[fix] openssl handler #1634
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: DNS-01 challenge tests | |
| on: | |
| push: | |
| pull_request: | |
| branches: [ devel ] | |
| schedule: | |
| # * is a special character in YAML so you have to quote this string | |
| - cron: '0 2 * * 6' | |
| jobs: | |
| dns_challenge_tests: | |
| name: "dns_challenge_tests" | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| websrv: ['apache2', 'nginx'] | |
| dbhandler: ['wsgi', 'django'] | |
| steps: | |
| - name: "checkout GIT" | |
| uses: actions/checkout@v4 | |
| - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})" | |
| working-directory: examples/Docker/ | |
| run: | | |
| sudo apt-get install -y docker-compose | |
| sudo mkdir -p data | |
| sed -i "s/wsgi/$DB_HANDLER/g" .env | |
| sed -i "s/apache2/$WEB_SRV/g" .env | |
| cat .env | |
| docker network create acme | |
| docker-compose up -d | |
| docker-compose logs | |
| env: | |
| WEB_SRV: ${{ matrix.websrv }} | |
| DB_HANDLER: ${{ matrix.dbhandler }} | |
| - name: "Setup openssl ca_handler" | |
| run: | | |
| sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem | |
| sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem | |
| sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem | |
| sudo cp .github/django_settings.py examples/Docker/data/settings.py | |
| sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py | |
| sudo mkdir -p examples/Docker/data/acme_ca/certs | |
| sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ | |
| sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg | |
| sudo chmod 777 examples/Docker/data/acme_srv.cfg | |
| sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: False\ndns_server_list: [\"DNS-IP\"]/g" examples/Docker/data/acme_srv.cfg | |
| cd examples/Docker/ | |
| docker-compose restart | |
| docker-compose logs | |
| - name: "Sleep for 10s" | |
| uses: juliangruber/[email protected] | |
| with: | |
| time: 10s | |
| - name: "Test http://acme-srv/directory is accessible" | |
| run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory | |
| - name: "Test if https://acme-srv/directory is accessible" | |
| run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory | |
| - name: "Prepare acme.sh container" | |
| run: | | |
| docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon | |
| sudo cp .github/dns_test.sh acme-sh/ | |
| docker exec -i acme-sh apk add dnsmasq | |
| docker exec -i acme-sh dnsmasq | |
| docker exec -i acme-sh mv /acme.sh/dns_test.sh /root/.acme.sh/dnsapi/ | |
| docker exec -i acme-sh chmod +x /root/.acme.sh/dnsapi/dns_test.sh | |
| - name: "Set DNS server" | |
| run: | | |
| cd examples/Docker/ | |
| docker-compose stop | |
| docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh | |
| sudo sed -i "s/DNS-IP/$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh)/g" data/acme_srv.cfg | |
| docker-compose start | |
| docker-compose logs | |
| - name: "Enroll acme.sh - single domain" | |
| run: | | |
| docker exec -i acme-sh acme.sh --dnssleep 10 --server http://acme-srv --accountemail '[email protected]' --issue --dns dns_test -d acme-sh.single --standalone --debug 3 --output-insecure --force | |
| openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.single_ecc/acme-sh.single.cer | |
| - name: "Enroll acme.sh - two domains" | |
| run: | | |
| docker exec -i acme-sh acme.sh --dnssleep 10 --server http://acme-srv --accountemail '[email protected]' --issue --dns dns_test -d acme-sh.first --dns dns_test -d acme-sh.second --standalone --debug 3 --output-insecure --force | |
| openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.first_ecc/acme-sh.first.cer | |
| - name: "Enroll acme.sh - single wildcard domain" | |
| run: | | |
| docker exec -i acme-sh acme.sh --dnssleep 10 --server http://acme-srv --accountemail '[email protected]' --issue --dns dns_test -d *.acme-sh.wildcard --standalone --debug 3 --output-insecure --force | |
| openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/*acme-sh.wildcard_ecc/*acme-sh.wildcard.cer | |
| - name: "Enroll acme.sh - double wildcard domain" | |
| run: | | |
| docker exec -i acme-sh acme.sh --dnssleep 10 --server http://acme-srv --accountemail '[email protected]' --issue --dns dns_test -d *.acme-sh.first-wildcard --dns dns_test -d *.acme-sh.second-wildcard --standalone --debug 3 --output-insecure --force | |
| openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/*.acme-sh.first-wildcard_ecc/*.acme-sh.first-wildcard.cer | |
