[wf] entrust workflow
grindsa committed Nov 2, 2024
1 parent b178d92 commit cbaca63
Showing 4 changed files with 449 additions and 4 deletions.
21 changes: 17 additions & 4 deletions .github/actions/acme_clients/action.yml
@@ -1,4 +1,4 @@
name: "acme_clients"
name: "acme_clients - enroll, renew and revoke certificates"
description: "Test if acme.sh, certbot and lego can enroll, renew and certificates"
inputs:
ACME_SERVER:
Expand Down Expand Up @@ -86,9 +86,9 @@ runs:
HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
NAME_SPACE: ${{ inputs.NAME_SPACE }}

- name: "HTTPS - Enroll lego"
- name: "HTTP - Enroll lego"
run: |
echo "##### HTTPS - Enroll lego #####"
echo "##### HTTP - Enroll lego #####"
if [ "$USE_RSA" == "false" ]; then
echo "use ECC"
docker run -i --rm -e LEGO_CA_CERTIFICATES=.lego/acme2certifier_cabundle.pem -v $PWD/lego:/.lego/ --name lego$HOSTNAME_SUFFIX --network $NAME_SPACE goacme/lego -s http://$ACME_SERVER:$HTTP_PORT -a --email "lego@example.com" -d lego$HOSTNAME_SUFFIX.$NAME_SPACE --tls run
Expand All @@ -105,6 +105,19 @@ runs:
HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
NAME_SPACE: ${{ inputs.NAME_SPACE }}

- name: "HTTP - Revoke lego"
if: ${{ inputs.REVOCATION == 'true' }}
run: |
echo "#### HTTP - Revoke lego"
docker run -i -v $PWD/lego:/.lego/ --rm --name lego$HOSTNAME_SUFFIX --network $NAME_SPACE goacme/lego -s http://$ACME_SERVER:$HTTP_PORT -a --email "lego@example.com" -d lego$HOSTNAME_SUFFIX.$NAME_SPACE revoke
shell: bash
env:
ACME_SERVER: ${{ inputs.ACME_SERVER }}
HTTP_PORT: ${{ inputs.HTTP_PORT }}
HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
NAME_SPACE: ${{ inputs.NAME_SPACE }}

- name: "HTTPS - Enroll acme.sh"
run: |
echo "##### HTTPS - Enroll acme.sh #####"
Expand Down Expand Up @@ -392,7 +405,7 @@ runs:
if: ${{ inputs.REVOCATION == 'true' }}
run: |
echo "##### HTTPS - Revoke lego #####"
# docker run -i --rm -e LEGO_CA_CERTIFICATES=.lego/acme2certifier_cabundle.pem -v $PWD/lego:/.lego/ --name lego$HOSTNAME_SUFFIX --network $NAME_SPACE goacme/lego -s https://$ACME_SERVER:$HTTPS_PORT -a --email "lego@example.com" -d lego$HOSTNAME_SUFFIX.$NAME_SPACE revoke
docker run -i --rm -e LEGO_CA_CERTIFICATES=.lego/acme2certifier_cabundle.pem -v $PWD/lego:/.lego/ --name lego$HOSTNAME_SUFFIX --network $NAME_SPACE goacme/lego -s https://$ACME_SERVER:$HTTPS_PORT -a --email "lego@example.com" -d lego$HOSTNAME_SUFFIX.$NAME_SPACE revoke
shell: bash
env:
ACME_SERVER: ${{ inputs.ACME_SERVER }}
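Review bot: The new `HTTP - Revoke lego` step in the `@@ -105,6 +105,19 @@` hunk prints `echo "#### HTTP - Revoke lego"`, which drops the trailing `#####` and one leading `#` that every other banner in this action uses; `echo "##### HTTP - Revoke lego #####"` would keep the log greppable in the same way. That step also exports `HTTPS_PORT` although its command only reads `$HTTP_PORT`, so that env line is dead and can be dropped. The same step is copied verbatim into the new `entrust_ca_handler/enroll/action.yml`, where both points apply as well. In the `@@ -392,7 +405,7 @@` hunk a commented-out copy of the lego revoke command sits directly above the live one; if the uncommented line is the new side, the commented duplicate is leftover text worth removing rather than keeping as history in the file.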
237 changes: 237 additions & 0 deletions .github/actions/wf_specific/entrust_ca_handler/enroll/action.yml
@@ -0,0 +1,237 @@
name: "acme_clients - enroll, renew and revoke certificates"
description: "Test if acme.sh, certbot and lego can enroll, renew and certificates"
inputs:
ACME_SERVER:
description: "ACME server URL"
required: true
default: "acme-srv"
REVOCATION:
description: "Revocation method"
required: true
default: "true"
USE_RSA:
description: "Use RSA"
required: true
default: "false"
HTTP_PORT:
description: "HTTP port"
required: true
default: "80"
HTTPS_PORT:
description: "HTTPS port"
required: true
default: "443"
HOSTNAME_SUFFIX:
description: "Hostname suffix"
required: true
NAME_SPACE:
description: "Namespace"
required: true
default: "acme"

runs:
using: "composite"
steps:

- name: "Create directories"
run: |
sudo mkdir -p certbot/
sudo mkdir -p lego/ca
sudo cp .github/acme2certifier_cabundle.pem certbot/
sudo cp .github/acme2certifier_cabundle.pem lego/
if [ -f cert-2.pem ]; then
echo "delete cert-2.pem"
rm -f cert-2.pem
fi
if [ -f cert-1.pem ]; then
echo "delete cert-1.pem"
rm -f cert-1.pem
fi
ls -la
shell: bash

- name: "Sleep for 5s"
uses: juliangruber/sleep-action@v2.0.3
with:
time: 5s

- name: "Test if http://acme-srv/directory is accessible"
run: docker run -i --rm --network $NAME_SPACE curlimages/curl -f http://$ACME_SERVER:$HTTP_PORT/directory
shell: bash
env:
ACME_SERVER: ${{ inputs.ACME_SERVER }}
HTTP_PORT: ${{ inputs.HTTP_PORT }}
HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
NAME_SPACE: ${{ inputs.NAME_SPACE }}

- name: "Test if https://acme-srv/directory is accessible"
run: docker run -i --rm --network $NAME_SPACE curlimages/curl --insecure -f https://$ACME_SERVER:$HTTPS_PORT/directory
shell: bash
env:
ACME_SERVER: ${{ inputs.ACME_SERVER }}
HTTP_PORT: ${{ inputs.HTTP_PORT }}
HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
NAME_SPACE: ${{ inputs.NAME_SPACE }}

- name: "HTTP - Enroll lego"
run: |
echo "##### HTTP - Enroll lego #####"
if [ "$USE_RSA" == "false" ]; then
echo "use ECC"
docker run -i --rm -e LEGO_CA_CERTIFICATES=.lego/acme2certifier_cabundle.pem -v $PWD/lego:/.lego/ --name lego$HOSTNAME_SUFFIX --network $NAME_SPACE goacme/lego -s http://$ACME_SERVER:$HTTP_PORT -a --email "lego@example.com" -d lego$HOSTNAME_SUFFIX.$NAME_SPACE --tls run
else
echo "use RSA"
docker run -i --rm -e LEGO_CA_CERTIFICATES=.lego/acme2certifier_cabundle.pem -v $PWD/lego:/.lego/ --name lego$HOSTNAME_SUFFIX --network $NAME_SPACE goacme/lego -s http://$ACME_SERVER:$HTTP_PORT -a --email "lego@example.com" --key-type=rsa2048 -d lego$HOSTNAME_SUFFIX.$NAME_SPACE --tls run
fi
shell: bash
env:
ACME_SERVER: ${{ inputs.ACME_SERVER }}
HTTP_PORT: ${{ inputs.HTTP_PORT }}
HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
USE_RSA: ${{ inputs.USE_RSA }}
HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
NAME_SPACE: ${{ inputs.NAME_SPACE }}

- name: "HTTP - Revoke lego"
if: ${{ inputs.REVOCATION == 'true' }}
run: |
echo "#### HTTP - Revoke lego"
docker run -i -v $PWD/lego:/.lego/ --rm --name lego$HOSTNAME_SUFFIX --network $NAME_SPACE goacme/lego -s http://$ACME_SERVER:$HTTP_PORT -a --email "lego@example.com" -d lego$HOSTNAME_SUFFIX.$NAME_SPACE revoke
shell: bash
env:
ACME_SERVER: ${{ inputs.ACME_SERVER }}
HTTP_PORT: ${{ inputs.HTTP_PORT }}
HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
NAME_SPACE: ${{ inputs.NAME_SPACE }}

- name: "HTTPS - Enroll acme.sh"
run: |
echo "##### HTTPS - Enroll acme.sh #####"
if [ "$USE_RSA" == "false" ]; then
echo "use ECC"
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network $NAME_SPACE --name acme-sh$HOSTNAME_SUFFIX neilpang/acme.sh:latest --issue --server https://$ACME_SERVER:$HTTPS_PORT --accountemail 'acme-sh@example.com' -d acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE --alpn --standalone --debug 1 --output-insecure --insecure
ECC="_ecc"
else
echo "use RSA"
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network $NAME_SPACE --name acme-sh$HOSTNAME_SUFFIX neilpang/acme.sh:latest --issue --server https://$ACME_SERVER:$HTTPS_PORT --accountemail 'acme-sh@example.com' -d acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE --alpn --standalone --keylength 2048 --debug 1 --output-insecure --insecure
fi
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE${ECC}/ca.cer
if [ "$VERIFY_CERT" == "true" ]; then
if [ -f cert-2.pem ]; then
echo "Multiple CA certs"
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE${ECC}/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE.cer
else
echo "Single Root ca"
openssl verify -CAfile cert-1.pem acme-sh/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE${ECC}/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE.cer
fi
fi
shell: bash
env:
VERIFY_CERT: ${{ inputs.VERIFY_CERT }}
ACME_SERVER: ${{ inputs.ACME_SERVER }}
HTTP_PORT: ${{ inputs.HTTP_PORT }}
HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
USE_RSA: ${{ inputs.USE_RSA }}
HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
NAME_SPACE: ${{ inputs.NAME_SPACE }}

- name: "HTTPS - Revoke HTTP-01 single domain acme.sh"
if: ${{ inputs.REVOCATION == 'true' }}
run: |
echo "##### HTTPS - Revoke HTTP-01 single domain acme.sh #####"
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --name acme-sh$HOSTNAME_SUFFIX --network $NAME_SPACE neilpang/acme.sh:latest --revoke --server https://$ACME_SERVER:$HTTPS_PORT --revoke -d acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE --standalone --debug 2 --output-insecure --insecure
shell: bash
env:
ACME_SERVER: ${{ inputs.ACME_SERVER }}
HTTP_PORT: ${{ inputs.HTTP_PORT }}
HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
NAME_SPACE: ${{ inputs.NAME_SPACE }}

- name: "HTTPS - Decativate acme.sh #####"
run: |
echo "##### HTTPS - Decativate acme.sh"
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --name acme-sh$HOSTNAME_SUFFIX --network $NAME_SPACE neilpang/acme.sh:latest --deactivate-account --server https://$ACME_SERVER:$HTTPS_PORT --debug 2 --output-insecure --insecure
shell: bash
env:
ACME_SERVER: ${{ inputs.ACME_SERVER }}
HTTP_PORT: ${{ inputs.HTTP_PORT }}
HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
NAME_SPACE: ${{ inputs.NAME_SPACE }}

- name: "HTTPS - Enroll certbot"
run: |
echo "##### HTTPS - Enroll certbot #####"
if [ "$USE_RSA" == "false" ]; then
docker run -i --rm --name certbot$HOSTNAME_SUFFIX --network $NAME_SPACE -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server https://$ACME_SERVER:$HTTPS_PORT --standalone --preferred-challenges http --no-verify-ssl --agree-tos -m 'certbot@example.com' -d certbot$HOSTNAME_SUFFIX.$NAME_SPACE --cert-name certbot --issuance-timeout 120
else
docker run -i --rm --name certbot$HOSTNAME_SUFFIX --network $NAME_SPACE -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server https://$ACME_SERVER:$HTTPS_PORT --standalone --preferred-challenges http --no-verify-ssl --agree-tos -m 'certbot@example.com' --key-type rsa -d certbot$HOSTNAME_SUFFIX.$NAME_SPACE --cert-name certbot --issuance-timeout 120
fi
if [ "$VERIFY_CERT" == "true" ]; then
if [ -f cert-2.pem ]; then
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
else
echo "single root ca"
sudo openssl verify -CAfile cert-1.pem certbot/live/certbot/cert.pem
fi
fi
shell: bash
env:
VERIFY_CERT: ${{ inputs.VERIFY_CERT }}
ACME_SERVER: ${{ inputs.ACME_SERVER }}
HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
USE_RSA: ${{ inputs.USE_RSA }}
HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
NAME_SPACE: ${{ inputs.NAME_SPACE }}

- name: "HTTPS - Revoke certbot"
if: ${{ inputs.REVOCATION == 'true' }}
run: |
echo "##### HTTPS - Revoke certbot #####"
docker run -i --rm --name certbot$HOSTNAME_SUFFIX --network $NAME_SPACE -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --server https://$ACME_SERVER:$HTTPS_PORT --no-verify-ssl --delete-after-revoke --cert-name certbot
shell: bash
env:
ACME_SERVER: ${{ inputs.ACME_SERVER }}
HTTP_PORT: ${{ inputs.HTTP_PORT }}
HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
NAME_SPACE: ${{ inputs.NAME_SPACE }}

- name: "HTTP - Enroll lego with wrong domain - should fail"
id: legofail01
continue-on-error: true
run: |
echo "##### HTTP - Enroll lego #####"
if [ "$USE_RSA" == "false" ]; then
echo "use ECC"
docker run -i --rm -e LEGO_CA_CERTIFICATES=.lego/acme2certifier_cabundle.pem -v $PWD/lego:/.lego/ --name lego$HOSTNAME_SUFFIX --network $NAME_SPACE goacme/lego -s http://$ACME_SERVER:$HTTP_PORT -a --email "lego@example.com" -d lego$HOSTNAME_SUFFIX.acme --tls run
else
echo "use RSA"
docker run -i --rm -e LEGO_CA_CERTIFICATES=.lego/acme2certifier_cabundle.pem -v $PWD/lego:/.lego/ --name lego$HOSTNAME_SUFFIX --network $NAME_SPACE goacme/lego -s http://$ACME_SERVER:$HTTP_PORT -a --email "lego@example.com" --key-type=rsa2048 -d lego$HOSTNAME_SUFFIX.acme --tls run
fi
shell: bash
env:
ACME_SERVER: ${{ inputs.ACME_SERVER }}
HTTP_PORT: ${{ inputs.HTTP_PORT }}
HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
USE_RSA: ${{ inputs.USE_RSA }}
HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
NAME_SPACE: ${{ inputs.NAME_SPACE }}

- name: "Check result "
if: steps.legofail01.outcome != 'failure'
run: |
echo "legofail outcome is ${{steps.legofail01.outcome }}"
exit 1
shell: bash

- name: "Delete acme-sh, letsencypt and lego folders"
run: |
sudo rm -rf lego/*
sudo rm -rf acme-sh/*
sudo rm -rf certbot/*
shell: bash
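Review bot: `VERIFY_CERT: ${{ inputs.VERIFY_CERT }}` in the env of the `HTTPS - Enroll acme.sh` and `HTTPS - Enroll certbot` steps references an input that is not declared under `inputs:`, so in a composite action it should expand to an empty string and `if [ "$VERIFY_CERT" == "true" ]` never holds — the `openssl verify` chain checks after each enrollment look like dead code, and a certificate that does not chain to the CA bundle would pass this test unnoticed; please confirm the expansion behaviour against the calling workflow, which is not on this page. Declaring the input as below makes the check reachable (the default is my assumption; the other inputs on this page all carry one). The `name:`/`description:` pair is copied from `acme_clients`: `name: "acme_clients - enroll, renew and revoke certificates"` is misleading for an `entrust_ca_handler/enroll` action, and the description reads "enroll, renew and certificates", missing "revoke". Smaller items: `"HTTPS - Decativate acme.sh #####"` and its echo misspell "Deactivate" and carry a stray `#####` inside the step name, and the acme.sh revoke command passes `--revoke` twice.
```yaml
inputs:
  # … unchanged: ACME_SERVER … NAME_SPACE …
  VERIFY_CERT:
    description: "Verify the issued certificate against the CA chain (true/false)"
    required: true
    default: "true"
```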
@@ -0,0 +1,41 @@
name: "enroll_eab"
description: "enroll_eab"

runs:
using: "composite"
steps:
- name: "Sleep for 5s"
uses: juliangruber/sleep-action@v2.0.3
with:
time: 5s

- name: "EAB - Test http://acme-srv/directory is accessible"
run: docker run -i --rm --network rm-rf.ninja curlimages/curl -f http://acme-srv/directory
shell: bash

- name: "EAB - Test if https://acme-srv/directory is accessible"
run: docker run -i --rm --network rm-rf.ninja curlimages/curl --insecure -f https://acme-srv/directory
shell: bash

- name: "EAB - 01 - Enroll lego with a template_name taken from list in kid.json"
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network rm-rf.ninja goacme/lego -s http://acme-srv -a --email "lego@example.com" --key-type=rsa2048 --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.rm-rf.ninja --http run
sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network rm-rf.ninja goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.rm-rf.ninja revoke
shell: bash

- name: "EAB - 02 - Enroll lego with a not allowed fqdn in kid.json (to fail)"
id: legofail01
continue-on-error: true
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network rm-rf.ninja goacme/lego -s http://acme-srv -a --email "lego@example.com" --key-type=rsa2048 --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.rm-rf.ninja --http run
shell: bash

- name: "EAB - 04a - check result "
if: steps.legofail01.outcome != 'failure'
run: |
echo "legofail outcome is ${{steps.legofail01.outcome }}"
exit 1
shell: bash
