[fix] openssl handler #487
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Push images to dockerhub and ghcr.io | |
| on: | |
| push: | |
| branches: | |
| - "master" | |
| schedule: | |
| # * is a special character in YAML so you have to quote this string | |
| - cron: '0 4 * * 6' | |
| jobs: | |
| instance_start: | |
| name: instance_start | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: "install awccli" | |
| run: | | |
| sudo apt-get update | |
| pip3 install awscli --upgrade --user | |
| pip3 install boto3 --upgrade --user | |
| export PATH=$PATH:$HOME/.local/bin | |
| - name: "configure awccli" | |
| run: | | |
| aws --version | |
| aws configure set aws_access_key_id ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws configure set aws_secret_access_key ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws configure set default.region ${{ secrets.AWS_REGION }} | |
| - name: "check instance status" | |
| run: | | |
| wget https://raw.githubusercontent.com/grindsa/aws_ec2_mgr/main/aws_ec_mgr.py | |
| chmod a+rx ./aws_ec_mgr.py | |
| python3 ./aws_ec_mgr.py -a state -r ${{ secrets.AWS_REGION }} -i ${{ secrets.AWS_INSTANCE_ID }} | grep -i "stopped" | |
| - name: "start instance" | |
| run: | | |
| python3 ./aws_ec_mgr.py -a start -r ${{ secrets.AWS_REGION }} -i ${{ secrets.AWS_INSTANCE_ID }} | |
| - name: "[ WAIT ] Sleep for 10s" | |
| uses: juliangruber/[email protected] | |
| with: | |
| time: 10s | |
| - name: "check instance status" | |
| run: | | |
| python3 ./aws_ec_mgr.py -a state -r ${{ secrets.AWS_REGION }} -i ${{ secrets.AWS_INSTANCE_ID }} | grep -i "running" | |
| build_and_upload_images_to_hub: | |
| name: Push images to dockerhub and github | |
| runs-on: ubuntu-latest | |
| needs: instance_start | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| websrv: ['apache2', 'nginx'] | |
| dbhandler: ['wsgi', 'django'] | |
| steps: | |
| - name: "Get current version" | |
| uses: oprypin/find-latest-tag@v1 | |
| with: | |
| repository: ${{ github.repository }} # The repository to scan. | |
| releases-only: true # We know that all relevant tags have a GitHub release for them. | |
| id: acme2certifier_ver # The step ID to refer to later. | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: "Retrieve Version from version.py" | |
| run: | | |
| echo APP_NAME=$(echo ${{ github.repository }} | awk -F / '{print $2}') >> $GITHUB_ENV | |
| echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV | |
| echo BUILD_NAME=${{ matrix.websrv }}-${{ matrix.dbhandler }} >> $GITHUB_ENV | |
| - run: echo "Repo is at version ${{ steps.acme2certifier_ver.outputs.tag }}" | |
| - run: echo "APP tag is ${{ env.APP_NAME }}" | |
| - run: echo "Latest tag is ${{ env.TAG_NAME }}" | |
| - run: echo "BUILD_NAME is ${{ env.BUILD_NAME}}" | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| with: | |
| platforms: all | |
| - uses: docker/setup-buildx-action@v3 | |
| with: | |
| version: latest | |
| buildkitd-flags: --debug | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USER }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ secrets.GHCR_USER }} | |
| password: ${{ secrets.GHCR_TOKEN }} | |
| - name: Build with latest tag | |
| uses: docker/build-push-action@v5 | |
| if: ${{ env.BUILD_NAME == 'apache2-wsgi'}} | |
| with: | |
| push: true | |
| tags: grindsa/acme2certifier:${{ matrix.websrv }}-${{ matrix.dbhandler }}, grindsa/acme2certifier:${{ env.TAG_NAME }}-${{ matrix.websrv }}-${{ matrix.dbhandler }}, grindsa/acme2certifier:latest | |
| file: examples/Docker/${{ matrix.websrv }}/${{ matrix.dbhandler }}/Dockerfile | |
| platforms: linux/arm64, linux/amd64 | |
| - name: Build without latest tag | |
| uses: docker/build-push-action@v5 | |
| if: ${{ env.BUILD_NAME != 'apache2-wsgi'}} | |
| with: | |
| push: true | |
| tags: grindsa/acme2certifier:${{ matrix.websrv }}-${{ matrix.dbhandler }}, grindsa/acme2certifier:${{ env.TAG_NAME }}-${{ matrix.websrv }}-${{ matrix.dbhandler }} | |
