkout GIT" uses: actions/checkout@v4 - - name: Retrieve Version from version.py - run: | - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: update version number in spec file - run: | - # sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec - sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec - cat examples/install_scripts/rpm/acme2certifier.spec - - - name: build RPM package - id: rpm - uses: grindsa/rpmbuild@alma9 + - name: "Prepare Alma environment" + uses: ./.github/actions/rpm_prep with: - spec_file: "examples/install_scripts/rpm/acme2certifier.spec" - - - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" - - - name: "[ PREPARE ] setup environment for alma installation" - run: | - docker network create acme - sudo mkdir -p data - sudo chmod -R 777 data - sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data - sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data - - - name: "[ PREPARE ] create letsencrypt and lego folder" - run: | - mkdir certbot - mkdir lego - - - name: "Retrieve rpms from SBOM repo" - run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data - env: GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + RH_VERSION: ${{ matrix.rhversion }} - - name: "[ PREPARE ] prepare acme_srv.cfg with openssl_ca_handler" + - name: "Prepare acme_srv.cfg with openssl_ca_handler" run: | sudo mkdir -p data/acme_ca/certs/ sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/ 
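Review bot: `GH_SBOM_USER` and `GH_SBOM_TOKEN` are now handed to `./.github/actions/rpm_prep` as `with:` inputs instead of as step `env:`; the removed step embedded them in the clone URL (`https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/...`), which can leave the token in git's error output and in the cloned repository's remote URL. If the action keeps that URL form (its body is outside this diff), I would have it read the values from `env:` and authenticate via `git -c http.extraheader="AUTHORIZATION: basic <base64 of user:token>" clone https://github.com/...` or a `GIT_ASKPASS` helper, so the credential never becomes part of a URL. Whether `rpm_prep` also reproduces the removed `Retrieve Version from version.py` step and the spec-file substitution is not visible here; the remaining steps of this job assume it does. The rpm job continues below this hunk.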
@@ -212,38 +94,12 @@ jobs: sudo echo "[Directory]" >> data/acme_srv.cfg sudo echo "url_prefix: /foo" >> data/acme_srv.cfg - - name: "[ PREPARE ] Almalinux instance" - run: | - sudo cp examples/Docker/almalinux-systemd/Dockerfile data - sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile - cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd - - - name: "[ RUN ] Execute install scipt" + - name: "Execute install scipt" run: | docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh - - name: "Sleep for 5s" - uses: juliangruber/sleep-action@v2.0.3 - with: - time: 5s - - - name: "Test http://acme-srv/directory is accessible" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ ENROLL ] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer - - - name: "[ ENROLL ] lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt + - name: "Test enrollment" + uses: ./.github/actions/acme_clients - name: "[ * ] collecting test logs" if: ${{ failure() }} diff --git a/README.md b/README.md index d8964c4b..4bb68508 100644 --- a/README.md +++ b/README.md 
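Review bot: The renamed step `"Execute install scipt"` keeps the typo of the old name; `- name: "Execute install script"` is the fix. The removed enrollment steps verified each issued certificate against the openssl handler's own test chain (`openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem ...`), while the bare `./.github/actions/acme_clients` call has no input pointing at that chain, so verification now runs against whatever bundle the action ships or is effectively skipped for this job; if that bundle does not contain `test/ca/root-ca-cert.pem`, an issuance from the wrong CA would no longer fail the run. I would either pass the CA file into the action or keep one `openssl verify` line here after the action step. The job's log-collection steps continue past this hunk.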
@@ -21,19 +21,23 @@ on [rfc8555](https://tools.ietf.org/html/rfc8555) - ca_handler.py - interface towards CA server. The intention of this library is to be modular that an [adaption to other CA servers](docs/ca_handler.md) should be straight forward. As of today the following handlers are available: - - [NetGuard Certificate Manager/Insta Certifier](docs/certifier.md) - - [NetGuard Certificate Lifecycle Manager](docs/nclm.md) - - [Insta ActiveCMS](docs/asa.md) - - [EJBCA](docs/ejbca.md) - - [OpenXPKI](docs/openxpki.md) - - [Microsoft Certificate Enrollment Web Services](docs/mscertsrv.md) - - [Microsoft Windows Client Certificate Enrollment Protocol (MS-WCCE) via RPC/DCOM](docs/mswcce.md) - - [Generic ACME protocol handler supporting Letsencrypt, BuyPass.com and ZeroSSL](docs/acme_ca.md) - - [Generic EST protocol handler](docs/est.md) - - [Generic CMPv2 protocol handler](docs/cmp.md) - - [Openssl](docs/openssl.md) - - [XCA](docs/xca.md) - - [acme2dfn](https://github.com/pfisterer/acme2dfn) (external; ACME proxy for the [German research network's PKI](https://www.pki.dfn.de/ueberblick-dfn-pki/) + +| E - Certificte Enrollment, R - Certificte Revocation, P - [EAB Profiling](docs/eab_profiling.md) |E|R|P| +| :-------- | - | - | - | +| [DigiCert® CertCentral](docs/digicert.md) | :white_check_mark: | :white_check_mark: | :white_check_mark: | +| [EJBCA](docs/ejbca.md) | :white_check_mark: | :white_check_mark: | :white_check_mark: | +| [Generic ACME protocol handler supporting Letsencrypt, BuyPass.com and ZeroSSL](docs/acme_ca.md) | :x: | :x: | :white_check_mark: | +| [Generic CMPv2 protocol handler](docs/cmp.md) | :white_check_mark: | :x: | :x: | +| [Generic EST protocol handler](docs/est.md) | :white_check_mark: | :x: | :x: | +| [Insta ActiveCMS](docs/asa.md) | :white_check_mark: | :white_check_mark: | :white_check_mark: | +| [Microsoft Certificate Enrollment Web Services](docs/mscertsrv.md) | :white_check_mark: | :x: | :white_check_mark: | +| [Microsoft Windows Client 
Certificate Enrollment Protocol (MS-WCCE) via RPC/DCOM](docs/mswcce.md) | :white_check_mark: | :x: | :white_check_mark: | +| [NetGuard Certificate Lifecycle Manager](docs/nclm.md) | :white_check_mark: | :white_check_mark: | :x: | +| [NetGuard Certificate Manager/Insta Certifier](docs/certifier.md) | :white_check_mark: | :white_check_mark: | :white_check_mark: | +| [Openssl](docs/openssl.md) | :white_check_mark: | :white_check_mark: | :x: | +| [OpenXPKI](docs/openxpki.md) | :white_check_mark: | :white_check_mark: | :x: | +| [XCA](docs/xca.md) | :white_check_mark: | :white_check_mark: | :white_check_mark: | +| [acme2dfn](https://github.com/pfisterer/acme2dfn) (external; ACME proxy for the [German research network's PKI](https://www.pki.dfn.de/ueberblick-dfn-pki/)| :white_check_mark: | :x: | :x: | For more up-to-date information and further documentation, please visit the project's home page at: [https://github.com/grindsa/acme2certifier](https://github.com/grindsa/acme2certifier) diff --git a/acme_srv/certificate.py b/acme_srv/certificate.py index 3841b7ac..3bc31476 100644 --- a/acme_srv/certificate.py +++ b/acme_srv/certificate.py @@ -42,12 +42,13 @@ def __exit__(self, *args): def _account_check(self, account_name: str, certificate: str) -> Dict[str, str]: """ check account """ - self.logger.debug('Certificate.issuer_check()') + self.logger.debug('Certificate._account_check()') try: result = self.dbstore.certificate_account_check(account_name, b64_url_recode(self.logger, certificate)) except Exception as err_: self.logger.critical('acme2certifier database error in Certificate._account_check(): %s', err_) result = None + self.logger.debug('Certificate._account_check() ended with: %s', result) return result def _authz_check(self, identifier_dic: Dict[str, str], certificate: str) -> List[str]: diff --git a/acme_srv/helper.py b/acme_srv/helper.py index ea924412..b6ee66b5 100644 --- a/acme_srv/helper.py +++ b/acme_srv/helper.py 
@@ -434,17 +434,58 @@ def cert_ski_get(logger: logging.Logger, certificate: str) -> str: return ski_value +def cryptography_version_get(logger: logging.Logger) -> int: + """ get version number of cryptography module """ + logger.debug('Helper.cryptography_version_get()') + # pylint: disable=c0415 + import cryptography + + try: + version_list = cryptography.__version__.split('.') + if version_list: + major_version = int(version_list[0]) + except Exception as err: + logger.error('cryptography_version_get(): Error: %s', err) + major_version = 36 + + logger.debug('cryptography_version_get() ended with %s', major_version) + return major_version + + def cert_extensions_get(logger: logging.Logger, certificate: str, recode: bool = True): """ get extenstions from certificate certificate """ logger.debug('Helper.cert_extensions_get()') - cert = cert_load(logger, certificate, recode=recode) + crypto_module_version = cryptography_version_get(logger) + if crypto_module_version < 36: + logger.debug('Helper.cert_extensions_get(): using pyopenssl') + extension_list = cert_extensions_py_openssl_get(logger, certificate, recode) + else: + cert = cert_load(logger, certificate, recode=recode) + extension_list = [] + for extension in cert.extensions: + extension_list.append(convert_byte_to_string(base64.b64encode(extension.value.public_bytes()))) + logger.debug('Helper.cert_extensions_get() ended with: %s', extension_list) + return extension_list + + +def cert_extensions_py_openssl_get(logger, certificate, recode=True): + """ get extenstions from certificate certificate """ + logger.debug('cert_extensions_py_openssl_get()') + if recode: + pem_file = build_pem_file(logger, None, b64_url_recode(logger, certificate), True) + else: + pem_file = certificate + + cert = crypto.load_certificate(crypto.FILETYPE_PEM, pem_file) extension_list = [] - for extension in cert.extensions: - extension_list.append(convert_byte_to_string(base64.b64encode(extension.value.public_bytes()))) + ext_count = 
cert.get_extension_count() + for i in range(0, ext_count): + ext = cert.get_extension(i) + extension_list.append(convert_byte_to_string(base64.b64encode(ext.get_data()))) - logger.debug('Helper.cert_extensions_get() ended with: %s', extension_list) + logger.debug('cert_extensions_py_openssl_get() ended with: %s', extension_list) return extension_list @@ -610,6 +651,22 @@ def csr_extensions_get(logger: logging.Logger, csr: str) -> List[str]: return extension_list +def csr_subject_get(logger: logging.Logger, csr: str) -> Dict[str, str]: + """ get subject from csr as a list of tuples """ + logger.debug('Helper.csr_subject_get()') + # pylint: disable=w0212 + + csr_obj = csr_load(logger, csr) + subject_dic = {} + # get subject and look for common name + subject = csr_obj.subject + for attr in subject: + subject_dic[attr.oid._name] = attr.value + + logger.debug('Helper.csr_subject_get() ended') + return subject_dic + + def decode_deserialize(logger: logging.Logger, string: str) -> Dict: """ decode and deserialize string """ logger.debug('Helper.decode_deserialize()') 
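Review bot: In `cryptography_version_get`, `major_version` is only bound inside `if version_list:` and in the `except` branch, so on the false branch (currently unreachable, since `str.split` never returns an empty list) the function would raise `UnboundLocalError` at `return major_version`; initialising `major_version = 36` before the `try` and dropping the guard removes the dead path and makes the fallback explicit. `cert_extensions_py_openssl_get` is the only helper in this hunk without type annotations, its docstring repeats the "extenstions from certificate certificate" typo of `cert_extensions_get`, and `range(0, ext_count)` is just `range(ext_count)`. It also relies on the pyOpenSSL `crypto` name being imported at module level, which is outside this hunk. Because `cert_extensions_get` now returns either `extension.value.public_bytes()` or `ext.get_data()` depending on the installed cryptography version, a comment stating that both are presumed to be the raw DER extension value, and that callers comparing these strings against stored values depend on that, would document the assumption.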
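Review bot: `subject_dic[attr.oid._name] = attr.value` keeps only the last value of each attribute type, so a CSR whose subject carries the same RDN type twice (two `organizationalUnitName` values, say) is checked by `eab_profile_subject_check` only on the later one, and an unlisted earlier value passes the profile whitelist. Keeping every value and letting a duplicate reach `eab_profile_subject_string_check` as a list makes the request fail closed, since a list equals no profile string and is never `in` a profile list; the `commonName` branch should then reject a non-string before calling `cn_validate`, e.g. `if not isinstance(value, str): return f'Profile subject check failed for {key}'`. `attr.oid._name` is private cryptography API and maps every unregistered OID to the same placeholder name, so two unknown attributes collide as well; `attr.oid.dotted_string` is the stable identifier. The docstring says the function returns "a list of tuples" but it returns a dict.
```python
    csr_obj = csr_load(logger, csr)
    subject_dic = {}
    for attr in csr_obj.subject:
        name = attr.oid._name
        if name in subject_dic:
            # duplicate RDN type: keep every value so the profile check
            # sees all of them instead of only the last one
            previous = subject_dic[name]
            if not isinstance(previous, list):
                previous = [previous]
            subject_dic[name] = previous + [attr.value]
        else:
            subject_dic[name] = attr.value
    # … unchanged: debug log and return …
```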
@@ -1668,6 +1725,75 @@ def eab_profile_header_info_check(logger: logging.Logger, cahandler, csr: str, h return error +def cn_validate(logger: logging.Logger, cn: str) -> bool: + """ validate common name """ + logger.debug('Helper.cn_validate(%s)', cn) + + error = False + if cn: + # check if CN is a valid IP address + result = validate_ip(logger, cn) + if not result: + # check if CN is a valid fqdn + result = validate_fqdn(logger, cn) + if not result: + error = 'Profile subject check failed: CN validation failed' + else: + error = 'Profile subject check failed: commonName missing' + + logger.debug('Helper.cn_validate() ended with: %s', error) + return error + + +def eab_profile_subject_string_check(logger: logging.Logger, profile_subject_dic, key: str, value: str) -> str: + """ check if a for a string value taken from profile if its a variable inside a class and apply value """ + logger.debug('Helper.eab_profile_subject_string_check(): string: key: %s, value: %s', key, value) + + error = False + if key == 'commonName': + # check if CN is a valid IP address or fqdn + error = cn_validate(logger, value) + elif key in profile_subject_dic: + if isinstance(profile_subject_dic[key], str) and (value == profile_subject_dic[key] or profile_subject_dic[key] == '*'): + logger.debug('Helper.eab_profile_subject_check() successul for string : %s', key) + del profile_subject_dic[key] + elif isinstance(profile_subject_dic[key], list) and value in profile_subject_dic[key]: + logger.debug('Helper.eab_profile_subject_check() successul for list : %s', key) + del profile_subject_dic[key] + else: + logger.error('Helper.eab_profile_subject_check() failed for: %s: value: %s expected: %s', key, value, profile_subject_dic[key]) + error = f'Profile subject check failed for {key}' + else: + logger.error('Helper.eab_profile_subject_check() failed for: %s', key) + error = f'Profile subject check failed for {key}' + + logger.debug('Helper.eab_profile_subject_string_check() ended') + return error + 
+ +def eab_profile_subject_check(logger: logging.Logger, csr: str, profile_subject_dic: str) -> str: + """ check subject against profile information""" + logger.debug('Helper.eab_profile_subject_check()') + error = None + + # get subject from csr + subject_dic = csr_subject_get(logger, csr) + + # check if all profile subject entries are in csr + for key, value in subject_dic.items(): + error = eab_profile_subject_string_check(logger, profile_subject_dic, key, value) + if error: + break + + # check if we have any entries left in the profile_subject_dic + if not error and profile_subject_dic: + logger.error('Helper.eab_profile_subject_check() failed for: %s', list(profile_subject_dic.keys())) + error = 'Profile subject check failed' + + logger.debug('Helper.eab_profile_subject_check() ended with: %s', error) + return error + + def eab_profile_check(logger: logging.Logger, cahandler, csr: str, handler_hifield: str) -> str: """ check eab profile""" logger.debug('Helper.eab_profile_check()') @@ -1676,7 +1802,9 @@ def eab_profile_check(logger: logging.Logger, cahandler, csr: str, handler_hifie with cahandler.eab_handler(logger) as eab_handler: eab_profile_dic = eab_handler.eab_profile_get(csr) for key, value in eab_profile_dic.items(): - if isinstance(value, str): + if key == 'subject': + result = eab_profile_subject_check(logger, csr, value) + elif isinstance(value, str): eab_profile_string_check(logger, cahandler, key, value) elif isinstance(value, list): # check if we need to execute a function from the handler 
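Review bot: `eab_profile_subject_string_check` deletes matched keys from `profile_subject_dic` in place and `eab_profile_subject_check` depends on that for its leftover check, but the dict originates from `eab_handler.eab_profile_get(csr)` in the caller; if a handler ever returns a cached or shared mapping, the deletions persist and later CSRs for the same account are checked against a profile with fewer entries. Copying first, `profile_subject_dic = dict(profile_subject_dic)` at the top of `eab_profile_subject_check`, removes that dependency. A profile `subject` that lists `commonName` can never pass, because the `commonName` branch only validates syntax and never removes the key, so the leftover check rejects every request; either document that `commonName` must not appear in the profile or drop it in that branch with `profile_subject_dic.pop(key, None)`. The annotations are also off: `cn_validate` is declared `-> bool` but returns `False` or an error string, and `profile_subject_dic: str` in `eab_profile_subject_check` is a `Dict`.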
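Review bot: The new `subject` branch hands `value` straight to `eab_profile_subject_check`, but `eab_profile_dic` is loaded from the operator's key file and nothing here confirms that `subject` is a mapping; if it is a string, `key in profile_subject_dic` becomes a substring test and the indexing in `eab_profile_subject_string_check` raises `TypeError`, turning a malformed profile into an unhandled exception on every enrollment for that account. I would guard it: `if key == 'subject': result = eab_profile_subject_check(logger, csr, value) if isinstance(value, dict) else 'Profile subject check failed: subject is not a mapping'`. `result` is now set by this branch and consumed by the `if result: break` that the next hunk dedents to loop level, so `result` must be initialised before the loop; that initialisation is outside this hunk.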
@@ -1684,8 +1812,8 @@ def eab_profile_check(logger: logging.Logger, cahandler, csr: str, handler_hifie result = cahandler.eab_profile_list_check(eab_handler, csr, key, value) else: result = eab_profile_list_check(logger, cahandler, eab_handler, csr, key, value) - if result: - break + if result: + break # we need to reject situations where profiling is enabled but the header_hifiled is not defined in json if cahandler.header_info_field and handler_hifield not in eab_profile_dic: @@ -1703,7 +1831,7 @@ def eab_profile_list_check(logger, cahandler, eab_handler, csr, key, value): logger.debug('Helper.eab_profile_list_check(): list: key: %s, value: %s', key, value) result = None - if hasattr(cahandler, key): + if hasattr(cahandler, key) and key != 'allowed_domainlist': new_value, error = header_info_field_validate(logger, csr, cahandler.header_info_field, key, value) if new_value: logger.debug('Helper.eab_profile_list_check(): setting attribute: %s to %s', key, new_value) diff --git a/docs/digicert.md b/docs/digicert.md new file mode 100644 index 00000000..e3bf9687 --- /dev/null +++ b/docs/digicert.md 
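Review bot: `key != 'allowed_domainlist'` diverts a list-valued `allowed_domainlist` away from `header_info_field_validate`, which selects one entry from the header info; the branch it now falls into is outside this hunk, so it is not visible whether the whole list is assigned to `cahandler.allowed_domainlist` or simply dropped. If it is dropped, the per-account domain whitelist shown in the docs this commit adds (`"allowed_domainlist": ["www.example.com", "www.example.org", "*.acme"]`) is silently ignored, which fails open. An explicit `elif key == 'allowed_domainlist': setattr(cahandler, key, value)` branch, or at least a comment on this line naming where the list is applied, would make the intent verifiable, and a regression test enrolling a name outside the list for such an account would pin it.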
@@ -0,0 +1,116 @@ + + +# Connecting to DigiCert CertCentral + +This handler can be used to enroll certificates from [DigiCert CertCentral](https://dev.digicert.com/en/certcentral-apis.html). + +## Prerequisites + +- you'll need: + - a DigiCert CertCentral subscription :-) + - an [API-Key](https://dev.digicert.com/en/certcentral-apis/authentication.html) for Authentication and Authorization + - an [Organization](https://dev.digicert.com/en/certcentral-apis/services-api/organizations.html) + - a [whitelisted domain](https://dev.digicert.com/en/certcentral-apis/services-api/domains.html) + +## Configuration + +- modify the server configuration (`acme_srv.cfg`) and add the first thre of the below mentioned parameters + +```confag +[CAhandler] +handler_file: examples/ca_handler/digicert_ca_handler.py +api_key: +organization_name: + +allowed_domainlist: +api_url: +organization_id: +cert_type: +signature_hash: +order_validity: +request_timeout: +eab_profiling: +``` + +- api_key - required - API key to access the API +- organization_name - required - Organization name as specified in DigiCert CertCentral +- allowed_domainlist: list of domain-names allowed for enrollment in json format (example: ["bar.local$, bar.foo.local]) +- api_url - optional - URL of the CertCentral API +- organization_id - optional - organization id - configuration prevents additional rest-lookups +- cert_type - optional - [certificte type](https://dev.digicert.com/en/certcentral-apis/services-api/orders.html) to be isused. (default: ssl_basic) +- signature_hash - optional - hash algorithm used for certificate signing - (default: sha256) +- order_validity - optional - oder validity (default: 1 year) +- request_timeout - optional - requests timeout in seconds for requests (default: 5s) +- eab_profiling - optional - [activate eab profiling](eab_profiling.md) (default: False) + +Use your favorite acme client for certificate enrollment. 
A list of clients used in our regression can be found in the [disclaimer section of our README file](../README.md) + +*Important:* the DigiCert API expectes a CommonName to be set. Hence, certbot cannot be used for certificate enrollment. + +## Passing a cert_type from client to server + +The handler makes use of the [header_info_list feature](header_info.md) allowing an acme-client to specify a [certificate type](https://dev.digicert.com/en/certcentral-apis/services-api/orders.html) to be used during certificate enrollment. This feature is disabled by default and must be activate in `acme_srv.cfg` as shown below + +```config +[Order] +... +header_info_list: ["HTTP_USER_AGENT"] +``` + +The acme-client can then specify the cert_type as part of its user-agent string. + +Example for acme.sh: + +```bash +docker exec -i acme-sh acme.sh --server http:// --issue -d --standalone --useragent cert_type=ssl_securesite_pro --debug 3 --output-insecure +``` + +Example for lego: + +```bash +docker run -i -v $PWD/lego:/.lego/ --rm --name lego goacme/lego -s http:// -a --email "lego@example.com" --user-agent cert_type=ssl_securesite_pro -d --http run +``` + +# eab profiling + +This handler can use the [eab profiling feture](eab_profiling.md) to allow individual enrollment configuration per acme-account as well as restriction of CN and SANs to be submitted within the CSR. 
The feature is disabled by default and must be activated in `acme_srv.cfg` + +```cfg +[EABhandler] +eab_handler_file: examples/eab_handler/kid_profile_handler.py +key_file: + +[CAhandler] +eab_profiling: True +``` + +below an example key-file used during regression testing: + +```json +{ + "keyid_00": { + "hmac": "V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw", + "cahandler": { + "cert_type": ["ssl_basic", "ssl_securesite_pro", "ssl_securesite_flex"], + "allowed_domainlist": ["www.example.com", "www.example.org", "*.acme"], + "organization_name": "acme2certifier" + } + }, + "keyid_01": { + "hmac": "YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg", + "cahandler": { + "allowed_domainlist": ["www.example.com", "www.example.org", "*.acme"], + "cert_type": "ssl_securesite_pro" + } + }, + "keyid_02": { + "hmac": "dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM", + "cahandler": { + "allowed_domainlist": ["www.example.com", "www.example.org"] + } + }, + "keyid_03": { + "hmac": "YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr" + } +} +``` diff --git a/docs/eab_profiling.md b/docs/eab_profiling.md index 2603b3a5..02fa0fbe 100644 --- a/docs/eab_profiling.md +++ b/docs/eab_profiling.md @@ -10,6 +10,8 @@ Currently the following ca-handlers had been modified and do support this featur - [EJBCA](ejbca.md) - [Insta ActiveCMS](asa.md) - [Insta certifier/NetGuard Certificate manager](certifier.md) +- [Microsoft Certificate Enrollment Web Services](mscertsrv.md) +- [Microsoft Windows Client Certificate Enrollment Protocol (MS-WCCE) via RPC/DCOM](mswcce.md) - [XCA](xca.md) In case you need support for a different ca-handler feel free to raise an [issue](https://github.com/grindsa/acme2certifier/issues/new). 
@@ -24,12 +26,12 @@ eab_handler_file: examples/eab_handler/kid_profile_handler.py key_file: volume/kid_profiles.json ``` -The `key_file` allows the specification enrollmenmt parameters per (external) acme-account. Main identifier is the key_id to be used during account registration. Any parameter used in the [CAhandler] configuration section of a handler can be customized. Below an example configuration to be used for [Insta Certifier](certifier.md) with some explaination: +The `key_file` allows the specification enrollmenmt parameters per (external) acme-account. Main identifier is the key_id to be used during account registration. Any parameter used in the [CAhandler] configuration section of a handler can be customized. Below an example configuration to be used for [Insta Certifier](certifier.md) with some explanation: ```json { "keyid_00": { - "hmac": "V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw", + "hmac": "hmac-key", "cahandler": { "profile_id": "profile_1", "allowed_domainlist": ["*.example.com", "*.example.org", "*.example.fi"], @@ -39,14 +41,14 @@ The `key_file` allows the specification enrollmenmt parameters per (external) ac } }, "keyid_01": { - "hmac": "YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg", + "hmac": "hmac-key", "cahandler": { "profile_id": ["profile_1", "profile_2", "profile_3"], - "allowed_domainlist": ["*.example.fi", "*.acme"], + "allowed_domainlist": ["*.example.fi", "*.acme"] } }, "keyid_02": { - "hmac": "YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr" + "hmac": "hmac-key" } } ``` 
@@ -55,6 +57,75 @@ The `key_file` allows the specification enrollmenmt parameters per (external) ac - Acme-accounts created with keyid "keyid_01" and can specify 3 different profile_ids by using the [header_info feature](header_info.md). Enrollment requests having other profile_ids will be rejected. In case no profile_id get specified the first profile_id in the list ("profile_1") will be used. SAN/CNs to be used are restricted to "example.fi" and ".local" All other enrollment paramters will be taken from acme_srv.cfg - Acme-accounts created with keyid "keyid_02" do not have any restriction. Enrolment parameters will be taken from the [CAhandler] section in ´acme_srv.cfg` +Starting from v0.36 acme2certifier does support profile configuration in yaml format. Below a configuration example providing the same level of functionality than the above json configuration + +```yaml +--- +{ +--- +keyid_00: + hmac: "hmac-key" + cahandler: + profile_id: "profile_1" + allowed_domainlist: + - "*.example.com" + - "*.example.org" + - "*.example.fi" + ca_name: "non_default_ca" + api_user: "non_default_api_user" + api_password: "api_password" +keyid_01: + hmac: "hmac-key" + cahandler: + profile_id: + - "profile_1" + - "profile_2" + - "profile_3" + allowed_domainlist: + - "*.example.fi" + - "*.acme" +keyid_02: + hmac: "hmac-key" +``` + +## subject profiling + +Starting from v0.36 the eab-profiling feature can be used to check and white-list the certificate subject DN. 
+ +Attribute names must follow [RFC3039](https://www.rfc-editor.org/rfc/rfc3039.html#section-3.1.2); every RDN can be white-listed as: + +- string - attribute in CSR DN must match this value +- list - attribute in CSR DN must match one of the list entries +- "*" - any value matches as long as the attribute is present + +The below example configuration will only allow CSR matching the following ciriterias: + +- serial number can be of any value but must be included +- organizationalUnitName must be either "acme1" or "acme2" +- organizationName must be "acme corp" +- countryName must be "AC" +- additional CSR DN such as localityName or stateOrProvinceName are not allowed + +```json +... +{ + "keyid_00": { + "hmac": "hmac-key", + "cahandler": { + "template_name": ["template", "acme"], + "allowed_domainlist": ["www.example.com", "www.example.org", "*.acme"], + "subject": { + "serialNumber": "*", + "organizationName": "acme corp", + "organizationalUnitName": ["acme1", "acme2"], + "countryName": "AC" + } + } + } +} +... +``` + ## Profile verification In the keyfile can be checked for consistency by using the `tools/eab_chk.py` utility. diff --git a/docs/install_apache2_wsgi.md b/docs/install_apache2_wsgi.md index 9defb4c1..8fbf72cb 100644 --- a/docs/install_apache2_wsgi.md +++ b/docs/install_apache2_wsgi.md 
@@ -26,14 +26,18 @@ sudo pip3 install -r requirements.txt 5. copy the file `examples/apache2/apache_wsgi.conf` to `/etc/apache2/sites-available/acme2certifier.conf` and modify it according to you needs. -6. in case you would like to activate TLS copy the file `examples/acme_wsgi_ssl.conf` to `/etc/apache2/sites-available/acme2certifier.conf` and modify it according to your needs. Do not forget to place the key-bundle. This - -file must contain the following certificate data in pem format: +6. in case you would like to activate TLS copy the file `examples/acme_wsgi_ssl.conf` to `/etc/apache2/sites-available/acme2certifier.conf` and modify it according to your needs. Do not forget to place the key-bundle. This file must contain the following certificate data in pem format: - the private key - the end-entity certificate - intermediate CA certificates, sorted from leaf to root (root CA certificate should not be included for security reasons) +Further, the ssl module needs to be activated + +```bash +sudo a2enmod ssl +``` + 7. activate the virtual server(s) ```bash diff --git a/docs/mscertsrv.md b/docs/mscertsrv.md index 81347fe2..c5566ca8 100644 --- a/docs/mscertsrv.md +++ b/docs/mscertsrv.md @@ -80,6 +80,7 @@ auth_method: template: allowed_domainlist: ["example.com", "*.example2.com"] krb5_config: /krb5.conf +eab_profiling: False ``` - host - hostname of the system providing the Web enrollment service @@ -93,6 +94,7 @@ krb5_config: /krb5.conf - krb5_config - *optional* - path to individual krb5.conf - template - certificate template used for enrollment - allowed_domainlist - *optional* - list of domain-names allowed for enrollment in json format example: ["bar.local$, bar.foo.local] +- eab_profiling - optional - [activate eab profiling](eab_profiling.md) (default: False) ## Passing a template from client to server 
@@ -117,3 +119,48 @@ Example for lego:
 ```bash
 docker run -i -v $PWD/lego:/.lego/ --rm --name lego goacme/lego -s http:// -a --email "lego@example.com" --user-agent template=foo -d --http run
 ```
+
+# eab profiling
+
+This handler can use the [eab profiling feture](eab_profiling.md) to allow individual enrollment configuration per acme-account as well as restriction of CN and SANs to be submitted within the CSR. The feature is disabled by default and must be activated in `acme_srv.cfg`
+
+```cfg
+[EABhandler]
+eab_handler_file: examples/eab_handler/kid_profile_handler.py
+key_file:
+
+[CAhandler]
+eab_profiling: True
+```
+
+below an example key-file used during regression testing:
+
+```json
+{
+ "keyid_00": {
+ "hmac": "V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw",
+ "cahandler": {
+ "template": ["WebServerModified", "WebServer"],
+ "allowed_domainlist": ["www.example.com", "www.example.org", "*.local"],
+ "unknown_key": "unknown_value"
+ }
+ },
+ "keyid_01": {
+ "hmac": "YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg",
+ "cahandler": {
+ "template": "WebServerModified",
+ "allowed_domainlist": ["www.example.com", "www.example.org", "*.local"],
+ "unknown_key": "unknown_value"
+ }
+ },
+ "keyid_02": {
+ "hmac": "dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM",
+ "cahandler": {
+ "allowed_domainlist": ["www.example.com", "www.example.org"]
+ }
+ },
+ "keyid_03": {
+ "hmac": "YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr"
+ }
+}
+```
diff --git a/docs/mswcce.md b/docs/mswcce.md
index 8c85d16a..5483001d 100644
--- a/docs/mswcce.md
+++ b/docs/mswcce.md
@@ -16,14 +16,42 @@ When using the handler please be aware of the following limitations: 3. (optional): In case you are installing from RPM or DEB and plan to use kerberos authentication you need an updated [impacket modules of version 0.11 or higher](https://github.com/fortra/impacket) as older versions have issues with the handling of utf8-encoded passwords. If you have no clue from where to get these packaages feel free to use the one being part of [the a2c github repository](https://github.com/grindsa/sbom/tree/main/rpm-repo/RPMs) 4. You need to have a set of credentials with permissions to access the service and enrollment templates -## Installation +## Local Installation -- install the [impacket](https://github.com/SecureAuthCorp/impacket) via pip (the module is already part of the docker images) +- install the [impacket](https://github.com/fortra/impacket) module + +*IMPORTANT*: + +Some malware scanners like Microsoft Defender classify the impacket module as hacking-tool (see [forta/impacket#1762](https://github.com/fortra/impacket/issues/1762) or [forta/impacket#1271](https://github.com/fortra/impacket/issues/1271#issuecomment-1058729047)). Main reason for the alarms are not the library itself but rather the example script coming along with it. To avoid hazzle with your CSIRT team I suggest to install a strip-down version of impacket which which do not contain the scripts flagged by the scanners. 
Packages for [RH8](https://github.com/grindsa/sbom/raw/main/rpm-repo/RPMs/rhel8/python3-impacket-0.11.0-2grindsa.el8.noarch.rpm) and [RH9](https://github.com/grindsa/sbom/raw/main/rpm-repo/RPMs/rhel9/python3-impacket-0.11.0-2grindsa.el9.noarch.rpm) can be found in my [SBOM repo](https://github.com/grindsa/sbom/tree/main/rpm-repo) + +In case you install impacket from pip or form sources I suggest to: + +- download the impacket package: ```bash -root@rlh:~# pip install impacket +pip3 download impacket --no-deps ``` +- unpack the archive + +```bash + tar xvfz impacket-0.11.0.tar.gz +``` + +- delete all files and subdirectories in `examples` sub-directory + +```bash +rm -rf impacket-0.11.0/examples/* +``` + +- install the package + +```bash +python3 setup.py install +``` + +## Configuration + - modify the server configuration (acme_srv/acme_srv.cfg) and add the following parameters ```config @@ -40,6 +68,7 @@ template: