[wf] updated acme_ca_handler workflow #318
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CA handler Tests - Insta ASA | |
| on: | |
| push: | |
| pull_request: | |
| branches: [ devel ] | |
| schedule: | |
| # * is a special character in YAML so you have to quote this string | |
| - cron: '0 2 * * 6' | |
| jobs: | |
| asa_handler_tests: | |
| name: "asa_handler_tests" | |
| runs-on: ubuntu-latest | |
| strategy: | |
| max-parallel: 1 | |
| fail-fast: false | |
| matrix: | |
| websrv: ['apache2', 'nginx'] | |
| dbhandler: ['wsgi', 'django'] | |
| steps: | |
| - name: "checkout GIT" | |
| uses: actions/checkout@v4 | |
| - name: "create folders" | |
| run: | | |
| mkdir lego | |
| mkdir acme-sh | |
| mkdir certbot | |
| - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})" | |
| working-directory: examples/Docker/ | |
| run: | | |
| sudo mkdir -p data | |
| sed -i "s/wsgi/$DB_HANDLER/g" .env | |
| sed -i "s/apache2/$WEB_SRV/g" .env | |
| cat .env | |
| docker network create acme | |
| docker-compose up -d | |
| docker-compose logs | |
| env: | |
| WEB_SRV: ${{ matrix.websrv }} | |
| DB_HANDLER: ${{ matrix.dbhandler }} | |
| - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Setup a2c with asa_ca_handler with profile ${{ secrets.ASA_PROFILE1 }}" | |
| run: | | |
| sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem | |
| sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem | |
| sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem | |
| sudo cp .github/django_settings.py examples/Docker/data/settings.py | |
| sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg | |
| sudo chmod 777 examples/Docker/data/acme_srv.cfg | |
| sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem | |
| sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg | |
| sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_host: $ASA_API_HOST" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_user: $ASA_API_USER" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_password: $ASA_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_key: $ASA_API_KEY" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "ca_name: $ASA_CA_NAME" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "profile_name: $ASA_PROFILE1" >> examples/Docker/data/acme_srv.cfg | |
| sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" examples/Docker/data/acme_srv.cfg | |
| cd examples/Docker/ | |
| docker-compose restart | |
| docker-compose logs | |
| env: | |
| ASA_API_HOST: ${{ secrets.ASA_API_HOST }} | |
| ASA_API_USER: ${{ secrets.ASA_API_USER }} | |
| ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }} | |
| ASA_API_KEY: ${{ secrets.ASA_API_KEY }} | |
| ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }} | |
| ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }} | |
| ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }} | |
| - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Sleep for 10s" | |
| uses: juliangruber/sleep-action@v2.0.3 | |
| with: | |
| time: 10s | |
| - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Test http://acme-srv/directory is accessable" | |
| run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory | |
| - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Test if https://acme-srv/directory is accessable" | |
| run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory | |
| - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Enroll acme.sh" | |
| run: | | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --keylength 2048 --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature" | |
| # openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout | |
| - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Revoke via acme.sh" | |
| run: | | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure | |
| - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Register certbot" | |
| run: | | |
| docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email | |
| - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Enroll HTTP-01 single domain certbot" | |
| run: | | |
| docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot --key-type rsa --rsa-key-size 2048 | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem | |
| sudo openssl x509 -in certbot/live/certbot/cert.pem -ext keyUsage -noout | grep "Digital Signature" | |
| # sudo openssl x509 -in certbot/live/certbot/cert.pem -text -noout | |
| - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Revoke HTTP-01 single domain certbot" | |
| run: | | |
| docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot | |
| - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Enroll lego" | |
| run: | | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --key-type rsa2048 --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Digital Signature" | |
| # sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| - name: "Profile ${{ secrets.ASA_PROFILE1 }} - revoke HTTP-01 single domain lego" | |
| run: | | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke | |
| - name: "Profile ${{ secrets.ASA_PROFILE2 }} - Reconfiguration of a2c with a new profile" | |
| run: | | |
| sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem | |
| sudo touch examples/Docker/data/acme_srv.cfg | |
| sudo chmod 777 examples/Docker/data/acme_srv.cfg | |
| sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg | |
| sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_host: $ASA_API_HOST" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_user: $ASA_API_USER" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_password: $ASA_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_key: $ASA_API_KEY" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "ca_name: $ASA_CA_NAME" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "profile_name: $ASA_PROFILE2" >> examples/Docker/data/acme_srv.cfg | |
| sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" examples/Docker/data/acme_srv.cfg | |
| cd examples/Docker/ | |
| docker-compose restart | |
| docker-compose logs | |
| env: | |
| ASA_API_HOST: ${{ secrets.ASA_API_HOST }} | |
| ASA_API_USER: ${{ secrets.ASA_API_USER }} | |
| ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }} | |
| ASA_API_KEY: ${{ secrets.ASA_API_KEY }} | |
| ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }} | |
| ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }} | |
| ASA_PROFILE2: ${{ secrets.ASA_PROFILE2 }} | |
| - name: "Profile ${{ secrets.ASA_PROFILE2 }} - create letsencrypt and lego folder" | |
| run: | | |
| sudo rm -rf certbot/* | |
| sudo rm -rf lego/* | |
| sudo rm -rf acme-sh/* | |
| - name: "Profile ${{ secrets.ASA_PROFILE2 }} - Enroll acme.sh" | |
| run: | | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --keylength 2048 --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment" | |
| # openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout | |
| - name: "Profile ${{ secrets.ASA_PROFILE2 }} - Revoke via acme.sh" | |