| file: examples/Docker/${{ matrix.websrv }}/${{ matrix.dbhandler }}/Dockerfile | |
| platforms: linux/arm64, linux/amd64 | |
| - name: Push image with latest tag to GHCR | |
| if: ${{ env.BUILD_NAME == 'apache2-wsgi'}} | |
| run: | | |
| docker buildx imagetools create \ | |
| --tag ghcr.io/grindsa/acme2certifier:${{ matrix.websrv }}-${{ matrix.dbhandler }} \ | |
| --tag ghcr.io/grindsa/acme2certifier:${{ env.TAG_NAME }}-${{ matrix.websrv }}-${{ matrix.dbhandler }} \ | |
| --tag ghcr.io/grindsa/acme2certifier:latest \ | |
| grindsa/acme2certifier:${{ env.TAG_NAME }}-${{ matrix.websrv }}-${{ matrix.dbhandler }} | |
| - name: Push image without latest tag to GHCR | |
| if: ${{ env.BUILD_NAME != 'apache2-wsgi'}} | |
| run: | | |
| docker buildx imagetools create \ | |
| --tag ghcr.io/grindsa/acme2certifier:${{ matrix.websrv }}-${{ matrix.dbhandler }} \ | |
| --tag ghcr.io/grindsa/acme2certifier:${{ env.TAG_NAME }}-${{ matrix.websrv }}-${{ matrix.dbhandler }} \ | |
| grindsa/acme2certifier:${{ env.TAG_NAME }}-${{ matrix.websrv }}-${{ matrix.dbhandler }} | |
| amd64_pull_and_test: | |
| name: amd64_pull_and_test | |
| runs-on: ubuntu-latest | |
| needs: build_and_upload_images_to_hub | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| websrv: ['apache2', 'nginx'] | |
| dbhandler: ['wsgi', 'django'] | |
| steps: | |
| - name: "Get current version" | |
| uses: oprypin/find-latest-tag@v1 | |
| with: | |
| repository: ${{ github.repository }} # The repository to scan. | |
| releases-only: true # We know that all relevant tags have a GitHub release for them. | |
| id: acme2certifier_ver # The step ID to refer to later. | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: "Retrieve Version from version.py" | |
| run: | | |
| echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV | |
| - run: echo "Repo is at version ${{ steps.acme2certifier_ver.outputs.tag }}" | |
| - run: echo "Latest tag is ${{ env.TAG_NAME }}" | |
| - name: "Prepare environment" | |
| run: | | |
| docker network create acme | |
| sudo mkdir -p acme-sh | |
| sudo mkdir -p certbot | |
| sudo mkdir -p lego | |
| - name: "Setup openssl ca_handler" | |
| run: | | |
| sudo mkdir -p examples/Docker/data/acme_ca/certs | |
| sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ | |
| sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg examples/Docker/data/acme_srv.cfg | |
| sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem | |
| sudo cp .github/django_settings.py examples/Docker/data/settings.py | |
| sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem | |
| sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USER }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: "Pull images from dockerhub and setup container" | |
| run: | | |
| docker run -d -p 80:80 --rm -id --network acme --name=acme-srv -v "$(pwd)/examples/Docker/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:$TAG_NAME-$WEB_SRV-$DB_HANDLER | |
| env: | |
| WEB_SRV: ${{ matrix.websrv }} | |
| DB_HANDLER: ${{ matrix.dbhandler }} | |
| TAG_NAME: ${{ env.TAG_NAME }} | |
| - name: "[ WAIT ] Sleep for 5s" | |
| uses: juliangruber/[email protected] | |
| with: | |
| time: 5s | |
| - name: "Test if http://acme-srv/directory is accessible" | |
| run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory | |
| - name: "Test if https://acme-srv/directory is accessible" | |
| run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory | |
| - name: "Prepare acme.sh container" | |
| run: | | |
| docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon | |
| - name: "Enroll via acme.sh" | |
| run: | | |
| docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail '[email protected]' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer | |
| ls -la *.pem | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
| - name: "Revoke via acme.sh" | |
| run: | | |
