CA handler Tests - Certifier #1293
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CA handler Tests - Certifier | |
| on: | |
| push: | |
| pull_request: | |
| branches: [ devel ] | |
| schedule: | |
| # * is a special character in YAML so you have to quote this string | |
| - cron: '0 2 * * 6' | |
| jobs: | |
| certifier_handler_tests: | |
| name: "certifier_handler_tests" | |
| runs-on: ubuntu-latest | |
| strategy: | |
| max-parallel: 2 | |
| fail-fast: false | |
| matrix: | |
| websrv: ['apache2', 'nginx'] | |
| dbhandler: ['wsgi', 'django'] | |
| steps: | |
| - name: "checkout GIT" | |
| uses: actions/checkout@v4 | |
| - name: "create folders" | |
| run: | | |
| mkdir lego | |
| mkdir acme-sh | |
| mkdir certbot | |
| - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})" | |
| working-directory: examples/Docker/ | |
| run: | | |
| sudo apt-get install -y docker-compose | |
| sudo mkdir -p data | |
| sed -i "s/wsgi/$DB_HANDLER/g" .env | |
| sed -i "s/apache2/$WEB_SRV/g" .env | |
| cat .env | |
| docker network create acme | |
| docker-compose up -d | |
| docker-compose logs | |
| env: | |
| WEB_SRV: ${{ matrix.websrv }} | |
| DB_HANDLER: ${{ matrix.dbhandler }} | |
| - name: "No profile - Setup a2c with certifier_ca_handler" | |
| run: | | |
| sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem | |
| sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem | |
| sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem | |
| sudo cp .github/django_settings.py examples/Docker/data/settings.py | |
| sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg | |
| sudo chmod 777 examples/Docker/data/acme_srv.cfg | |
| sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem | |
| sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg | |
| sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg | |
| cd examples/Docker/ | |
| docker-compose restart | |
| docker-compose logs | |
| env: | |
| NCM_API_HOST: ${{ secrets.NCM_API_HOST }} | |
| NCM_API_USER: ${{ secrets.NCM_API_USER }} | |
| NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }} | |
| NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }} | |
| NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }} | |
| - name: "No profile - Sleep for 10s" | |
| uses: juliangruber/[email protected] | |
| with: | |
| time: 10s | |
| - name: "No profile - Test http://acme-srv/directory is accessible" | |
| run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory | |
| - name: "No profile - Test if https://acme-srv/directory is accessible" | |
| run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory | |
| - name: "No profile - Enroll acme.sh" | |
| run: | | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail '[email protected]' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
| - name: "No profile - Revoke via acme.sh" | |
| run: | | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure | |
| - name: "No profile - Register certbot" | |
| run: | | |
| docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv --no-eff-email | |
| - name: "No profile - Enroll HTTP-01 single domain certbot" | |
| run: | | |
| docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem | |
| - name: "No profile - Revoke HTTP-01 single domain certbot" | |
| run: | | |
| docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot | |
| - name: "No profile - Enroll lego" | |
| run: | | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| - name: "No profile - Revoke HTTP-01 single domain lego" | |
| run: | | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme revoke | |
| - name: "Profile 101 - Setup a2c with certifier_ca_handler with profile 101" | |
| run: | | |
| sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem | |
| sudo touch examples/Docker/data/acme_srv.cfg | |
| sudo chmod 777 examples/Docker/data/acme_srv.cfg | |
| sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg | |
| sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "profile_id: 101" >> examples/Docker/data/acme_srv.cfg | |
| cd examples/Docker/ | |
| docker-compose restart | |
| docker-compose logs | |
| env: | |
| NCM_API_HOST: ${{ secrets.NCM_API_HOST }} | |
| NCM_API_USER: ${{ secrets.NCM_API_USER }} | |
| NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }} | |
| NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }} | |
| NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }} | |
| PROFILE: ${{ secrets.PROFILE }} | |
| - name: "Profile 101 - Sleep for 10s" | |
| uses: juliangruber/[email protected] | |
| with: | |
| time: 10s | |
| - name: "Profile 101 - Test http://acme-srv/directory is accessible" | |
| run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory | |
| - name: "Profile 101 - Test if https://acme-srv/directory is accessible" | |
| run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory | |
| - name: "Profile 101 - Enroll acme.sh" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail '[email protected]' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
| - name: "Profile 101 - Revoke via acme.sh" | |
| run: | | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure | |
| - name: "Profile 101 - Register certbot" | |
| run: | | |
| sudo rm -rf certbot/* | |
| docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv --no-eff-email | |
| - name: "Profile 101 - Enroll HTTP-01 single domain certbot" | |
| run: | | |
| docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem | |
| sudo openssl x509 -in certbot/live/certbot/cert.pem -ext extendedKeyUsage -noout | grep -i "TLS Web Client" | |
| - name: "Profile 101 - Revoke HTTP-01 single domain certbot" | |
| run: | | |
| docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot | |
| - name: "Profile 101 - Enroll lego" | |
| run: | | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Client" | |
| - name: "Profile 101 - Revoke HTTP-01 single domain lego" | |
| run: | | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme revoke | |
| - name: "Profile 102 - Setup a2c with certifier_ca_handler with Profile 102" | |
