Skip to content

CA handler tests - CMPv2 #1047

CA handler tests - CMPv2

CA handler tests - CMPv2 #1047

name: CA handler tests - CMPv2
on:
push:
pull_request:
branches: [ devel ]
schedule:
# * is a special character in YAML so you have to quote this string
- cron: '0 2 * * 6'
jobs:
cmp_handler_tests:
name: "cmp_handler_tests"
runs-on: ubuntu-latest
strategy:
max-parallel: 2
fail-fast: false
matrix:
websrv: ['apache2', 'nginx']
dbhandler: ['wsgi', 'django']
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "Get runner ip"
run: |
echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
- run: echo "runner IP is ${{ env.RUNNER_IP }}"
- name: "Build container"
uses: ./.github/actions/container_prep
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
- name: "Create ssh environment on ramdisk"
run: |
sudo mkdir -p /tmp/rd
sudo mount -t tmpfs -o size=5M none /tmp/rd
sudo echo "$SSH_KEY" > /tmp/rd/ak.tmp
sudo chmod 600 /tmp/rd/ak.tmp
sudo echo "$KNOWN_HOSTS" > /tmp/rd/known_hosts
env:
SSH_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
- name: "Setup ssh forwarder"
run: |
docker run -d --rm --network acme --name=ssh-forwarder.acme -e "MAPPINGS=8086:$CMP_HOST:8086" -e "SSH_HOST=$SSH_HOST" -e "SSH_PORT=$SSH_PORT" -e "SSH_USER=$SSH_USER" -p 443:443 -p 445:445 -p 88:88 -v "/tmp/rd/ak.tmp:/ssh_key:ro" davidlor/ssh-port-forward-client:dev
env:
SSH_USER: ${{ secrets.CMP_SSH_USER }}
SSH_HOST: ${{ secrets.CMP_SSH_HOST }}
SSH_PORT: ${{ secrets.CMP_SSH_PORT }}
CMP_HOST: ${{ secrets.CMP_HOST }}
- name: "Setup a2c with cmp_ca_handler with key-cert authentication"
run: |
sudo touch examples/Docker/data/ca_bundle.pem
sudo touch examples/Docker/data/ra_cert.pem
sudo touch examples/Docker/data/ra_key.pem
sudo chmod 777 examples/Docker/data/*.pem
sudo echo "$CMP_TRUSTED" > examples/Docker/data/ca_bundle.pem
sudo echo "$CMP_RA_CERT" > examples/Docker/data/ra_cert.pem
sudo echo "$CMP_RA_KEY" > examples/Docker/data/ra_key.pem
sudo touch examples/Docker/data/acme_srv.cfg
sudo chmod 777 examples/Docker/data/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/cmp_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "cmp_path: pkix/" >> examples/Docker/data/acme_srv.cfg
sudo echo "cmp_ignore_keyusage: True" >> examples/Docker/data/acme_srv.cfg
sudo echo "cmp_msg_timeout: 3" >> examples/Docker/data/acme_srv.cfg
sudo echo "cmp_total_timeout: 5" >> examples/Docker/data/acme_srv.cfg
# sudo echo "cmp_server: $RUNNER_IP:8086" >> examples/Docker/data/acme_srv.cfg
sudo echo "cmp_server: ssh-forwarder.acme:8086" >> examples/Docker/data/acme_srv.cfg
sudo echo "cmp_cert: volume/ra_cert.pem" >> examples/Docker/data/acme_srv.cfg
sudo echo "cmp_key: volume/ra_key.pem" >> examples/Docker/data/acme_srv.cfg
sudo echo "cmp_trusted: volume/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg
sudo echo "cmp_recipient: $CMP_RECIPIENT" >> examples/Docker/data/acme_srv.cfg
cd examples/Docker/
docker-compose restart
env:
RUNNER_IP: ${{ env.RUNNER_IP }}
CMP_RECIPIENT: ${{ secrets.CMP_RECIPIENT }}
CMP_RA_KEY: ${{ secrets.CMP_RA_KEY }}
CMP_RA_CERT: ${{ secrets.CMP_RA_CERT }}
CMP_TRUSTED: ${{ secrets.CMP_TRUSTED }}
- name: "Sleep for 10s"
uses: juliangruber/[email protected]
with:
time: 10s
- name: "Test http://acme-srv/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
- name: "Test if https://acme-srv/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
- name: "Enroll acme.sh"