| run: | | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure | |
| - name: "Profile ${{ secrets.ASA_PROFILE2 }} - Register certbot" | |
| run: | | |
| docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email | |
| - name: "Profile ${{ secrets.ASA_PROFILE2 }} - Enroll HTTP-01 single domain certbot" | |
| run: | | |
| docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot --force-renewal --key-type rsa --rsa-key-size 2048 | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem | |
| sudo openssl x509 -in certbot/live/certbot/cert.pem -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment" | |
| - name: "Profile ${{ secrets.ASA_PROFILE2 }} - Revoke HTTP-01 single domain certbot" | |
| run: | | |
| docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot | |
| - name: "Profile ${{ secrets.ASA_PROFILE2 }} - Enroll lego" | |
| run: | | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --key-type rsa2048 --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment" | |
| # sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| - name: "Profile ${{ secrets.ASA_PROFILE2 }} - Revoke HTTP-01 single domain lego" | |
| run: | | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke | |
| - name: "Header-info - Setup asa_ca_handler with header-info" | |
| run: | | |
| sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem | |
| sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem | |
| sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem | |
| sudo cp .github/django_settings.py examples/Docker/data/settings.py | |
| sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg | |
| sudo chmod 777 examples/Docker/data/acme_srv.cfg | |
| sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem | |
| sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg | |
| sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_host: $ASA_API_HOST" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_user: $ASA_API_USER" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_password: $ASA_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_key: $ASA_API_KEY" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "ca_name: $ASA_CA_NAME" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "profile_name: $ASA_PROFILE1" >> examples/Docker/data/acme_srv.cfg | |
| sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" examples/Docker/data/acme_srv.cfg | |
| sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg | |
| cd examples/Docker/ | |
| docker-compose restart | |
| docker-compose logs | |
| env: | |
| ASA_API_HOST: ${{ secrets.ASA_API_HOST }} | |
| ASA_API_USER: ${{ secrets.ASA_API_USER }} | |
| ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }} | |
| ASA_API_KEY: ${{ secrets.ASA_API_KEY }} | |
| ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }} | |
| ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }} | |
| ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }} | |
| - name: "Sleep for 10s" | |
| uses: juliangruber/sleep-action@v2.0.3 | |
| with: | |
| time: 10s | |
| - name: "Header-info - Test http://acme-srv/directory is accessable" | |
| run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory | |
| - name: "Header-info - Test if https://acme-srv/directory is accessable" | |
| run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory | |
| - name: "Header-info - 01 - Enroll acme.sh with profile_name ${{ secrets.ASA_PROFILE1 }}" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --useragent profile_name=${{ secrets.ASA_PROFILE1 }} -d acme-sh.acme --alpn --standalone --keylength 2048 --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -texte -noout | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature" | |
| - name: "Header-info - 01 - Enroll lego with profile_id ${{ secrets.ASA_PROFILE1 }}" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent profile_name=${{ secrets.ASA_PROFILE1 }} -d lego.acme --key-type rsa2048 --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Digital Signature" | |
| - name: "Header-info - 02 - Enroll acme.sh with profile_name ${{ secrets.ASA_PROFILE2 }}" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --useragent profile_name=${{ secrets.ASA_PROFILE2 }} -d acme-sh.acme --alpn --standalone --keylength 2048 --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -texte -noout | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment" | |
| - name: "Header-info - 02 - Enroll lego with profile_id ${{ secrets.ASA_PROFILE2 }}" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent profile_name=${{ secrets.ASA_PROFILE2 }} -d lego.acme --key-type rsa2048 --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| # sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment" | |
| - name: "EAB without headerinfo - Setup asa_ca_handler" | |
| run: | | |
| sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem | |
| sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem | |
| sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem | |
| sudo cp .github/django_settings.py examples/Docker/data/settings.py | |
| sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg | |
| sudo chmod 777 examples/Docker/data/acme_srv.cfg | |
| sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem | |
| sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg | |
| sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_host: $ASA_API_HOST" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_user: $ASA_API_USER" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_password: $ASA_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_key: $ASA_API_KEY" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "ca_name: $ASA_CA_NAME" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "profile_name: $ASA_PROFILE1" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg | |
| sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" examples/Docker/data/acme_srv.cfg | |
| sudo echo -e "\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg | |
| sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json | |
| sudo chmod 777 examples/eab_handler/kid_profiles.json | |
| sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"profile_name\"\: \[\"$ASA_PROFILE2\", \"$ASA_PROFILE1\"\]/g" examples/Docker/data/kid_profiles.json | |
| sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"profile_name\"\: \"$ASA_PROFILE3\"/g" examples/Docker/data/kid_profiles.json | |
| sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"$ASA_CA_NAME2\"/" examples/Docker/data/kid_profiles.json | |
| sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json | |
| sudo sed -i "s/example.net/acme/g" examples/Docker/data/kid_profiles.json | |
| sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json | |
| sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json | |
| cd examples/Docker/ | |
| docker-compose restart | |
| docker-compose logs | |
| env: | |
| ASA_API_HOST: ${{ secrets.ASA_API_HOST }} | |
| ASA_API_USER: ${{ secrets.ASA_API_USER }} | |
| ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }} | |