| run: | | |
| sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem | |
| sudo touch examples/Docker/data/acme_srv.cfg | |
| sudo chmod 777 examples/Docker/data/acme_srv.cfg | |
| sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg | |
| sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "profile_id: 102" >> examples/Docker/data/acme_srv.cfg | |
| cd examples/Docker/ | |
| docker-compose restart | |
| docker-compose logs | |
| env: | |
| NCM_API_HOST: ${{ secrets.NCM_API_HOST }} | |
| NCM_API_USER: ${{ secrets.NCM_API_USER }} | |
| NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }} | |
| NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }} | |
| NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }} | |
| - name: "Profile 102 - Sleep for 10s" | |
| uses: juliangruber/[email protected] | |
| with: | |
| time: 10s | |
| - name: "Profile 102 - Test http://acme-srv/directory is accessible" | |
| run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory | |
| - name: "Profile 102 - Test if https://acme-srv/directory is accessible" | |
| run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory | |
| - name: "Profile 102 - Enroll acme.sh" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail '[email protected]' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
| - name: "Profile 102 - Revoke via acme.sh" | |
| run: | | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure | |
| - name: "Profile 102 - Register certbot" | |
| run: | | |
| sudo rm -rf certbot/* | |
| docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv --no-eff-email | |
| - name: "Profile 102 - Enroll HTTP-01 single domain certbot" | |
| run: | | |
| docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem | |
| sudo openssl x509 -in certbot/live/certbot/cert.pem -ext extendedKeyUsage -noout | grep -i "TLS Web Server" | |
| - name: "Profile 102 - Revoke HTTP-01 single domain certbot" | |
| run: | | |
| docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot | |
| - name: "Profile 102 - Enroll lego" | |
| run: | | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Server" | |
| - name: "Profile 102 - Revoke HTTP-01 single domain lego" | |
| run: | | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme revoke | |
| - name: "Header-info - Setup a2c with certifier_ca_handler with header-info" | |
| run: | | |
| sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem | |
| sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem | |
| sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem | |
| sudo cp .github/django_settings.py examples/Docker/data/settings.py | |
| sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg | |
| sudo chmod 777 examples/Docker/data/acme_srv.cfg | |
| sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem | |
| sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg | |
| sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg | |
| sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg | |
| cd examples/Docker/ | |
| docker-compose restart | |
| docker-compose logs | |
| env: | |
| NCM_API_HOST: ${{ secrets.NCM_API_HOST }} | |
| NCM_API_USER: ${{ secrets.NCM_API_USER }} | |
| NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }} | |
| NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }} | |
| NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }} | |
| - name: "Sleep for 10s" | |
| uses: juliangruber/[email protected] | |
| with: | |
| time: 10s | |
| - name: "Header-info - Test http://acme-srv/directory is accessible" | |
| run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory | |
| - name: "Header-info - Test if https://acme-srv/directory is accessible" | |
| run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory | |
| - name: "Header-info - 01 - Enroll acme.sh with profile_id 101" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail '[email protected]' --useragent profile_id=101 -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Client" | |
| - name: "Header-info - 01 - Enroll lego with profile_id 101" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --user-agent profile_id=101 -d lego.acme --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Client" | |
| - name: "Header-info - 02 - Enroll acme.sh with profile_id 102" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail '[email protected]' --useragent profile_id=102 -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server" | |
| - name: "Header-info - 02 - Enroll lego with profile_id 102" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --user-agent profile_id=102 -d lego.acme --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Server" | |
| - name: "EAB without headerinfo - Setup a2c with certifier_ca_handler" | |
| run: | | |
| sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem | |
| sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem | |
| sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem | |
| sudo cp .github/django_settings.py examples/Docker/data/settings.py | |
| sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg | |
| sudo chmod 777 examples/Docker/data/acme_srv.cfg | |
| sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem | |
| sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg | |
| sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "profile_id: 100" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo -e "\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg | |
| sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json | |
| sudo chmod 777 examples/eab_handler/kid_profiles.json | |
| sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"profile_id\"\: \[\"102\", \"101\"\, \"100\"]/g" examples/Docker/data/kid_profiles.json | |
| sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"profile_id\"\: \"102\"/g" examples/Docker/data/kid_profiles.json | |
| sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"SubCA2\"/" examples/Docker/data/kid_profiles.json | |
| sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json | |