| docker exec -i acme-sh acme.sh --server http://acme-srv --revoke -d acme-sh.acme --standalone --debug 3 --output-insecure | |
| - name: "Register certbot" | |
| run: | | |
| docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv --no-eff-email | |
| - name: "Enroll certbot" | |
| run: | | |
| docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem | |
| - name: "Revoke via certbot" | |
| run: | | |
| docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot | |
| - name: "Enroll lego" | |
| run: | | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| - name: "Revoke via lego" | |
| run: | | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme revoke | |
| - name: "Install syft" | |
| run: | | |
| sudo curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin | |
| - name: "Retrieve SBOM repo" | |
| run: | | |
| git clone https://$GH_SBOM_USER:[email protected]/$GH_SBOM_USER/sbom /tmp/sbom | |
| env: | |
| GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} | |
| GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} | |
| - name: "Generate SBOMs for acme2certifier-${{ matrix.websrv }}-${{ matrix.dbhandler }}" | |
| run: | | |
| mkdir -p /tmp/sbom/sbom/acme2certifier | |
| syft grindsa/acme2certifier:${{ matrix.websrv }}-${{ matrix.dbhandler }} > /tmp/sbom/sbom/acme2certifier/acme2certifier-${{ matrix.websrv }}-${{ matrix.dbhandler }}_sbom.txt | |
| syft grindsa/acme2certifier:${{ matrix.websrv }}-${{ matrix.dbhandler }} -o json > /tmp/sbom/sbom/acme2certifier/acme2certifier-${{ matrix.websrv }}-${{ matrix.dbhandler }}_sbom.json | |
| ls -la /tmp/sbom/sbom/acme2certifier | |
| - name: "Upload Changes" | |
| continue-on-error: true | |
| run: | | |
| cd /tmp/sbom | |
| git config --global user.email "[email protected]" | |
| git config --global user.name "SBOM Generator" | |
| git add sbom/acme2certifier/ | |
| git commit -a -m "SBOM update" | |
| git push | |
| - name: "Delete images from local repository" | |
| run: | | |
| docker stop acme-srv | |
| docker rmi $(docker images grindsa/acme2certifier -q) --no-prune --force | |
| - name: "[ * ] collecting test data" | |
| if: ${{ failure() }} | |
| run: | | |
| mkdir -p ${{ github.workspace }}/artifact/upload | |
| sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ | |
| # sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ | |
| cd examples/Docker | |
| docker logs acme-srv > ${{ github.workspace }}/artifact/acme-srv.log 2>&1 | |
| sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz acme-srv.log data # acme-sh | |
| - name: "[ * ] uploading artifacts" | |
| uses: actions/upload-artifact@v4 | |
| if: ${{ failure() }} | |
| with: | |
| name: amd64_pull_and_test-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz | |
| path: ${{ github.workspace }}/artifact/upload/ | |
| arm64_pull_and_test: | |
| name: arm64_pull_and_test | |
| runs-on: ubuntu-latest | |
| needs: build_and_upload_images_to_hub | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| websrv: ['apache2', 'nginx'] | |
| dbhandler: ['wsgi', 'django'] | |
| steps: | |
| - name: "Get current version" | |
| uses: oprypin/find-latest-tag@v1 | |
| with: | |
| repository: ${{ github.repository }} # The repository to scan. | |
| releases-only: true # We know that all relevant tags have a GitHub release for them. | |
| id: acme2certifier_ver # The step ID to refer to later. | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: "Retrieve Version from version.py" | |
| run: | | |
| echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV | |
| echo UUID=$(uuidgen) >> $GITHUB_ENV | |
| - run: echo "Repo is at version ${{ steps.acme2certifier_ver.outputs.tag }}" | |
| - run: echo "UUID ${{ env.UUID }}" | |
| - name: "Prepare ssh environment in ramdisk" | |
| run: | | |
| sudo mkdir -p /tmp/rd | |
| sudo mount -t tmpfs -o size=5M none /tmp/rd | |
| sudo echo "$SSH_KEY" > /tmp/rd/ak.tmp | |
| sudo chmod 600 /tmp/rd/ak.tmp | |
| sudo echo "$KNOWN_HOSTS" > /tmp/rd/known_hosts | |