| ASA_API_KEY: ${{ secrets.ASA_API_KEY }} | |
| ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }} | |
| ASA_CA_NAME2: ${{ secrets.ASA_CA_NAME2 }} | |
| ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }} | |
| ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }} | |
| ASA_PROFILE2: ${{ secrets.ASA_PROFILE2 }} | |
| ASA_PROFILE3: ${{ secrets.ASA_PROFILE3 }} | |
| - name: "EAB without headerinfo - Sleep for 10s" | |
| uses: juliangruber/sleep-action@v2.0.3 | |
| with: | |
| time: 10s | |
| - name: "EAB without headerinfo - Test http://acme-srv/directory is accessable" | |
| run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory | |
| - name: "EAB without headerinfo - Test if https://acme-srv/directory is accessable" | |
| run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory | |
| - name: "EAB without headerinfo - 01 - Enroll acme.sh without profile_name" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment" | |
| - name: "EAB without headerinfo - 01 - Enroll lego without profile_name" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -k rsa2048 -d lego.acme --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment" | |
| - name: "EAB without headerinfo - 02 - Enroll acme with a profile_name taken from header_info NOT included in kid.json (to be ignored)" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_name=unknown -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment" | |
| - name: "EAB without headerinfo - 02 - Enroll lego with a profile_name taken from header_info NOT included in kid.json (to be ignored)" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_name=unknown -k rsa2048 -d lego.acme --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment" | |
| - name: "EAB without headerinfo - 03 - Enroll acme with a profile_name/ca_name taken from kid.json" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_01 --eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME2 }}" | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Digital Signature" | |
| - name: "EAB without headerinfo - 03 - Enroll lego with a profile_name/ca_name taken from kid.json" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -k rsa2048 -d lego.acme --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME2 }}" | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep -i "Digital Signature" | |
| - name: "EAB with headerinfo - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)" | |
| id: acmefail02 | |
| continue-on-error: true | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure | |
| - name: "EAB with headerinfo - 04 - check result " | |
| if: steps.acmefail02.outcome != 'failure' | |
| run: | | |
| echo "acmefail outcome is ${{steps.acmefail02.outcome }}" | |
| exit 1 | |
| - name: "EAB with headerinfo - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)" | |
| id: legofail02 | |
| continue-on-error: true | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -k rsa2048 -d lego.acme --http run | |
| - name: "EAB with headerinfo - 04a - check result " | |
| if: steps.legofail02.outcome != 'failure' | |
| run: | | |
| echo "legofail outcome is ${{steps.legofail02.outcome }}" | |
| exit 1 | |
| - name: "EAB with headerinfo - 05 - Enroll acme with default values from acme.cfg" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature" | |
| - name: "EAB with headerinfo - 05 - Enroll lego with default values from acme.cfg" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -k rsa2048 -d lego.acme --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature" | |
| - name: "EAB with headerinfo - Setup asa_ca_handler" | |
| run: | | |
| sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem | |
| sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem | |
| sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem | |
| sudo cp .github/django_settings.py examples/Docker/data/settings.py | |
| sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg | |
| sudo chmod 777 examples/Docker/data/acme_srv.cfg | |
| sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem | |
| sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg | |
| sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_host: $ASA_API_HOST" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_user: $ASA_API_USER" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_password: $ASA_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_key: $ASA_API_KEY" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "ca_name: $ASA_CA_NAME" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "profile_name: $ASA_PROFILE1" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg | |
| sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" examples/Docker/data/acme_srv.cfg | |
| sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg | |
| sudo echo -e "\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg | |
| sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json | |
| sudo chmod 777 examples/eab_handler/kid_profiles.json | |
| sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"profile_name\"\: \[\"$ASA_PROFILE2\", \"$ASA_PROFILE1\"\]/g" examples/Docker/data/kid_profiles.json | |
| sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"profile_name\"\: \"$ASA_PROFILE3\"/g" examples/Docker/data/kid_profiles.json | |
| sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"$ASA_CA_NAME2\"/" examples/Docker/data/kid_profiles.json | |
| sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json | |
| sudo sed -i "s/example.net/acme/g" examples/Docker/data/kid_profiles.json | |
| sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json | |
| sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json | |
| cd examples/Docker/ | |
| docker-compose restart | |
| docker-compose logs | |
| env: | |
| ASA_API_HOST: ${{ secrets.ASA_API_HOST }} | |
| ASA_API_USER: ${{ secrets.ASA_API_USER }} | |
| ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }} | |
| ASA_API_KEY: ${{ secrets.ASA_API_KEY }} | |
| ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }} | |
| ASA_CA_NAME2: ${{ secrets.ASA_CA_NAME2 }} | |
| ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }} | |
| ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }} | |
| ASA_PROFILE2: ${{ secrets.ASA_PROFILE2 }} | |
| ASA_PROFILE3: ${{ secrets.ASA_PROFILE3 }} | |
| - name: "EAB with headerinfo - Sleep for 10s" | |
| uses: juliangruber/sleep-action@v2.0.3 | |
| with: | |
| time: 10s | |
| - name: "EAB with headerinfo - Test http://acme-srv/directory is accessable" | |
| run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory | |
| - name: "EAB with headerinfo - Test if https://acme-srv/directory is accessable" | |
| run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory | |
| - name: "EAB with headerinfo - 01 - Enroll acme.sh without profile_name" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment" | |