run: |
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail '[email protected]' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
sudo rm -rf acme-sh/*
- name: "Setup a2c with cmp_ca_handler with PSK refnum authentication"
run: |
sudo touch examples/Docker/data/ca_bundle.pem
sudo touch examples/Docker/data/ra_cert.pem
sudo chmod 777 examples/Docker/data/*.pem
sudo echo "$CMP_TRUSTED" > examples/Docker/data/ca_bundle.pem
sudo echo "$CMP_RA_CERT" > examples/Docker/data/ra_cert.pem
sudo touch examples/Docker/data/acme_srv.cfg
sudo chmod 777 examples/Docker/data/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/cmp_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "cmp_path: pkix/" >> examples/Docker/data/acme_srv.cfg
sudo echo "cmp_ignore_keyusage: True" >> examples/Docker/data/acme_srv.cfg
sudo echo "cmp_msg_timeout: 3" >> examples/Docker/data/acme_srv.cfg
sudo echo "cmp_total_timeout: 5" >> examples/Docker/data/acme_srv.cfg
# sudo echo "cmp_server: $RUNNER_IP:8086" >> examples/Docker/data/acme_srv.cfg
sudo echo "cmp_server: ssh-forwarder.acme:8086" >> examples/Docker/data/acme_srv.cfg
sudo echo "cmp_cert: volume/ra_cert.pem" >> examples/Docker/data/acme_srv.cfg
sudo echo "cmp_trusted: volume/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg
sudo echo "cmp_recipient: $CMP_RECIPIENT" >> examples/Docker/data/acme_srv.cfg
sudo echo "cmp_ref: $CMP_REF" >> examples/Docker/data/acme_srv.cfg
sudo echo "cmp_secret: $CMP_SECRET" >> examples/Docker/data/acme_srv.cfg
cd examples/Docker/
docker-compose restart
env:
RUNNER_IP: ${{ env.RUNNER_IP }}
CMP_RECIPIENT: ${{ secrets.CMP_RECIPIENT }}
CMP_RA_CERT: ${{ secrets.CMP_RA_CERT }}
CMP_TRUSTED: ${{ secrets.CMP_TRUSTED }}
CMP_REF: ${{ secrets.CMP_REF }}
CMP_SECRET: ${{ secrets.CMP_SECRET }}
- name: "Sleep for 10s"
uses: juliangruber/[email protected]
with:
time: 10s
- name: "Sleep for 10s"
uses: juliangruber/[email protected]
with:
time: 10s
- name: "Test http://acme-srv/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
- name: "Test if https://acme-srv/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
- name: "Enroll acme.sh"
run: |
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail '[email protected]' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
- name: "Check container configuration"
uses: ./.github/actions/container_check
with:
DB_HANDLER: ${{ matrix.dbhandler }}
WEB_SRV: ${{ matrix.websrv }}
- name: "[ * ] collecting test logs"
if: ${{ failure() }}
run: |
mkdir -p ${{ github.workspace }}/artifact/upload
sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/
sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
cd examples/Docker
docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego
- name: "[ * ] uploading artificates"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: cmp_handler_tests-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz.tar.gz
path: ${{ github.workspace }}/artifact/upload/
rpm_cmp_handler_tests_keycert:
name: "rpm_cmp_handler_tests_keycert"
runs-on: ubuntu-latest
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "Prepare Alma environment"
uses: ./.github/actions/rpm_prep
with:
GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
RH_VERSION: 9
- name: "Get runner ip"
run: |
echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
- run: echo "runner IP is ${{ env.RUNNER_IP }}"
- name: "Create ssh environment on ramdisk"
run: |