| - name: "Enroll acme.sh - domain and wildcard domain" | |
| run: | | |
| docker exec -i acme-sh acme.sh --dnssleep 10 --server http://acme-srv --accountemail '[email protected]' --issue --dns dns_test -d acme-sh.fqdn-wildcard --dns dns_test -d *.acme-sh.fqdn-wildcard --standalone --debug 3 --output-insecure --force | |
| openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.fqdn-wildcard_ecc/acme-sh.fqdn-wildcard.cer | |
| - name: "Check TXT record exists" | |
| if: ${{ failure() }} | |
| run: | | |
| docker exec -i acme-sh ps -a | |
| docker exec -i acme-sh netstat -anu | |
| cd examples/Docker/ | |
| docker-compose logs | |
| dig -t TXT _acme-challenge.acme-sh.single @$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh) | |
| dig -t TXT _acme-challenge.acme-sh.first @$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh) | |
| dig -t TXT _acme-challenge.acme-sh.second @$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh) | |
| dig -t TXT _acme-challenge.acme-sh.wildcard @$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh) | |
| dig -t TXT _acme-challenge.acme-sh.first-wildcard @$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh) | |
| dig -t TXT _acme-challenge.acme-sh.second-wildcard @$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh) | |
| - name: "[ * ] collecting test logs" | |
| if: ${{ failure() }} | |
| run: | | |
| mkdir -p ${{ github.workspace }}/artifact/upload | |
| sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ | |
| cd examples/Docker | |
| docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log | |
| sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data | |
| - name: "[ * ] uploading artificates" | |
| uses: actions/upload-artifact@v4 | |
| if: ${{ failure() }} | |
| with: | |
| name: dns_challenge_tests-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz | |
| path: ${{ github.workspace }}/artifact/upload/ | |
| dns_challenge_tests_rpm: | |
| name: "dns_challenge_tests_rpm" | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| rhversion: [8, 9] | |
| steps: | |
| - name: "checkout GIT" | |
| uses: actions/checkout@v4 | |
| - name: Retrieve Version from version.py | |
| run: | | |
| echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV | |
| - run: echo "Latest tag is ${{ env.TAG_NAME }}" | |
| - name: update version number in spec file | |
| run: | | |
| # sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec | |
| sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec | |
| cat examples/install_scripts/rpm/acme2certifier.spec | |
| - name: build RPM package | |
| id: rpm | |
| uses: grindsa/rpmbuild@alma9 | |
| with: | |
| spec_file: "examples/install_scripts/rpm/acme2certifier.spec" | |
| - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" | |
| - name: "[ PREPARE ] setup environment for alma installation" | |
| run: | | |
| docker network create acme | |
| sudo mkdir -p data | |
| sudo chmod -R 777 data | |
| sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data | |
| sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data | |
| - name: "Retrieve rpms from SBOM repo" | |
| run: | | |
| git clone https://$GH_SBOM_USER:[email protected]/$GH_SBOM_USER/sbom /tmp/sbom | |
| cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data | |
| env: | |
| GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} | |
| GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} | |
| - name: "[ PREPARE ] prepare acme_srv.cfg with openssl_ca_handler" | |
| run: | | |
| mkdir -p data/acme_ca | |
| sudo mkdir -p examples/Docker/data/acme_ca/certs | |
| sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/ | |
| sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/acme_srv.cfg | |
| sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: False\ndns_server_list: [\"DNS-IP\"]/g" data/acme_srv.cfg | |
| sudo sed -i "s/\[CAhandler\]/\[CAhandler\]\nhandler_file: \/opt\/acme2certifier\/examples\/ca_handler\/openssl_ca_handler.py/g" data/acme_srv.cfg | |
| - name: "[ PREPARE ] prepare acme.sh container" | |
| run: | | |
| docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon | |
| sudo cp .github/dns_test.sh acme-sh/ | |
| docker exec -i acme-sh apk add dnsmasq | |
| docker exec -i acme-sh dnsmasq | |
| docker exec -i acme-sh mv /acme.sh/dns_test.sh /root/.acme.sh/dnsapi/ | |
| docker exec -i acme-sh chmod +x /root/.acme.sh/dnsapi/dns_test.sh | |
| - name: "[ PREPARE ] set DNS server" | |
| run: | | |
| docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh | |
| sudo sed -i "s/DNS-IP/$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh)/g" data/acme_srv.cfg | |
| - name: "[ PREPARE ] Almalinux instance" | |
| run: | | |
| sudo cp examples/Docker/almalinux-systemd/Dockerfile data | |
| sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile | |
| cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache | |
| docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd | |
| - name: "[ RUN ] Execute install scipt" | |
| run: | | |
| docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh | |
| - name: "Test http://acme-srv/directory is accessible" | |
| run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory | |
| - name: "[ ENROLL ] acme.sh - single domain" | |
| run: | | |
| docker exec -i acme-sh acme.sh --dnssleep 10 --server http://acme-srv --accountemail '[email protected]' --issue --dns dns_test -d acme-sh.single --standalone --debug 3 --output-insecure --force | |
| openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.single_ecc/acme-sh.single.cer | |
| - name: "[ ENROLL ] acme.sh - two domains" | |
| run: | | |
| docker exec -i acme-sh acme.sh --dnssleep 10 --server http://acme-srv --accountemail '[email protected]' --issue --dns dns_test -d acme-sh.first --dns dns_test -d acme-sh.second --standalone --debug 3 --output-insecure --force | |
| openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.first_ecc/acme-sh.first.cer | |
| - name: "[ ENROLL ] acme.sh - single wildcard domain" | |
| run: | | |
| docker exec -i acme-sh acme.sh --dnssleep 10 --server http://acme-srv --accountemail '[email protected]' --issue --dns dns_test -d *.acme-sh.wildcard --standalone --debug 3 --output-insecure --force | |
| openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem acme-sh/*acme-sh.wildcard_ecc/*acme-sh.wildcard.cer | |
| - name: "[ ENROLL ] acme.sh - double wildcard domain" | |
| run: | | |
| docker exec -i acme-sh acme.sh --dnssleep 10 --server http://acme-srv --accountemail '[email protected]' --issue --dns dns_test -d *.acme-sh.first-wildcard --dns dns_test -d *.acme-sh.second-wildcard --standalone --debug 3 --output-insecure --force | |
| openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem acme-sh/*.acme-sh.first-wildcard_ecc/*.acme-sh.first-wildcard.cer | |
| - name: "[ ENROLL ] acme.sh - domain and wildcard domain" | |
| run: | | |
| docker exec -i acme-sh acme.sh --dnssleep 10 --server http://acme-srv --accountemail '[email protected]' --issue --dns dns_test -d acme-sh.fqdn-wildcard --dns dns_test -d *.acme-sh.fqdn-wildcard --standalone --debug 3 --output-insecure --force | |
| openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.fqdn-wildcard_ecc/acme-sh.fqdn-wildcard.cer | |
| - name: "[ Test ] check TXT record exists" | |
| if: ${{ failure() }} | |
| run: | | |
| docker exec -i acme-sh ps -a | |
| docker exec -i acme-sh netstat -anu | |
| cd examples/Docker/ | |
| docker-compose logs | |
| dig -t TXT _acme-challenge.acme-sh.single @$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh) | |
| dig -t TXT _acme-challenge.acme-sh.first @$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh) | |
| dig -t TXT _acme-challenge.acme-sh.second @$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh) | |
| dig -t TXT _acme-challenge.acme-sh.wildcard @$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh) | |
| dig -t TXT _acme-challenge.acme-sh.first-wildcard @$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh) | |
| dig -t TXT _acme-challenge.acme-sh.second-wildcard @$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh) | |
| - name: "[ * ] collecting test logs" | |
| if: ${{ failure() }} | |
| run: | | |
| mkdir -p ${{ github.workspace }}/artifact/upload | |
| docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier | |
| sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ | |
| sudo rm ${{ github.workspace }}/artifact/data/*.rpm | |
| sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ | |
| docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig | |
| docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf | |
| docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log | |
| sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh | |
| - name: "[ * ] uploading artificates" | |
| uses: actions/upload-artifact@v4 | |
| if: ${{ failure() }} | |
| with: | |
| name: dns-rpm-rh${{ matrix.rhversion }}.tar.gz | |
| path: ${{ github.workspace }}/artifact/upload/ |