| - name: "EAB with headerinfo - 01 - Enroll lego without profile_name" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -k rsa2048 -d lego.acme --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment" | |
| - name: "EAB with headerinfo - 02a - Enroll acme with a profile_name taken from header_info NOT included in kid.json (to fail)" | |
| id: acmefail01 | |
| continue-on-error: true | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_name=unknown -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure | |
| - name: "EAB with headerinfo - 02a - check result " | |
| if: steps.acmefail01.outcome != 'failure' | |
| run: | | |
| echo "acmefail outcome is ${{steps.acmefail01.outcome }}" | |
| exit 1 | |
| - name: "EAB with headerinfo - 02b - Enroll acme with a profile_name taken from header_info included in kid.json" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_name=ACME -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature" | |
| - name: "EAB with headerinfo - 02a - Enroll lego with a profile_name taken from header_info NOT included in kid.json (to fail)" | |
| id: legofail01 | |
| continue-on-error: true | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_name=unknown -k rsa2048 -d lego.acme --http run | |
| - name: "EAB with headerinfo - 02a - check result " | |
| if: steps.legofail01.outcome != 'failure' | |
| run: | | |
| echo "legofail outcome is ${{steps.legofail01.outcome }}" | |
| exit 1 | |
| - name: "EAB with headerinfo - 02b - Enroll lego with a profile_name taken from header_info included in kid.json" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_name=ACME -k rsa2048 -d lego.acme --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Digital Signature" | |
| - name: "EAB with headerinfo - 03 - Enroll acme with a profile_name/ca_name taken from kid.json" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_01 --eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME2 }}" | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Digital Signature" | |
| - name: "EAB with headerinfo - 03 - Enroll lego with a profile_name/ca_name taken from kid.json" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -k rsa2048 -d lego.acme --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME2 }}" | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep -i "Digital Signature" | |
| - name: "EAB with headerinfo - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)" | |
| id: acmefail021 | |
| continue-on-error: true | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure | |
| - name: "EAB with headerinfo - 04 - check result " | |
| if: steps.acmefail021.outcome != 'failure' | |
| run: | | |
| echo "acmefail outcome is ${{steps.acmefail021.outcome }}" | |
| exit 1 | |
| - name: "EAB with headerinfo - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)" | |
| id: legofail021 | |
| continue-on-error: true | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -k rsa2048 -d lego.acme --http run | |
| - name: "EAB with headerinfo - 04a - check result " | |
| if: steps.legofail021.outcome != 'failure' | |
| run: | | |
| echo "legofail outcome is ${{steps.legofail021.outcome }}" | |
| exit 1 | |
| - name: "EAB with headerinfo - 05 - Enroll acme with default values from acme.cfg" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature" | |
| - name: "EAB with headerinfo - 05 - Enroll lego with default values from acme.cfg" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -k rsa2048 -d lego.acme --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature" | |
| - name: "EAB with headerinfo - 06 - Enroll acme with not allowed headerinfo-field (should fail)" | |
| id: acmefail03 | |
| continue-on-error: true | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_id=101 -d acme-sh.acme --keylength 2048 --standalone --debug 3 --output-insecure | |
| - name: "EAB with headerinfo - 06 - check result " | |
| if: steps.acmefail03.outcome != 'failure' | |
| run: | | |
| echo "acmefail outcome is ${{steps.acmefail03.outcome }}" | |
| exit 1 | |
| - name: "EAB with headerinfo - 06 - Enroll lego with not allowed headerinfo-field (should fail)" | |
| id: legofail03 | |
| continue-on-error: true | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --user-agent profile_id=101 -k rsa2048 -d lego.acme --http run | |
| - name: "EAB with headerinfo - 06 - check result " | |
| if: steps.legofail03.outcome != 'failure' | |
| run: | | |
| echo "legofail outcome is ${{steps.legofail03.outcome }}" | |
| exit 1 | |
| - name: "[ * ] collecting test logs" | |
| if: ${{ failure() }} | |
| run: | | |
| mkdir -p ${{ github.workspace }}/artifact/upload | |
| sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ | |
| sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ | |
| sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ | |
| sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ | |
| cd examples/Docker | |
| docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log | |
| sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego | |
| - name: "[ * ] uploading artificates" | |
| uses: actions/upload-artifact@v4 | |
| if: ${{ failure() }} | |
| with: | |
| name: asa-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz | |
| path: ${{ github.workspace }}/artifact/upload/ | |
| asa_handler_tests_rpm: | |
| name: "asa_handler_tests_rpm" | |
| runs-on: ubuntu-latest | |
| strategy: | |
| max-parallel: 1 | |
| fail-fast: false | |
| matrix: | |
| rhversion: [8, 9] | |
| steps: | |
| - name: "checkout GIT" | |
| uses: actions/checkout@v4 | |
| - name: Retrieve Version from version.py | |
| run: | | |
| echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV | |
| - run: echo "Latest tag is ${{ env.TAG_NAME }}" | |
| - name: update version number in spec file | |
| run: | | |
| # sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec | |
| sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec | |
| cat examples/install_scripts/rpm/acme2certifier.spec | |
| - name: build RPM package | |
| id: rpm | |
| uses: grindsa/rpmbuild@alma9 | |
| with: | |
| spec_file: "examples/install_scripts/rpm/acme2certifier.spec" | |
| - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" | |
| - name: "[ PREPARE ] setup environment for alma installation" | |
| run: | | |
| docker network create acme | |
| sudo mkdir -p data | |
| sudo chmod -R 777 data | |
| sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data | |
| sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data | |
| - name: "[ PREPARE ] create letsencrypt and lego folder" | |
| run: | | |
| mkdir certbot | |
| mkdir lego | |
| mkdir acme-sh | |
| - name: "Retrieve rpms from SBOM repo" | |
| run: | | |
| git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom | |
| cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data | |
| env: | |
| GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} | |
| GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} | |
| - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Setup a2c with asa_ca_handler with profile ${{ secrets.ASA_PROFILE1 }}" | |