sudo mkdir -p /tmp/rd
sudo mount -t tmpfs -o size=5M none /tmp/rd
sudo echo "$SSH_KEY" > /tmp/rd/ak.tmp
sudo chmod 600 /tmp/rd/ak.tmp
sudo echo "$KNOWN_HOSTS" > /tmp/rd/known_hosts
env:
SSH_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
- name: "Setup ssh forwarder"
run: |
docker run -d --rm --network acme --name=ssh-forwarder.acme -e "MAPPINGS=8086:$CMP_HOST:8086" -e "SSH_HOST=$SSH_HOST" -e "SSH_PORT=$SSH_PORT" -e "SSH_USER=$SSH_USER" -p 443:443 -p 445:445 -p 88:88 -v "/tmp/rd/ak.tmp:/ssh_key:ro" davidlor/ssh-port-forward-client:dev
env:
SSH_USER: ${{ secrets.CMP_SSH_USER }}
SSH_HOST: ${{ secrets.CMP_SSH_HOST }}
SSH_PORT: ${{ secrets.CMP_SSH_PORT }}
CMP_HOST: ${{ secrets.CMP_HOST }}
- name: "Sleep for 5s"
uses: juliangruber/[email protected]
with:
time: 5s
- name: "Setup a2c with cmp_ca_handler"
run: |
sudo mkdir data/acme_ca
sudo cp test/ca/root-ca-cert.pem data/acme_ca
sudo cp test/ca/sub-ca-cert.pem data/acme_ca
sudo touch data/acme_ca/ca_bundle.pem
sudo touch data/acme_ca/ra_cert.pem
sudo touch data/acme_ca/ra_key.pem
sudo chmod 777 data/acme_ca/*.pem
sudo echo "$CMP_TRUSTED" > data/acme_ca/ca_bundle.pem
sudo echo "$CMP_RA_CERT" > data/acme_ca/ra_cert.pem
sudo echo "$CMP_RA_KEY" > data/acme_ca/ra_key.pem
sudo touch data/acme_srv.cfg
sudo chmod 777 data/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/cmp_ca_handler.py" >> data/acme_srv.cfg
sudo echo "cmp_path: pkix/" >> data/acme_srv.cfg
sudo echo "cmp_ignore_keyusage: True" >> data/acme_srv.cfg
sudo echo "cmp_msg_timeout: 3" >> data/acme_srv.cfg
sudo echo "cmp_total_timeout: 5" >> data/acme_srv.cfg
sudo echo "cmp_server: ssh-forwarder.acme:8086" >> data/acme_srv.cfg
sudo echo "cmp_cert: /opt/acme2certifier/volume/acme_ca/ra_cert.pem" >> data/acme_srv.cfg
sudo echo "cmp_key: /opt/acme2certifier/volume/acme_ca/ra_key.pem" >> data/acme_srv.cfg
sudo echo "cmp_trusted: /opt/acme2certifier/volume/acme_ca/ca_bundle.pem" >> data/acme_srv.cfg
sudo echo "cmp_recipient: $CMP_RECIPIENT" >> data/acme_srv.cfg
env:
RUNNER_IP: ${{ env.RUNNER_IP }}
CMP_RECIPIENT: ${{ secrets.CMP_RECIPIENT }}
CMP_RA_KEY: ${{ secrets.CMP_RA_KEY }}
CMP_RA_CERT: ${{ secrets.CMP_RA_CERT }}
CMP_TRUSTED: ${{ secrets.CMP_TRUSTED }}
- name: "Execute install scipt"
run: |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
- name: "Sleep for 10s"
uses: juliangruber/[email protected]
with:
time: 10s
- name: "Test http://acme-srv/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
- name: "Test if https://acme-srv/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
- name: "Enroll acme.sh"
run: |
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail '[email protected]' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
- name: "[ * ] collecting test logs"
if: ${{ failure() }}
run: |
mkdir -p ${{ github.workspace }}/artifact/upload
docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
sudo rm ${{ github.workspace }}/artifact/data/*.rpm
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh
- name: "[ * ] uploading artificates"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: rpm_cmp_handler_tests_keycert.tar.gz
path: ${{ github.workspace }}/artifact/upload/
rpm_cmp_handler_tests_refpsk:
name: "rpm_cmp_handler_tests_refpsk"
runs-on: ubuntu-latest
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "Prepare Alma environment"
uses: ./.github/actions/rpm_prep
with:
GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