| sudo sed -i "s/example.net/acme/g" examples/Docker/data/kid_profiles.json | |
| sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json | |
| sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json | |
| cd examples/Docker/ | |
| docker-compose restart | |
| docker-compose logs | |
| env: | |
| NCM_API_HOST: ${{ secrets.NCM_API_HOST }} | |
| NCM_API_USER: ${{ secrets.NCM_API_USER }} | |
| NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }} | |
| NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }} | |
| NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }} | |
| - name: "EAB without headerinfo - Sleep for 10s" | |
| uses: juliangruber/[email protected] | |
| with: | |
| time: 10s | |
| - name: "EAB without headerinfo - Test http://acme-srv/directory is accessible" | |
| run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory | |
| - name: "EAB without headerinfo - Test if https://acme-srv/directory is accessible" | |
| run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory | |
| - name: "EAB without headerinfo - Enroll acme.sh without profile_id" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server Authentication" | |
| - name: "EAB without headerinfo - Enroll lego without profile_id" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.acme --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Server Authentication" | |
| - name: "EAB without headerinfo - 02 - Enroll acme with a template_name taken from header_info NOT included in kid.json (to be ignored)" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_id=unknown -d acme-sh.acme --standalone --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server Authentication" | |
| - name: "EAB without headerinfo - 02 - Enroll lego with a template_name taken from header_info NOT included in kid.json (to be ignored)" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_id=unknown -d lego.acme --http run | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_id=101 -d lego.acme --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Server Authentication" | |
| - name: "EAB without headerinfo - 03 - Enroll acme with a template_name/ca_name taken from kid.json" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_01 --eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Server Authentication" | |
| - name: "EAB without headerinfo - 03 - Enroll lego with a template_name/ca_name taken from kid.json" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -d lego.acme --http run | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Server Authentication" | |
| - name: "EAB without headerinfo - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)" | |
| id: acmefail021 | |
| continue-on-error: true | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure | |
| - name: "EAB without headerinfo - 04 - check result " | |
| if: steps.acmefail021.outcome != 'failure' | |
| run: | | |
| echo "acmefail outcome is ${{steps.acmefail021.outcome }}" | |
| exit 1 | |
| - name: "EAB without headerinfo - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)" | |
| id: legofail021 | |
| continue-on-error: true | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.acme --http run | |
| - name: "EAB without headerinfo - 04a - check result " | |
| if: steps.legofail021.outcome != 'failure' | |
| run: | | |
| echo "legofail outcome is ${{steps.legofail021.outcome }}" | |
| exit 1 | |
| - name: "EAB without headerinfo - 05 - Enroll acme with default values from acme.cfg" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "Code Signing" | |
| - name: "EAB without headerinfo - 05 - Enroll lego with default values from acme.cfg" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -d lego.acme --http run | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "Code Signing" | |
| - name: "EAB with headerinfo - Setup a2c with certifier_ca_handler" | |
| run: | | |
| sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem | |
| sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem | |
| sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem | |
| sudo cp .github/django_settings.py examples/Docker/data/settings.py | |
| sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg | |
| sudo chmod 777 examples/Docker/data/acme_srv.cfg | |
| sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem | |
| sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg | |
| sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "profile_id: 100" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg | |
| sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg | |
| sudo echo -e "\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg | |
| sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json | |
| sudo chmod 777 examples/eab_handler/kid_profiles.json | |
| sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"profile_id\"\: \[\"102\", \"101\"\, \"100\"]/g" examples/Docker/data/kid_profiles.json | |
| sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"profile_id\"\: \"102\"/g" examples/Docker/data/kid_profiles.json | |
| sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"SubCA2\"/" examples/Docker/data/kid_profiles.json | |
| sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json | |
| sudo sed -i "s/example.net/acme/g" examples/Docker/data/kid_profiles.json | |
| sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json | |
| sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json | |
| cd examples/Docker/ | |
| docker-compose restart | |
| docker-compose logs | |
| env: | |
| NCM_API_HOST: ${{ secrets.NCM_API_HOST }} | |
| NCM_API_USER: ${{ secrets.NCM_API_USER }} | |
| NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }} | |
| NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }} | |
| NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }} | |
| - name: "EAB with headerinfo - Sleep for 10s" | |
| uses: juliangruber/[email protected] | |
| with: | |
| time: 10s | |
| - name: "EAB with headerinfo - Test http://acme-srv/directory is accessible" | |