| run: | | |
| mkdir -p data/acme_ca | |
| sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem | |
| sudo touch data/acme_srv.cfg | |
| sudo chmod 777 data/acme_srv.cfg | |
| sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg | |
| sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> data/acme_srv.cfg | |
| sudo echo "api_host: $ASA_API_HOST" >> data/acme_srv.cfg | |
| sudo echo "api_user: $ASA_API_USER" >> data/acme_srv.cfg | |
| sudo echo "api_password: $ASA_API_PASSWORD" >> data/acme_srv.cfg | |
| sudo echo "api_key: $ASA_API_KEY" >> data/acme_srv.cfg | |
| sudo echo "ca_name: $ASA_CA_NAME" >> data/acme_srv.cfg | |
| sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> data/acme_srv.cfg | |
| sudo echo "profile_name: $ASA_PROFILE1" >> data/acme_srv.cfg | |
| sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" data/acme_srv.cfg | |
| env: | |
| ASA_API_HOST: ${{ secrets.ASA_API_HOST }} | |
| ASA_API_USER: ${{ secrets.ASA_API_USER }} | |
| ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }} | |
| ASA_API_KEY: ${{ secrets.ASA_API_KEY }} | |
| ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }} | |
| ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }} | |
| ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }} | |
| - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Almalinux instance" | |
| run: | | |
| sudo cp examples/Docker/almalinux-systemd/Dockerfile data | |
| sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile | |
| cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache | |
| docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd | |
| - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Execute install scipt" | |
| run: | | |
| docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh | |
| - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Test http://acme-srv/directory is accessible" | |
| run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory | |
| - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Enroll acme.sh" | |
| run: | | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --keylength 2048 --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature" | |
| # openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout | |
| - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Revoke via acme.sh" | |
| run: | | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure | |
| - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Register certbot" | |
| run: | | |
| docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email | |
| - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Enroll HTTP-01 single domain certbot" | |
| run: | | |
| docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot --key-type rsa --rsa-key-size 2048 | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem | |
| sudo openssl x509 -in certbot/live/certbot/cert.pem -ext keyUsage -noout | grep "Digital Signature" | |
| # sudo openssl x509 -in certbot/live/certbot/cert.pem -text -noout | |
| - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Revoke HTTP-01 single domain certbot" | |
| run: | | |
| docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot | |
| - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Enroll lego" | |
| run: | | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --key-type rsa2048 --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Digital Signature" | |
| # sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| - name: "Profile ${{ secrets.ASA_PROFILE1 }} - Revoke HTTP-01 single domain lego" | |
| run: | | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke | |
| - name: "Profile ${{ secrets.ASA_PROFILE2 }} - Setup a2c with asa_ca_handler with profile ${{ secrets.ASA_PROFILE1 }}" | |
| run: | | |
| sudo touch data/acme_srv.cfg | |
| sudo chmod 777 data/acme_srv.cfg | |
| sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg | |
| sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> data/acme_srv.cfg | |
| sudo echo "api_host: $ASA_API_HOST" >> data/acme_srv.cfg | |
| sudo echo "api_user: $ASA_API_USER" >> data/acme_srv.cfg | |
| sudo echo "api_password: $ASA_API_PASSWORD" >> data/acme_srv.cfg | |
| sudo echo "api_key: $ASA_API_KEY" >> data/acme_srv.cfg | |
| sudo echo "ca_name: $ASA_CA_NAME" >> data/acme_srv.cfg | |
| sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> data/acme_srv.cfg | |
| sudo echo "profile_name: $ASA_PROFILE2" >> data/acme_srv.cfg | |
| sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" data/acme_srv.cfg | |
| env: | |
| ASA_API_HOST: ${{ secrets.ASA_API_HOST }} | |
| ASA_API_USER: ${{ secrets.ASA_API_USER }} | |
| ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }} | |
| ASA_API_KEY: ${{ secrets.ASA_API_KEY }} | |
| ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }} | |
| ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }} | |
| ASA_PROFILE2: ${{ secrets.ASA_PROFILE2 }} | |
| - name: "Profile ${{ secrets.ASA_PROFILE2 }} - reconfigure a2c " | |
| run: | | |
| docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart | |
| - name: "Profile ${{ secrets.ASA_PROFILE2 }} - create letsencrypt and lego folder" | |
| run: | | |
| sudo rm -rf certbot/* | |
| sudo rm -rf lego/* | |
| sudo rm -rf acme-sh/* | |
| - name: "Profile ${{ secrets.ASA_PROFILE2 }} - acme.sh" | |
| run: | | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' -d acme-sh.acme --alpn --standalone --keylength 2048 --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment" | |
| # openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout | |
| - name: "Profile ${{ secrets.ASA_PROFILE2 }} - revoke via acme.sh" | |
| run: | | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure | |
| - name: "Profile ${{ secrets.ASA_PROFILE2 }} - register certbot" | |
| run: | | |
| docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email | |
| - name: "Profile ${{ secrets.ASA_PROFILE2 }} - Enroll HTTP-01 single domain certbot" | |
| run: | | |
| docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot --force-renewal --key-type rsa --rsa-key-size 2048 | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem | |
| sudo openssl x509 -in certbot/live/certbot/cert.pem -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment" | |
| # sudo openssl x509 -in certbot/live/certbot/cert.pem -text -noout | |
| - name: "Profile ${{ secrets.ASA_PROFILE2 }} - Revoke HTTP-01 single domain certbot" | |
| run: | | |
| docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot | |
| - name: "Profile ${{ secrets.ASA_PROFILE2 }} - Enroll lego" | |
| run: | | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --key-type rsa2048 --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment" | |
| # sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| - name: "Profile ${{ secrets.ASA_PROFILE2 }} - revoke HTTP-01 single domain lego" | |
| run: | | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke | |
| - name: "Header-info - Setup asa_ca_handler with header-info" | |
