Merge branch 'devel' into nclm_handler
grindsa committed Nov 19, 2024
2 parents 6317e62 + 209e44b commit fe9dad2
Showing 45 changed files with 5,596 additions and 394 deletions.
132 changes: 84 additions & 48 deletions .github/actions/acme_clients/action.yml


4 changes: 2 additions & 2 deletions .github/actions/deb_build/action.yml
Expand Up @@ -28,13 +28,13 @@ runs:
Pin: origin packages.mozilla.org
Pin-Priority: 1000
' | sudo tee /etc/apt/preferences.d/mozilla
sudo apt update && sudo apt install firefox
sudo apt update && sudo apt install -y firefox --allow-downgrades
shell: bash

- name: "Prepare environment to build deb package"
run: |
sudo apt-get update && sudo apt-get -y upgrade
sudo apt-get -y install build-essential fakeroot dpkg-dev devscripts debhelper
sudo apt-get -y install build-essential fakeroot dpkg-dev devscripts debhelper --allow-downgrades
rm setup.py
rm -f examples/ngnix/acme2certifier.te
rm -f examples/nginx/supervisord.conf
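Review bot: `--allow-downgrades` on the build-toolchain line (`sudo apt-get -y install build-essential fakeroot dpkg-dev devscripts debhelper --allow-downgrades`) lets apt silently replace already-installed packages with older versions, which widens what a mirror or pin can push onto the builder. Only the firefox install sits behind a pin (Pin-Priority 1000 for packages.mozilla.org, written just above) that makes a downgrade expected, so the flag on the build-tools line looks copied along rather than required. If no pin forces it, drop it from that line; if it is needed, a comment above the step naming the pin that requires it would help the next maintainer. The `run: |` block these lines belong to starts above the hunk.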
@@ -0,0 +1,98 @@
name: "enroll_eab"
description: "enroll_eab"

runs:
using: "composite"
steps:
- name: "Sleep for 5s"
uses: juliangruber/sleep-action@v2.0.3
with:
time: 5s

- name: "EAB - Test http://acme-srv/directory is accessible"
run: docker run -i --rm --network acme.dynamop.de curlimages/curl -f http://acme-srv/directory
shell: bash

- name: "EAB - Test if https://acme-srv/directory is accessible"
run: docker run -i --rm --network acme.dynamop.de curlimages/curl --insecure -f https://acme-srv/directory
shell: bash

- name: "EAB - 01 - Enroll lego with a template_name taken from list in kid.json"
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme.dynamop.de goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.acme.dynamop.de --http run
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.dynamop.de.crt
sudo openssl x509 -in lego/certificates/lego.acme.dynamop.de.crt -text -noout
sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme.dynamop.de goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.acme.dynamop.de revoke
shell: bash

- name: "EAB - 02a - Enroll lego with a template_name taken from header_info NOT included in kid.json (to fail)"
id: legofail01
continue-on-error: true
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme.dynamop.de goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent cert_type=unknown -d lego.acme.dynamop.de --http run
shell: bash

- name: "EAB - 02a - check result "
if: steps.legofail01.outcome != 'failure'
run: |
echo "legofail outcome is ${{steps.legofail01.outcome }}"
exit 1
shell: bash

- name: "EAB - 02b - Enroll lego with a template_name taken from header_info included in kid.json"
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme.dynamop.de goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent cert_type=ssl_securesite_pro -d lego.acme.dynamop.de --http run
sudo openssl x509 -in lego/certificates/lego.acme.dynamop.de.crt -ext extendedKeyUsage -noout
sudo openssl x509 -in lego/certificates/lego.acme.dynamop.de.crt -issuer --noout
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.dynamop.de.crt
sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme.dynamop.de goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.acme.dynamop.de revoke
shell: bash

- name: "EAB - 03 - Enroll lego with a template_name/ca_name taken from kid.json"
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme.dynamop.de goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -d lego.acme.dynamop.de --http run
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.dynamop.de.crt
sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme.dynamop.de goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.acme.dynamop.de revoke
shell: bash

- name: "EAB - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)"
id: legofail02
continue-on-error: true
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme.dynamop.de goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.acme1.dynamop.de --http run
shell: bash

- name: "EAB - 04a - check result "
if: steps.legofail02.outcome != 'failure'
run: |
echo "legofail outcome is ${{steps.legofail02.outcome }}"
exit 1
shell: bash

- name: "EAB - 05 - Enroll lego with default values from acme.cfg"
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme.dynamop.de goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -d lego.acme.dynamop.de --http run
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.dynamop.de.crt
sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme.dynamop.de goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.acme.dynamop.de revoke
shell: bash

- name: "EAB - 06 - Enroll lego with not allowed headerinfo-field (should fail)"
id: legofail03
continue-on-error: true
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme.dynamop.de goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --user-agent cert_type=ssl_securesite_pro -d lego.acme.dynamop.de --http run
shell: bash

- name: "EAB - 06 - check result "
if: steps.legofail03.outcome != 'failure'
run: |
echo "legofail outcome is ${{steps.legofail03.outcome }}"
exit 1
shell: bash
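Review bot: Steps 03 and 05 enroll with `--kid keyid_01` and `--kid keyid_03` respectively, but their revoke commands reuse `--kid keyid_00` and the keyid_00 HMAC, so the revoke either runs on the account state left in `lego/` (the directory is only wiped before enrollment, not before revoke) or presumably exercises a different account than the one the certificate was issued to. Either way the step does not show that the enrolling EAB identity can revoke its own certificate, and a server that did not bind revocation to the issuing account would pass unnoticed. Use the same kid/hmac pair in the revoke as in the enroll of that step, e.g. `... --eab --kid keyid_01 --hmac <keyid_01 HMAC from the enroll line> -d lego.acme.dynamop.de revoke`, and the same for keyid_03 in step 05. The file header of this section is not rendered, so the path it belongs to is not visible here.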
237 changes: 237 additions & 0 deletions .github/actions/wf_specific/entrust_ca_handler/enroll/action.yml
@@ -0,0 +1,237 @@
name: "acme_clients - enroll, renew and revoke certificates"
description: "Test if acme.sh, certbot and lego can enroll, renew and certificates"
inputs:
ACME_SERVER:
description: "ACME server URL"
required: true
default: "acme-srv"
REVOCATION:
description: "Revocation method"
required: true
default: "true"
USE_RSA:
description: "Use RSA"
required: true
default: "false"
HTTP_PORT:
description: "HTTP port"
required: true
default: "80"
HTTPS_PORT:
description: "HTTPS port"
required: true
default: "443"
HOSTNAME_SUFFIX:
description: "Hostname suffix"
required: true
NAME_SPACE:
description: "Namespace"
required: true
default: "acme"

runs:
using: "composite"
steps:

- name: "Create directories"
run: |
sudo mkdir -p certbot/
sudo mkdir -p lego/ca
sudo cp .github/acme2certifier_cabundle.pem certbot/
sudo cp .github/acme2certifier_cabundle.pem lego/
if [ -f cert-2.pem ]; then
echo "delete cert-2.pem"
rm -f cert-2.pem
fi
if [ -f cert-1.pem ]; then
echo "delete cert-1.pem"
rm -f cert-1.pem
fi
ls -la
shell: bash

- name: "Sleep for 5s"
uses: juliangruber/sleep-action@v2.0.3
with:
time: 5s

- name: "Test if http://acme-srv/directory is accessible"
run: docker run -i --rm --network $NAME_SPACE curlimages/curl -f http://$ACME_SERVER:$HTTP_PORT/directory
shell: bash
env:
ACME_SERVER: ${{ inputs.ACME_SERVER }}
HTTP_PORT: ${{ inputs.HTTP_PORT }}
HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
NAME_SPACE: ${{ inputs.NAME_SPACE }}

- name: "Test if https://acme-srv/directory is accessible"
run: docker run -i --rm --network $NAME_SPACE curlimages/curl --insecure -f https://$ACME_SERVER:$HTTPS_PORT/directory
shell: bash
env:
ACME_SERVER: ${{ inputs.ACME_SERVER }}
HTTP_PORT: ${{ inputs.HTTP_PORT }}
HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
NAME_SPACE: ${{ inputs.NAME_SPACE }}

- name: "HTTP - Enroll lego"
run: |
echo "##### HTTP - Enroll lego #####"
if [ "$USE_RSA" == "false" ]; then
echo "use ECC"
docker run -i --rm -e LEGO_CA_CERTIFICATES=.lego/acme2certifier_cabundle.pem -v $PWD/lego:/.lego/ --name lego$HOSTNAME_SUFFIX --network $NAME_SPACE goacme/lego -s http://$ACME_SERVER:$HTTP_PORT -a --email "lego@example.com" -d lego$HOSTNAME_SUFFIX.$NAME_SPACE --tls run
else
echo "use RSA"
docker run -i --rm -e LEGO_CA_CERTIFICATES=.lego/acme2certifier_cabundle.pem -v $PWD/lego:/.lego/ --name lego$HOSTNAME_SUFFIX --network $NAME_SPACE goacme/lego -s http://$ACME_SERVER:$HTTP_PORT -a --email "lego@example.com" --key-type=rsa2048 -d lego$HOSTNAME_SUFFIX.$NAME_SPACE --tls run
fi
shell: bash
env:
ACME_SERVER: ${{ inputs.ACME_SERVER }}
HTTP_PORT: ${{ inputs.HTTP_PORT }}
HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
USE_RSA: ${{ inputs.USE_RSA }}
HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
NAME_SPACE: ${{ inputs.NAME_SPACE }}

- name: "HTTP - Revoke lego"
if: ${{ inputs.REVOCATION == 'true' }}
run: |
echo "#### HTTP - Revoke lego"
docker run -i -v $PWD/lego:/.lego/ --rm --name lego$HOSTNAME_SUFFIX --network $NAME_SPACE goacme/lego -s http://$ACME_SERVER:$HTTP_PORT -a --email "lego@example.com" -d lego$HOSTNAME_SUFFIX.$NAME_SPACE revoke
shell: bash
env:
ACME_SERVER: ${{ inputs.ACME_SERVER }}
HTTP_PORT: ${{ inputs.HTTP_PORT }}
HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
NAME_SPACE: ${{ inputs.NAME_SPACE }}

- name: "HTTPS - Enroll acme.sh"
run: |
echo "##### HTTPS - Enroll acme.sh #####"
if [ "$USE_RSA" == "false" ]; then
echo "use ECC"
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network $NAME_SPACE --name acme-sh$HOSTNAME_SUFFIX neilpang/acme.sh:latest --issue --server https://$ACME_SERVER:$HTTPS_PORT --accountemail 'acme-sh@example.com' -d acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE --alpn --standalone --debug 1 --output-insecure --insecure
ECC="_ecc"
else
echo "use RSA"
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network $NAME_SPACE --name acme-sh$HOSTNAME_SUFFIX neilpang/acme.sh:latest --issue --server https://$ACME_SERVER:$HTTPS_PORT --accountemail 'acme-sh@example.com' -d acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE --alpn --standalone --keylength 2048 --debug 1 --output-insecure --insecure
fi
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE${ECC}/ca.cer
if [ "$VERIFY_CERT" == "true" ]; then
if [ -f cert-2.pem ]; then
echo "Multiple CA certs"
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE${ECC}/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE.cer
else
echo "Single Root ca"
openssl verify -CAfile cert-1.pem acme-sh/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE${ECC}/acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE.cer
fi
fi
shell: bash
env:
VERIFY_CERT: ${{ inputs.VERIFY_CERT }}
ACME_SERVER: ${{ inputs.ACME_SERVER }}
HTTP_PORT: ${{ inputs.HTTP_PORT }}
HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
USE_RSA: ${{ inputs.USE_RSA }}
HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
NAME_SPACE: ${{ inputs.NAME_SPACE }}

- name: "HTTPS - Revoke HTTP-01 single domain acme.sh"
if: ${{ inputs.REVOCATION == 'true' }}
run: |
echo "##### HTTPS - Revoke HTTP-01 single domain acme.sh #####"
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --name acme-sh$HOSTNAME_SUFFIX --network $NAME_SPACE neilpang/acme.sh:latest --revoke --server https://$ACME_SERVER:$HTTPS_PORT --revoke -d acme-sh$HOSTNAME_SUFFIX.$NAME_SPACE --standalone --debug 2 --output-insecure --insecure
shell: bash
env:
ACME_SERVER: ${{ inputs.ACME_SERVER }}
HTTP_PORT: ${{ inputs.HTTP_PORT }}
HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
NAME_SPACE: ${{ inputs.NAME_SPACE }}

- name: "HTTPS - Decativate acme.sh #####"
run: |
echo "##### HTTPS - Decativate acme.sh"
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --name acme-sh$HOSTNAME_SUFFIX --network $NAME_SPACE neilpang/acme.sh:latest --deactivate-account --server https://$ACME_SERVER:$HTTPS_PORT --debug 2 --output-insecure --insecure
shell: bash
env:
ACME_SERVER: ${{ inputs.ACME_SERVER }}
HTTP_PORT: ${{ inputs.HTTP_PORT }}
HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
NAME_SPACE: ${{ inputs.NAME_SPACE }}

- name: "HTTPS - Enroll certbot"
run: |
echo "##### HTTPS - Enroll certbot #####"
if [ "$USE_RSA" == "false" ]; then
docker run -i --rm --name certbot$HOSTNAME_SUFFIX --network $NAME_SPACE -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server https://$ACME_SERVER:$HTTPS_PORT --standalone --preferred-challenges http --no-verify-ssl --agree-tos -m 'certbot@example.com' -d certbot$HOSTNAME_SUFFIX.$NAME_SPACE --cert-name certbot --issuance-timeout 120
else
docker run -i --rm --name certbot$HOSTNAME_SUFFIX --network $NAME_SPACE -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server https://$ACME_SERVER:$HTTPS_PORT --standalone --preferred-challenges http --no-verify-ssl --agree-tos -m 'certbot@example.com' --key-type rsa -d certbot$HOSTNAME_SUFFIX.$NAME_SPACE --cert-name certbot --issuance-timeout 120
fi
if [ "$VERIFY_CERT" == "true" ]; then
if [ -f cert-2.pem ]; then
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
else
echo "single root ca"
sudo openssl verify -CAfile cert-1.pem certbot/live/certbot/cert.pem
fi
fi
shell: bash
env:
VERIFY_CERT: ${{ inputs.VERIFY_CERT }}
ACME_SERVER: ${{ inputs.ACME_SERVER }}
HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
USE_RSA: ${{ inputs.USE_RSA }}
HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
NAME_SPACE: ${{ inputs.NAME_SPACE }}

- name: "HTTPS - Revoke certbot"
if: ${{ inputs.REVOCATION == 'true' }}
run: |
echo "##### HTTPS - Revoke certbot #####"
docker run -i --rm --name certbot$HOSTNAME_SUFFIX --network $NAME_SPACE -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --server https://$ACME_SERVER:$HTTPS_PORT --no-verify-ssl --delete-after-revoke --cert-name certbot
shell: bash
env:
ACME_SERVER: ${{ inputs.ACME_SERVER }}
HTTP_PORT: ${{ inputs.HTTP_PORT }}
HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
NAME_SPACE: ${{ inputs.NAME_SPACE }}

- name: "HTTP - Enroll lego with wrong domain - should fail"
id: legofail01
continue-on-error: true
run: |
echo "##### HTTP - Enroll lego #####"
if [ "$USE_RSA" == "false" ]; then
echo "use ECC"
docker run -i --rm -e LEGO_CA_CERTIFICATES=.lego/acme2certifier_cabundle.pem -v $PWD/lego:/.lego/ --name lego$HOSTNAME_SUFFIX --network $NAME_SPACE goacme/lego -s http://$ACME_SERVER:$HTTP_PORT -a --email "lego@example.com" -d lego$HOSTNAME_SUFFIX.acme --tls run
else
echo "use RSA"
docker run -i --rm -e LEGO_CA_CERTIFICATES=.lego/acme2certifier_cabundle.pem -v $PWD/lego:/.lego/ --name lego$HOSTNAME_SUFFIX --network $NAME_SPACE goacme/lego -s http://$ACME_SERVER:$HTTP_PORT -a --email "lego@example.com" --key-type=rsa2048 -d lego$HOSTNAME_SUFFIX.acme --tls run
fi
shell: bash
env:
ACME_SERVER: ${{ inputs.ACME_SERVER }}
HTTP_PORT: ${{ inputs.HTTP_PORT }}
HTTPS_PORT: ${{ inputs.HTTPS_PORT }}
USE_RSA: ${{ inputs.USE_RSA }}
HOSTNAME_SUFFIX: ${{ inputs.HOSTNAME_SUFFIX }}
NAME_SPACE: ${{ inputs.NAME_SPACE }}

- name: "Check result "
if: steps.legofail01.outcome != 'failure'
run: |
echo "legofail outcome is ${{steps.legofail01.outcome }}"
exit 1
shell: bash

- name: "Delete acme-sh, letsencypt and lego folders"
run: |
sudo rm -rf lego/*
sudo rm -rf acme-sh/*
sudo rm -rf certbot/*
shell: bash
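Review bot: `VERIFY_CERT` is read by the acme.sh and certbot enroll steps (`VERIFY_CERT: ${{ inputs.VERIFY_CERT }}`) but is not declared under `inputs:`, so it expands to an empty string and both `if [ "$VERIFY_CERT" == "true" ]` blocks are skipped; the enrolled certificates are never verified against cert-1.pem/cert-2.pem, and the chain check this action appears to promise silently never runs. Declare it next to the other inputs, e.g. `VERIFY_CERT:` / `description: "Verify enrolled certificates against the CA chain"` / `default: "true"`, or drop the two env entries and the guarded blocks if verification is intentionally out of scope for this handler. The rendered section shows 235 of the 237 added lines, so the end of the file may lie beyond what is shown here.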