| run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory | |
| - name: "EAB with headerinfo - Test if https://acme-srv/directory is accessible" | |
| run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory | |
| - name: "EAB with headerinfo - 01 - Enroll acme.sh without profile_id" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server Authentication" | |
| - name: "EAB with headerinfo - 01 - Enroll lego without profile_id" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.acme --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Server Authentication" | |
| - name: "EAB with headerinfo - 02a - Enroll acme with a template_name taken from header_info NOT included in kid.json (to fail)" | |
| id: acmefail01 | |
| continue-on-error: true | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_id=unknown -d acme-sh.acme --standalone --debug 3 --output-insecure | |
| - name: "EAB with headerinfo - 02a - check result " | |
| if: steps.acmefail01.outcome != 'failure' | |
| run: | | |
| echo "acmefail outcome is ${{steps.acmefail01.outcome }}" | |
| exit 1 | |
| - name: "EAB with headerinfo - 02b - Enroll acme with a template_name taken from header_info included in kid.json" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_id=101 -d acme-sh.acme --standalone --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Client Authentication" | |
| - name: "EAB with headerinfo - 02a - Enroll lego with a template_name taken from header_info NOT included in kid.json (to fail)" | |
| id: legofail01 | |
| continue-on-error: true | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_id=unknown -d lego.acme --http run | |
| - name: "EAB with headerinfo - 02a - check result " | |
| if: steps.legofail01.outcome != 'failure' | |
| run: | | |
| echo "legofail outcome is ${{steps.legofail01.outcome }}" | |
| exit 1 | |
| - name: "EAB with headerinfo - 02b - Enroll lego with a template_name taken from header_info included in kid.json" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_id=101 -d lego.acme --http run | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Client Authentication" | |
| - name: "EAB with headerinfo - 03 - Enroll acme with a template_name/ca_name taken from kid.json" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_01 --eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Server Authentication" | |
| - name: "EAB with headerinfo - 03 - Enroll lego with a template_name/ca_name taken from kid.json" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -d lego.acme --http run | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Server Authentication" | |
| - name: "EAB with headerinfo - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)" | |
| id: acmefail02 | |
| continue-on-error: true | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure | |
| - name: "EAB with headerinfo - 04 - check result " | |
| if: steps.acmefail02.outcome != 'failure' | |
| run: | | |
| echo "acmefail outcome is ${{steps.acmefail02.outcome }}" | |
| exit 1 | |
| - name: "EAB with headerinfo - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)" | |
| id: legofail02 | |
| continue-on-error: true | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.acme --http run | |
| - name: "EAB with headerinfo - 04a - check result " | |
| if: steps.legofail02.outcome != 'failure' | |
| run: | | |
| echo "legofail outcome is ${{steps.legofail02.outcome }}" | |
| exit 1 | |
| - name: "EAB with headerinfo - 05 - Enroll acme with default values from acme.cfg" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "Code Signing" | |
| - name: "EAB with headerinfo - 05 - Enroll lego with default values from acme.cfg" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -d lego.acme --http run | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "Code Signing" | |
| - name: "EAB with headerinfo - 06 - Enroll acme with not allowed headerinfo-field (should fail)" | |
| id: acmefail03 | |
| continue-on-error: true | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_id=101 -d acme-sh.acme --standalone --debug 3 --output-insecure | |
| - name: "EAB with headerinfo - 06 - check result " | |
| if: steps.acmefail03.outcome != 'failure' | |
| run: | | |
| echo "acmefail outcome is ${{steps.acmefail03.outcome }}" | |
| exit 1 | |
| - name: "EAB with headerinfo - 06 - Enroll lego with not allowed headerinfo-field (should fail)" | |
| id: legofail03 | |
| continue-on-error: true | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --user-agent profile_id=101 -d lego.acme --http run | |
| - name: "EAB with headerinfo - 06 - check result " | |
| if: steps.legofail03.outcome != 'failure' | |
| run: | | |
| echo "legofail outcome is ${{steps.legofail03.outcome }}" | |
| exit 1 | |
| - name: "[ * ] collecting test logs" | |
| if: ${{ failure() }} | |
| run: | | |
| mkdir -p ${{ github.workspace }}/artifact/upload | |
| sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ | |
| sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ | |
| sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ | |
| sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ | |
| cd examples/Docker | |
| docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log | |
| sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego | |
| - name: "[ * ] uploading artificates" | |
| uses: actions/upload-artifact@v4 | |
| if: ${{ failure() }} | |
| with: | |
| name: ncm-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz | |
| path: ${{ github.workspace }}/artifact/upload/ | |
| certifier_handler_tests_rpm: | |
| name: "certifier_handler_tests_rpm" | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| rhversion: [8, 9] | |
| steps: | |
| - name: "checkout GIT" | |
| uses: actions/checkout@v4 | |
| - name: Retrieve Version from version.py | |
| run: | | |
| echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV | |
| - run: echo "Latest tag is ${{ env.TAG_NAME }}" | |
| - name: update version number in spec file | |
| run: | | |
| # sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec | |
| sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec | |
| cat examples/install_scripts/rpm/acme2certifier.spec | |
| - name: build RPM package | |
| id: rpm | |
| uses: grindsa/rpmbuild@alma9 | |
| with: | |
| spec_file: "examples/install_scripts/rpm/acme2certifier.spec" | |
| - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" | |
| - name: "Setup environment for alma installation" | |
| run: | | |
| docker network create acme | |
| sudo mkdir -p data | |
| sudo chmod -R 777 data | |
| sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data | |
| sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data | |
| - name: "Create letsencrypt and lego folder" | |
| run: | | |
| mkdir certbot | |
| mkdir lego | |
| - name: "Retrieve rpms from SBOM repo" | |
| run: | | |
| git clone https://$GH_SBOM_USER:[email protected]/$GH_SBOM_USER/sbom /tmp/sbom | |
| cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data | |
| env: | |
| GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} | |
| GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} | |
| - name: "No profile - Setup a2c with certifier_ca_handler" | |
| run: | | |
| mkdir -p data/acme_ca | |
| sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem | |
| sudo touch data/acme_srv.cfg | |
| sudo chmod 777 data/acme_srv.cfg | |
| sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg | |
| sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg | |
| sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg | |
| sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg | |
| sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg | |
| sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg | |
| sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg | |
| env: | |
| NCM_API_HOST: ${{ secrets.NCM_API_HOST }} | |
| NCM_API_USER: ${{ secrets.NCM_API_USER }} | |
| NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }} | |
| NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }} | |
| NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }} | |
| - name: "Prepare Almalinux instance" | |
| run: | | |
| sudo cp examples/Docker/almalinux-systemd/Dockerfile data | |
| sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile | |
| cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache | |
| docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd | |
| - name: "Execute install scipt" | |
| run: | | |
| docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh | |
| - name: "Profile 101 - Sleep for 5s" | |
| uses: juliangruber/[email protected] | |
| with: | |
| time: 5s | |
| - name: "No profile - Test http://acme-srv/directory is accessible" | |
| run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory | |
| - name: "No profile - Enroll acme.sh" | |
| run: | | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail '[email protected]' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
| - name: "No profile - Revoke via acme.sh" | |
| run: | | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure | |
| - name: "No profile - Register certbot" | |
| run: | | |
| docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv --no-eff-email | |
| - name: "No profile - Enroll HTTP-01 single domain certbot" | |
| run: | | |
| docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem | |
| - name: "No profile - Revoke HTTP-01 single domain certbot" | |
| run: | | |
| docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot | |
| - name: "No profile - Enroll lego" | |
| run: | | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| - name: "No profile - Revoke HTTP-01 single domain lego" | |
| run: | | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme revoke | |
| - name: "Profile 101 - Setup a2c with certifier_ca_handler with profile 101" | |
| run: | | |
| mkdir -p data/acme_ca | |
| sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem | |
| sudo touch data/acme_srv.cfg | |
| sudo chmod 777 data/acme_srv.cfg | |
| sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg | |
| sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg | |
| sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg | |
| sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg | |
| sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg | |
| sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg | |
| sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg | |
| sudo echo "profile_id: 101" >> data/acme_srv.cfg | |
| env: | |
| NCM_API_HOST: ${{ secrets.NCM_API_HOST }} | |
| NCM_API_USER: ${{ secrets.NCM_API_USER }} | |
| NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }} | |
| NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }} | |
| NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }} | |
| PROFILE: ${{ secrets.PROFILE }} | |
| - name: "Profile 101 - Reconfigure a2c " | |
| run: | | |
| docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart | |
| - name: "Profile 101 - Sleep for 10s" | |
| uses: juliangruber/[email protected] | |
| with: | |
| time: 10s | |
| - name: "Profile 101 - Test http://acme-srv/directory is accessible" | |
| run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory | |
| - name: "Profile 101 - Enroll acme.sh" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail '[email protected]' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
| - name: "Profile 101 - Revoke via acme.sh" | |
| run: | | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure | |
| - name: "Profile 101 - Register certbot" | |
| run: | | |
| sudo rm -rf certbot/* | |
| docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv --no-eff-email | |
| - name: "Profile 101 - Enroll HTTP-01 single domain certbot" | |
| run: | | |
| docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem | |
| sudo openssl x509 -in certbot/live/certbot/cert.pem -ext extendedKeyUsage -noout | grep -i "TLS Web Client" | |
| - name: "Profile 101 - Revoke HTTP-01 single domain certbot" | |
| run: | | |
| docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot | |
| - name: "Profile 101 - Enroll lego" | |