| run: | | |
| sudo touch data/acme_srv.cfg | |
| sudo chmod 777 data/acme_srv.cfg | |
| sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg | |
| sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> data/acme_srv.cfg | |
| sudo echo "api_host: $ASA_API_HOST" >> data/acme_srv.cfg | |
| sudo echo "api_user: $ASA_API_USER" >> data/acme_srv.cfg | |
| sudo echo "api_password: $ASA_API_PASSWORD" >> data/acme_srv.cfg | |
| sudo echo "api_key: $ASA_API_KEY" >> data/acme_srv.cfg | |
| sudo echo "ca_name: $ASA_CA_NAME" >> data/acme_srv.cfg | |
| sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> data/acme_srv.cfg | |
| sudo echo "profile_name: $ASA_PROFILE1" >> data/acme_srv.cfg | |
| sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" data/acme_srv.cfg | |
| sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg | |
| env: | |
| ASA_API_HOST: ${{ secrets.ASA_API_HOST }} | |
| ASA_API_USER: ${{ secrets.ASA_API_USER }} | |
| ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }} | |
| ASA_API_KEY: ${{ secrets.ASA_API_KEY }} | |
| ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }} | |
| ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }} | |
| ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }} | |
| - name: "Profile ${{ secrets.ASA_PROFILE2 }} - reconfigure a2c " | |
| run: | | |
| docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart | |
| - name: "Header-info - 01 - Enroll acme.sh with profile_name ${{ secrets.ASA_PROFILE1 }}" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --useragent profile_name=${{ secrets.ASA_PROFILE1 }} -d acme-sh.acme --alpn --standalone --keylength 2048 --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -texte -noout | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature" | |
| - name: "Header-info - 01 - Enroll lego with profile_id ${{ secrets.ASA_PROFILE1 }}" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent profile_name=${{ secrets.ASA_PROFILE1 }} -d lego.acme --key-type rsa2048 --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Digital Signature" | |
| - name: "Header-info - 02 - Enroll acme.sh with profile_name ${{ secrets.ASA_PROFILE2 }}" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail 'acme-sh@example.com' --useragent profile_name=${{ secrets.ASA_PROFILE2 }} -d acme-sh.acme --alpn --standalone --keylength 2048 --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -texte -noout | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment" | |
| - name: "Header-info - 02 - Enroll lego with profile_id ${{ secrets.ASA_PROFILE2 }}" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent profile_name=${{ secrets.ASA_PROFILE2 }} -d lego.acme --key-type rsa2048 --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| # sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment" | |
| - name: "EAB without headerinfo - Setup asa_ca_handler" | |
| run: | | |
| sudo touch data/acme_srv.cfg | |
| sudo chmod 777 data/acme_srv.cfg | |
| sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg | |
| sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> data/acme_srv.cfg | |
| sudo echo "api_host: $ASA_API_HOST" >> data/acme_srv.cfg | |
| sudo echo "api_user: $ASA_API_USER" >> data/acme_srv.cfg | |
| sudo echo "api_password: $ASA_API_PASSWORD" >> data/acme_srv.cfg | |
| sudo echo "api_key: $ASA_API_KEY" >> data/acme_srv.cfg | |
| sudo echo "ca_name: $ASA_CA_NAME" >> data/acme_srv.cfg | |
| sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> data/acme_srv.cfg | |
| sudo echo "profile_name: $ASA_PROFILE1" >> data/acme_srv.cfg | |
| sudo echo "eab_profiling: True" >> data/acme_srv.cfg | |
| sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" data/acme_srv.cfg | |
| sudo echo -e "\n\n[EABhandler]" >> data/acme_srv.cfg | |
| sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg | |
| sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg | |
| sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json | |
| sudo chmod 777 data/acme_ca/kid_profiles.json | |
| sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"profile_name\"\: \[\"$ASA_PROFILE2\", \"$ASA_PROFILE1\"\]/g" data/acme_ca/kid_profiles.json | |
| sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"profile_name\"\: \"$ASA_PROFILE3\"/g" data/acme_ca/kid_profiles.json | |
| sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"$ASA_CA_NAME2\"/" data/acme_ca/kid_profiles.json | |
| sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json | |
| sudo sed -i "s/example.net/acme/g" data/acme_ca/kid_profiles.json | |
| sudo sed -i '18,19d' data/acme_ca/kid_profiles.json | |
| sudo sed -i '8,9d' data/acme_ca/kid_profiles.json | |
| env: | |
| ASA_API_HOST: ${{ secrets.ASA_API_HOST }} | |
| ASA_API_USER: ${{ secrets.ASA_API_USER }} | |
| ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }} | |
| ASA_API_KEY: ${{ secrets.ASA_API_KEY }} | |
| ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }} | |
| ASA_CA_NAME2: ${{ secrets.ASA_CA_NAME2 }} | |
| ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }} | |
| ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }} | |
| ASA_PROFILE2: ${{ secrets.ASA_PROFILE2 }} | |
| ASA_PROFILE3: ${{ secrets.ASA_PROFILE3 }} | |
| - name: "EAB without headerinfo - Reconfigure a2c " | |
| run: | | |
| docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart | |
| - name: "EAB without headerinfo - Sleep for 10s" | |
| uses: juliangruber/sleep-action@v2.0.3 | |
| with: | |
| time: 10s | |
| - name: "EAB without headerinfo - 01 - Enroll acme.sh without profile_name" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment" | |
| - name: "EAB without headerinfo - 01 - Enroll lego without profile_name" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -k rsa2048 -d lego.acme --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment" | |
| - name: "EAB without headerinfo - 02 - Enroll acme with a profile_name taken from header_info NOT included in kid.json (to be ignored)" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_name=unknown -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment" | |
| - name: "EAB without headerinfo - 02 - Enroll lego with a profile_name taken from header_info NOT included in kid.json (to be ignored)" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_name=unknown -k rsa2048 -d lego.acme --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment" | |
| - name: "EAB without headerinfo - 03 - Enroll acme with a profile_name/ca_name taken from kid.json" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_01 --eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME2 }}" | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Digital Signature" | |
| - name: "EAB without headerinfo - 03 - Enroll lego with a profile_name/ca_name taken from kid.json" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -k rsa2048 -d lego.acme --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME2 }}" | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep -i "Digital Signature" | |