| env: | |
| SSH_KEY: ${{ secrets.AWS_SSH_KEY }} | |
| KNOWN_HOSTS: ${{ secrets.AWS_SSH_KNOWN_HOSTS }} | |
| - name: "Create working directory on remote host" | |
| run: sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts mkdir -p /tmp/a2c/$UUID | |
| env: | |
| SSH_USER: ${{ secrets.AWS_SSH_USER }} | |
| SSH_HOST: ${{ secrets.AWS_SSH_HOST }} | |
| UUID: ${{ env.UUID }} | |
| - name: "Prepare and data package" | |
| run: | | |
| sudo mkdir -p /tmp/data/acme_ca/certs | |
| sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem /tmp/data/acme_ca/ | |
| sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg /tmp/data/acme_srv.cfg | |
| sudo cp .github/acme2certifier.pem /tmp/data/acme2certifier.pem | |
| sudo cp .github/django_settings.py /tmp/data/settings.py | |
| sudo cp .github/acme2certifier_cert.pem /tmp/data/acme2certifier_cert.pem | |
| sudo cp .github/acme2certifier_key.pem /tmp/data/acme2certifier_key.pem | |
| - name: "Copy data package to remote host" | |
| run: sudo scp -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts -r /tmp/data $SSH_USER@$SSH_HOST:/tmp/a2c/$UUID/ | |
| env: | |
| SSH_USER: ${{ secrets.AWS_SSH_USER }} | |
| SSH_HOST: ${{ secrets.AWS_SSH_HOST }} | |
| WEB_SRV: ${{ matrix.websrv }} | |
| DB_HANDLER: ${{ matrix.dbhandler }} | |
| UUID: ${{ env.UUID }} | |
| - run: echo "Image name - grindsa/acme2certifier:$TAG_NAME-$WEB_SRV-$DB_HANDLER" | |
| env: | |
| WEB_SRV: ${{ matrix.websrv }} | |
| DB_HANDLER: ${{ matrix.dbhandler }} | |
| TAG_NAME: ${{ env.TAG_NAME }} | |
| - name: "Pull images from dockerhub and setup container" | |
| run: | | |
| sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "docker network create $UUID" | |
| sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "docker run -d --rm -id --network $UUID --name=acme-srv-$UUID -v "/tmp/a2c/$UUID/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:$TAG_NAME-$WEB_SRV-$DB_HANDLER" | |
| env: | |
| SSH_USER: ${{ secrets.AWS_SSH_USER }} | |
| SSH_HOST: ${{ secrets.AWS_SSH_HOST }} | |
| WEB_SRV: ${{ matrix.websrv }} | |
| DB_HANDLER: ${{ matrix.dbhandler }} | |
| TAG_NAME: ${{ env.TAG_NAME }} | |
| UUID: ${{ env.UUID }} | |
| - name: "Sleep for 5s" | |
| uses: juliangruber/[email protected] | |
| with: | |
| time: 5s | |
| - name: "Test http://acme-srv/directory internally" | |
| run: sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "docker run -i --rm --network $UUID curlimages/curl -f http://acme-srv-$UUID/directory" | |
| env: | |
| SSH_USER: ${{ secrets.AWS_SSH_USER }} | |
| SSH_HOST: ${{ secrets.AWS_SSH_HOST }} | |
| UUID: ${{ env.UUID }} | |
| - name: "Test if https://acme-srv/directory internally" | |
| run: sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "docker run -i --rm --network $UUID curlimages/curl --insecure -f https://acme-srv-$UUID/directory" | |
| env: | |
| SSH_USER: ${{ secrets.AWS_SSH_USER }} | |
| SSH_HOST: ${{ secrets.AWS_SSH_HOST }} | |
| UUID: ${{ env.UUID }} | |
| - name: "acme.sh enroll" | |
| run: | | |
| sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "mkdir -p /tmp/a2c/$UUID/acme-sh" | |
| sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "docker run --rm -id -v /tmp/a2c/$UUID/acme-sh:/acme.sh --network $UUID --name=acme-sh-$UUID neilpang/acme.sh:latest daemon" | |
| sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "docker exec -i acme-sh-$UUID acme.sh --server http://acme-srv-$UUID --accountemail '[email protected]' --issue -d acme-sh-$UUID --standalone --debug 3 --output-insecure --force" | |
| env: | |
| SSH_USER: ${{ secrets.AWS_SSH_USER }} | |
| SSH_HOST: ${{ secrets.AWS_SSH_HOST }} | |
| UUID: ${{ env.UUID }} | |
| - name: "acme.sh revoke" | |
| run: | | |
| sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "docker exec -i acme-sh-$UUID acme.sh --server http://acme-srv-$UUID --revoke -d acme-sh-$UUID --standalone --debug 3 --output-insecure" | |
| env: | |
| SSH_USER: ${{ secrets.AWS_SSH_USER }} | |