RH_VERSION: 9
- name: "Get runner ip"
run: |
echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
- run: echo "runner IP is ${{ env.RUNNER_IP }}"
- name: "Create ssh environment on ramdisk"
run: |
sudo mkdir -p /tmp/rd
sudo mount -t tmpfs -o size=5M none /tmp/rd
sudo echo "$SSH_KEY" > /tmp/rd/ak.tmp
sudo chmod 600 /tmp/rd/ak.tmp
sudo echo "$KNOWN_HOSTS" > /tmp/rd/known_hosts
env:
SSH_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }}
KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }}
- name: "Setup ssh forwarder"
run: |
docker run -d --rm --network acme --name=ssh-forwarder.acme -e "MAPPINGS=8086:$CMP_HOST:8086" -e "SSH_HOST=$SSH_HOST" -e "SSH_PORT=$SSH_PORT" -e "SSH_USER=$SSH_USER" -p 443:443 -p 445:445 -p 88:88 -v "/tmp/rd/ak.tmp:/ssh_key:ro" davidlor/ssh-port-forward-client:dev
env:
SSH_USER: ${{ secrets.CMP_SSH_USER }}
SSH_HOST: ${{ secrets.CMP_SSH_HOST }}
SSH_PORT: ${{ secrets.CMP_SSH_PORT }}
CMP_HOST: ${{ secrets.CMP_HOST }}
- name: "[ PREPARE ] Sleep for 5s"
uses: juliangruber/[email protected]
with:
time: 5s
- name: "Setup a2c with cmp_ca_handler"
run: |
sudo mkdir data/acme_ca
sudo cp test/ca/root-ca-cert.pem data/acme_ca
sudo cp test/ca/sub-ca-cert.pem data/acme_ca
sudo touch data/acme_ca/ca_bundle.pem
sudo touch data/acme_ca/ra_cert.pem
sudo chmod 777 data/acme_ca/*.pem
sudo echo "$CMP_TRUSTED" > data/acme_ca/ca_bundle.pem
sudo echo "$CMP_RA_CERT" > data/acme_ca/ra_cert.pem
sudo touch data/acme_srv.cfg
sudo chmod 777 data/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/cmp_ca_handler.py" >> data/acme_srv.cfg
sudo echo "cmp_path: pkix/" >> data/acme_srv.cfg
sudo echo "cmp_ignore_keyusage: True" >> data/acme_srv.cfg
sudo echo "cmp_msg_timeout: 3" >> data/acme_srv.cfg
sudo echo "cmp_total_timeout: 5" >> data/acme_srv.cfg
sudo echo "cmp_server: ssh-forwarder.acme:8086" >> data/acme_srv.cfg
sudo echo "cmp_cert: /opt/acme2certifier/volume/acme_ca/ra_cert.pem" >> data/acme_srv.cfg
sudo echo "cmp_trusted: /opt/acme2certifier/volume/acme_ca/ca_bundle.pem" >> data/acme_srv.cfg
sudo echo "cmp_recipient: $CMP_RECIPIENT" >> data/acme_srv.cfg
sudo echo "cmp_ref: $CMP_REF" >> data/acme_srv.cfg
sudo echo "cmp_secret: $CMP_SECRET" >> data/acme_srv.cfg
env:
RUNNER_IP: ${{ env.RUNNER_IP }}
CMP_RECIPIENT: ${{ secrets.CMP_RECIPIENT }}
CMP_RA_CERT: ${{ secrets.CMP_RA_CERT }}
CMP_TRUSTED: ${{ secrets.CMP_TRUSTED }}
CMP_REF: ${{ secrets.CMP_REF }}
CMP_SECRET: ${{ secrets.CMP_SECRET }}
- name: "Execute install scipt"
run: |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
- name: "Sleep for 10s"
uses: juliangruber/[email protected]
with:
time: 10s
- name: "Test http://acme-srv/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
- name: "Test if https://acme-srv/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
- name: "Enroll acme.sh"
run: |
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail '[email protected]' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
- name: "[ * ] collecting test logs"
if: ${{ failure() }}
run: |
mkdir -p ${{ github.workspace }}/artifact/upload
docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
sudo rm ${{ github.workspace }}/artifact/data/*.rpm
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh
- name: "[ * ] uploading artificates"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: rpm_cmp_handler_tests_refpsk.tar_rpm.gz
path: ${{ github.workspace }}/artifact/upload/