| - name: "EAB with headerinfo - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)" | |
| id: acmefail02 | |
| continue-on-error: true | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure | |
| - name: "EAB with headerinfo - 04 - check result " | |
| if: steps.acmefail02.outcome != 'failure' | |
| run: | | |
| echo "acmefail outcome is ${{steps.acmefail02.outcome }}" | |
| exit 1 | |
| - name: "EAB with headerinfo - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)" | |
| id: legofail02 | |
| continue-on-error: true | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -k rsa2048 -d lego.acme --http run | |
| - name: "EAB with headerinfo - 04a - check result " | |
| if: steps.legofail02.outcome != 'failure' | |
| run: | | |
| echo "legofail outcome is ${{steps.legofail02.outcome }}" | |
| exit 1 | |
| - name: "EAB with headerinfo - 05 - Enroll acme with default values from acme.cfg" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature" | |
| - name: "EAB with headerinfo - 05 - Enroll lego with default values from acme.cfg" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -k rsa2048 -d lego.acme --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature" | |
| - name: "EAB with headerinfo - Setup asa_ca_handler" | |
| run: | | |
| sudo touch data/acme_srv.cfg | |
| sudo chmod 777 data/acme_srv.cfg | |
| sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg | |
| sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> data/acme_srv.cfg | |
| sudo echo "api_host: $ASA_API_HOST" >> data/acme_srv.cfg | |
| sudo echo "api_user: $ASA_API_USER" >> data/acme_srv.cfg | |
| sudo echo "api_password: $ASA_API_PASSWORD" >> data/acme_srv.cfg | |
| sudo echo "api_key: $ASA_API_KEY" >> data/acme_srv.cfg | |
| sudo echo "ca_name: $ASA_CA_NAME" >> data/acme_srv.cfg | |
| sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> data/acme_srv.cfg | |
| sudo echo "profile_name: $ASA_PROFILE1" >> data/acme_srv.cfg | |
| sudo echo "eab_profiling: True" >> data/acme_srv.cfg | |
| sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" data/acme_srv.cfg | |
| sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg | |
| sudo echo -e "\n\n[EABhandler]" >> data/acme_srv.cfg | |
| sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg | |
| sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg | |
| sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json | |
| sudo chmod 777 data/acme_ca/kid_profiles.json | |
| sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"profile_name\"\: \[\"$ASA_PROFILE2\", \"$ASA_PROFILE1\"\]/g" data/acme_ca/kid_profiles.json | |
| sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"profile_name\"\: \"$ASA_PROFILE3\"/g" data/acme_ca/kid_profiles.json | |
| sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"$ASA_CA_NAME2\"/" data/acme_ca/kid_profiles.json | |
| sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json | |
| sudo sed -i "s/example.net/acme/g" data/acme_ca/kid_profiles.json | |
| sudo sed -i '18,19d' data/acme_ca/kid_profiles.json | |
| sudo sed -i '8,9d' data/acme_ca/kid_profiles.json | |
| env: | |
| ASA_API_HOST: ${{ secrets.ASA_API_HOST }} | |
| ASA_API_USER: ${{ secrets.ASA_API_USER }} | |
| ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }} | |
| ASA_API_KEY: ${{ secrets.ASA_API_KEY }} | |
| ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }} | |
| ASA_CA_NAME2: ${{ secrets.ASA_CA_NAME2 }} | |
| ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }} | |
| ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }} | |
| ASA_PROFILE2: ${{ secrets.ASA_PROFILE2 }} | |
| ASA_PROFILE3: ${{ secrets.ASA_PROFILE3 }} | |
| - name: "EAB without headerinfo - Reconfigure a2c " | |
| run: | | |
| docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart | |
| - name: "EAB without headerinfo - Sleep for 10s" | |
| uses: juliangruber/sleep-action@v2.0.3 | |
| with: | |
| time: 10s | |
| - name: "EAB with headerinfo - 01 - Enroll acme.sh without profile_name" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment" | |
| - name: "EAB with headerinfo - 01 - Enroll lego without profile_name" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -k rsa2048 -d lego.acme --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment" | |
| - name: "EAB with headerinfo - 02a - Enroll acme with a profile_name taken from header_info NOT included in kid.json (to fail)" | |
| id: acmefail01 | |
| continue-on-error: true | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_name=unknown -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure | |
| - name: "EAB with headerinfo - 02a - check result " | |
| if: steps.acmefail01.outcome != 'failure' | |
| run: | | |
| echo "acmefail outcome is ${{steps.acmefail01.outcome }}" | |
| exit 1 | |
| - name: "EAB with headerinfo - 02b - Enroll acme with a profile_name taken from header_info included in kid.json" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_name=ACME -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature" | |
| - name: "EAB with headerinfo - 02a - Enroll lego with a profile_name taken from header_info NOT included in kid.json (to fail)" | |
| id: legofail01 | |
| continue-on-error: true | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_name=unknown -k rsa2048 -d lego.acme --http run | |
| - name: "EAB with headerinfo - 02a - check result " | |
| if: steps.legofail01.outcome != 'failure' | |
| run: | | |
| echo "legofail outcome is ${{steps.legofail01.outcome }}" | |
| exit 1 | |
| - name: "EAB with headerinfo - 02b - Enroll lego with a profile_name taken from header_info included in kid.json" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_name=ACME -k rsa2048 -d lego.acme --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Digital Signature" | |
| - name: "EAB with headerinfo - 03 - Enroll acme with a profile_name/ca_name taken from kid.json" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_01 --eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME2 }}" | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Digital Signature" | |
| - name: "EAB with headerinfo - 03 - Enroll lego with a profile_name/ca_name taken from kid.json" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -k rsa2048 -d lego.acme --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME2 }}" | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep -i "Digital Signature" | |
| - name: "EAB with headerinfo - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)" | |
| id: acmefail021 | |
| continue-on-error: true | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure | |
| - name: "EAB with headerinfo - 04 - check result " | |
| if: steps.acmefail021.outcome != 'failure' | |
| run: | | |
| echo "acmefail outcome is ${{steps.acmefail021.outcome }}" | |
| exit 1 | |
| - name: "EAB with headerinfo - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)" | |
| id: legofail021 | |
| continue-on-error: true | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -k rsa2048 -d lego.acme --http run | |