| SSH_HOST: ${{ secrets.AWS_SSH_HOST }} | |
| UUID: ${{ env.UUID }} | |
| - name: "Certbot enroll" | |
| run: | | |
| sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "mkdir -p /tmp/a2c/$UUID/certbot" | |
| sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "docker run -i --rm --name certbot-$UUID --network $UUID -v /tmp/a2c/$UUID/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv-$UUID --no-eff-email" | |
| sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "docker run -i --rm --name certbot-$UUID --network $UUID -v /tmp/a2c/$UUID/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv-$UUID --standalone --preferred-challenges http -d certbot-$UUID --cert-name certbot-$UUID" | |
| env: | |
| SSH_USER: ${{ secrets.AWS_SSH_USER }} | |
| SSH_HOST: ${{ secrets.AWS_SSH_HOST }} | |
| UUID: ${{ env.UUID }} | |
| - name: "Certbot revoke" | |
| run: | | |
| sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "docker run -i --rm --name certbot-$UUID --network $UUID -v /tmp/a2c/$UUID/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv-$UUID -d certbot-$UUID --cert-name certbot-$UUID" | |
| env: | |
| SSH_USER: ${{ secrets.AWS_SSH_USER }} | |
| SSH_HOST: ${{ secrets.AWS_SSH_HOST }} | |
| UUID: ${{ env.UUID }} | |
| - name: "Lego enroll" | |
| run: | | |
| sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "mkdir -p /tmp/a2c/$UUID/lego" | |
| sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "docker run -i -v /tmp/a2c/$UUID/lego:/.lego/ --rm --name lego-$UUID --network $UUID goacme/lego -s http://acme-srv-$UUID/directory -a --email [email protected] -d lego-$UUID --http run" | |
| env: | |
| SSH_USER: ${{ secrets.AWS_SSH_USER }} | |
| SSH_HOST: ${{ secrets.AWS_SSH_HOST }} | |
| UUID: ${{ env.UUID }} | |
| - name: "Lego revoke" | |
| run: | | |
| sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "docker run -i -v /tmp/a2c/$UUID/lego:/.lego/ --rm --name lego-$UUID --network $UUID goacme/lego -s http://acme-srv-$UUID -a --email "[email protected]" -d lego-$UUID revoke" | |
| env: | |
| SSH_USER: ${{ secrets.AWS_SSH_USER }} | |
| SSH_HOST: ${{ secrets.AWS_SSH_HOST }} | |
| UUID: ${{ env.UUID }} | |
| - name: "Cleanup on remote host" | |
| run: | | |
| sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "docker stop acme-sh-$UUID" | |
| sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "docker stop acme-srv-$UUID" | |
| sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "docker network rm $UUID" | |
| sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "docker image rm grindsa/acme2certifier:$TAG_NAME-$WEB_SRV-$DB_HANDLER" | |
| sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -o UserKnownHostsFile=/tmp/rd/known_hosts "sudo rm -rf /tmp/a2c/$UUID" | |
| env: | |
| SSH_USER: ${{ secrets.AWS_SSH_USER }} | |
| SSH_HOST: ${{ secrets.AWS_SSH_HOST }} | |
| WEB_SRV: ${{ matrix.websrv }} | |
| DB_HANDLER: ${{ matrix.dbhandler }} | |
| UUID: ${{ env.UUID }} | |
| instance_stop: | |
| name: instance_stop | |
| runs-on: ubuntu-latest | |
| needs: arm64_pull_and_test | |
| steps: | |
| - name: "install awccli" | |
| run: | | |
| sudo apt-get update | |
| pip3 install awscli --upgrade --user | |
| pip3 install boto3 --upgrade --user | |
| export PATH=$PATH:$HOME/.local/bin | |
| - name: "configure awccli" | |
| run: | | |
| aws --version | |
| aws configure set aws_access_key_id ${{ secrets.AWS_ACCESS_KEY_ID }} | |
| aws configure set aws_secret_access_key ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
| aws configure set default.region ${{ secrets.AWS_REGION }} | |
| - name: "stop instance" | |
| run: | | |
| wget https://raw.githubusercontent.com/grindsa/aws_ec2_mgr/main/aws_ec_mgr.py | |
| chmod a+rx ./aws_ec_mgr.py | |
| python3 ./aws_ec_mgr.py -a stop -r ${{ secrets.AWS_REGION }} -i ${{ secrets.AWS_INSTANCE_ID }} | |
| python3 ./aws_ec_mgr.py -a state -r ${{ secrets.AWS_REGION }} -i ${{ secrets.AWS_INSTANCE_ID }} |