| run: | | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Client" | |
| - name: "Profile 101 - Revoke HTTP-01 single domain lego" | |
| run: | | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme revoke | |
| - name: "Profile 102 - Setup a2c with certifier_ca_handler with profile 101" | |
| run: | | |
| mkdir -p data/acme_ca | |
| sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem | |
| sudo touch data/acme_srv.cfg | |
| sudo chmod 777 data/acme_srv.cfg | |
| sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg | |
| sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg | |
| sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg | |
| sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg | |
| sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg | |
| sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg | |
| sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg | |
| sudo echo "profile_id: 102" >> data/acme_srv.cfg | |
| env: | |
| NCM_API_HOST: ${{ secrets.NCM_API_HOST }} | |
| NCM_API_USER: ${{ secrets.NCM_API_USER }} | |
| NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }} | |
| NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }} | |
| NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }} | |
| PROFILE: ${{ secrets.PROFILE }} | |
| - name: "Profile 102 - Reconfigure a2c " | |
| run: | | |
| docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart | |
| - name: "Profile 102 - Sleep for 10s" | |
| uses: juliangruber/[email protected] | |
| with: | |
| time: 10s | |
| - name: "Profile 102 - Test http://acme-srv/directory is accessible" | |
| run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory | |
| - name: "Profile 102 - Enroll acme.sh" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail '[email protected]' -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
| - name: "Profile 102 - Revoke via acme.sh" | |
| run: | | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure | |
| - name: "Profile 102 - Register certbot" | |
| run: | | |
| sudo rm -rf certbot/* | |
| docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv --no-eff-email | |
| - name: "Profile 102 - Enroll HTTP-01 single domain certbot" | |
| run: | | |
| docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem | |
| sudo openssl x509 -in certbot/live/certbot/cert.pem -ext extendedKeyUsage -noout | grep -i "TLS Web Server" | |
| - name: "Profile 102 - Revoke HTTP-01 single domain certbot" | |
| run: | | |
| docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot | |
| - name: "Profile 102 - Enroll lego" | |
| run: | | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Server" | |
| - name: "Profile 102 - Revoke HTTP-01 single domain lego" | |
| run: | | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme revoke | |
| - name: "Header-info - Setup a2c with certifier_ca_handler" | |
| run: | | |
| mkdir -p data/acme_ca | |
| sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem | |
| sudo touch data/acme_srv.cfg | |
| sudo chmod 777 data/acme_srv.cfg | |
| sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg | |
| sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg | |
| sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg | |
| sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg | |
| sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg | |
| sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg | |
| sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg | |
| sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg | |
| env: | |
| NCM_API_HOST: ${{ secrets.NCM_API_HOST }} | |
| NCM_API_USER: ${{ secrets.NCM_API_USER }} | |
| NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }} | |
| NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }} | |
| NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }} | |
| PROFILE: ${{ secrets.PROFILE }} | |
| - name: "Header-info - Reconfigure a2c " | |
| run: | | |
| docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart | |
| - name: "Header-info - Sleep for 5s" | |
| uses: juliangruber/[email protected] | |
| with: | |
| time: 5s | |
| - name: "Header-info - 01 - Enroll acme.sh with profile_id 101" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail '[email protected]' --useragent profile_id=101 -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Client" | |
| - name: "Header-info - 01 - Enroll lego with profile_id 101" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --user-agent profile_id=101 -d lego.acme --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Client" | |
| - name: "Header-info - 02 - Enroll acme.sh with profile_id 102" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail '[email protected]' --useragent profile_id=102 -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server" | |
| - name: "Header-info - 02 - Enroll lego with profile_id 102" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --user-agent profile_id=102 -d lego.acme --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Server" | |
| - name: "EAB without headerinfo - Setup a2c with certifier_ca_handler" | |
| run: | | |
| mkdir -p data/acme_ca | |
| sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem | |
| sudo touch data/acme_srv.cfg | |
| sudo chmod 777 data/acme_srv.cfg | |
| sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg | |
| sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg | |
| sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg | |
| sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg | |
| sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg | |
| sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg | |
| sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg | |
| sudo echo "profile_id: 100" >> data/acme_srv.cfg | |
| sudo echo "eab_profiling: True" >> data/acme_srv.cfg | |
| sudo echo -e "\n\n[EABhandler]" >> data/acme_srv.cfg | |
| sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg | |
| sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg | |
| sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json | |
| sudo chmod 777 data/acme_ca/kid_profiles.json | |
| sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"profile_id\"\: \[\"102\", \"101\"\, \"100\"]/g" data/acme_ca/kid_profiles.json | |
| sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"profile_id\"\: \"102\"/g" data/acme_ca/kid_profiles.json | |
| sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"SubCA2\"/" data/acme_ca/kid_profiles.json | |
| sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json | |
| sudo sed -i "s/example.net/acme/g" data/acme_ca/kid_profiles.json | |
| sudo sed -i '18,19d' data/acme_ca/kid_profiles.json | |
| sudo sed -i '8,9d' data/acme_ca/kid_profiles.json | |
| env: | |
| NCM_API_HOST: ${{ secrets.NCM_API_HOST }} | |
| NCM_API_USER: ${{ secrets.NCM_API_USER }} | |
| NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }} | |
| NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }} | |
| NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }} | |
| PROFILE: ${{ secrets.PROFILE }} | |
| - name: "EAB without headerinfo - Reconfigure a2c " | |
| run: | | |
| docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart | |
| - name: "EAB without headerinfo - Sleep for 10s" | |
| uses: juliangruber/[email protected] | |
| with: | |
| time: 10s | |
| - name: "EAB without headerinfo - Enroll acme.sh without profile_id" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server Authentication" | |
| - name: "EAB without headerinfo - Enroll lego without profile_id" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.acme --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Server Authentication" | |
| - name: "EAB without headerinfo - 02 - Enroll acme with a template_name taken from header_info NOT included in kid.json (to be ignored)" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_id=unknown -d acme-sh.acme --standalone --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server Authentication" | |
| - name: "EAB without headerinfo - 02 - Enroll lego with a template_name taken from header_info NOT included in kid.json (to be ignored)" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_id=unknown -d lego.acme --http run | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_id=101 -d lego.acme --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Server Authentication" | |
| - name: "EAB without headerinfo - 03 - Enroll acme with a template_name/ca_name taken from kid.json" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_01 --eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Server Authentication" | |
| - name: "EAB without headerinfo - 03 - Enroll lego with a template_name/ca_name taken from kid.json" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -d lego.acme --http run | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Server Authentication" | |
| - name: "EAB without headerinfo - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)" | |
| id: acmefail021 | |
| continue-on-error: true | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure | |
| - name: "EAB without headerinfo - 04 - check result " | |
| if: steps.acmefail021.outcome != 'failure' | |
| run: | | |
| echo "acmefail outcome is ${{steps.acmefail021.outcome }}" | |
| exit 1 | |
| - name: "EAB without headerinfo - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)" | |
| id: legofail021 | |
| continue-on-error: true | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.acme --http run | |
| - name: "EAB without headerinfo - 04a - check result " | |
| if: steps.legofail021.outcome != 'failure' | |
| run: | | |
| echo "legofail outcome is ${{steps.legofail021.outcome }}" | |
| exit 1 | |
| - name: "EAB without headerinfo - 05 - Enroll acme with default values from acme.cfg" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "Code Signing" | |
| - name: "EAB without headerinfo - 05 - Enroll lego with default values from acme.cfg" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -d lego.acme --http run | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "Code Signing" | |
| - name: "EAB with headerinfo - Setup a2c with certifier_ca_handler" | |
| run: | | |
| mkdir -p data/acme_ca | |
| sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem | |
| sudo touch data/acme_srv.cfg | |
| sudo chmod 777 data/acme_srv.cfg | |
| sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg | |
| sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> data/acme_srv.cfg | |
| sudo echo "api_host: $NCM_API_HOST" >> data/acme_srv.cfg | |
| sudo echo "api_user: $NCM_API_USER" >> data/acme_srv.cfg | |
| sudo echo "api_password: $NCM_API_PASSWORD" >> data/acme_srv.cfg | |
| sudo echo "ca_name: $NCM_CA_NAME" >> data/acme_srv.cfg | |
| sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> data/acme_srv.cfg | |
| sudo echo "profile_id: 100" >> data/acme_srv.cfg | |
| sudo echo "eab_profiling: True" >> data/acme_srv.cfg | |
| sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg | |
| sudo echo -e "\n\n[EABhandler]" >> data/acme_srv.cfg | |
| sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg | |
| sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg | |
| sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json | |
| sudo chmod 777 data/acme_ca/kid_profiles.json | |
| sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"profile_id\"\: \[\"102\", \"101\"\, \"100\"]/g" data/acme_ca/kid_profiles.json | |
| sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"profile_id\"\: \"102\"/g" data/acme_ca/kid_profiles.json | |
| sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"SubCA2\"/" data/acme_ca/kid_profiles.json | |
| sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json | |
| sudo sed -i "s/example.net/acme/g" data/acme_ca/kid_profiles.json | |
| sudo sed -i '18,19d' data/acme_ca/kid_profiles.json | |
| sudo sed -i '8,9d' data/acme_ca/kid_profiles.json | |
| env: | |
| NCM_API_HOST: ${{ secrets.NCM_API_HOST }} | |
| NCM_API_USER: ${{ secrets.NCM_API_USER }} | |
| NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }} | |
| NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }} | |
| NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }} | |
| PROFILE: ${{ secrets.PROFILE }} | |
| - name: "EAB with headerinfo - Reconfigure a2c " | |
| run: | | |
| docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart | |
| - name: "EAB with headerinfo - Sleep for 10s" | |
| uses: juliangruber/[email protected] | |
| with: | |
| time: 10s | |
| - name: "EAB with headerinfo - 01 - Enroll acme.sh without profile_id" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep -i "TLS Web Server Authentication" | |
| - name: "EAB with headerinfo - 01 - Enroll lego without profile_id" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -d lego.acme --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | grep -i "TLS Web Server Authentication" | |
| - name: "EAB with headerinfo - 02a - Enroll acme with a template_name taken from header_info NOT included in kid.json (to fail)" | |
| id: acmefail01 | |
| continue-on-error: true | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_id=unknown -d acme-sh.acme --standalone --debug 3 --output-insecure | |
| - name: "EAB with headerinfo - 02a - check result " | |
| if: steps.acmefail01.outcome != 'failure' | |
| run: | | |
| echo "acmefail outcome is ${{steps.acmefail01.outcome }}" | |
| exit 1 | |
| - name: "EAB with headerinfo - 02b - Enroll acme with a template_name taken from header_info included in kid.json" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_id=101 -d acme-sh.acme --standalone --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Client Authentication" | |
| - name: "EAB with headerinfo - 02a - Enroll lego with a template_name taken from header_info NOT included in kid.json (to fail)" | |
| id: legofail01 | |
| continue-on-error: true | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_id=unknown -d lego.acme --http run | |
| - name: "EAB with headerinfo - 02a - check result " | |
| if: steps.legofail01.outcome != 'failure' | |
| run: | | |
| echo "legofail outcome is ${{steps.legofail01.outcome }}" | |
| exit 1 | |
| - name: "EAB with headerinfo - 02b - Enroll lego with a template_name taken from header_info included in kid.json" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_id=101 -d lego.acme --http run | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Client Authentication" | |
| - name: "EAB with headerinfo - 03 - Enroll acme with a template_name/ca_name taken from kid.json" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_01 --eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "TLS Web Server Authentication" | |
| - name: "EAB with headerinfo - 03 - Enroll lego with a template_name/ca_name taken from kid.json" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -d lego.acme --http run | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "TLS Web Server Authentication" | |
| - name: "EAB with headerinfo - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)" | |
| id: acmefail02 | |
| continue-on-error: true | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure | |
| - name: "EAB with headerinfo - 04 - check result " | |
| if: steps.acmefail02.outcome != 'failure' | |
| run: | | |
| echo "acmefail outcome is ${{steps.acmefail02.outcome }}" | |
| exit 1 | |
| - name: "EAB with headerinfo - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)" | |
| id: legofail02 | |
| continue-on-error: true | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.acme --http run | |
| - name: "EAB with headerinfo - 04a - check result " | |
| if: steps.legofail02.outcome != 'failure' | |
| run: | | |
| echo "legofail outcome is ${{steps.legofail02.outcome }}" | |
| exit 1 | |
| - name: "EAB with headerinfo - 05 - Enroll acme with default values from acme.cfg" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | |
| openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -ext extendedKeyUsage -noout | grep "Code Signing" | |
| - name: "EAB with headerinfo - 05 - Enroll lego with default values from acme.cfg" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -d lego.acme --http run | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext extendedKeyUsage | grep "Code Signing" | |
| - name: "EAB with headerinfo - 06 - Enroll acme with not allowed headerinfo-field (should fail)" | |
| id: acmefail03 | |
| continue-on-error: true | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_id=101 -d acme-sh.acme --standalone --debug 3 --output-insecure | |
| - name: "EAB with headerinfo - 06 - check result " | |
| if: steps.acmefail03.outcome != 'failure' | |
| run: | | |
| echo "acmefail outcome is ${{steps.acmefail03.outcome }}" | |
| exit 1 | |
| - name: "EAB with headerinfo - 06 - Enroll lego with not allowed headerinfo-field (should fail)" | |
| id: legofail03 | |
| continue-on-error: true | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --user-agent profile_id=101 -d lego.acme --http run | |
| - name: "EAB with headerinfo - 06 - check result " | |
| if: steps.legofail03.outcome != 'failure' | |
| run: | | |
| echo "legofail outcome is ${{steps.legofail03.outcome }}" | |
| exit 1 | |
| - name: "[ * ] collecting test logs" | |
| if: ${{ failure() }} | |
| run: | | |
| mkdir -p ${{ github.workspace }}/artifact/upload | |
| docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier | |
| sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ | |
| sudo rm ${{ github.workspace }}/artifact/data/*.rpm | |
| sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ | |
| docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig | |
| docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf | |
| docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log | |
| sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh | |
| - name: "[ * ] uploading artificates" | |
| uses: actions/upload-artifact@v4 | |
| if: ${{ failure() }} | |
| with: | |
| name: certifier_ca_handler_rpm-rh${{ matrix.rhversion }}.tar.gz | |
| path: ${{ github.workspace }}/artifact/upload/ | |