| - name: "EAB with headerinfo - 04a - check result " | |
| if: steps.legofail021.outcome != 'failure' | |
| run: | | |
| echo "legofail outcome is ${{steps.legofail021.outcome }}" | |
| exit 1 | |
| - name: "EAB with headerinfo - 05 - Enroll acme with default values from acme.cfg" | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature" | |
| - name: "EAB with headerinfo - 05 - Enroll lego with default values from acme.cfg" | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -k rsa2048 -d lego.acme --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}" | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature" | |
| - name: "EAB with headerinfo - 06 - Enroll acme with not allowed headerinfo-field (should fail)" | |
| id: acmefail03 | |
| continue-on-error: true | |
| run: | | |
| sudo rm -rf acme-sh/* | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3 | |
| docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_id=101 -d acme-sh.acme --keylength 2048 --standalone --debug 3 --output-insecure | |
| - name: "EAB with headerinfo - 06 - check result " | |
| if: steps.acmefail03.outcome != 'failure' | |
| run: | | |
| echo "acmefail outcome is ${{steps.acmefail03.outcome }}" | |
| exit 1 | |
| - name: "EAB with headerinfo - 06 - Enroll lego with not allowed headerinfo-field (should fail)" | |
| id: legofail03 | |
| continue-on-error: true | |
| run: | | |
| sudo rm -rf lego/* | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --user-agent profile_id=101 -k rsa2048 -d lego.acme --http run | |
| - name: "EAB with headerinfo - 06 - check result " | |
| if: steps.legofail03.outcome != 'failure' | |
| run: | | |
| echo "legofail outcome is ${{steps.legofail03.outcome }}" | |
| exit 1 | |
| - name: "[ * ] collecting test logs" | |
| if: ${{ failure() }} | |
| run: | | |
| mkdir -p ${{ github.workspace }}/artifact/upload | |
| docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier | |
| sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ | |
| sudo rm ${{ github.workspace }}/artifact/data/*.rpm | |
| sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ | |
| docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig | |
| docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf | |
| docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log | |
| sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh | |
| - name: "[ * ] uploading artificates" | |
| uses: actions/upload-artifact@v4 | |
| if: ${{ failure() }} | |
| with: | |
| name: asa_handler_tests_rpm-rh${{ matrix.rhversion }}.tar.gz | |
| path: ${{ github.workspace }}/artifact/upload/ | |
| asa_handler_headerinfo_tests: | |
| name: "asa_handler_headerinfo_tests" | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: "checkout GIT" | |
| uses: actions/checkout@v4 | |
| - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" | |
| working-directory: examples/Docker/ | |
| run: | | |
| sudo mkdir -p data | |
| docker network create acme | |
| docker-compose up -d | |
| docker-compose logs | |
| - name: "[ PREPARE ] create lego folder" | |
| run: | | |
| mkdir lego | |
| - name: "Test http://acme-srv/directory is accessable" | |
| run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory | |
| - name: "[ PREPARE ] reconfiguration of a2c with a new profile" | |
| run: | | |
| sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem | |
| sudo touch examples/Docker/data/acme_srv.cfg | |
| sudo chmod 777 examples/Docker/data/acme_srv.cfg | |
| sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg | |
| sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_host: $ASA_API_HOST" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_user: $ASA_API_USER" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_password: $ASA_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "api_key: $ASA_API_KEY" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "ca_name: $ASA_CA_NAME" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg | |
| sudo echo "profile_name: $ASA_POFILE1" >> examples/Docker/data/acme_srv.cfg | |
| sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" examples/Docker/data/acme_srv.cfg | |
| sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg | |
| cd examples/Docker/ | |
| docker-compose restart | |
| docker-compose logs | |
| env: | |
| ASA_API_HOST: ${{ secrets.ASA_API_HOST }} | |
| ASA_API_USER: ${{ secrets.ASA_API_USER }} | |
| ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }} | |
| ASA_API_KEY: ${{ secrets.ASA_API_KEY }} | |
| ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }} | |
| ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }} | |
| ASA_PROFILE1: ${{ secrets.ASA_POFILE1 }} | |
| - name: "Test http://acme-srv/directory is accessable again" | |
| run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory | |
| - name: "[ PREPARE ] prepare acme.sh container" | |
| run: | | |
| sudo mkdir acme-sh | |
| docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon | |
| - name: "[ REGISTER] acme.sh" | |
| run: | | |
| docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug 3 | |
| - name: "[ ENROLL] acme.sh with profileID ACME" | |
| run: | | |
| docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --useragent profile_name=ACME --keylength 2048 --debug 3 --output-insecure | |
| awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature" | |
| - name: "[ ENROLL ] lego with profileID ACME" | |
| run: | | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent profile_name=ACME -d lego.acme --key-type rsa2048 --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Digital Signature" | |
| - name: "[ ENROLL] acme.sh with profileID ACME_2" | |
| run: | | |
| docker exec -i acme-sh acme.sh --server http://acme-srv --renew --force -d acme-sh.acme --standalone --useragent profile_name=ACME_2 --keylength 2048 --debug 3 --output-insecure | |
| openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer | |
| openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment" | |
| - name: "[ ENROLL ] lego with profileID ACME_2" | |
| run: | | |
| docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --user-agent profile_name=ACME_2 -d lego.acme --key-type rsa2048 --http run | |
| sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt | |
| sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment" | |
| - name: "[ * ] collecting test logs" | |
| if: ${{ failure() }} | |
| run: | | |
| mkdir -p ${{ github.workspace }}/artifact/upload | |
| sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ | |
| sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ | |
| cd examples/Docker | |
| docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log | |
| sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data lego | |
| - name: "[ * ] uploading artificates" | |
| uses: actions/upload-artifact@v4 | |
| if: ${{ failure() }} | |
| with: | |
| name: asa_handler_headerinfo_tests.tar.gz | |
| path: ${{ github.workspace }}/artifact/upload/ |