From d7f82fbfb14c737f3569a39fdaad8b5914749d09 Mon Sep 17 00:00:00 2001 
From: grindsa Date: Sat, 10 Dec 2022 08:38:40 +0100 Subject: [PATCH 01/22] [foo] --- .../workflows/acme_sh-application-test.yml | 471 ---------- .github/workflows/alpn-test.yml | 77 -- .github/workflows/ca_handler_tests_acme.yml | 84 -- .../workflows/ca_handler_tests_certifier.yml | 102 --- .github/workflows/ca_handler_tests_cmp.yml | 284 ------- .github/workflows/ca_handler_tests_msca.yml | 230 ----- .github/workflows/ca_handler_tests_nclm.yml | 124 --- .../workflows/ca_handler_tests_openssl.yml | 89 -- .../workflows/ca_handler_tests_pkcs7_soap.yml | 244 ------ .github/workflows/ca_handler_tests_xca.yml | 104 --- .../workflows/certbot-application-test.yml | 377 --------- .../certmanager-application-test.yml | 801 ------------------ .github/workflows/codecov.yml | 30 - .github/workflows/codeql-analysis.yml | 61 -- .github/workflows/container-tests.yml | 293 ------- .github/workflows/create_release.yml | 48 -- .github/workflows/django_tests..yml | 522 ------------ .github/workflows/dns-test.yml | 118 --- .github/workflows/eab-test.yml | 130 --- .github/workflows/enrollment-timeout.yml | 110 --- .github/workflows/hooks-test.yml | 267 ------ .github/workflows/ipv6-test.yml | 207 ----- .github/workflows/lego-application-test.yml | 356 -------- .github/workflows/manual-install-test.yml | 105 +-- .github/workflows/markdown-check.yml | 30 - .github/workflows/ossar-analysis.yml | 53 -- .github/workflows/phonito_security_scan.yml | 128 --- .github/workflows/proxy-test.yml | 258 ------ .../workflows/push_images_to_dockerhub.yml | 319 ------- .github/workflows/python-test.yml | 78 -- .github/workflows/tnauth-test.yml | 70 -- .github/workflows/wiki-update.yml | 26 - .../workflows/winacme-application-test.yml | 121 --- .github/workflows/wsgi_handler-test.yml | 153 ---- examples/Docker/alamalinux-systemd/Dockerfile | 15 + 35 files changed, 20 insertions(+), 6465 deletions(-) delete mode 100644 .github/workflows/acme_sh-application-test.yml delete mode 100644 
.github/workflows/alpn-test.yml delete mode 100644 .github/workflows/ca_handler_tests_acme.yml delete mode 100644 .github/workflows/ca_handler_tests_certifier.yml delete mode 100644 .github/workflows/ca_handler_tests_cmp.yml delete mode 100644 .github/workflows/ca_handler_tests_msca.yml delete mode 100644 .github/workflows/ca_handler_tests_nclm.yml delete mode 100644 .github/workflows/ca_handler_tests_openssl.yml delete mode 100644 .github/workflows/ca_handler_tests_pkcs7_soap.yml delete mode 100644 .github/workflows/ca_handler_tests_xca.yml delete mode 100644 .github/workflows/certbot-application-test.yml delete mode 100644 .github/workflows/certmanager-application-test.yml delete mode 100644 .github/workflows/codecov.yml delete mode 100644 .github/workflows/codeql-analysis.yml delete mode 100644 .github/workflows/container-tests.yml delete mode 100644 .github/workflows/create_release.yml delete mode 100644 .github/workflows/django_tests..yml delete mode 100644 .github/workflows/dns-test.yml delete mode 100644 .github/workflows/eab-test.yml delete mode 100644 .github/workflows/enrollment-timeout.yml delete mode 100644 .github/workflows/hooks-test.yml delete mode 100644 .github/workflows/ipv6-test.yml delete mode 100644 .github/workflows/lego-application-test.yml delete mode 100644 .github/workflows/markdown-check.yml delete mode 100644 .github/workflows/ossar-analysis.yml delete mode 100644 .github/workflows/phonito_security_scan.yml delete mode 100644 .github/workflows/proxy-test.yml delete mode 100644 .github/workflows/push_images_to_dockerhub.yml delete mode 100644 .github/workflows/python-test.yml delete mode 100644 .github/workflows/tnauth-test.yml delete mode 100644 .github/workflows/wiki-update.yml delete mode 100644 .github/workflows/winacme-application-test.yml delete mode 100644 .github/workflows/wsgi_handler-test.yml create mode 100644 examples/Docker/alamalinux-systemd/Dockerfile 
diff --git a/.github/workflows/acme_sh-application-test.yml b/.github/workflows/acme_sh-application-test.yml deleted file mode 100644 index 18e51492..00000000 --- a/.github/workflows/acme_sh-application-test.yml +++ /dev/null 
@@ -1,471 +0,0 @@ -name: Application Tests - acme_sh - -on: - push: - pull_request: - branches: [ devel ] - schedule: - # * is a special character in YAML so you have to quote this string - - cron: '0 2 * * 6' - -jobs: - acme_sh_apache2_wsgi: - name: "acme_sh_apache2_wsgi" - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - accountkeylength: [2048, ec-256, ec-521] - keylength: [2048, 4096, ec-521] - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" - working-directory: examples/Docker/ - run: | - sudo mkdir -p data - docker network create acme - docker-compose up -d - docker-compose logs - - - name: "Test http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] setup openssl ca_handler" - run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ ENROLL ] HTTP-01 single domain acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --accountkeylength ${{ matrix.accountkeylength }} --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure - if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then - ECC="_ecc" - fi - openssl verify 
-CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer - - - name: "[ RENEW ] HTTP-01 single domain acme.sh" - run: | - if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then - ECC="--ecc" - fi - docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --renew --force ${ECC} -d acme-sh.acme --standalone --debug 3 --output-insecure - if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then - ECC="_ecc" - fi - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer - - - name: "[ REVOKE ] HTTP-01 single domain acme.sh" - run: | - if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then - ECC="--ecc" - fi - docker exec -i acme-sh acme.sh --server http://acme-srv --revoke ${ECC} -d acme-sh.acme --standalone --debug 2 --output-insecure - - - name: "[ ENROLL ] HTTP-01 2x domain acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --issue -d acme-sh.acme -d acme-sh. 
--standalone --debug 3 --output-insecure - if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then - ECC="_ecc" - fi - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer - - - name: "[ RENEW ] HTTP-01 2x domain acme.sh" - run: | - if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then - ECC="--ecc" - fi - docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --renew --force ${ECC} -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure - if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then - ECC="_ecc" - fi - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer - - - name: "[ REVOKE ] HTTP-01 2x domain acme.sh" - run: | - if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then - ECC="--ecc" - fi - docker exec -i acme-sh acme.sh --server http://acme-srv --revoke ${ECC} -d acme-sh.acme -d acme-sh. 
--standalone --debug 3 --output-insecure - - - name: "[ DEACTIVATE ] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --deactivate-account --debug 2 --output-insecure - - - name: "[ * ] collecting test data" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh - - - name: "[ * ] uploading artifacts" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: acme_sh_apache2_wsgi-${{ matrix.accountkeylength }}_key-${{ matrix.keylength }}.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - acme_sh_apache2_django: - name: "acme_sh_apache2_django" - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - accountkeylength: [2048, ec-256, ec-521] - keylength: [2048, 4096, ec-521] - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] Build docker-compose (apache2_django)" - working-directory: examples/Docker/ - run: | - sed -i "s/wsgi/django/g" .env - sudo mkdir -p data - docker network create acme - docker-compose up -d - docker-compose logs - - - name: "[ WAIT ] Sleep for 10s" - uses: juliangruber/sleep-action@v1 - with: - time: 10s - - - name: "Test http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] setup openssl ca_handler and django config" - run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem 
test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo cp .github/django_settings.py examples/Docker/data/settings.py - cd examples/Docker/ - docker-compose restart - docker-compose logs - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ ENROLL ] HTTP-01 single domain acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --accountkeylength ${{ matrix.accountkeylength }} --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure - if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then - ECC="_ecc" - fi - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer - - - name: "[ RENEW ] HTTP-01 single domain acme.sh" - run: | - if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then - ECC="--ecc" - fi - docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --renew --force ${ECC} -d acme-sh.acme --standalone --debug 3 --output-insecure - if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then - ECC="_ecc" - fi - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer - - - name: "[ REVOKE ] HTTP-01 single domain acme.sh" - run: | - if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == 
"ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then - ECC="--ecc" - fi - docker exec -i acme-sh acme.sh --server http://acme-srv --revoke ${ECC} -d acme-sh.acme --standalone --debug 2 --output-insecure - - - name: "[ ENROLL ] HTTP-01 2x domain acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --issue -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure - if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then - ECC="_ecc" - fi - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer - - - name: "[ RENEW ] HTTP-01 2x domain acme.sh" - run: | - if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then - ECC="--ecc" - fi - docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --renew --force ${ECC} -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure - if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then - ECC="_ecc" - fi - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer - - - name: "[ REVOKE ] HTTP-01 2x domain acme.sh" - run: | - if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then - ECC="--ecc" - fi - docker exec -i acme-sh acme.sh --server http://acme-srv --revoke ${ECC} -d acme-sh.acme -d acme-sh. 
--standalone --debug 3 --output-insecure - - - name: "[ DEACTIVATE ] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --deactivate-account --debug 2 --output-insecure - - - name: "[ * ] collecting test data" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh - - - name: "[ * ] uploading artifacts" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: acme_sh_apache2_django-${{ matrix.accountkeylength }}_key-${{ matrix.keylength }}.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - acme_sh_nginx_wsgi: - name: "acme_sh_nginx_wsgi" - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - accountkeylength: [2048, ec-256, ec-521] - keylength: [2048, 4096, ec-521] - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] Build docker-compose (nginx_django)" - working-directory: examples/Docker/ - run: | - sed -i "s/apache2/nginx/g" .env - sudo mkdir -p data - docker network create acme - docker-compose up -d - docker-compose logs - - - name: "[ WAIT ] Sleep for 10s" - uses: juliangruber/sleep-action@v1 - with: - time: 10s - - - name: "Test http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] setup openssl ca_handler" - run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem 
examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ ENROLL ] HTTP-01 single domain acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --accountkeylength ${{ matrix.accountkeylength }} --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure - if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then - ECC="_ecc" - fi - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer - - - name: "[ RENEW ] HTTP-01 single domain acme.sh" - run: | - if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then - ECC="--ecc" - fi - docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --renew --force ${ECC} -d acme-sh.acme --standalone --debug 3 --output-insecure - if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then - ECC="_ecc" - fi - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer - - - name: "[ REVOKE ] HTTP-01 single domain acme.sh" - run: | - if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then - ECC="--ecc" - fi - docker exec 
-i acme-sh acme.sh --server http://acme-srv --revoke ${ECC} -d acme-sh.acme --standalone --debug 2 --output-insecure - - - name: "[ ENROLL ] HTTP-01 2x domain acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --issue -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure - if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then - ECC="_ecc" - fi - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer - - - name: "[ RENEW ] HTTP-01 2x domain acme.sh" - run: | - if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then - ECC="--ecc" - fi - docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --renew --force ${ECC} -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure - if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then - ECC="_ecc" - fi - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer - - - name: "[ REVOKE ] HTTP-01 2x domain acme.sh" - run: | - if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then - ECC="--ecc" - fi - docker exec -i acme-sh acme.sh --server http://acme-srv --revoke ${ECC} -d acme-sh.acme -d acme-sh. 
--standalone --debug 3 --output-insecure - - - name: "[ DEACTIVATE ] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --deactivate-account --debug 2 --output-insecure - - - name: "[ * ] collecting test data" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh - - - name: "[ * ] uploading artifacts" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: acme_sh_nginx_wsgi-${{ matrix.accountkeylength }}_key-${{ matrix.keylength }}.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - acme_sh_nginx_django: - name: "acme_sh_nginx_django" - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - accountkeylength: [2048, ec-256, ec-521] - keylength: [2048, 4096, ec-521] - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] Build docker-compose (nginx_django)" - working-directory: examples/Docker/ - run: | - sed -i "s/wsgi/django/g" .env - sed -i "s/apache2/nginx/g" .env - sudo mkdir -p data - docker network create acme - docker-compose up -d - docker-compose logs - - - name: "[ WAIT ] Sleep for 10s" - uses: juliangruber/sleep-action@v1 - with: - time: 10s - - - name: "Test http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] setup openssl ca_handler and django config" - run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem 
test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo cp .github/django_settings.py examples/Docker/data/settings.py - cd examples/Docker/ - docker-compose restart - docker-compose logs - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ ENROLL ] HTTP-01 single domain acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --accountkeylength ${{ matrix.accountkeylength }} --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure - if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then - ECC="_ecc" - fi - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer - - - name: "[ RENEW ] HTTP-01 single domain acme.sh" - run: | - if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then - ECC="--ecc" - fi - docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --renew --force ${ECC} -d acme-sh.acme --standalone --debug 3 --output-insecure - if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then - ECC="_ecc" - fi - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer - - - name: "[ REVOKE ] HTTP-01 single domain acme.sh" - run: | - if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ 
matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then - ECC="--ecc" - fi - docker exec -i acme-sh acme.sh --server http://acme-srv --revoke ${ECC} -d acme-sh.acme --standalone --debug 2 --output-insecure - - - name: "[ ENROLL ] HTTP-01 2x domain acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --issue -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure - if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then - ECC="_ecc" - fi - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer - - - name: "[ RENEW ] HTTP-01 2x domain acme.sh" - run: | - if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then - ECC="--ecc" - fi - docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --renew --force ${ECC} -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure - if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then - ECC="_ecc" - fi - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer - - - name: "[ REVOKE ] HTTP-01 2x domain acme.sh" - run: | - if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then - ECC="--ecc" - fi - docker exec -i acme-sh acme.sh --server http://acme-srv --revoke ${ECC} -d acme-sh.acme -d acme-sh. 
--standalone --debug 3 --output-insecure - - - name: "[ DEACTIVATE ] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --deactivate-account --debug 2 --output-insecure - - - name: "[ * ] collecting test data" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh - - - name: "[ * ] uploading artifacts" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: acme_sh_nginx_django-${{ matrix.accountkeylength }}_key-${{ matrix.keylength }}.tar.gz - path: ${{ github.workspace }}/artifact/upload/ diff --git a/.github/workflows/alpn-test.yml b/.github/workflows/alpn-test.yml deleted file mode 100644 index 5ef6f489..00000000 --- a/.github/workflows/alpn-test.yml +++ /dev/null 
@@ -1,77 +0,0 @@ -name: TLS-ALPN-01 challenge tests - -on: - push: - pull_request: - branches: [ devel ] - schedule: - # * is a special character in YAML so you have to quote this string - - cron: '0 2 * * 6' - -jobs: - alpn_apache2_wsgi: - name: "alpn_apache2_wsgi" - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - keylength: [2048] - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" - working-directory: examples/Docker/ - run: | - sudo mkdir -p data - docker network create acme - docker-compose up -d - docker-compose logs - - - name: "Test http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] setup openssl ca_handler" - run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - - - name: "Test http://acme-srv/directory is accessable again" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ ENROLL ] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem 
acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "[ ENROLL ] lego" - run: | - mkdir lego - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --tls run - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: alpn-${{ matrix.keylength }}.tar.gz - path: ${{ github.workspace }}/artifact/upload/ diff --git a/.github/workflows/ca_handler_tests_acme.yml b/.github/workflows/ca_handler_tests_acme.yml deleted file mode 100644 index 61f40382..00000000 --- a/.github/workflows/ca_handler_tests_acme.yml +++ /dev/null 
@@ -1,84 +0,0 @@ -name: CA handler tests - ACME - -on: - push: - pull_request: - branches: [ devel ] - schedule: - - cron: '0 2 * * 6' - -jobs: - acme_ca_handler_test: - name: "ACME CAhandler Tests" - runs-on: ubuntu-latest - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" - working-directory: examples/Docker/ - run: | - sudo mkdir -p data - docker network create acme - docker-compose up -d - docker-compose logs - - - name: "[ PREPARE ] setup le-sim" - run: | - sudo mkdir -p examples/Docker/data-le - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data-le/ca_handler.py - sudo mkdir -p examples/Docker/data-le/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data-le/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data-le/acme_srv.cfg - sudo chmod 777 examples/Docker/data-le/acme_srv.cfg - docker run -d -p 80:80 --rm -id --network acme --name=acme-le-sim -v "$(pwd)/examples/Docker/data-le":/var/www/acme2certifier/volume/ grindsa/acme2certifier:apache2-wsgi - - - name: "Test http://acme-le-sim/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-le-sim/directory - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - sudo mkdir acme-sh - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ TEST ] enroll from le-sim" - run: | - docker exec -i acme-sh acme.sh --server http://acme-le-sim --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - openssl verify -CAfile acme-sh/acme-sh.acme/ca.cer acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "[ PREPARE ] setup acme_ca_handler" - run: | - sudo mkdir -p examples/Docker/data/acme - sudo chmod -R 777 examples/Docker/data/acme - 
sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg - sudo echo "handler_file: examples/ca_handler/acme_ca_handler.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "acme_keyfile: volume/acme/le_staging_private_key.json" >> examples/Docker/data/acme_srv.cfg - sudo echo "acme_url: http://acme-le-sim" >> examples/Docker/data/acme_srv.cfg - sudo echo "acme_account_email: grindsa@foo.bar" >> examples/Docker/data/acme_srv.cfg - sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" examples/Docker/data/acme_srv.cfg - - - name: "[ ENROLL ] via acme_ca_handler" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-srv.acme --standalone --debug 3 --output-insecure --force - openssl verify -CAfile acme-sh/acme-sh.acme/ca.cer acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "[ * ] collecting test data" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - cd examples/Docker - # docker logs acme-le-sim > ${{ github.workspace }}/artifact/acme-le-sim.log - docker logs acme-le-sim - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data docker-compose.log acme-le-sim.log - - - name: "[ * ] uploading artifacts" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: ca_handler.tar.gz - path: ${{ github.workspace }}/artifact/upload/ 
diff --git a/.github/workflows/ca_handler_tests_certifier.yml b/.github/workflows/ca_handler_tests_certifier.yml deleted file mode 100644 index 76866707..00000000 --- a/.github/workflows/ca_handler_tests_certifier.yml +++ /dev/null 
@@ -1,102 +0,0 @@ -name: CA handler tests - Certifier - -on: - push: - pull_request: - branches: [ devel ] - schedule: - # * is a special character in YAML so you have to quote this string - - cron: '0 2 * * 6' - -jobs: - certifier_handler_tests: - name: "certifier_handler_tests" - runs-on: ubuntu-latest - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" - working-directory: examples/Docker/ - run: | - sudo mkdir -p data - docker network create acme - docker-compose up -d - docker-compose logs - - - name: "[ PREPARE ] create letsencrypt and lego folder" - run: | - mkdir certbot - mkdir lego - - - name: "Test http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] setup a2c with certifier_ca_handler" - run: | - sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem - sudo touch examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg - sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg - sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg - sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - env: - NCM_API_HOST: ${{ secrets.NCM_API_HOST }} - NCM_API_USER: ${{ secrets.NCM_API_USER }} - NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }} - NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }} - NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }} - - - name: "Test 
http://acme-srv/directory is accessable again" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - sudo mkdir acme-sh - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ ENROLL ] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "[ REGISTER ] certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "[ ENROLL ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem - - - name: "[ ENROLL ] lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ - sudo cp -rp lego/ ${{ github.workspace 
}}/artifact/lego/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: ncm.tar.gz - path: ${{ github.workspace }}/artifact/upload/ diff --git a/.github/workflows/ca_handler_tests_cmp.yml b/.github/workflows/ca_handler_tests_cmp.yml deleted file mode 100644 index 26c3c3cb..00000000 --- a/.github/workflows/ca_handler_tests_cmp.yml +++ /dev/null 
@@ -1,284 +0,0 @@ -name: CA handler tests - CMPv2 - -on: - push: - pull_request: - branches: [ devel ] - schedule: - # * is a special character in YAML so you have to quote this string - - cron: '0 2 * * 6' - -jobs: - cmp_handler_tests_keycert: - name: "cmp_handler_tests_keycert" - runs-on: ubuntu-latest - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - #- name: "[ PREPARE ] patch docker file to ubuntu 22.04" - # run: | - # sudo sed -i "s/FROM ubuntu:20.04/FROM ubuntu:22.04/g" examples/Docker/apache2/wsgi/Dockerfile - - - name: "[ PREPARE ] get runner ip" - run: | - echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV - echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV - - - run: echo "runner IP is ${{ env.RUNNER_IP }}" - - - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" - working-directory: examples/Docker/ - run: | - sudo mkdir -p data - docker network create acme - docker-compose up -d - docker-compose logs - - - name: "[ PREPARE ] create letsencrypt and lego folder" - run: | - mkdir certbot - mkdir lego - - - name: "Test http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] setup a2c with cmp_ca_handler" - run: | - sudo touch examples/Docker/data/ca_bundle.pem - sudo touch examples/Docker/data/ra_cert.pem - sudo touch examples/Docker/data/ra_key.pem - sudo chmod 777 examples/Docker/data/*.pem - sudo echo "$CMP_TRUSTED" > examples/Docker/data/ca_bundle.pem - sudo echo "$CMP_RA_CERT" > examples/Docker/data/ra_cert.pem - sudo echo "$CMP_RA_KEY" > examples/Docker/data/ra_key.pem - sudo touch examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg - sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/cmp_ca_handler.py" >> 
examples/Docker/data/acme_srv.cfg - sudo echo "cmp_path: pkix/" >> examples/Docker/data/acme_srv.cfg - sudo echo "cmp_ignore_keyusage: True" >> examples/Docker/data/acme_srv.cfg - sudo echo "cmp_msg_timeout: 3" >> examples/Docker/data/acme_srv.cfg - sudo echo "cmp_total_timeout: 5" >> examples/Docker/data/acme_srv.cfg - sudo echo "cmp_server: $RUNNER_IP:8086" >> examples/Docker/data/acme_srv.cfg - sudo echo "cmp_cert: volume/ra_cert.pem" >> examples/Docker/data/acme_srv.cfg - sudo echo "cmp_key: volume/ra_key.pem" >> examples/Docker/data/acme_srv.cfg - sudo echo "cmp_trusted: volume/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg - sudo echo "cmp_recipient: $CMP_RECIPIENT" >> examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - env: - RUNNER_IP: ${{ env.RUNNER_IP }} - CMP_RECIPIENT: ${{ secrets.CMP_RECIPIENT }} - CMP_RA_KEY: ${{ secrets.CMP_RA_KEY }} - CMP_RA_CERT: ${{ secrets.CMP_RA_CERT }} - CMP_TRUSTED: ${{ secrets.CMP_TRUSTED }} - - - name: "Test http://acme-srv/directory is accessable again" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - sudo mkdir acme-sh - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ PREPARE ] ssh environment on ramdisk" - run: | - sudo mkdir -p /tmp/rd - sudo mount -t tmpfs -o size=5M none /tmp/rd - sudo echo "$SSH_KEY" > /tmp/rd/ak.tmp - sudo chmod 600 /tmp/rd/ak.tmp - sudo echo "$KNOWN_HOSTS" > /tmp/rd/known_hosts - env: - SSH_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} - KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} - - - name: "[ PREPARE ] establish SSH connection" - run: sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -p $SSH_PORT -o UserKnownHostsFile=/tmp/rd/known_hosts -L 8086:$CMP_HOST:8086 -g ping -c 120 $CMP_HOST & - env: - SSH_USER: ${{ secrets.CMP_SSH_USER }} - SSH_HOST: ${{ secrets.CMP_SSH_HOST 
}} - SSH_PORT: ${{ secrets.CMP_SSH_PORT }} - CMP_HOST: ${{ secrets.CMP_HOST }} - - - name: "[ PREPARE ] Sleep for 5s" - uses: juliangruber/sleep-action@v1 - with: - time: 5s - - - name: "[ ENROLL ] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "[ REGISTER ] certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - #- name: "[ ENROLL ] HTTP-01 single domain certbot" - # run: | - # docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - # sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem - - - name: "[ ENROLL ] lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ - sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace 
}}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: cmpkeycert.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - cmp_handler_tests_refpsk: - name: "cmp_handler_tests_refpsk" - runs-on: ubuntu-latest - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] patch docker file to ubuntu 22.04" - run: | - sudo sed -i "s/FROM ubuntu:20.04/FROM ubuntu:22.04/g" examples/Docker/apache2/wsgi/Dockerfile - - - name: "[ PREPARE ] get runner ip" - run: | - echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV - echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV - - - run: echo "runner IP is ${{ env.RUNNER_IP }}" - - - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" - working-directory: examples/Docker/ - run: | - sudo mkdir -p data - docker network create acme - docker-compose up -d - docker-compose logs - - - name: "[ PREPARE ] create letsencrypt and lego folder" - run: | - mkdir certbot - mkdir lego - - - name: "Test http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] setup a2c with cmp_ca_handler" - run: | - sudo touch examples/Docker/data/ca_bundle.pem - sudo touch examples/Docker/data/ra_cert.pem - sudo chmod 777 examples/Docker/data/*.pem - sudo echo "$CMP_TRUSTED" > examples/Docker/data/ca_bundle.pem - sudo echo "$CMP_RA_CERT" > examples/Docker/data/ra_cert.pem - sudo touch examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg - sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/cmp_ca_handler.py" >> 
examples/Docker/data/acme_srv.cfg - sudo echo "cmp_path: pkix/" >> examples/Docker/data/acme_srv.cfg - sudo echo "cmp_ignore_keyusage: True" >> examples/Docker/data/acme_srv.cfg - sudo echo "cmp_msg_timeout: 3" >> examples/Docker/data/acme_srv.cfg - sudo echo "cmp_total_timeout: 5" >> examples/Docker/data/acme_srv.cfg - sudo echo "cmp_server: $RUNNER_IP:8086" >> examples/Docker/data/acme_srv.cfg - sudo echo "cmp_cert: volume/ra_cert.pem" >> examples/Docker/data/acme_srv.cfg - sudo echo "cmp_trusted: volume/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg - sudo echo "cmp_recipient: $CMP_RECIPIENT" >> examples/Docker/data/acme_srv.cfg - sudo echo "cmp_ref: $CMP_REF" >> examples/Docker/data/acme_srv.cfg - sudo echo "cmp_secret: $CMP_SECRET" >> examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - env: - RUNNER_IP: ${{ env.RUNNER_IP }} - CMP_RECIPIENT: ${{ secrets.CMP_RECIPIENT }} - CMP_RA_CERT: ${{ secrets.CMP_RA_CERT }} - CMP_TRUSTED: ${{ secrets.CMP_TRUSTED }} - CMP_REF: ${{ secrets.CMP_REF }} - CMP_SECRET: ${{ secrets.CMP_SECRET }} - - - name: "Test http://acme-srv/directory is accessable again" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - sudo mkdir acme-sh - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ PREPARE ] ssh environment on ramdisk" - run: | - sudo mkdir -p /tmp/rd - sudo mount -t tmpfs -o size=5M none /tmp/rd - sudo echo "$SSH_KEY" > /tmp/rd/ak.tmp - sudo chmod 600 /tmp/rd/ak.tmp - sudo echo "$KNOWN_HOSTS" > /tmp/rd/known_hosts - env: - SSH_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} - KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} - - - name: "[ PREPARE ] establish SSH connection" - run: sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -p $SSH_PORT -o UserKnownHostsFile=/tmp/rd/known_hosts -L 8086:$CMP_HOST:8086 -g ping -c 
120 $CMP_HOST & - env: - SSH_USER: ${{ secrets.CMP_SSH_USER }} - SSH_HOST: ${{ secrets.CMP_SSH_HOST }} - SSH_PORT: ${{ secrets.CMP_SSH_PORT }} - CMP_HOST: ${{ secrets.CMP_HOST }} - - - name: "[ PREPARE ] Sleep for 5s" - uses: juliangruber/sleep-action@v1 - with: - time: 5s - - - name: "[ ENROLL ] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer - openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "[ REGISTER ] certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - #- name: "[ ENROLL ] HTTP-01 single domain certbot" - # run: | - # docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - # sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem - - - name: "[ ENROLL ] lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ - sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ - cd examples/Docker - 
docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: cmprefpsk.tar.gz - path: ${{ github.workspace }}/artifact/upload/ diff --git a/.github/workflows/ca_handler_tests_msca.yml b/.github/workflows/ca_handler_tests_msca.yml deleted file mode 100644 index acd3d081..00000000 --- a/.github/workflows/ca_handler_tests_msca.yml +++ /dev/null 
@@ -1,230 +0,0 @@ -name: CA handler tests - Microsoft CA - -on: - push: - pull_request: - branches: [ devel ] - schedule: - # * is a special character in YAML so you have to quote this string - - cron: '0 2 * * 6' - -jobs: - wcce_handler_tests: - name: "wcce_handler_tests" - runs-on: ubuntu-latest - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] get runner ip" - run: | - echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV - echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV - - - run: echo "runner IP is ${{ env.RUNNER_IP }}" - - - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" - working-directory: examples/Docker/ - run: | - sudo mkdir -p data - docker network create acme - docker-compose up -d - docker-compose logs - - - name: "[ PREPARE ] create letsencrypt and lego folder" - run: | - mkdir certbot - mkdir lego - - - name: "Test http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] setup a2c with ms_wcce_ca_handler" - run: | - sudo touch examples/Docker/data/ca_certs.pem - sudo chmod 777 examples/Docker/data/ca_certs.pem - sudo echo "$WCCE_CA_BUNDLE" > examples/Docker/data/ca_certs.pem - sudo touch examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg - sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/mswcce_ca_handler.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "host: $RUNNER_IP" >> examples/Docker/data/acme_srv.cfg - sudo echo "user: $WCCE_USER" >> examples/Docker/data/acme_srv.cfg - sudo echo "password: $WCCE_PASSWORD" >> examples/Docker/data/acme_srv.cfg - sudo echo "template: $WCCE_TEMPLATE" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_name: $WCCE_CA_NAME" >> 
examples/Docker/data/acme_srv.cfg - sudo echo "target_domain: $WCCE_ADS_DOMAIN" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_bundle: volume/ca_certs.pem" >> examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - env: - RUNNER_IP: ${{ env.RUNNER_IP }} - WCCE_USER: ${{ secrets.WCCE_USER }} - WCCE_PASSWORD: ${{ secrets.WCCE_PASSWORD }} - WCCE_TEMPLATE: ${{ secrets.WCCE_TEMPLATE }} - WCCE_CA_NAME: ${{ secrets.WCCE_CA_NAME }} - WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} - WCCE_CA_BUNDLE: ${{ secrets.WCCE_CA_BUNDLE }} - - - name: "Test http://acme-srv/directory is accessable again" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - sudo mkdir acme-sh - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ PREPARE ] ssh environment on ramdisk " - run: | - sudo mkdir -p /tmp/rd - sudo mount -t tmpfs -o size=5M none /tmp/rd - sudo echo "$SSH_KEY" > /tmp/rd/ak.tmp - sudo chmod 600 /tmp/rd/ak.tmp - sudo echo "$KNOWN_HOSTS" > /tmp/rd/known_hosts - env: - SSH_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} - KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} - - - name: "[ PREPARE ] establish SSH connection" - run: sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -p $SSH_PORT -o UserKnownHostsFile=/tmp/rd/known_hosts -L 445:$WCCE_HOST:445 -g ping -c 75 $WCCE_HOST & - env: - SSH_USER: ${{ secrets.WCCE_SSH_USER }} - SSH_HOST: ${{ secrets.WCCE_SSH_HOST }} - SSH_PORT: ${{ secrets.WCCE_SSH_PORT }} - WCCE_HOST: ${{ secrets.WCCE_HOST }} - - - name: "[ PREPARE ] Sleep for 5s" - uses: juliangruber/sleep-action@v1 - with: - time: 5s - - - name: "[ ENROLL ] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force - openssl verify -CAfile 
examples/Docker/data/ca_certs.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "[ REGISTER] certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "[ ENROLL ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/ca_certs.pem certbot/live/certbot/cert.pem - - - name: "[ ENROLL ] lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile examples/Docker/data/ca_certs.pem lego/certificates/lego.acme.crt - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ - sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: wcce.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - wes_handler_tests: - name: "wes_handler_tests" - runs-on: ubuntu-latest - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" - working-directory: 
examples/Docker/ - run: | - sudo mkdir -p data - docker network create acme - docker-compose up -d - docker-compose logs - - - name: "[ PREPARE ] create letsencrypt and lego folder" - run: | - mkdir certbot - mkdir lego - - - name: "Test http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] setup a2c with mscertsrv_ca_handler" - run: | - sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem - sudo touch examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg - sudo echo "handler_file: examples/ca_handler/mscertsrv_ca_handler.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "host: $WES_HOST" >> examples/Docker/data/acme_srv.cfg - sudo echo "user: $WES_USER" >> examples/Docker/data/acme_srv.cfg - sudo echo "password: $WES_PASSWORD" >> examples/Docker/data/acme_srv.cfg - sudo echo "auth_method: $WES_AUTHMETHOD" >> examples/Docker/data/acme_srv.cfg - sudo echo "template: $WES_TEMPLATE" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_bundle: volume/ca_certs.pem" >> examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - env: - WES_HOST: ${{ secrets.WES_HOST }} - WES_USER: ${{ secrets.WES_USER }} - WES_PASSWORD: ${{ secrets.WES_PASSWORD }} - WES_AUTHMETHOD: ${{ secrets.WES_AUTHMETHOD }} - WES_TEMPLATE: ${{ secrets.WES_TEMPLATE }} - - - name: "Test http://acme-srv/directory is accessable again" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - sudo mkdir acme-sh - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ ENROLL ] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server 
http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force - openssl verify -CAfile examples/Docker/data/ca_certs.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "[ REGISTER] certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "[ ENROLL ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/ca_certs.pem certbot/live/certbot/cert.pem - - - name: "[ ENROLL ] lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile examples/Docker/data/ca_certs.pem lego/certificates/lego.acme.crt - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ - sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: wse.tar.gz - path: ${{ github.workspace }}/artifact/upload/ 
diff --git a/.github/workflows/ca_handler_tests_nclm.yml b/.github/workflows/ca_handler_tests_nclm.yml deleted file mode 100644 index 923fdadb..00000000 --- a/.github/workflows/ca_handler_tests_nclm.yml +++ /dev/null 
@@ -1,124 +0,0 @@ -name: CA handler tests - NCLM - -on: - push: - pull_request: - branches: [ devel ] - schedule: - # * is a special character in YAML so you have to quote this string - - cron: '0 2 * * 6' - -jobs: - nclm_handler_tests: - name: "nclm_handler_tests" - runs-on: ubuntu-latest - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" - working-directory: examples/Docker/ - run: | - sudo mkdir -p data - docker network create acme - docker-compose up -d - docker-compose logs - - - name: "[ PREPARE ] create letsencrypt and lego folder" - run: | - mkdir certbot - mkdir lego - - - name: "Test http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] setup a2c with nclm_ca_handler" - run: | - sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem - sudo touch examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg - sudo echo "handler_file: examples/ca_handler/nclm_ca_handler.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "api_host: $NCLM_API_HOST" >> examples/Docker/data/acme_srv.cfg - sudo echo "api_user: $NCLM_API_USER" >> examples/Docker/data/acme_srv.cfg - sudo echo "api_password: $NCLM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg - sudo echo "tsg_name: $NCLM_TSG_NAME" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_name: $NCLM_CA_NAME" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_id_list: [$NCLM_CA_ID_LIST]" >> examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - env: - NCLM_API_HOST: ${{ secrets.NCLM_API_HOST }} - NCLM_API_USER: ${{ secrets.NCLM_API_USER }} - NCLM_API_PASSWORD: ${{ secrets.NCLM_API_PASSWORD }} - NCLM_TSG_NAME: ${{ secrets.NCLM_TSG_NAME }} - 
NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }} - NCLM_CA_ID_LIST: ${{ secrets.NCLM_CA_ID_LIST }} - - - name: "Test http://acme-srv/directory is accessable again" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - sudo mkdir acme-sh - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ ENROLL ] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force - awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer - # openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "[ REGISTER] certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "[ ENROLL ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem - - - name: "[ ENROLL ] lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt - - - name: "[ PREPARE ] reconfigure nclm handler" - run: | - sudo sed -i "s/ca_name: $NCLM_CA_NAME/ca_name: $NCLM_MSCA_NAME/g" examples/Docker/data/acme_srv.cfg - sudo echo "template_name: $NCLM_MSCA_TEMPLATE_NAME" >> examples/Docker/data/acme_srv.cfg - sudo rm 
-rf lego/* - env: - NCLM_MSCA_TEMPLATE_NAME: ${{ secrets.NCLM_MSCA_TEMPLATE_NAME }} - NCLM_MSCA_NAME: ${{ secrets.NCLM_MSCA_NAME }} - NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }} - - - name: "[ PREPARE ] restart a2c" - working-directory: examples/Docker/ - run: | - docker-compose restart - - - name: "[ ENROLL ] lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile lego/certificates/lego.acme.issuer.crt lego/certificates/lego.acme.crt - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ - sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: nclm.tar.gz - path: ${{ github.workspace }}/artifact/upload/ diff --git a/.github/workflows/ca_handler_tests_openssl.yml b/.github/workflows/ca_handler_tests_openssl.yml deleted file mode 100644 index 8ebedad5..00000000 --- a/.github/workflows/ca_handler_tests_openssl.yml +++ /dev/null 
@@ -1,89 +0,0 @@ -name: CA handler tests - OpenSSL - -on: - push: - pull_request: - branches: [ devel ] - schedule: - # * is a special character in YAML so you have to quote this string - - cron: '0 2 * * 6' - -jobs: - openssl_handler_tests: - name: "openssl_handler_tests" - runs-on: ubuntu-latest - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" - working-directory: examples/Docker/ - run: | - sudo mkdir -p data - docker network create acme - docker-compose up -d - docker-compose logs - - - name: "[ PREPARE ] create letsencrypt and lego folder" - run: | - mkdir certbot - mkdir lego - - - name: "Test http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] setup a2c with openssl_ca_handler" - run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - - - name: "Test http://acme-srv/directory is accessable again" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - sudo mkdir acme-sh - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ ENROLL ] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted 
examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "[ REGISTER] certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "[ ENROLL ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - - name: "[ ENROLL ] lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ - sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: openssl.tar.gz - path: ${{ github.workspace }}/artifact/upload/ 
diff --git a/.github/workflows/ca_handler_tests_pkcs7_soap.yml b/.github/workflows/ca_handler_tests_pkcs7_soap.yml
deleted file mode 100644
index 5e0e7584..00000000
--- a/.github/workflows/ca_handler_tests_pkcs7_soap.yml
+++ /dev/null
@@ -1,244 +0,0 @@ -name: CA handler tests - PKCS#7-SOAP handler - -on: - push: - pull_request: - branches: [ devel ] - schedule: - # * is a special character in YAML so you have to quote this string - - cron: '0 2 * * 6' - -jobs: - pkcs7_soap_handler_signint_tests: - name: "pkcs7_soap_handler_tests internal signer" - runs-on: ubuntu-latest - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] SOAP server" - run: | - sudo mkdir -p examples/Docker/data - docker network create acme - sudo mkdir -p examples/Docker/data/xca - sudo chmod -R 777 examples/Docker/data/xca - sudo cp test/ca/acme2certifier-clean.xdb examples/Docker/data/xca/$XCA_DB_NAME - sudo touch examples/Docker/data/soap_srv.cfg - sudo chmod 777 examples/Docker/data/soap_srv.cfg - sudo echo "[CAhandler]" >> examples/Docker/data/soap_srv.cfg - sudo echo "xdb_file: /etc/soap-srv/xca/$XCA_DB_NAME" >> examples/Docker/data/soap_srv.cfg - sudo echo "issuing_ca_name: $XCA_ISSUING_CA" >> examples/Docker/data/soap_srv.cfg - sudo echo "issuing_ca_key: $XCA_ISSUING_CA" >> examples/Docker/data/soap_srv.cfg - sudo echo "passphrase: $XCA_PASSPHRASE" >> examples/Docker/data/soap_srv.cfg - sudo echo "ca_cert_chain_list: [\"root-ca\"]" >> examples/Docker/data/soap_srv.cfg - sudo echo "template_name: $XCA_TEMPLATE" >> examples/Docker/data/soap_srv.cfg - env: - XCA_PASSPHRASE: ${{ secrets.XCA_PASSPHRASE }} - XCA_ISSUING_CA: ${{ secrets.XCA_ISSUING_CA }} - XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} - XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} - - - name: "[ PREPARE ] Build and start SOAP server" - working-directory: examples/Docker/ - run: | - docker-compose -f soap_srv.yml up -d - docker-compose -f soap_srv.yml logs - - - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" - working-directory: examples/Docker/ - run: | - docker-compose up -d - docker-compose logs - - - name: "[ PREPARE ] create letsencrypt and lego folder" - run: | - mkdir certbot - mkdir lego - - - name: "Test 
http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] setup a2c with pkcs7_ca_handler" - run: | - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo touch examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo cp test/ca/sub-ca-key.pem examples/Docker/data/key.pem - sudo cp test/ca/sub-ca-cert.pem examples/Docker/data/cert.pem - sudo cp test/ca/certs.pem examples/Docker/data/ca_bundle.pem - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg - sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/pkcs7_soap_ca_handler.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "soap_srv: http://soap-srv.acme:8888" >> examples/Docker/data/acme_srv.cfg - sudo echo "signing_cert: /var/www/acme2certifier/volume/cert.pem" >> examples/Docker/data/acme_srv.cfg - sudo echo "signing_key: /var/www/acme2certifier/volume/key.pem" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_bundle: /var/www/acme2certifier/volume/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg - sudo echo "profilename: foo" >> examples/Docker/data/acme_srv.cfg - sudo echo "email: grindsa@foo.bar" >> examples/Docker/data/acme_srv.cfg - cat examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - sudo mkdir acme-sh - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ ENROLL ] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force - openssl verify 
-CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "[ REGISTER] certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "[ ENROLL ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - - name: "[ ENROLL ] lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ - sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ - cd examples/Docker - docker-compose -f soap_srv.yml logs > ${{ github.workspace }}/artifact/soap-srv.log - docker-compose logs > ${{ github.workspace }}/artifact/a2c.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz a2c.log data soap-srv.log acme-sh certbot lego - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - 
name: pkcs7soap-int.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - pkcs7_soap_handler_signext_tests: - name: "pkcs7_soap_handler_tests external signer" - runs-on: ubuntu-latest - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] SOAP server" - run: | - sudo mkdir -p examples/Docker/data - docker network create acme - sudo mkdir -p examples/Docker/data/xca - sudo chmod -R 777 examples/Docker/data/xca - sudo cp test/ca/acme2certifier-clean.xdb examples/Docker/data/xca/$XCA_DB_NAME - sudo touch examples/Docker/data/soap_srv.cfg - sudo chmod 777 examples/Docker/data/soap_srv.cfg - sudo echo "[CAhandler]" >> examples/Docker/data/soap_srv.cfg - sudo echo "xdb_file: /etc/soap-srv/xca/$XCA_DB_NAME" >> examples/Docker/data/soap_srv.cfg - sudo echo "issuing_ca_name: $XCA_ISSUING_CA" >> examples/Docker/data/soap_srv.cfg - sudo echo "issuing_ca_key: $XCA_ISSUING_CA" >> examples/Docker/data/soap_srv.cfg - sudo echo "passphrase: $XCA_PASSPHRASE" >> examples/Docker/data/soap_srv.cfg - sudo echo "ca_cert_chain_list: [\"root-ca\"]" >> examples/Docker/data/soap_srv.cfg - sudo echo "template_name: $XCA_TEMPLATE" >> examples/Docker/data/soap_srv.cfg - env: - XCA_PASSPHRASE: ${{ secrets.XCA_PASSPHRASE }} - XCA_ISSUING_CA: ${{ secrets.XCA_ISSUING_CA }} - XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} - XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} - - - name: "[ PREPARE ] Build and start SOAP server" - working-directory: examples/Docker/ - run: | - docker-compose -f soap_srv.yml up -d - docker-compose -f soap_srv.yml logs - - - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" - working-directory: examples/Docker/ - run: | - docker-compose up -d - docker-compose logs - - - name: "[ PREPARE ] create letsencrypt and lego folder" - run: | - mkdir certbot - mkdir lego - - - name: "Test http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] setup a2c 
with pkcs7_ca_handler" - run: | - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo touch examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo cp examples/soap/mock_signer.py examples/Docker/data/ - sudo chmod 755 examples/Docker/data/mock_signer.py - sudo cp test/ca/sub-ca-key.pem examples/Docker/data/key.pem - sudo cp test/ca/sub-ca-cert.pem examples/Docker/data/cert.pem - sudo cp test/ca/certs.pem examples/Docker/data/ca_bundle.pem - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg - sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/pkcs7_soap_ca_handler.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "soap_srv: http://soap-srv.acme:8888" >> examples/Docker/data/acme_srv.cfg - sudo echo "signing_script: /var/www/acme2certifier/volume/mock_signer.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "signing_alias: /var/www/acme2certifier/volume/cert.pem" >> examples/Docker/data/acme_srv.cfg - sudo echo "signing_config_variant: /var/www/acme2certifier/volume/key.pem" >> examples/Docker/data/acme_srv.cfg - sudo echo "signing_csr_path: /var/www/acme2certifier/volume" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_bundle: /var/www/acme2certifier/volume/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg - sudo echo "profilename: foo" >> examples/Docker/data/acme_srv.cfg - sudo echo "email: grindsa@foo.bar" >> examples/Docker/data/acme_srv.cfg - cat examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - sudo mkdir acme-sh - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ ENROLL ] acme.sh" - run: | - docker exec -i 
acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "[ REGISTER] certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "[ ENROLL ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - - name: "[ ENROLL ] lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ - sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ - cd examples/Docker - docker-compose -f soap_srv.yml logs > ${{ github.workspace }}/artifact/soap-srv.log - docker-compose logs > ${{ github.workspace }}/artifact/a2c.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace 
}}/artifact/upload/artifact.tar.gz a2c.log data soap-srv.log acme-sh certbot lego - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: pkcs7soap-ext.tar.gz - path: ${{ github.workspace }}/artifact/upload/ diff --git a/.github/workflows/ca_handler_tests_xca.yml b/.github/workflows/ca_handler_tests_xca.yml deleted file mode 100644 index 47adcd75..00000000 --- a/.github/workflows/ca_handler_tests_xca.yml +++ /dev/null 
@@ -1,104 +0,0 @@ -name: CA handler tests - XCA - -on: - push: - pull_request: - branches: [ devel ] - schedule: - # * is a special character in YAML so you have to quote this string - - cron: '0 2 * * 6' - -jobs: - xca_handler_tests: - name: "xca_handler_tests" - runs-on: ubuntu-latest - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" - working-directory: examples/Docker/ - run: | - sudo mkdir -p data - docker network create acme - docker-compose up -d - docker-compose logs - - - name: "[ PREPARE ] create letsencrypt and lego folder" - run: | - mkdir certbot - mkdir lego - - - name: "Test http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] setup a2c with xca_ca_handler" - run: | - sudo mkdir -p examples/Docker/data/xca - sudo chmod -R 777 examples/Docker/data/xca - sudo cp test/ca/acme2certifier-clean.xdb examples/Docker/data/xca/$XCA_DB_NAME - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo touch examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg - sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/xca_ca_handler.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "xdb_file: volume/xca/$XCA_DB_NAME" >> examples/Docker/data/acme_srv.cfg - sudo echo "issuing_ca_name: $XCA_ISSUING_CA" >> examples/Docker/data/acme_srv.cfg - sudo echo "passphrase: $XCA_PASSPHRASE" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_cert_chain_list: [\"root-ca\"]" >> examples/Docker/data/acme_srv.cfg - sudo echo "template_name: $XCA_TEMPLATE" >> examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - 
docker-compose restart - docker-compose logs - env: - XCA_PASSPHRASE: ${{ secrets.XCA_PASSPHRASE }} - XCA_ISSUING_CA: ${{ secrets.XCA_ISSUING_CA }} - XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} - XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} - - - name: "Test http://acme-srv/directory is accessable again" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - sudo mkdir acme-sh - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ ENROLL ] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "[ REGISTER] certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "[ ENROLL ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - - name: "[ ENROLL ] lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - - - name: 
"[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ - sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: xca.tar.gz - path: ${{ github.workspace }}/artifact/upload/ diff --git a/.github/workflows/certbot-application-test.yml b/.github/workflows/certbot-application-test.yml deleted file mode 100644 index c8e4ac37..00000000 --- a/.github/workflows/certbot-application-test.yml +++ /dev/null 
@@ -1,377 +0,0 @@ -name: Application Tests - Certbot - -on: - push: - pull_request: - branches: [ devel ] - schedule: - # * is a special character in YAML so you have to quote this string - - cron: '0 2 * * 6' - -jobs: - - certbot_apache2_wsgi: - name: "certbot_apache2_wsgi" - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - keylength: [2048, 4096] - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" - working-directory: examples/Docker/ - run: | - sudo mkdir -p data - docker network create acme - docker-compose up -d - docker-compose logs - - - name: "[ PREPARE ] Sleep for 10s" - uses: juliangruber/sleep-action@v1 - with: - time: 10s - - - name: "Test http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] setup openssl ca_handler" - run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - - - name: "[ PREPARE ] create letsencrypt folder" - run: | - mkdir certbot - - - name: "[ REGISTER] certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "[ ENROLL ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name 
certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - - name: "[ RENEW ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - - name: "[ REVOKE ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot - - - name: "[ ENROLL ] HTTP-01 2x domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme -d certbot. --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - - name: "[ RENEW ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme -d certbot. 
--cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - - name: "[ REVOKE ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme -d certbot. --cert-name certbot - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data certbot - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: certbot_key-${{ matrix.keylength }}.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - certbot_apache2_django: - name: "certbot_apache2_django" - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - keylength: [2048, 4096] - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] Build docker-compose (apache2_django)" - working-directory: examples/Docker/ - run: | - sed -i "s/wsgi/django/g" .env - sudo mkdir -p data - docker network create acme - docker-compose up -d - docker-compose logs - - - name: "[ PREPARE ] Sleep for 10s" - uses: juliangruber/sleep-action@v1 - with: - time: 10s - - - name: "Test http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] setup openssl ca_handler and django config" - run: | - sudo cp examples/ca_handler/openssl_ca_handler.py 
examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo cp .github/django_settings.py examples/Docker/data/settings.py - cd examples/Docker/ - docker-compose restart - docker-compose logs - - - name: "[ PREPARE ] create letsencrypt folder" - run: | - mkdir certbot - - - name: "[ REGISTER] certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "[ ENROLL ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - - name: "[ RENEW ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - - name: "[ REVOKE ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot - - - name: "[ ENROLL 
] HTTP-01 2x domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme -d certbot. --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - - name: "[ RENEW ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme -d certbot. --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - - name: "[ REVOKE ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme -d certbot. 
--cert-name certbot - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data certbot - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: certbot_key-${{ matrix.keylength }}.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - certbot_nginx_wsgi: - name: "certbot_nginx_wsgi" - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - keylength: [2048, 4096] - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] Build docker-compose (nginx_django)" - working-directory: examples/Docker/ - run: | - sed -i "s/apache2/nginx/g" .env - sudo mkdir -p data - docker network create acme - docker-compose up -d - docker-compose logs - - - name: "[ PREPARE ] Sleep for 10s" - uses: juliangruber/sleep-action@v1 - with: - time: 10s - - - name: "Test http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] setup openssl ca_handler" - run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - - - name: "[ PREPARE ] create letsencrypt folder" - run: | - mkdir certbot 
- - - name: "[ REGISTER] certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "[ ENROLL ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - - name: "[ RENEW ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - - name: "[ REVOKE ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot - - - name: "[ ENROLL ] HTTP-01 2x domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme -d certbot. 
--cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - - name: "[ RENEW ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme -d certbot. --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - - name: "[ REVOKE ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme -d certbot. --cert-name certbot - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data certbot - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: certbot_key-${{ matrix.keylength }}.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - certbot_nginx_django: - name: "certbot_nginx_django" - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - keylength: [2048, 4096] - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] Build docker-compose (nginx_django)" - working-directory: examples/Docker/ - run: | - sed -i "s/wsgi/django/g" .env 
- sed -i "s/apache2/nginx/g" .env - sudo mkdir -p data - docker network create acme - docker-compose up -d - docker-compose logs - - - name: "[ PREPARE ] Sleep for 10s" - uses: juliangruber/sleep-action@v1 - with: - time: 10s - - - name: "Test http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] setup openssl ca_handler and django config" - run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo cp .github/django_settings.py examples/Docker/data/settings.py - cd examples/Docker/ - docker-compose restart - docker-compose logs - - - name: "[ PREPARE ] create letsencrypt folder" - run: | - mkdir certbot - - - name: "[ REGISTER] certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "[ ENROLL ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - - name: "[ RENEW ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone 
--preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - - name: "[ REVOKE ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot - - - name: "[ ENROLL ] HTTP-01 2x domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme -d certbot. --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - - name: "[ RENEW ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme -d certbot. --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - - name: "[ REVOKE ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme -d certbot. 
--cert-name certbot - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data certbot - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: certbot_key-${{ matrix.keylength }}.tar.gz - path: ${{ github.workspace }}/artifact/upload/ diff --git a/.github/workflows/certmanager-application-test.yml b/.github/workflows/certmanager-application-test.yml deleted file mode 100644 index 3ddee661..00000000 --- a/.github/workflows/certmanager-application-test.yml +++ /dev/null 
@@ -1,801 +0,0 @@ -name: Application Tests - cert-manager - -on: - push: - pull_request: - branches: [ devel ] - schedule: - # * is a special character in YAML so you have to quote this string - - cron: '0 2 * * 6' - -jobs: - certmgr_http01_apwsgi: - name: "apache2 wsgi - certmgr http01 challenge tests" - runs-on: ubuntu-latest - strategy: - fail-fast: false - steps: - - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] get runner ip" - run: | - echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV - echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV - - run: echo "runner IP is ${{ env.RUNNER_IP }}" - - - name: "[ PREPARE ] install microk8s" - run: | - sudo snap install microk8s --classic - sudo microk8s status --wait-ready - sudo microk8s enable helm3 - sudo microk8s enable ingress - - name: "[ PREPARE ] install dnsmasq" - run: | - sudo mkdir -p data - sudo cp .github/dnsmasq.conf data - sudo cp .github/dnsmasq.yml data - sudo chmod -R 777 data/dnsmasq.conf - sudo chmod -R 777 data/dnsmasq.yml - sudo sed -i "s/RUNNER_IP/${{ env.RUNNER_IP }}/g" data/dnsmasq.conf - sudo sed -i "s/RUNNER_PATH/${{ env.RUNNER_PATH }}/g" data/dnsmasq.yml - cat data/dnsmasq.conf - cat data/dnsmasq.yml - docker pull gigantuar/dnsmasq:latest-amd64 - docker save gigantuar/dnsmasq -o dnsmasq.tar - sudo microk8s ctr image import dnsmasq.tar - sudo microk8s ctr images ls | grep -i gigantuar - - name: "[ PREPARE ] deploy dnsmasq pod" - run: | - sudo microk8s.kubectl apply -f data/dnsmasq.yml - - name: "[ WAIT ] Sleep for 10s" - uses: juliangruber/sleep-action@v1 - with: - time: 10s - - - name: "[ CHECK ] check status dnsmasq pod and grab ip" - run: | - sudo microk8s.kubectl get pods -n dnsmasq - sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq - sudo microk8s.kubectl get pods -n dnsmasq | grep -i Running - sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq | grep " IP:" | cut -d ' ' -f 5 - echo 
DNSMASQ_IP=$(sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq | grep " IP:" | cut -d ' ' -f 5) >> $GITHUB_ENV - - run: echo "dnsmasq pod IP is ${{ env.DNSMASQ_IP }}" - - - name: "[ PREPARE ] change and test dns" - run: | - sudo systemctl disable systemd-resolved - sudo systemctl stop systemd-resolved - sudo chmod -R 777 /etc/resolv.conf - sudo echo "nameserver ${{ env.DNSMASQ_IP }}" > /etc/resolv.conf - sudo cat /etc/resolv.conf - host www.heise.de - host www.bar.local - - name: "[ PREPARE ] install cert-manager charts" - run: | - sudo microk8s.kubectl create namespace cert-manager - sudo microk8s.helm3 repo add jetstack https://charts.jetstack.io - sudo microk8s.helm3 repo update - sudo microk8s.helm3 install cert-manager jetstack/cert-manager --namespace cert-manager --set installCRDs=true - echo CERTMGR_VERSION=$(sudo microk8s.helm3 show chart jetstack/cert-manager | grep version) >> $GITHUB_ENV - - run: echo "cert-manager ${{ env.CERTMGR_VERSION }}" - - - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" - run: | - cat examples/Docker/apache2/wsgi/Dockerfile | docker build -t grindsa/acme2certifier:devel -f - . 
--no-cache - # docker pull grindsa/acme2certifier:devel - docker save grindsa/acme2certifier > a2c.tar - sudo microk8s ctr image import a2c.tar - sudo microk8s ctr images ls | grep -i grindsa - - name: "[ PREPARE ] Create a2c configuration" - run: | - sudo mkdir -p data - sudo cp examples/ca_handler/openssl_ca_handler.py data/ca_handler.py - sudo mkdir -p data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/acme_srv.cfg - sudo chmod 777 data/acme_srv.cfg - - name: "[ DEPLOY ] deploy a2c pod" - run: | - sudo microk8s.kubectl apply -f .github/k8s-acme-srv.yml - sudo microk8s.kubectl get pods -n cert-manager-acme - - name: "[ WAIT ] Sleep for 10s" - uses: juliangruber/sleep-action@v1 - with: - time: 10s - - - name: "[ CHECK ] check status a2c pod and grab ip of a2c pod" - run: | - sudo microk8s.kubectl get pods -n cert-manager-acme - sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier - sudo microk8s.kubectl get pods -n cert-manager-acme | grep -i Running - sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier | grep " IP:" | cut -d ' ' -f 5 - echo ACME_IP=$(sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier | grep " IP:" | cut -d ' ' -f 5) >> $GITHUB_ENV - - run: echo "a2c pod IP is ${{ env.ACME_IP }}" - - - name: "[ DEPLOY ] deploy cert-manager and trigger enrollment" - run: | - sudo cp .github/k8s-cert-mgr-http-01.yml data - sudo chmod -R 777 data/k8s-cert-mgr-http-01.yml - sudo sed -i "s/ACME_SRV/${{ env.ACME_IP }}/g" data/k8s-cert-mgr-http-01.yml - sudo microk8s.kubectl apply -f data/k8s-cert-mgr-http-01.yml - - name: "[ WAIT ] Sleep for 20s" - uses: juliangruber/sleep-action@v1 - with: - time: 20s - - - name: "[ CHECK ] check issuer and challenge" - run: | - sudo microk8s.kubectl describe ClusterIssuer acme2certifier - sudo microk8s.kubectl describe 
challenge - - name: "[ WAIT ] Sleep for 20s" - uses: juliangruber/sleep-action@v1 - with: - time: 20s - - - name: "[ CHECK ] check issuer and challenge" - run: | - sudo microk8s.kubectl describe ClusterIssuer acme2certifier - sudo microk8s.kubectl describe challenge - - name: "[ WAIT ] Sleep for 20s" - uses: juliangruber/sleep-action@v1 - with: - time: 20s - - - name: "[ CHECK ] check issuer and challenge" - run: | - sudo microk8s.kubectl describe ClusterIssuer acme2certifier - sudo microk8s.kubectl describe challenge - sudo microk8s.kubectl describe certificate - sudo microk8s.kubectl describe certificates | grep -i "The certificate has been successfully issued" - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ - sudo microk8s.kubectl logs acme2certifier -n cert-manager-acme > ${{ github.workspace }}/artifact/acme2certifier.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz acme2certifier.log data - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: cert-manager-http-apwsgi.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - certmgr_http01_apdjango: - name: "apache2 django - certmgr http01 challenge tests" - runs-on: ubuntu-latest - strategy: - fail-fast: false - steps: - - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] get runner ip" - run: | - echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV - echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV - - run: echo "runner IP is ${{ env.RUNNER_IP }}" - - - name: "[ PREPARE ] install microk8s" - run: | - sudo snap install microk8s --classic - sudo microk8s status --wait-ready - sudo microk8s enable helm3 - sudo microk8s enable ingress - - name: "[ PREPARE ] install dnsmasq" 
- run: | - sudo mkdir -p data - sudo cp .github/dnsmasq.conf data - sudo cp .github/dnsmasq.yml data - sudo chmod -R 777 data/dnsmasq.conf - sudo chmod -R 777 data/dnsmasq.yml - sudo sed -i "s/RUNNER_IP/${{ env.RUNNER_IP }}/g" data/dnsmasq.conf - sudo sed -i "s/RUNNER_PATH/${{ env.RUNNER_PATH }}/g" data/dnsmasq.yml - cat data/dnsmasq.conf - cat data/dnsmasq.yml - docker pull gigantuar/dnsmasq:latest-amd64 - docker save gigantuar/dnsmasq -o dnsmasq.tar - sudo microk8s ctr image import dnsmasq.tar - sudo microk8s ctr images ls | grep -i gigantuar - - name: "[ PREPARE ] deploy dnsmasq pod" - run: | - sudo microk8s.kubectl apply -f data/dnsmasq.yml - - name: "[ WAIT ] Sleep for 10s" - uses: juliangruber/sleep-action@v1 - with: - time: 10s - - - name: "[ CHECK ] check status dnsmasq pod and grab ip" - run: | - sudo microk8s.kubectl get pods -n dnsmasq - sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq - sudo microk8s.kubectl get pods -n dnsmasq | grep -i Running - sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq | grep " IP:" | cut -d ' ' -f 5 - echo DNSMASQ_IP=$(sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq | grep " IP:" | cut -d ' ' -f 5) >> $GITHUB_ENV - - run: echo "dnsmasq pod IP is ${{ env.DNSMASQ_IP }}" - - - name: "[ PREPARE ] change and test dns" - run: | - sudo systemctl disable systemd-resolved - sudo systemctl stop systemd-resolved - sudo chmod -R 777 /etc/resolv.conf - sudo echo "nameserver ${{ env.DNSMASQ_IP }}" > /etc/resolv.conf - sudo cat /etc/resolv.conf - host www.heise.de - host www.bar.local - - name: "[ PREPARE ] install cert-manager charts" - run: | - sudo microk8s.kubectl create namespace cert-manager - sudo microk8s.helm3 repo add jetstack https://charts.jetstack.io - sudo microk8s.helm3 repo update - sudo microk8s.helm3 install cert-manager jetstack/cert-manager --namespace cert-manager --set installCRDs=true - echo CERTMGR_VERSION=$(sudo microk8s.helm3 show chart jetstack/cert-manager | grep version) >> $GITHUB_ENV - - run: 
echo "cert-manager ${{ env.CERTMGR_VERSION }}"
-
- - name: "[ PREPARE ] Build docker-compose (apache2_django)"
- run: |
- cat examples/Docker/apache2/django/Dockerfile | docker build -t grindsa/acme2certifier:devel -f - . --no-cache
- docker save grindsa/acme2certifier > a2c.tar
- sudo microk8s ctr image import a2c.tar
- sudo microk8s ctr images ls | grep -i grindsa
- - name: "[ PREPARE ] Create a2c configuration"
- run: |
- sudo mkdir -p data
- sudo cp examples/ca_handler/openssl_ca_handler.py data/ca_handler.py
- sudo mkdir -p data/acme_ca/certs
- sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/
- sudo cp .github/django_settings.py data/settings.py
- sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/acme_srv.cfg
- sudo chmod 777 data/acme_srv.cfg
- - name: "[ DEPLOY ] deploy a2c pod"
- run: |
- sudo microk8s.kubectl apply -f .github/k8s-acme-srv.yml
- sudo microk8s.kubectl get pods -n cert-manager-acme
- - name: "[ WAIT ] Sleep for 10s"
- uses: juliangruber/sleep-action@v1
- with:
- time: 10s
-
- - name: "[ CHECK ] check status a2c pod and grab ip of a2c pod"
- run: |
- sudo microk8s.kubectl get pods -n cert-manager-acme
- sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier
- sudo microk8s.kubectl get pods -n cert-manager-acme | grep -i Running
- sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier | grep " IP:" | cut -d ' ' -f 5
- echo ACME_IP=$(sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier | grep " IP:" | cut -d ' ' -f 5) >> $GITHUB_ENV
- - run: echo "a2c pod IP is ${{ env.ACME_IP }}"
-
- - name: "[ DEPLOY ] deploy cert-manager and trigger enrollment"
- run: |
- sudo cp .github/k8s-cert-mgr-http-01.yml data
- sudo chmod -R 777 data/k8s-cert-mgr-http-01.yml
- sudo sed -i "s/ACME_SRV/${{ env.ACME_IP }}/g" data/k8s-cert-mgr-http-01.yml
- sudo microk8s.kubectl apply -f data/k8s-cert-mgr-http-01.yml
- - name: "[ WAIT ] Sleep for 20s"
- uses: juliangruber/sleep-action@v1
- with:
- time: 20s
-
- - name: "[ CHECK ] check issuer and challenge"
- run: |
- sudo microk8s.kubectl describe ClusterIssuer acme2certifier
- sudo microk8s.kubectl describe challenge
- - name: "[ WAIT ] Sleep for 20s"
- uses: juliangruber/sleep-action@v1
- with:
- time: 20s
-
- - name: "[ CHECK ] check issuer and challenge"
- run: |
- sudo microk8s.kubectl describe ClusterIssuer acme2certifier
- sudo microk8s.kubectl describe challenge
- - name: "[ WAIT ] Sleep for 20s"
- uses: juliangruber/sleep-action@v1
- with:
- time: 20s
-
- - name: "[ CHECK ] check issuer and challenge"
- run: |
- sudo microk8s.kubectl describe ClusterIssuer acme2certifier
- sudo microk8s.kubectl describe challenge
- sudo microk8s.kubectl describe certificate
- sudo microk8s.kubectl describe certificates | grep -i "The certificate has been successfully issued"
- - name: "[ * ] collecting test logs"
- if: ${{ failure() }}
- run: |
- mkdir -p ${{ github.workspace }}/artifact/upload
- sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
- sudo microk8s.kubectl logs acme2certifier -n cert-manager-acme > ${{ github.workspace }}/artifact/acme2certifier.log
- sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz acme2certifier.log data
- - name: "[ * ] uploading artificates"
- uses: actions/upload-artifact@v2
- if: ${{ failure() }}
- with:
- name: cert-manager-http-apwsgi.tar.gz
- path: ${{ github.workspace }}/artifact/upload/
-
- certmgr_dns01_apwsgi:
- name: "apache2 wsgi - certmgr dns01 challenge tests"
- runs-on: ubuntu-latest
- strategy:
- fail-fast: false
- steps:
-
- - name: "checkout GIT"
- uses: actions/checkout@v2
-
- - name: "[ PREPARE ] change dns"
- run: |
- sudo systemctl disable systemd-resolved
- sudo systemctl stop systemd-resolved
- sudo chmod -R 777 /etc/resolv.conf
- sudo echo "nameserver 8.8.8.8" > /etc/resolv.conf
- sudo cat /etc/resolv.conf
- - name: "[ PREPARE ] install microk8s"
- run: |
- sudo snap install microk8s --classic
- sudo microk8s status --wait-ready
- sudo microk8s enable helm3
- - name: "[ PREPARE ] install cert-manager charts"
- run: |
- sudo microk8s.kubectl create namespace cert-manager
- sudo microk8s.helm3 repo add jetstack https://charts.jetstack.io
- sudo microk8s.helm3 repo update
- sudo microk8s.helm3 install \
- cert-manager jetstack/cert-manager \
- --namespace cert-manager \
- --set installCRDs=true
- echo CERTMGR_VERSION=$(sudo microk8s.helm3 show chart jetstack/cert-manager | grep version) >> $GITHUB_ENV
- - run: echo "cert-manager ${{ env.CERTMGR_VERSION }}"
-
- - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
- run: |
- cat examples/Docker/apache2/wsgi/Dockerfile | docker build -t grindsa/acme2certifier:devel -f - . --no-cache
- # docker pull grindsa/acme2certifier:devel
- docker save grindsa/acme2certifier > a2c.tar
- sudo microk8s ctr image import a2c.tar
- sudo microk8s ctr images ls | grep -i grindsa
- - name: "[ PREPARE ] Create a2c configuration"
- run: |
- sudo mkdir -p data
- sudo cp examples/ca_handler/openssl_ca_handler.py data/ca_handler.py
- sudo mkdir -p data/acme_ca/certs
- sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/
- sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/acme_srv.cfg
- sudo chmod 777 data/acme_srv.cfg
- - name: "[ DEPLOY ] deploy a2c pod"
- run: |
- sudo microk8s.kubectl apply -f .github/k8s-acme-srv.yml
- sudo microk8s.kubectl get pods -n cert-manager-acme
- - name: "[ WAIT ] Sleep for 10s"
- uses: juliangruber/sleep-action@v1
- with:
- time: 10s
-
- - name: "[ CHECK ] check status a2c pod and grab ip of a2c pod"
- run: |
- sudo microk8s.kubectl get pods -n cert-manager-acme
- sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier
- sudo microk8s.kubectl get pods -n cert-manager-acme | grep -i Running
- sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier | grep " IP:" | cut -d ' ' -f 5
- echo ACME_IP=$(sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier | grep " IP:" | cut -d ' ' -f 5) >> $GITHUB_ENV
- - run: echo "a2c pod IP is ${{ env.ACME_IP }}"
-
- - name: "[ DEPLOY ] deploy cert-manager"
- run: |
- sudo cp .github/k8s-cert-mgr-dns-01.yml data
- sudo chmod -R 777 data/k8s-cert-mgr-dns-01.yml
- sudo sed -i "s/ACME_SRV/${{ env.ACME_IP }}/g" data/k8s-cert-mgr-dns-01.yml
- sudo sed -i "s/CF_TOKEN/${{ secrets.CF_TOKEN }}/g" data/k8s-cert-mgr-dns-01.yml
- sudo sed -i "s/MY_EMAIL/${{ secrets.EMAIL }}/g" data/k8s-cert-mgr-dns-01.yml
- - name: "[ DEPLOY ] deploy cert-manager and trigger enrollment"
- run: |
- sudo microk8s.kubectl apply -f data/k8s-cert-mgr-dns-01.yml
- - name: "[ WAIT ] Sleep for 20s"
- uses: juliangruber/sleep-action@v1
- with:
- time: 20s
-
- - name: "[ CHECK ] check issuer and challenge"
- run: |
- sudo microk8s.kubectl describe issuer acme2certifier -n cert-manager-acme
- sudo microk8s.kubectl describe challenge -n cert-manager-acme
- - name: "[ WAIT ] Sleep for 30s"
- uses: juliangruber/sleep-action@v1
- with:
- time: 60s
-
- - name: "[ CHECK ] check issuer and challenge"
- run: |
- sudo microk8s.kubectl describe issuer acme2certifier -n cert-manager-acme
- sudo microk8s.kubectl describe challenge -n cert-manager-acme
- - name: "[ WAIT ] Sleep for 60s"
- uses: juliangruber/sleep-action@v1
- with:
- time: 60s
-
- - name: "[ CHECK ] check issuer and challenge"
- run: |
- sudo microk8s.kubectl describe issuer acme2certifier -n cert-manager-acme
- sudo microk8s.kubectl describe challenge -n cert-manager-acme
- - name: "[ WAIT ] Sleep for 60s"
- uses: juliangruber/sleep-action@v1
- with:
- time: 60s
-
- - name: "[ CHECK ] check challenge and certificate"
- run: |
- sudo microk8s.kubectl describe challenge -n cert-manager-acme
- sudo microk8s.kubectl describe certificates acme-cert -n cert-manager-acme
- sudo microk8s.kubectl describe certificates acme-cert -n cert-manager-acme | grep -i "The certificate has been successfully issued"
- - name: "[ PREPARE ] reconfigure YAML to wildcard domain"
- run: |
- sudo microk8s.kubectl delete -f data/k8s-cert-mgr-dns-01.yml
- sudo sed -i "s/commonName: k8.acme.dynamop.de/commonName: '*.acme.dynamop.de'/g" data/k8s-cert-mgr-dns-01.yml
- sudo sed -i "s/- k8.acme.dynamop.de/- '*.acme.dynamop.de'/g" data/k8s-cert-mgr-dns-01.yml
- - name: "[ DEPLOY ] deploy cert-manager and trigger enrollment"
- run: |
- sudo microk8s.kubectl apply -f data/k8s-cert-mgr-dns-01.yml
- - name: "[ WAIT ] Sleep for 20s"
- uses: juliangruber/sleep-action@v1
- with:
- time: 20s
-
- - name: "[ CHECK ] check issuer and challenge"
- run: |
- sudo microk8s.kubectl describe issuer acme2certifier -n cert-manager-acme
- sudo microk8s.kubectl describe challenge -n cert-manager-acme
- - name: "[ WAIT ] Sleep for 30s"
- uses: juliangruber/sleep-action@v1
- with:
- time: 60s
-
- - name: "[ CHECK ] check issuer and challenge"
- run: |
- sudo microk8s.kubectl describe issuer acme2certifier -n cert-manager-acme
- sudo microk8s.kubectl describe challenge -n cert-manager-acme
- - name: "[ WAIT ] Sleep for 60s"
- uses: juliangruber/sleep-action@v1
- with:
- time: 60s
-
- - name: "[ CHECK ] check issuer and challenge"
- run: |
- sudo microk8s.kubectl describe issuer acme2certifier -n cert-manager-acme
- sudo microk8s.kubectl describe challenge -n cert-manager-acme
- - name: "[ WAIT ] Sleep for 60s"
- uses: juliangruber/sleep-action@v1
- with:
- time: 60s
-
- - name: "[ CHECK ] check challenge and certificate"
- run: |
- sudo microk8s.kubectl describe challenge -n cert-manager-acme
- sudo microk8s.kubectl describe certificates acme-cert -n cert-manager-acme
- sudo microk8s.kubectl describe certificates acme-cert -n cert-manager-acme | grep -i "The certificate has been successfully issued"
- - name: "[ * ] collecting test logs"
- if: ${{ failure() }}
- run: |
- mkdir -p ${{ github.workspace }}/artifact/upload
- sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
- sudo microk8s.kubectl logs acme2certifier -n cert-manager-acme > ${{ github.workspace }}/artifact/acme2certifier.log
- sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz acme2certifier.log data
- - name: "[ * ] uploading artificates"
- uses: actions/upload-artifact@v2
- if: ${{ failure() }}
- with:
- name: cert-manager-dns-apwsgi.tar.gz
- path: ${{ github.workspace }}/artifact/upload/
-
-
- certmgr_http01_nginxwsgi:
- name: "nginx wsgi - certmgr http01 challenge tests"
- runs-on: ubuntu-latest
- strategy:
- fail-fast: false
- steps:
-
- - name: "checkout GIT"
- uses: actions/checkout@v2
-
- - name: "[ PREPARE ] get runner ip"
- run: |
- echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
- echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
- - run: echo "runner IP is ${{ env.RUNNER_IP }}"
-
- - name: "[ PREPARE ] install microk8s"
- run: |
- sudo snap install microk8s --classic
- sudo microk8s status --wait-ready
- sudo microk8s enable helm3
- sudo microk8s enable ingress
- - name: "[ PREPARE ] install dnsmasq"
- run: |
- sudo mkdir -p data
- sudo cp .github/dnsmasq.conf data
- sudo cp .github/dnsmasq.yml data
- sudo chmod -R 777 data/dnsmasq.conf
- sudo chmod -R 777 data/dnsmasq.yml
- sudo sed -i "s/RUNNER_IP/${{ env.RUNNER_IP }}/g" data/dnsmasq.conf
- sudo sed -i "s/RUNNER_PATH/${{ env.RUNNER_PATH }}/g" data/dnsmasq.yml
- cat data/dnsmasq.conf
- cat data/dnsmasq.yml
- docker pull gigantuar/dnsmasq:latest-amd64
- docker save gigantuar/dnsmasq -o dnsmasq.tar
- sudo microk8s ctr image import dnsmasq.tar
- sudo microk8s ctr images ls | grep -i gigantuar
- - name: "[ PREPARE ] deploy dnsmasq pod"
- run: |
- sudo microk8s.kubectl apply -f data/dnsmasq.yml
- - name: "[ WAIT ] Sleep for 10s"
- uses: juliangruber/sleep-action@v1
- with:
- time: 10s
-
- - name: "[ CHECK ] check status dnsmasq pod and grab ip"
- run: |
- sudo microk8s.kubectl get pods -n dnsmasq
- sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq
- sudo microk8s.kubectl get pods -n dnsmasq | grep -i Running
- sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq | grep " IP:" | cut -d ' ' -f 5
- echo DNSMASQ_IP=$(sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq | grep " IP:" | cut -d ' ' -f 5) >> $GITHUB_ENV
- - run: echo "dnsmasq pod IP is ${{ env.DNSMASQ_IP }}"
-
- - name: "[ PREPARE ] change and test dns"
- run: |
- sudo systemctl disable systemd-resolved
- sudo systemctl stop systemd-resolved
- sudo chmod -R 777 /etc/resolv.conf
- sudo echo "nameserver ${{ env.DNSMASQ_IP }}" > /etc/resolv.conf
- sudo cat /etc/resolv.conf
- host www.heise.de
- host www.bar.local
- - name: "[ PREPARE ] install cert-manager charts"
- run: |
- sudo microk8s.kubectl create namespace cert-manager
- sudo microk8s.helm3 repo add jetstack https://charts.jetstack.io
- sudo microk8s.helm3 repo update
- sudo microk8s.helm3 install cert-manager jetstack/cert-manager --namespace cert-manager --set installCRDs=true
- echo CERTMGR_VERSION=$(sudo microk8s.helm3 show chart jetstack/cert-manager | grep version) >> $GITHUB_ENV
- - run: echo "cert-manager ${{ env.CERTMGR_VERSION }}"
-
- - name: "[ PREPARE ] Build docker-compose (nginx_wsgi)"
- run: |
- cat examples/Docker/nginx/wsgi/Dockerfile | docker build -t grindsa/acme2certifier:devel -f - . --no-cache
- # docker pull grindsa/acme2certifier:devel
- docker save grindsa/acme2certifier > a2c.tar
- sudo microk8s ctr image import a2c.tar
- sudo microk8s ctr images ls | grep -i grindsa
- - name: "[ PREPARE ] Create a2c configuration"
- run: |
- sudo mkdir -p data
- sudo cp examples/ca_handler/openssl_ca_handler.py data/ca_handler.py
- sudo mkdir -p data/acme_ca/certs
- sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/
- sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/acme_srv.cfg
- sudo chmod 777 data/acme_srv.cfg
- - name: "[ DEPLOY ] deploy a2c pod"
- run: |
- sudo microk8s.kubectl apply -f .github/k8s-acme-srv.yml
- sudo microk8s.kubectl get pods -n cert-manager-acme
- - name: "[ WAIT ] Sleep for 10s"
- uses: juliangruber/sleep-action@v1
- with:
- time: 10s
-
- - name: "[ CHECK ] check status a2c pod and grab ip of a2c pod"
- run: |
- sudo microk8s.kubectl get pods -n cert-manager-acme
- sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier
- sudo microk8s.kubectl get pods -n cert-manager-acme | grep -i Running
- sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier | grep " IP:" | cut -d ' ' -f 5
- echo ACME_IP=$(sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier | grep " IP:" | cut -d ' ' -f 5) >> $GITHUB_ENV
- - run: echo "a2c pod IP is ${{ env.ACME_IP }}"
-
- - name: "[ DEPLOY ] deploy cert-manager and trigger enrollment"
- run: |
- sudo cp .github/k8s-cert-mgr-http-01.yml data
- sudo chmod -R 777 data/k8s-cert-mgr-http-01.yml
- sudo sed -i "s/ACME_SRV/${{ env.ACME_IP }}/g" data/k8s-cert-mgr-http-01.yml
- sudo microk8s.kubectl apply -f data/k8s-cert-mgr-http-01.yml
- - name: "[ WAIT ] Sleep for 20s"
- uses: juliangruber/sleep-action@v1
- with:
- time: 20s
-
- - name: "[ CHECK ] check issuer and challenge"
- run: |
- sudo microk8s.kubectl describe ClusterIssuer acme2certifier
- sudo microk8s.kubectl describe challenge
- - name: "[ WAIT ] Sleep for 20s"
- uses: juliangruber/sleep-action@v1
- with:
- time: 20s
-
- - name: "[ CHECK ] check issuer and challenge"
- run: |
- sudo microk8s.kubectl describe ClusterIssuer acme2certifier
- sudo microk8s.kubectl describe challenge
- - name: "[ WAIT ] Sleep for 20s"
- uses: juliangruber/sleep-action@v1
- with:
- time: 20s
-
- - name: "[ CHECK ] check issuer and challenge"
- run: |
- sudo microk8s.kubectl describe ClusterIssuer acme2certifier
- sudo microk8s.kubectl describe challenge
- sudo microk8s.kubectl describe certificate
- sudo microk8s.kubectl describe certificates | grep -i "The certificate has been successfully issued"
- - name: "[ * ] collecting test logs"
- if: ${{ failure() }}
- run: |
- mkdir -p ${{ github.workspace }}/artifact/upload
- sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
- sudo microk8s.kubectl logs acme2certifier -n cert-manager-acme > ${{ github.workspace }}/artifact/acme2certifier.log
- sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz acme2certifier.log data
- - name: "[ * ] uploading artificates"
- uses: actions/upload-artifact@v2
- if: ${{ failure() }}
- with:
- name: cert-manager-http-nginxwsgi.tar.gz
- path: ${{ github.workspace }}/artifact/upload/
-
- certmgr_http01_nginxdjango:
- name: "nginx wsgi - certmgr http01 challenge tests"
- runs-on: ubuntu-latest
- strategy:
- fail-fast: false
- steps:
-
- - name: "checkout GIT"
- uses: actions/checkout@v2
-
- - name: "[ PREPARE ] get runner ip"
- run: |
- echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
- echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
- - run: echo "runner IP is ${{ env.RUNNER_IP }}"
-
- - name: "[ PREPARE ] install microk8s"
- run: |
- sudo snap install microk8s --classic
- sudo microk8s status --wait-ready
- sudo microk8s enable helm3
- sudo microk8s enable ingress
- - name: "[ PREPARE ] install dnsmasq"
- run: |
- sudo mkdir -p data
- sudo cp .github/dnsmasq.conf data
- sudo cp .github/dnsmasq.yml data
- sudo chmod -R 777 data/dnsmasq.conf
- sudo chmod -R 777 data/dnsmasq.yml
- sudo sed -i "s/RUNNER_IP/${{ env.RUNNER_IP }}/g" data/dnsmasq.conf
- sudo sed -i "s/RUNNER_PATH/${{ env.RUNNER_PATH }}/g" data/dnsmasq.yml
- cat data/dnsmasq.conf
- cat data/dnsmasq.yml
- docker pull gigantuar/dnsmasq:latest-amd64
- docker save gigantuar/dnsmasq -o dnsmasq.tar
- sudo microk8s ctr image import dnsmasq.tar
- sudo microk8s ctr images ls | grep -i gigantuar
- - name: "[ PREPARE ] deploy dnsmasq pod"
- run: |
- sudo microk8s.kubectl apply -f data/dnsmasq.yml
- - name: "[ WAIT ] Sleep for 10s"
- uses: juliangruber/sleep-action@v1
- with:
- time: 10s
-
- - name: "[ CHECK ] check status dnsmasq pod and grab ip"
- run: |
- sudo microk8s.kubectl get pods -n dnsmasq
- sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq
- sudo microk8s.kubectl get pods -n dnsmasq | grep -i Running
- sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq | grep " IP:" | cut -d ' ' -f 5
- echo DNSMASQ_IP=$(sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq | grep " IP:" | cut -d ' ' -f 5) >> $GITHUB_ENV
- - run: echo "dnsmasq pod IP is ${{ env.DNSMASQ_IP }}"
-
- - name: "[ PREPARE ] change and test dns"
- run: |
- sudo systemctl disable systemd-resolved
- sudo systemctl stop systemd-resolved
- sudo chmod -R 777 /etc/resolv.conf
- sudo echo "nameserver ${{ env.DNSMASQ_IP }}" > /etc/resolv.conf
- sudo cat /etc/resolv.conf
- host www.heise.de
- host www.bar.local
- - name: "[ PREPARE ] install cert-manager charts"
- run: |
- sudo microk8s.kubectl create namespace cert-manager
- sudo microk8s.helm3 repo add jetstack https://charts.jetstack.io
- sudo microk8s.helm3 repo update
- sudo microk8s.helm3 install cert-manager jetstack/cert-manager --namespace cert-manager --set installCRDs=true
- echo CERTMGR_VERSION=$(sudo microk8s.helm3 show chart jetstack/cert-manager | grep version) >> $GITHUB_ENV
- - run: echo "cert-manager ${{ env.CERTMGR_VERSION }}"
-
- - name: "[ PREPARE ] Build docker-compose (nginx_django)"
- run: |
- cat examples/Docker/nginx/django/Dockerfile | docker build -t grindsa/acme2certifier:devel -f - . --no-cache
- # docker pull grindsa/acme2certifier:devel
- docker save grindsa/acme2certifier > a2c.tar
- sudo microk8s ctr image import a2c.tar
- sudo microk8s ctr images ls | grep -i grindsa
- - name: "[ PREPARE ] Create a2c configuration"
- run: |
- sudo mkdir -p data
- sudo cp examples/ca_handler/openssl_ca_handler.py data/ca_handler.py
- sudo mkdir -p data/acme_ca/certs
- sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/
- sudo cp .github/django_settings.py data/settings.py
- sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/acme_srv.cfg
- sudo chmod 777 data/acme_srv.cfg
- - name: "[ DEPLOY ] deploy a2c pod"
- run: |
- sudo microk8s.kubectl apply -f .github/k8s-acme-srv.yml
- sudo microk8s.kubectl get pods -n cert-manager-acme
- - name: "[ WAIT ] Sleep for 10s"
- uses: juliangruber/sleep-action@v1
- with:
- time: 10s
-
- - name: "[ CHECK ] check status a2c pod and grab ip of a2c pod"
- run: |
- sudo microk8s.kubectl get pods -n cert-manager-acme
- sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier
- sudo microk8s.kubectl get pods -n cert-manager-acme | grep -i Running
- sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier | grep " IP:" | cut -d ' ' -f 5
- echo ACME_IP=$(sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier | grep " IP:" | cut -d ' ' -f 5) >> $GITHUB_ENV
- - run: echo "a2c pod IP is ${{ env.ACME_IP }}"
-
- - name: "[ DEPLOY ] deploy cert-manager and trigger enrollment"
- run: |
- sudo cp .github/k8s-cert-mgr-http-01.yml data
- sudo chmod -R 777 data/k8s-cert-mgr-http-01.yml
- sudo sed -i "s/ACME_SRV/${{ env.ACME_IP }}/g" data/k8s-cert-mgr-http-01.yml
- sudo microk8s.kubectl apply -f data/k8s-cert-mgr-http-01.yml
- - name: "[ WAIT ] Sleep for 20s"
- uses: juliangruber/sleep-action@v1
- with:
- time: 20s
-
- - name: "[ CHECK ] check issuer and challenge"
- run: |
- sudo microk8s.kubectl describe ClusterIssuer acme2certifier
- sudo microk8s.kubectl describe challenge
- - name: "[ WAIT ] Sleep for 20s"
- uses: juliangruber/sleep-action@v1
- with:
- time: 20s
-
- - name: "[ CHECK ] check issuer and challenge"
- run: |
- sudo microk8s.kubectl describe ClusterIssuer acme2certifier
- sudo microk8s.kubectl describe challenge
- - name: "[ WAIT ] Sleep for 20s"
- uses: juliangruber/sleep-action@v1
- with:
- time: 20s
-
- - name: "[ CHECK ] check issuer and challenge"
- run: |
- sudo microk8s.kubectl describe ClusterIssuer acme2certifier
- sudo microk8s.kubectl describe challenge
- sudo microk8s.kubectl describe certificate
- sudo microk8s.kubectl describe certificates | grep -i "The certificate has been successfully issued"
- - name: "[ * ] collecting test logs"
- if: ${{ failure() }}
- run: |
- mkdir -p ${{ github.workspace }}/artifact/upload
- sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
- sudo microk8s.kubectl logs acme2certifier -n cert-manager-acme > ${{ github.workspace }}/artifact/acme2certifier.log
- sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz acme2certifier.log data
- - name: "[ * ] uploading artificates"
- uses: actions/upload-artifact@v2
- if: ${{ failure() }}
- with:
- name: cert-manager-http-nginxwsgi.tar.gz
- path: ${{ github.workspace }}/artifact/upload/
diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml
deleted file mode 100644
index 3ae57deb..00000000
--- a/.github/workflows/codecov.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-name: Codecov
-on:
- push:
- branches:
- - 'master'
- - 'devel'
-jobs:
- codecov:
- name: Codecov Workflow
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v1
- - name: Set up Python
- uses: actions/setup-python@master
- with:
- python-version: 3.8
- - name: Generate coverage report
- run: |
- python -m pip install --upgrade pip
- pip install pytest
- pip install pytest-cov
- if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
- pytest --cov=./ --cov-report=xml
- - name: Upload coverage to Codecov
- uses: codecov/codecov-action@v1
- with:
- token: ${{ secrets.CODECOV_TOKEN }}
- file: ./coverage.xml
- flags: unittests
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
deleted file mode 100644
index 594a2eb2..00000000
--- a/.github/workflows/codeql-analysis.yml
+++ /dev/null
@@ -1,61 +0,0 @@
-name: "CodeQL"
-
-on:
- push:
- branches: [ devel ]
- pull_request:
- branches: [ devel ]
- schedule:
- - cron: '0 2 * * 6'
-
-jobs:
- analyze:
- name: Analyze
- runs-on: ubuntu-latest
-
- strategy:
- fail-fast: false
- matrix:
- # Override automatic language detection by changing the below list
- # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
- language: ['python']
- # Learn more...
- # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v2
- with:
- # We must fetch at least the immediate parents so that if this is
- # a pull request then we can checkout the head.
- fetch-depth: 2
-
- # If this run was triggered by a pull request event, then checkout
- # the head of the pull request instead of the merge commit.
- - run: git checkout HEAD^2
- if: ${{ github.event_name == 'pull_request' }}
-
- # Initializes the CodeQL tools for scanning.
- - name: Initialize CodeQL
- uses: github/codeql-action/init@v1
- with:
- languages: ${{ matrix.language }}
-
- # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
- # If this step fails, then you should remove it and run the build manually (see below)
- - name: Autobuild
- uses: github/codeql-action/autobuild@v1
-
- # ℹ️ Command-line programs to run using the OS shell.
- # 📚 https://git.io/JvXDl
-
- # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
- # and modify them (or add more) to build your code if your project
- # uses a compiled language
-
- #- run: |
- # make bootstrap
- # make release
-
- - name: Perform CodeQL Analysis
- uses: github/codeql-action/analyze@v1
diff --git a/.github/workflows/container-tests.yml b/.github/workflows/container-tests.yml
deleted file mode 100644
index 1985c3a0..00000000
--- a/.github/workflows/container-tests.yml
+++ /dev/null
@@ -1,293 +0,0 @@
-name: Container Deployment Tests
-
-on:
- push:
- pull_request:
- branches: [ devel ]
- schedule:
- # * is a special character in YAML so you have to quote this string
- - cron: '0 2 * * 6'
-
-jobs:
- docker-compose_apache2_wsgi:
- name: "Docker compose - apache2 wsgi"
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- - name: "Build the stack"
- working-directory: examples/Docker/
- run: |
- sudo mkdir -p data
- docker network create acme
- docker-compose up -d
- docker-compose logs
- - name: "[ PREPARE ] enable tls"
- run: |
- sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py
- sudo mkdir -p examples/Docker/data/acme_ca/certs
- sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/
- sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
- sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem
- cd examples/Docker/
- docker-compose restart
- docker-compose logs
- - name: "Test if http://acme-srv/directory is accessable"
- run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
- - name: "Test if https://acme-srv/directory is accessable"
- run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
- - name: "[ PREPARE ] prepare acme.sh container"
- run: |
- docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
- - name: "[ ENROLL ] register via http"
- run: |
- docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2
- - name: "[ ENROLL ] register via https"
- run: |
- docker exec -i acme-sh acme.sh --server https://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2
- - name: "[ PREPARE ] test ca_handler_migration"
- run: |
- sudo cp .github/openssl_ca_handler_v16.py examples/Docker/data/ca_handler.py
- cd examples/Docker/
- docker-compose restart
- head -n 13 data/ca_handler.py
- docker-compose logs
- - name: "[ PREPARE ] Sleep for 10s"
- uses: juliangruber/sleep-action@v1
- with:
- time: 10s
- - name: "Test if http://acme-srv/directory is accessable"
- run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
- - name: "[ ENROLL ] enroll certificate to verify handler migration"
- run: |
- docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure
- - name: "[ * ] collecting test data"
- if: ${{ failure() }}
- run: |
- mkdir -p ${{ github.workspace }}/artifact/upload
- sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
- cd examples/Docker
- docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
- sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme_sh
- - name: "[ * ] uploading artifacts"
- uses: actions/upload-artifact@v2
- if: ${{ failure() }}
- with:
- name: docker-compose_apache2_wsgi.tar.gz
- path: ${{ github.workspace }}/artifact/upload/
-
- docker-compose_nginx_wsgi:
- name: "Docker compose - nginx wsgi"
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- - name: "Build the stack"
- working-directory: examples/Docker/
- run: |
- sed -i "s/apache2/nginx/g" .env
- sudo mkdir -p data
- docker network create acme
- docker-compose up -d
- docker-compose logs
- - name: "[ PREPARE ] enable tls"
- run: |
- sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py
- sudo mkdir -p examples/Docker/data/acme_ca/certs
- sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/
- sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
- sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem
- sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem
- cd examples/Docker/
- docker-compose restart
- docker-compose logs
- - name: "[ PREPARE ] Sleep for 10s"
- uses: juliangruber/sleep-action@v1
- with:
- time: 10s
- - name: "Test if http://acme-srv/directory is accessable"
- run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
- - name: "Test if https://acme-srv/directory is accessable"
- run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
- - name: "[ PREPARE ] prepare acme.sh container"
- run: |
- docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
- - name: "[ ENROLL ] register via http"
- run: |
- docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2
- - name: "[ ENROLL ] register via https"
- run: |
- docker exec -i acme-sh acme.sh --server https://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2
- - name: "[ PREPARE ] test ca_handler_migration"
- run: |
- sudo cp .github/openssl_ca_handler_v16.py examples/Docker/data/ca_handler.py
- cd examples/Docker/
- docker-compose restart
- head -n 13 data/ca_handler.py
- docker-compose logs
- - name: "[ PREPARE ] Sleep for 10s"
- uses: juliangruber/sleep-action@v1
- with:
- time: 10s
- - name: "Test if http://acme-srv/directory is accessable"
- run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
- - name: "[ ENROLL ] enroll certificate to verify handler migration"
- run: |
- docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure
- - name: "[ * ] collecting test data"
- if: ${{ failure() }}
- run: |
- mkdir -p ${{ github.workspace }}/artifact/upload
- sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
- cd examples/Docker
- docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
- sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme_sh
- - name: "[ * ] uploading artifacts"
- uses: actions/upload-artifact@v2
- if: ${{ failure() }}
- with:
- name: docker-compose_nginx_wsgi.tar.gz
- path: ${{ github.workspace }}/artifact/upload/
-
- docker-compose_apache2_django:
- name: "Docker compose - apache2 django"
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- - name: "Build the stack"
- working-directory: examples/Docker/
- run: |
- sed -i "s/wsgi/django/g" .env
- sudo mkdir -p data
- docker network create acme
- docker-compose up -d
- docker-compose logs
- - name: "[ PREPARE ] enable tls"
- run: |
- sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py
- sudo mkdir -p examples/Docker/data/acme_ca/certs
- sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/
- sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
- sudo cp .github/django_settings.py examples/Docker/data/settings.py
- sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem
- cd examples/Docker/
- docker-compose restart
- docker-compose logs
- - name: "[ PREPARE ] Sleep for 10s"
- uses: juliangruber/sleep-action@v1
- with:
- time: 10s
- - name: "Test if http://acme-srv/directory is accessable"
- run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
- - name: "Test if https://acme-srv/directory is accessable"
- run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
- - name: "[ PREPARE ] prepare acme.sh container"
- run: |
- docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
- - name: "[ ENROLL ] register via http"
- run: |
- docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2
- - name: "[ ENROLL ] register via https"
- run: |
- docker exec -i acme-sh acme.sh --server https://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2
- - name: "[ PREPARE ] test ca_handler_migration"
- run: |
- sudo cp .github/openssl_ca_handler_v16.py examples/Docker/data/ca_handler.py
- cd examples/Docker/
- docker-compose restart
- head -n 13 data/ca_handler.py
- docker-compose logs
- - name: "[ PREPARE ] Sleep for 10s"
- uses: juliangruber/sleep-action@v1
- with:
- time: 10s
- - name: "Test if http://acme-srv/directory is accessable"
- run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
- - name: "[ ENROLL ] enroll certificate to verify handler migration"
- run: |
- docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure
- - name: "[ * ] collecting test data"
- if: ${{ failure() }}
- run: |
- mkdir -p ${{ github.workspace }}/artifact/upload
- sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
- cd examples/Docker
- docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
- sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme_sh
- - name: "[ * ] uploading artifacts"
- uses: actions/upload-artifact@v2
- if: ${{ failure() }}
- with:
- name: docker-compose_apache2_django.tar.gz
- path: ${{ github.workspace }}/artifact/upload/
- docker-compose_nginx_django:
- name: "Docker compose - nginx django"
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2
- - name: "Build the stack"
- working-directory: examples/Docker/
- run: |
- sed -i "s/wsgi/django/g" .env
- sed -i "s/apache2/nginx/g" .env
- sudo mkdir -p data
- docker network create acme
- docker-compose up -d
- docker-compose logs
- - name: "[ PREPARE ] enable tls"
- run: |
- sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py
- sudo mkdir -p examples/Docker/data/acme_ca/certs
- sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/
- sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
- sudo cp .github/django_settings.py examples/Docker/data/settings.py
- sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem
- sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem
- cd examples/Docker/
- docker-compose restart
- docker-compose logs
- - name: "[ PREPARE ] Sleep for 10s"
- uses: juliangruber/sleep-action@v1
- with:
- time: 10s
- - name: "Test if http://acme-srv/directory is accessable"
- run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
- - name: "Test if https://acme-srv/directory is accessable"
- run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
- - name: "[ PREPARE ] prepare acme.sh container"
- run: |
- docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
- - name: "[ ENROLL ] register via http"
- run: |
- docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2
- - name: "[ ENROLL ] register via https"
- run: |
- docker exec -i acme-sh acme.sh --server https://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2
- - name: "[ PREPARE ] test ca_handler_migration"
- run: |
- sudo cp .github/openssl_ca_handler_v16.py examples/Docker/data/ca_handler.py
- cd examples/Docker/
- docker-compose restart
- head -n 13 data/ca_handler.py
- docker-compose logs
- - name: "[ PREPARE ] Sleep for 10s"
- uses: juliangruber/sleep-action@v1
- with:
- time: 10s
- - name: "Test if http://acme-srv/directory is accessable"
- run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
- - name: "[ ENROLL ] enroll certificate to verify handler migration"
- run: |
- docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure
- - name: "[ * ] collecting test data"
- if: ${{ failure() }}
- run: |
- mkdir -p ${{ github.workspace }}/artifact/upload
- sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
- cd examples/Docker
- docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
- sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme_sh
- - name: "[ * ] uploading artifacts"
- uses: actions/upload-artifact@v2
- if: ${{ failure() }}
- with:
- name: docker-compose_nginx_django.tar.gz
- path: ${{ github.workspace }}/artifact/upload/
diff --git a/.github/workflows/create_release.yml b/.github/workflows/create_release.yml
deleted file mode 100644
index a9334a05..00000000
--- a/.github/workflows/create_release.yml
+++ /dev/null
@@ -1,48 +0,0 @@
-on:
- push:
- branches:
- - "master"
-
-name: Create Release
-
-jobs:
- build:
- name: Create Release
- runs-on: ubuntu-latest
-
- steps:
-
- - name: "Get current version"
- uses: oprypin/find-latest-tag@v1
- with:
- repository: ${{ github.repository }} # The repository to scan.
- releases-only: true # We know that all relevant tags have a GitHub release for them.
- id: acme2certifier_ver # The step ID to refer to later.
-
- - name: Checkout code
- uses: actions/checkout@v2
-
- - name: Retrieve Version from version.py
- run: |
- echo APP_NAME=$(echo ${{ github.repository }} | awk -F / '{print $2}') >> $GITHUB_ENV
- echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV
-
- - run: echo "Repo is at version ${{ steps.acme2certifier_ver.outputs.tag }}"
- - run: echo "APP tag is ${{ env.APP_NAME }}"
- - run: echo "Latest tag is ${{ env.TAG_NAME }}"
-
- - name: Create Release
- id: create_release
- if: steps.acme2certifier_ver.outputs.tag != env.TAG_NAME
- uses: actions/create-release@v1
- env:
- GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
- with:
- tag_name: ${{ env.TAG_NAME }}
- release_name: ${{ env.APP_NAME }} ${{ env.TAG_NAME }}
- # release_name: hahohe ${{ env.TAG_NAME }}
- # body_path: body.txt
- body: |
- [Changelog](https://github.com/grindsa/acme2certifier/blob/master/CHANGES.md)
- draft: false
- prerelease: false
diff --git a/.github/workflows/django_tests..yml b/.github/workflows/django_tests..yml
deleted file mode 100644
index e18a89d8..00000000
--- a/.github/workflows/django_tests..yml
+++ /dev/null
@@ -1,522 +0,0 @@ -name: Django Tests - -on: - push: - pull_request: - branches: [ devel ] - schedule: - # * is a special character in YAML so you have to quote this string - - cron: '0 2 * * 6' - -jobs: - apache_django_mariadb: - name: "apache_django_mariadb" - runs-on: ubuntu-latest - strategy: - fail-fast: false - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] Build environment" - working-directory: examples/Docker/ - run: | - sed -i "s/wsgi/django/g" .env - sudo mkdir -p data/mysql - docker network create acme - docker-compose up -d - docker-compose logs - - - name: "[ PREPARE ] install mariadb" - working-directory: examples/Docker/ - run: | - # docker run --name mariadbsrv --network acme -v $PWD/data/mysql:/var/lib/mysql -e MARIADB_ROOT_PASSWORD=foobar -d mariadb - docker run --name mariadbsrv --network acme -e MARIADB_ROOT_PASSWORD=foobar -d mariadb - - - name: "[ PREPARE ] Sleep for 10s" - uses: juliangruber/sleep-action@v1 - with: - time: 10s - - - name: "[ PREPARE ] configure mariadb" - working-directory: examples/Docker/ - run: | - docker exec mariadbsrv mysql -u root --password=foobar -e"CREATE DATABASE acme2certifier CHARACTER SET UTF8;" - docker exec mariadbsrv mysql -u root --password=foobar -e"GRANT ALL PRIVILEGES ON acme2certifier.* TO 'acme2certifier'@'%' IDENTIFIED BY '1mmSvDFl';" - docker exec mariadbsrv mysql -u root --password=foobar -e"FLUSH PRIVILEGES;" - - - name: "[ PREPARE ] configure acme2certifier" - run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo cp .github/django_settings_mariadb.py examples/Docker/data/settings.py - sudo cp .github/acme2certifier.pem 
examples/Docker/data/acme2certifier.pem - cd examples/Docker/ - sudo chmod 777 data/acme_srv.cfg - sudo echo "" >> data/acme_srv.cfg - sudo echo "[Directory]" >> data/acme_srv.cfg - sudo echo "url_prefix: /foo" >> data/acme_srv.cfg - docker-compose restart - docker-compose logs - - - name: "Test if http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ ENROLL ] register via http" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2 - - - name: "[ ENROLL ] register via https" - run: | - docker exec -i acme-sh acme.sh --server https://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2 - - - name: "[ ENROLL] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure - - - name: "[ REGISTER] certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "[ ENROLL ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem 
certbot/live/certbot/cert.pem - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - docker exec mariadbsrv mysqldump -u root --password=foobar acme2certifier > /tmp/acme2certifer.sql - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp /tmp/acme2certifer.sql ${{ github.workspace }}/artifact/data/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: django-mariadb.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - apache_django_psql: - name: "apache_django_psql" - runs-on: ubuntu-latest - strategy: - fail-fast: false - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] Build environment" - working-directory: examples/Docker/ - run: | - sed -i "s/wsgi/django/g" .env - sudo mkdir -p data/mysql - sudo mkdir -p data/pgsql - docker network create acme - docker-compose up -d - docker-compose logs - - - name: "[ PREPARE ] postgres environment" - run: | - sudo cp .github/a2c.psql examples/Docker/data/pgsql/a2c.psql - sudo cp .github/pgpass examples/Docker/data/pgsql/pgpass - sudo chmod 600 examples/Docker/data/pgsql/pgpass - - - name: "[ PREPARE ] install postgres" - working-directory: examples/Docker/ - run: | - docker run --name postgresdbsrv --network acme -e POSTGRES_PASSWORD=foobar -d postgres - - - name: "[ PREPARE ] Sleep for 10s" - uses: juliangruber/sleep-action@v1 - with: - time: 10s - - - name: "[ PREPARE ] configure postgres" - working-directory: examples/Docker/ - run: | - docker run -v "$(pwd)/data/pgsql/a2c.psql":/tmp/a2c.psql -v "$(pwd)/data/pgsql/pgpass:/root/.pgpass" --rm --network acme postgres psql -U postgres -h 
postgresdbsrv -f /tmp/a2c.psql - - name: "[ PREPARE ] Sleep for 10s" - uses: juliangruber/sleep-action@v1 - with: - time: 10s - - - name: "[ PREPARE ] configure acme2certifier" - run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo cp .github/django_settings_psql.py examples/Docker/data/settings.py - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - cd examples/Docker/ - sudo chmod 777 data/acme_srv.cfg - sudo echo "" >> data/acme_srv.cfg - sudo echo "[Directory]" >> data/acme_srv.cfg - sudo echo "url_prefix: /foo" >> data/acme_srv.cfg - sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) - docker-compose restart - docker-compose logs - - - name: "Test if http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ ENROLL ] register via http" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2 - - - name: "[ ENROLL ] register via https" - run: | - docker exec -i acme-sh acme.sh --server https://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2 - - - name: "[ ENROLL] acme.sh" - run: | - docker exec -i 
acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure - - - name: "[ REGISTER] certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "[ ENROLL ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - docker run -v "$(pwd)/examples/Docker/data/pgsql/pgpass":/root/.pgpass --rm --network acme postgres pg_dump -U postgres -h postgresdbsrv acme2certifier > /tmp/acme2certifier.psql - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp /tmp/acme2certifier.psql ${{ github.workspace }}/artifact/data/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: django-psql.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - django_mig_apache2: - name: "django_mig_apache2" - runs-on: ubuntu-latest - strategy: - fail-fast: false - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] prepare environment" - working-directory: examples/Docker/ - run: | - docker network create acme - sudo mkdir -p data/mysql - - - name: "[ 
PREPARE ] install mariadb" - working-directory: examples/Docker/ - run: | - # docker run --name mariadbsrv --network acme -v $PWD/data/mysql:/var/lib/mysql -e MARIADB_ROOT_PASSWORD=foobar -d mariadb - docker run --name mariadbsrv --network acme -e MARIADB_ROOT_PASSWORD=foobar -d mariadb - - - name: "[ PREPARE ] Sleep for 10s" - uses: juliangruber/sleep-action@v1 - with: - time: 10s - - - name: "[ PREPARE ] configure mariadb" - working-directory: examples/Docker/ - run: | - docker exec mariadbsrv mysql -u root --password=foobar -e"CREATE DATABASE acme2certifier CHARACTER SET UTF8;" - docker exec mariadbsrv mysql -u root --password=foobar -e"GRANT ALL PRIVILEGES ON acme2certifier.* TO 'acme2certifier'@'%' IDENTIFIED BY '1mmSvDFl';" - docker exec mariadbsrv mysql -u root --password=foobar -e"FLUSH PRIVILEGES;" - - - name: "[ PREPARE ] configure acme2certifier" - run: | - # sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo cp .github/django_settings_mariadb.py examples/Docker/data/settings.py - sudo chmod 777 examples/Docker/data/settings.py - sudo sed -i "s/ 'acme_srv'/ 'acme'/g" examples/Docker/data/settings.py - sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem - sudo chmod 777 examples/Docker/data/acme_srv.cfg - echo "" >> examples/Docker/data/acme_srv.cfg - echo "handler_file: examples/ca_handler/openssl_ca_handler.py" >> examples/Docker/data/acme_srv.cfg - - - name: "[ PREPARE ] install a2c 0.16" - run: | - docker run -d -p 80:80 -p 443:443 --rm -id --network acme --name=acme-srv -v "$(pwd)/examples/Docker/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:0.16-apache2-django - docker logs acme-srv - - - 
name: "[ PREPARE ] Sleep for 5s" - uses: juliangruber/sleep-action@v1 - with: - time: 5s - - - name: "Test if http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - sudo mkdir -p "$(pwd)/examples/Docker/data/acme-sh" - docker run --rm -id -v "$(pwd)/examples/Docker/data/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ ENROLL ] register via http" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2 - - - name: "[ ENROLL ] register via https" - run: | - docker exec -i acme-sh acme.sh --server https://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2 - - - name: "[ ENROLL] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure - - - name: "[ REGISTER] certbot" - run: | - sudo mkdir -p "$(pwd)/examples/Docker/data/certbot" - docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "[ ENROLL ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem 
examples/Docker/data/certbot/live/certbot/cert.pem - - - name: "[ PREPARE ] Upgrade to latest a2c build" - working-directory: examples/Docker/ - run: | - docker stop acme-srv - sudo chmod -R 777 data - sed -i "s/wsgi/django/g" .env - docker-compose up -d - docker-compose logs - - - name: "[ PREPARE ] Sleep for 5s" - uses: juliangruber/sleep-action@v1 - with: - time: 5s - - - name: "Test if http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "[ ENROLL ] register via http" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2 - - - name: "[ ENROLL ] register via https" - run: | - docker exec -i acme-sh acme.sh --server https://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2 - - - name: "[ ENROLL] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure - - - name: "[ REGISTER] certbot" - run: | - sudo mkdir -p "$(pwd)/examples/Docker/data/certbot2" - docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot2":/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "[ ENROLL ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted 
examples/Docker/data/acme_ca/sub-ca-cert.pem examples/Docker/data/certbot/live/certbot/cert.pem - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - docker logs acme2certifier_acme-srv_1 - docker exec mariadbsrv mysqldump -u root --password=foobar acme2certifier > /tmp/acme2certifer.sql - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp /tmp/acme2certifer.sql ${{ github.workspace }}/artifact/data/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: apache2-django-mig.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - django_mig_nginx: - name: "django_mig_nginx" - runs-on: ubuntu-latest - strategy: - fail-fast: false - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] prepare environment" - working-directory: examples/Docker/ - run: | - docker network create acme - sudo mkdir -p data/mysql - - - name: "[ PREPARE ] install mariadb" - working-directory: examples/Docker/ - run: | - # docker run --name mariadbsrv --network acme -v $PWD/data/mysql:/var/lib/mysql -e MARIADB_ROOT_PASSWORD=foobar -d mariadb - docker run --name mariadbsrv --network acme -e MARIADB_ROOT_PASSWORD=foobar -d mariadb - - - name: "[ PREPARE ] Sleep for 10s" - uses: juliangruber/sleep-action@v1 - with: - time: 10s - - - name: "[ PREPARE ] configure mariadb" - working-directory: examples/Docker/ - run: | - docker exec mariadbsrv mysql -u root --password=foobar -e"CREATE DATABASE acme2certifier CHARACTER SET UTF8;" - docker exec mariadbsrv mysql -u root --password=foobar -e"GRANT ALL PRIVILEGES ON acme2certifier.* TO 'acme2certifier'@'%' IDENTIFIED BY '1mmSvDFl';" 
- docker exec mariadbsrv mysql -u root --password=foobar -e"FLUSH PRIVILEGES;" - - - name: "[ PREPARE ] configure acme2certifier" - run: | - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo cp .github/django_settings_mariadb.py examples/Docker/data/settings.py - sudo chmod 777 examples/Docker/data/settings.py - sudo sed -i "s/ 'acme_srv'/ 'acme'/g" examples/Docker/data/settings.py - sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem - sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem - sudo chmod 777 examples/Docker/data/acme_srv.cfg - echo "" >> examples/Docker/data/acme_srv.cfg - echo "handler_file: examples/ca_handler/openssl_ca_handler.py" >> examples/Docker/data/acme_srv.cfg - - - name: "[ PREPARE ] install a2c 0.16" - run: | - docker run -d -p 80:80 -p 443:443 --rm -id --network acme --name=acme-srv -v "$(pwd)/examples/Docker/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:0.16-nginx-django - docker logs acme-srv - - - name: "[ PREPARE ] Sleep for 5s" - uses: juliangruber/sleep-action@v1 - with: - time: 5s - - - name: "Test if http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - sudo mkdir -p "$(pwd)/examples/Docker/data/acme-sh" - docker run --rm -id -v "$(pwd)/examples/Docker/data/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ ENROLL ] register via http" - run: | - docker exec -i acme-sh acme.sh 
--server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2 - - - name: "[ ENROLL ] register via https" - run: | - docker exec -i acme-sh acme.sh --server https://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2 - - - name: "[ ENROLL] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure - - - name: "[ REGISTER] certbot" - run: | - sudo mkdir -p "$(pwd)/examples/Docker/data/certbot" - docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "[ ENROLL ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem examples/Docker/data/certbot/live/certbot/cert.pem - - - name: "[ PREPARE ] Upgrade to latest a2c build" - working-directory: examples/Docker/ - run: | - docker stop acme-srv - sudo chmod -R 777 data - sed -i "s/wsgi/django/g" .env - sed -i "s/apache2/nginx/g" .env - docker-compose up -d - docker-compose logs - - - name: "[ PREPARE ] Sleep for 5s" - uses: juliangruber/sleep-action@v1 - with: - time: 5s - - - name: "Test if http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "Test if https://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory - - - name: "[ ENROLL ] 
register via http" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2 - - - name: "[ ENROLL ] register via https" - run: | - docker exec -i acme-sh acme.sh --server https://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2 - - - name: "[ ENROLL] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure - - - name: "[ REGISTER] certbot" - run: | - sudo mkdir -p "$(pwd)/examples/Docker/data/certbot2" - docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot2":/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "[ ENROLL ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem examples/Docker/data/certbot/live/certbot/cert.pem - - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - docker logs acme2certifier_acme-srv_1 - docker exec mariadbsrv mysqldump -u root --password=foobar acme2certifier > /tmp/acme2certifer.sql - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp /tmp/acme2certifer.sql ${{ github.workspace }}/artifact/data/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz 
docker-compose.log data
- - name: "[ * ] uploading artificates"
- uses: actions/upload-artifact@v2
- if: ${{ failure() }}
- with:
- name: nginx-django-mig.tar.gz
- path: ${{ github.workspace }}/artifact/upload/
diff --git a/.github/workflows/dns-test.yml b/.github/workflows/dns-test.yml
deleted file mode 100644
index 3e07f4b9..00000000
--- a/.github/workflows/dns-test.yml
+++ /dev/null
@@ -1,118 +0,0 @@ -name: DNS-01 challenge tests - -on: - push: - pull_request: - branches: [ devel ] - schedule: - # * is a special character in YAML so you have to quote this string - - cron: '0 2 * * 6' - -jobs: - dns_challenge_tests: - name: "dns_challenge_tests" - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - keylength: [2048] - acme-sh-version: [2.8.8, latest] - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" - working-directory: examples/Docker/ - run: | - sudo mkdir -p data - docker network create acme - docker-compose up -d - docker-compose logs - - name: "Test http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] setup openssl ca_handler" - run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler_dns.cfg examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - - name: "Test http://acme-srv/directory is accessable again" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:${{ matrix.acme-sh-version }} daemon - sudo cp .github/dns_test.sh acme-sh/ - docker exec -i acme-sh apk add dnsmasq - docker exec -i acme-sh dnsmasq - docker exec -i acme-sh mv /acme.sh/dns_test.sh /root/.acme.sh/dnsapi/ - docker exec -i acme-sh chmod +x /root/.acme.sh/dnsapi/dns_test.sh - - - name: "[ PREPARE ] set DNS server" - 
run: | - cd examples/Docker/ - docker-compose stop - docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh - sudo sed -i "s/DNS-IP/$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh)/g" data/acme_srv.cfg - docker-compose start - docker-compose logs - - - name: "[ ENROLL ] acme.sh - single domain" - run: | - docker exec -i acme-sh acme.sh --dnssleep 10 --server http://acme-srv --accountemail 'acme-sh@example.com' --issue --dns dns_test -d acme-sh.single --standalone --debug 3 --output-insecure --force - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.single/acme-sh.single.cer - - - name: "[ ENROLL ] acme.sh - two domains" - run: | - docker exec -i acme-sh acme.sh --dnssleep 10 --server http://acme-srv --accountemail 'acme-sh@example.com' --issue --dns dns_test -d acme-sh.first --dns dns_test -d acme-sh.second --standalone --debug 3 --output-insecure --force - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.first/acme-sh.first.cer - - - name: "[ ENROLL ] acme.sh - single wildcard domain" - run: | - docker exec -i acme-sh acme.sh --dnssleep 10 --server http://acme-srv --accountemail 'acme-sh@example.com' --issue --dns dns_test -d *.acme-sh.wildcard --standalone --debug 3 --output-insecure --force - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/*acme-sh.wildcard/*acme-sh.wildcard.cer - - - name: "[ ENROLL ] acme.sh - double wildcard domain" - run: | - docker exec -i acme-sh acme.sh --dnssleep 10 --server http://acme-srv --accountemail 'acme-sh@example.com' --issue --dns dns_test -d *.acme-sh.first-wildcard --dns dns_test -d *.acme-sh.second-wildcard --standalone --debug 3 --output-insecure --force - openssl verify -CAfile 
examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/*.acme-sh.first-wildcard/*.acme-sh.first-wildcard.cer - - - name: "[ ENROLL ] acme.sh - domain and wildcard domain" - run: | - docker exec -i acme-sh acme.sh --dnssleep 10 --server http://acme-srv --accountemail 'acme-sh@example.com' --issue --dns dns_test -d acme-sh.fqdn-wildcard --dns dns_test -d *.acme-sh.fqdn-wildcard --standalone --debug 3 --output-insecure --force - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.fqdn-wildcard/acme-sh.fqdn-wildcard.cer - - - name: "[ Test ] check TXT record exists" - if: ${{ failure() }} - run: | - docker exec -i acme-sh ps -a - docker exec -i acme-sh netstat -anu - cd examples/Docker/ - docker-compose logs - dig -t TXT _acme-challenge.acme-sh.single @$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh) - dig -t TXT _acme-challenge.acme-sh.first @$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh) - dig -t TXT _acme-challenge.acme-sh.second @$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh) - dig -t TXT _acme-challenge.acme-sh.wildcard @$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh) - dig -t TXT _acme-challenge.acme-sh.first-wildcard @$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh) - dig -t TXT _acme-challenge.acme-sh.second-wildcard @$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh) - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace 
}}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data
-
- - name: "[ * ] uploading artificates"
- uses: actions/upload-artifact@v2
- if: ${{ failure() }}
- with:
- name: eab-${{ matrix.keylength }}.tar.gz
- path: ${{ github.workspace }}/artifact/upload/
diff --git a/.github/workflows/eab-test.yml b/.github/workflows/eab-test.yml
deleted file mode 100644
index 08e3f257..00000000
--- a/.github/workflows/eab-test.yml
+++ /dev/null
@@ -1,130 +0,0 @@ -name: EAB Tests - -on: - push: - pull_request: - branches: [ devel ] - schedule: - # * is a special character in YAML so you have to quote this string - - cron: '0 2 * * 6' - -jobs: - eab_apache2_wsgi: - name: "eab_apache2_wsgi" - runs-on: ubuntu-latest - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" - working-directory: examples/Docker/ - run: | - sudo mkdir -p data - docker network create acme - docker-compose up -d - docker-compose logs - - - name: "Test http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] setup openssl ca_handler" - run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo echo -e "\n\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg - sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/json_handler.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "key_file: examples/eab_handler/key_file.json" >> examples/Docker/data/acme_srv.cfg - # sudo cat examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - - - name: "Test http://acme-srv/directory is accessable again" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] create letsencrypt folder" - run: | - mkdir certbot - - - name: "[ FAIL ] certbot without eab-credentials" - id: certbotfail - continue-on-error: true - run: | - docker run -i --rm --name certbot --network acme -v 
$PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "[ CHECK ] certbot result " - if: steps.certbotfail.outcome != 'failure' - run: | - echo "certbot outcome is ${{steps.certbotfail.outcome }}" - exit 1 - - - name: "[ REGISTER] certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email --eab-kid keyid_02 --eab-hmac-key=bWFjXzAy - - - name: "[ ENROLL ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ FAIL] acme.sh" - id: acmeshfail - continue-on-error: true - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug 3 - - - name: "[ CHECK ] acme.sh result " - if: steps.acmeshfail.outcome != 'failure' - run: | - echo "acmeshfail outcome is ${{steps.acmeshfail.outcome }}" - exit 1 - - - name: "[ REGISTER] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key bWFjXzAy --debug 3 - - - name: "[ ENROLL] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem 
-untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "[ FAIL ] lego" - id: legofail - continue-on-error: true - run: | - mkdir lego - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - - - name: "[ CHECK ] lego result " - if: steps.legofail.outcome != 'failure' - run: | - echo "legofail outcome is ${{steps.legofail.outcome }}" - exit 1 - - - name: "[ ENROLL ] lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac bWFjXzAy -d lego.acme --http run - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: eab-${{ matrix.keylength }}.tar.gz - path: ${{ github.workspace }}/artifact/upload/ diff --git a/.github/workflows/enrollment-timeout.yml b/.github/workflows/enrollment-timeout.yml deleted file mode 100644 index a3ffa93c..00000000 --- a/.github/workflows/enrollment-timeout.yml +++ /dev/null 
@@ -1,110 +0,0 @@ -name: Asynchronous enrollment and certificate reusage - -on: - push: - pull_request: - branches: [ devel ] - schedule: - # * is a special character in YAML so you have to quote this string - - cron: '0 2 * * 6' - -jobs: - async_enrollment_cert_reusage: - name: "Async_enrollment_cert_reusage" - runs-on: ubuntu-latest - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" - working-directory: examples/Docker/ - run: | - sudo mkdir -p data - docker network create acme - docker-compose up -d - docker-compose logs - - - name: "Test http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] setup openssl ca_handler" - run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo chmod 777 examples/Docker/data/ca_handler.py - sudo sed -i "s/import uuid/import uuid\\nimport time/g" examples/Docker/data/ca_handler.py - sudo sed -i "s/ cert_raw = None/ cert_raw = None\\n time.sleep(30)/g" examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\\ncert_reusage_timeframe: 300/g" examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ ENROLL ] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv 
--accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer - - - name: "[ VERIFY ] Check timeout" - working-directory: examples/Docker/ - run: | - docker-compose logs | grep "Certificate.enroll_and_store() ended with: None:timeout" - sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) - - - name: "[ ENROLL ] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - - - name: "[ VERIFY ] Check certificate reusage" - working-directory: examples/Docker/ - run: | - docker-compose logs | grep "Certificate._enroll_and_store(): reuse existing certificate" - - - name: "[ ENROL] lego" - run: | - mkdir lego - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --cert.timeout 150 --http run - - - name: "[ VERIFY ] Check timeout" - working-directory: examples/Docker/ - run: | - docker-compose logs | grep "Certificate.enroll_and_store() ended with: None:timeout" - sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) - - - name: "[ REGISTER ] certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "[ ENROLL ] certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - - - name: "[ VERIFY ] Check timeout" - working-directory: examples/Docker/ - run: | - 
docker-compose logs | grep "Certificate.enroll_and_store() ended with: None:timeout" - sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) - - - - name: "[ * ] collecting test data" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh - - - name: "[ * ] uploading artifacts" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: timeout.tar.gz - path: ${{ github.workspace }}/artifact/upload/ diff --git a/.github/workflows/hooks-test.yml b/.github/workflows/hooks-test.yml deleted file mode 100644 index a56eeffd..00000000 --- a/.github/workflows/hooks-test.yml +++ /dev/null 
@@ -1,267 +0,0 @@ -name: Hooks Tests - -on: - push: - pull_request: - branches: [ devel ] - schedule: - # * is a special character in YAML so you have to quote this string - - cron: '0 2 * * 6' - -jobs: - hooks_test: - name: "hooks_test" - runs-on: ubuntu-latest - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" - working-directory: examples/Docker/ - run: | - sudo mkdir -p data/hooks - sudo chmod -R 777 data/hooks - docker network create acme - docker-compose up -d - docker-compose logs - - - name: "Test http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] setup openssl ca_handler" - run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo echo -e "\n\n[Hooks]" >> examples/Docker/data/acme_srv.cfg - sudo echo "hooks_file: /var/www/acme2certifier/examples/hooks/cn_dump_hooks.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "save_path: volume/hooks" >> examples/Docker/data/acme_srv.cfg - sudo echo "$HOOKS_CHECKSUM" > examples/Docker/data/hooks/checksums.sha256 - # sudo cat examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - env: - HOOKS_CHECKSUM: ${{ secrets.HOOKS_CHECKSUM }} - - - name: "Test http://acme-srv/directory is accessable again" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] create letsencrypt folder" - run: | - mkdir certbot - - - name: "[ REGISTER] certbot" - run: | - docker run -i --rm 
--name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email - - - name: "[ ENROLL ] HTTP-01 single domain certbot" - run: | - docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ REGISTER] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug 3 - - - name: "[ ENROLL] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "[ ENROLL ] lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - - - name: "[ CHECK ] compare checksums to validate hook file content" - working-directory: examples/Docker/data/hooks - run: | - sha256sum -c checksums.sha256 - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - cd 
examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: hooks.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - hooks_exception_handling: - name: "hooks_exception_handling" - runs-on: ubuntu-latest - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" - working-directory: examples/Docker/ - run: | - sudo mkdir -p data/hooks - sudo chmod -R 777 data/hooks - docker network create acme - docker-compose up -d - docker-compose logs - - - name: "Test http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] setup openssl ca_handler" - run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo echo -e "\n\n[Hooks]" >> examples/Docker/data/acme_srv.cfg - sudo echo "hooks_file: /var/www/acme2certifier/examples/hooks/exception_test_hooks.py" >> examples/Docker/data/acme_srv.cfg - sudo echo "raise_pre_hook_exception: False" >> examples/Docker/data/acme_srv.cfg - sudo echo "raise_post_hook_exception: False" >> examples/Docker/data/acme_srv.cfg - sudo echo "raise_success_hook_exception: False" >> examples/Docker/data/acme_srv.cfg - # sudo cat examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - env: - 
HOOKS_CHECKSUM: ${{ secrets.HOOKS_CHECKSUM }} - - - name: "Test http://acme-srv/directory is accessable again" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ REGISTER] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug 3 - - - name: "[ ENROLL] acme.sh - *_pre_hook_failure not configured " - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "[ PREPARE ] reconfigure hook handler to trigger pre hook exception " - run: | - sudo sed -i "s/raise_pre_hook_exception: False/raise_pre_hook_exception: True/g" examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) - docker-compose restart - - - name: "[ FAIL ] acme.sh enrollment fails due to pre-hook exception (default behaviour)" - id: prehookfailure - continue-on-error: true - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure - - - name: "[ CHECK ] result - acme.sh enrollment failed due to pre-hook exception " - if: steps.prehookfailure.outcome != 'failure' - run: | - echo "prehookfailure outcome is ${{steps.prehookfailure.outcome }}" - exit 1 - - - name: "[ PREPARE ] reconfigure a2c to ignore pre-hook failures " - run: | - sudo echo "ignore_pre_hook_failure: True" >> examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' 
acme2certifier_acme-srv_1) - docker-compose restart - - - name: "[ ENROLL] acme.sh - ignore pre_hook_failures " - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "[ PREPARE ] reconfigure hook handler to trigger success hook exception " - run: | - sudo sed -i "s/raise_pre_hook_exception: True/raise_pre_hook_exception: False/g" examples/Docker/data/acme_srv.cfg - sudo sed -i "s/raise_success_hook_exception: False/raise_success_hook_exception: True/g" examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) - docker-compose restart - - - name: "[ FAIL ] acme.sh enrollment fails due to success-hook exception (default behaviour) " - id: successhookfailure - continue-on-error: true - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure - - - name: "[ CHECK ] result - acme.sh enrollment failed due to success-hook exception " - if: steps.successhookfailure.outcome != 'failure' - run: | - echo "successhookfailure outcome is ${{steps.successhookfailure.outcome }}" - exit 1 - - - name: "[ PREPARE ] reconfigure a2c to ignore success-hook failures " - run: | - sudo sed -i "s/ignore_pre_hook_failure: True/ignore_success_hook_failure: True/g" examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) - docker-compose restart - - - name: "[ ENROLL] acme.sh - ignore sucess_hook_failures " - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure - openssl verify -CAfile 
examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "[ PREPARE ] reconfigure hook handler to trigger post hook exception " - run: | - sudo sed -i "s/raise_success_hook_exception: True/raise_success_hook_exception: False/g" examples/Docker/data/acme_srv.cfg - sudo sed -i "s/raise_post_hook_exception: False/raise_post_hook_exception: True/g" examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) - docker-compose restart - - - name: "[ ENROLL] acme.sh - ignore post_hook_failures (default behaviour) " - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "[ PREPARE ] reconfigure a2c to detect success-hook failures " - run: | - sudo sed -i "s/ignore_success_hook_failure: True/ignore_post_hook_failure: False/g" examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) - docker-compose restart - - - name: "[ FAIL ] acme.sh enrollment fails due to post-hook exception " - id: posthookfailure - continue-on-error: true - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure - - - name: "[ CHECK ] result - acme.sh enrollment failed due to post-hook exception " - if: steps.posthookfailure.outcome != 'failure' - run: | - echo "posthookfailure outcome is ${{steps.posthookfailure.outcome }}" - exit 1 - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ 
github.workspace }}/artifact/data/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: hooks_exception_handling.tar.gz - path: ${{ github.workspace }}/artifact/upload/ diff --git a/.github/workflows/ipv6-test.yml b/.github/workflows/ipv6-test.yml deleted file mode 100644 index 55a1a702..00000000 --- a/.github/workflows/ipv6-test.yml +++ /dev/null 
@@ -1,207 +0,0 @@ -name: ipv6-test - -on: - push: - pull_request: - branches: [ devel ] - -jobs: - ipv6_apache2_wsgi: - name: "ipv6_apache2_wsgi" - runs-on: ubuntu-latest - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" - working-directory: examples/Docker/ - run: | - sudo mkdir -p data - docker network create acme --ipv6 --subnet "fdbb:6445:65b4:0a60::/64" - docker-compose up -d - docker-compose logs - - name: "Test http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - name: "[ PREPARE ] setup openssl ca_handler" - run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - - name: "[ PREPARE ] prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - name: "[ ENROLL ] HTTP-01 single domain acme.sh using ipv6" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --listen-v6 --debug 3 --output-insecure - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer - - name: "[ ENROLL ] HTTP-01 single domain acme.sh using ipv6 with ipv4 fallback" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --listen-v4 --debug 3 
--output-insecure --force - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: lego_key-${{ matrix.keylength }}.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - ipv6_nginx_wsgi: - name: "ipv6_nginx_wsgi" - runs-on: ubuntu-latest - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - name: "[ PREPARE ] Build docker-compose (nginx_wsgi)" - working-directory: examples/Docker/ - run: | - sed -i "s/apache2/nginx/g" .env - sudo mkdir -p data - docker network create acme --ipv6 --subnet "fdbb:6445:65b4:0a60::/64" - docker-compose up -d - docker-compose logs - - name: "[ PREPARE ] setup openssl ca_handler" - run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - - name: "[ PREPARE ] prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - name: "[ ENROLL ] HTTP-01 single domain acme.sh using ipv6" - run: | - docker exec 
-i acme-sh acme.sh --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --listen-v6 --debug 3 --output-insecure - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer - - name: "[ ENROLL ] HTTP-01 single domain acme.sh using ipv6 with ipv4 fallback" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --listen-v4 --debug 3 --output-insecure --force - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: lego_key-${{ matrix.keylength }}.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - ipv6_apache2_django: - name: "ipv6_apache2_django" - runs-on: ubuntu-latest - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - name: "[ PREPARE ] Build docker-compose (apache2_django)" - working-directory: examples/Docker/ - run: | - sed -i "s/wsgi/django/g" .env - sudo mkdir -p data - docker network create acme --ipv6 --subnet "fdbb:6445:65b4:0a60::/64" - docker-compose up -d - docker-compose logs - - name: "[ PREPARE ] setup openssl ca_handler" - run: | - sudo cp examples/ca_handler/openssl_ca_handler.py 
examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo cp .github/django_settings.py examples/Docker/data/settings.py - cd examples/Docker/ - docker-compose restart - docker-compose logs - - name: "[ PREPARE ] prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - name: "[ ENROLL ] HTTP-01 single domain acme.sh using ipv6" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --listen-v6 --debug 3 --output-insecure - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer - - name: "[ ENROLL ] HTTP-01 single domain acme.sh using ipv6 with ipv4 fallback" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --listen-v4 --debug 3 --output-insecure --force - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data - - name: "[ * ] uploading artificates" - 
uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: lego_key-${{ matrix.keylength }}.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - ipv6_nginx_django: - name: "ipv6_nginx_django" - runs-on: ubuntu-latest - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - name: "[ PREPARE ] Build docker-compose (nginx_django)" - working-directory: examples/Docker/ - run: | - sed -i "s/wsgi/django/g" .env - sed -i "s/apache2/nginx/g" .env - sudo mkdir -p data - docker network create acme --ipv6 --subnet "fdbb:6445:65b4:0a60::/64" - docker-compose up -d - docker-compose logs - - name: "[ PREPARE ] setup openssl ca_handler" - run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo cp .github/django_settings.py examples/Docker/data/settings.py - cd examples/Docker/ - docker-compose restart - docker-compose logs - - name: "[ PREPARE ] prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - name: "[ ENROLL ] HTTP-01 single domain acme.sh using ipv6" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --listen-v6 --debug 3 --output-insecure - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer - - name: "[ ENROLL ] HTTP-01 single domain acme.sh using ipv6 with ipv4 fallback" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' --issue 
-d acme-sh.acme --standalone --listen-v4 --debug 3 --output-insecure --force - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: lego_key-${{ matrix.keylength }}.tar.gz - path: ${{ github.workspace }}/artifact/upload/ diff --git a/.github/workflows/lego-application-test.yml b/.github/workflows/lego-application-test.yml deleted file mode 100644 index 63246588..00000000 --- a/.github/workflows/lego-application-test.yml +++ /dev/null 
@@ -1,356 +0,0 @@ -name: Application Tests - lego - -on: - push: - pull_request: - branches: [ devel ] - schedule: - # * is a special character in YAML so you have to quote this string - - cron: '0 2 * * 6' - -jobs: - - lego_apache2_wsgi: - name: "lego_apache2_wsgi" - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - keylength: [rsa2048, rsa4096, ec256] - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" - working-directory: examples/Docker/ - run: | - sudo mkdir -p data - docker network create acme - docker-compose up -d - docker-compose logs - - - name: "Test http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] setup openssl ca_handler" - run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - - - name: "create lego folder" - run: | - mkdir lego - - - name: "[ ENROLL ] HTTP-01 single domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - - - name: "[ RENEW ] HTTP-01 single domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme 
--http renew - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - - - name: "[ REVOKE ] HTTP-01 single domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme revoke - - - name: "[ ENROLL ] HTTP-01 2x domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme -d lego --http run - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - - - name: "[ RENEW ] HTTP-01 2x domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme -d lego --http renew - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - - - name: "[ REVOKE ] HTTP-01 2x domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme revoke - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data lego - - 
- name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: lego_key-${{ matrix.keylength }}.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - lego_apache2_django: - name: "lego_apache2_django" - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - keylength: [rsa2048, rsa4096, ec256] - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] Build docker-compose (apache2_django)" - working-directory: examples/Docker/ - run: | - sed -i "s/wsgi/django/g" .env - sudo mkdir -p data - docker network create acme - docker-compose up -d - docker-compose logs - - - name: "[ WAIT ] Sleep for 10s" - uses: juliangruber/sleep-action@v1 - with: - time: 10s - - - name: "Test http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] setup openssl ca_handler and django config" - run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo cp .github/django_settings.py examples/Docker/data/settings.py - cd examples/Docker/ - docker-compose restart - docker-compose logs - - - name: "create lego folder" - run: | - mkdir lego - - - name: "[ ENROLL ] HTTP-01 single domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - - - name: "[ RENEW ] HTTP-01 single 
domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme --http renew - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - - - name: "[ REVOKE ] HTTP-01 single domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme revoke - - - name: "[ ENROLL ] HTTP-01 2x domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme -d lego --http run - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - - - name: "[ RENEW ] HTTP-01 2x domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme -d lego --http renew - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - - - name: "[ REVOKE ] HTTP-01 2x domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme revoke - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ - cd examples/Docker - docker-compose 
logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data lego - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: lego_key-${{ matrix.keylength }}.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - lego_nginx_wsgi: - name: "lego_nginx_wsgi" - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - keylength: [rsa2048, rsa4096, ec256] - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] Build docker-compose (nginx_django)" - working-directory: examples/Docker/ - run: | - sed -i "s/apache2/nginx/g" .env - sudo mkdir -p data - docker network create acme - docker-compose up -d - docker-compose logs - - - name: "[ WAIT ] Sleep for 10s" - uses: juliangruber/sleep-action@v1 - with: - time: 10s - - - name: "Test http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] setup openssl ca_handler" - run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - - - name: "create lego folder" - run: | - mkdir lego - - - name: "[ ENROLL ] HTTP-01 single domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted 
examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - - - name: "[ RENEW ] HTTP-01 single domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme --http renew - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - - - name: "[ REVOKE ] HTTP-01 single domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme revoke - - - name: "[ ENROLL ] HTTP-01 2x domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme -d lego --http run - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - - - name: "[ RENEW ] HTTP-01 2x domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme -d lego --http renew - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - - - name: "[ REVOKE ] HTTP-01 2x domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme revoke - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace 
}}/artifact/data/ - sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data lego - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: lego_key-${{ matrix.keylength }}.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - lego_nginx_django: - name: "lego_nginx_django" - runs-on: ubuntu-latest - strategy: - fail-fast: false - matrix: - keylength: [rsa2048, rsa4096, ec256] - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] Build docker-compose (nginx_django)" - working-directory: examples/Docker/ - run: | - sed -i "s/wsgi/django/g" .env - sed -i "s/apache2/nginx/g" .env - sudo mkdir -p data - docker network create acme - docker-compose up -d - docker-compose logs - - - name: "[ WAIT ] Sleep for 10s" - uses: juliangruber/sleep-action@v1 - with: - time: 10s - - - name: "Test http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] setup openssl ca_handler and django config" - run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo cp .github/django_settings.py examples/Docker/data/settings.py - cd examples/Docker/ - docker-compose restart - docker-compose logs - - - name: "create lego folder" - run: | - mkdir lego - - - name: "[ ENROLL ] HTTP-01 single domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm 
--name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - - - name: "[ RENEW ] HTTP-01 single domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme --http renew - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - - - name: "[ REVOKE ] HTTP-01 single domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme revoke - - - name: "[ ENROLL ] HTTP-01 2x domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme -d lego --http run - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - - - name: "[ RENEW ] HTTP-01 2x domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme -d lego --http renew - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - - - name: "[ REVOKE ] HTTP-01 2x domain lego" - run: | - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ 
matrix.keylength }} --email "lego@example.com" -d lego.acme revoke - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data lego - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: lego_key-${{ matrix.keylength }}.tar.gz - path: ${{ github.workspace }}/artifact/upload/ diff --git a/.github/workflows/manual-install-test.yml b/.github/workflows/manual-install-test.yml index db16b391..b2498594 100644 --- a/.github/workflows/manual-install-test.yml +++ b/.github/workflows/manual-install-test.yml @@ -9,8 +9,8 @@ on: - cron: '0 2 * * 6' jobs: - apache2_wsgi: - name: "apache2_wsgi" + alma_nginx_wsgi: + name: "alma_nginx_wsgi" runs-on: ubuntu-latest steps: - name: "checkout GIT" 
@@ -25,109 +25,14 @@ jobs: - name: Branch name run: echo running on branch ${GITHUB_REF##*/} - - name: "Run install script" + - name: "[ PREPARE ] Almalinux instance" run: | - sudo mkdir -p data - chmod a+rx examples/install_scripts/a2c-ubuntu22-apache2.sh - examples/install_scripts/a2c-ubuntu22-apache2.sh ${GITHUB_REF##*/} + cat examples/Docker/alamalinux-systemd/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - - name: "Local modification to get a2c running" - run: | - sudo apt-get install -y socat - sudo sed -i "s/Listen 80/Listen 8080/g" /etc/apache2/ports.conf - sudo sed -i "s/*:80/*:8080/g" /etc/apache2/sites-available/acme2certifier.conf - sudo sed -i "s/examples\/ca_handler/\/var\/www\/acme2certifier\/examples\/ca_handler/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg - sudo sed -i "s/volume\/acme_ca/\/var\/www\/acme2certifier\/volume\/acme_ca/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg - sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg - sudo service apache2 restart - - - name: "Test http://acme-srv/directory is accessable" - run: curl -f http://127.0.0.1:8080/directory - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ REGISTER] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://${{ env.RUNNER_IP }}:8080 --register-account --accountemail 'acme-sh@example.com' --debug 3 - - - name: "[ ENROLL] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://${{ env.RUNNER_IP }}:8080 --issue -d acme-sh.acme --standalone --debug 3 --output-insecure - openssl verify -CAfile /var/www/acme2certifier/volume/acme_ca/root-ca-cert.pem -untrusted /var/www/acme2certifier/volume/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p 
${{ github.workspace }}/artifact/upload - sudo cp -rp /var/log/apache2 ${{ github.workspace }}/artifact/data/ - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: apache.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - nginx_wsgi: - name: "nginx_wsgi" - runs-on: ubuntu-latest - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] get runner ip" - run: | - echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV - echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV - - run: echo "runner IP is ${{ env.RUNNER_IP }}" - - - name: Branch name - run: echo running on branch ${GITHUB_REF##*/} - - - name: "Run install script" - run: | - sudo mkdir -p data - sh examples/install_scripts/a2c-ubuntu22-nginx.sh - - - name: "Local modification to get a2c running" - run: | - sudo apt-get install -y socat - sudo sed -i "s/listen 80/listen 8080/g" /etc/nginx/sites-enabled/acme_srv.conf - sudo sed -i "s/listen [::]:80/listen [::]:8080/g" /etc/nginx/sites-enabled/acme_srv.conf - sudo sed -i "s/examples\/ca_handler/\/var\/www\/acme2certifier\/examples\/ca_handler/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg - sudo sed -i "s/volume\/acme_ca/\/var\/www\/acme2certifier\/volume\/acme_ca/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg - sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg - sudo service nginx restart - - - name: "Test http://acme-srv/directory is accessable" - run: curl -f http://127.0.0.1:8080/directory - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ REGISTER] acme.sh" - run: | - docker exec -i 
acme-sh acme.sh --server http://${{ env.RUNNER_IP }}:8080 --register-account --accountemail 'acme-sh@example.com' --debug 3 - - - name: "[ ENROLL] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://${{ env.RUNNER_IP }}:8080 --issue -d acme-sh.acme --standalone --debug 3 --output-insecure - openssl verify -CAfile /var/www/acme2certifier/volume/acme_ca/root-ca-cert.pem -untrusted /var/www/acme2certifier/volume/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp /var/log/apache2 ${{ github.workspace }}/artifact/data/ - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data - name: "[ * ] uploading artificates" uses: actions/upload-artifact@v2 if: ${{ failure() }} with: - name: nginx.tar.gz + name: alma_nginx_wsgi.tar.gz path: ${{ github.workspace }}/artifact/upload/ \ No newline at end of file diff --git a/.github/workflows/markdown-check.yml b/.github/workflows/markdown-check.yml deleted file mode 100644 index 3cb45b18..00000000 --- a/.github/workflows/markdown-check.yml +++ /dev/null @@ -1,30 +0,0 @@ -# workflow to run the acme2certifier unittest suite - -name: Markdown check - -on: - push: - pull_request: - branches: [ devel ] - schedule: - # * is a special character in YAML so you have to quote this string - - cron: '0 2 * * 6' - -jobs: - markdown-check: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@master - - uses: gaurav-nelson/github-action-markdown-link-check@v1 - - name: Lint changelog file root - uses: avto-dev/markdown-lint@v1 - with: - args: '*.md' - - name: Lint changelog file docs - uses: avto-dev/markdown-lint@v1 - with: - args: './docs/*.md' - - name: Lint changelog file docker - uses: avto-dev/markdown-lint@v1 - with: - args: './examples/Docker/*.md' 
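Review bot: The failure-only upload step kept at the end of the hunk still points at `${{ github.workspace }}/artifact/upload/`, but the `[ * ] collecting test logs` step that created that directory was removed along with everything else, so nothing in the new `alma_nginx_wsgi` job ever writes there and a failed run uploads an empty `alma_nginx_wsgi.tar.gz` (upload-artifact@v2 only warns when no files match). The one remaining work step builds `examples/Docker/alamalinux-systemd/Dockerfile` as `almalinux-systemd` but never starts the container, and the install script, the `/directory` probe and the acme.sh enrollment with `openssl verify` are all gone, so the job no longer checks a manual install at all; if this is intentional scaffolding for later patches in the series, mark it on the step, e.g. `# TODO: start the almalinux-systemd container, run the a2c install script and enroll via acme.sh`. Either restore a log-collection step before the upload (`mkdir -p ${{ github.workspace }}/artifact/upload` plus `docker logs almalinux-systemd > .../artifact/upload/docker.log`) or drop the upload step until there is something to upload. Since the upload step is being edited anyway, pin `actions/upload-artifact` to a commit SHA instead of the floating `@v2` tag. The directory name `alamalinux-systemd` in the new path is misspelled; it matches the newly added Dockerfile directory, so rename both together before the typo spreads.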
diff --git a/.github/workflows/ossar-analysis.yml b/.github/workflows/ossar-analysis.yml deleted file mode 100644 index f5d68f9a..00000000 --- a/.github/workflows/ossar-analysis.yml +++ /dev/null @@ -1,53 +0,0 @@ -# This workflow integrates a collection of open source static analysis tools -# with GitHub code scanning. For documentation, or to provide feedback, visit -# https://github.com/github/ossar-action -name: OSSAR - -on: - push: - branches: [ devel ] - pull_request: - branches: [ devel ] - schedule: - - cron: '0 2 * * 6' - -jobs: - OSSAR-Scan: - # OSSAR runs on windows-latest. - # ubuntu-latest and macos-latest support coming soon - runs-on: windows-latest - - steps: - # Checkout your code repository to scan - - name: Checkout repository - uses: actions/checkout@v2 - with: - # We must fetch at least the immediate parents so that if this is - # a pull request then we can checkout the head. - fetch-depth: 2 - - # If this run was triggered by a pull request event, then checkout - # the head of the pull request instead of the merge commit. - - run: git checkout HEAD^2 - if: ${{ github.event_name == 'pull_request' }} - - # Ensure a compatible version of dotnet is installed. - # The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201. - # A version greater than or equal to v3.1.201 of dotnet must be installed on the agent in order to run this action. - # Remote agents already have a compatible version of dotnet installed and this step may be skipped. - # For local agents, ensure dotnet version 3.1.201 or later is installed by including this action: - # - name: Install .NET - # uses: actions/setup-dotnet@v1 - # with: - # dotnet-version: '3.1.x' - - # Run open source static analysis tools - - name: Run OSSAR - uses: github/ossar-action@v1 - id: ossar - - # Upload results to the Security tab - - name: Upload OSSAR results - uses: github/codeql-action/upload-sarif@v1 - with: - sarif_file: ${{ steps.ossar.outputs.sarifFile }} 
diff --git a/.github/workflows/phonito_security_scan.yml b/.github/workflows/phonito_security_scan.yml deleted file mode 100644 index 5d6774c2..00000000 --- a/.github/workflows/phonito_security_scan.yml +++ /dev/null 
@@ -1,128 +0,0 @@ -name: phonito security scans -on: - # temporarily disable - push: - branches-ignore: - - '**' - #schedule: - # # * daily checks at 05:00am - # - cron: '0 5 * * *' -jobs: - - apache2_wsgi: - name: Scan acme2certifier:apache2-wsgi - runs-on: ubuntu-latest - steps: - - - name: Checkout code - uses: actions/checkout@v2 - - - name: "[ PREPARE ] setup openssl ca_handler" - run: | - docker network create acme - sudo mkdir -p examples/Docker/data - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - - - name: "[ PREPARE ] apache2 django container" - run: | - docker run -d -p 80:80 --rm -id --network acme --name=acme-srv -v "$(pwd)/examples/Docker/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:apache2-wsgi - - - name: "[ SCAN ] Phonito Security Scan" - uses: phonito/phonito-scanner-action@master - with: - image: grindsa/acme2certifier:apache2-wsgi - fail-level: MEDIUM - phonito-token: '${{ secrets.PHONITO_TOKEN }}' - - apache2_django: - name: Scan acme2certifier:apache2-django - runs-on: ubuntu-latest - steps: - - - name: Checkout code - uses: actions/checkout@v2 - - - name: "[ PREPARE ] setup openssl ca_handler and django config" - run: | - docker network create acme - sudo mkdir -p examples/Docker/data - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo cp .github/django_settings.py 
examples/Docker/data/settings.py - - - name: "[ PREPARE ] apache2 wsgi container" - run: | - docker run -d -p 80:80 --rm -id --network acme --name=acme-srv -v "$(pwd)/examples/Docker/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:apache2-django - docker exec acme-srv python3 /var/www/acme2certifier/tools/django_update.py - sudo chmod a+w examples/Docker/data/db.sqlite3 - - - name: "[ SCAN ] Phonito Security Scan" - uses: phonito/phonito-scanner-action@master - with: - image: grindsa/acme2certifier:apache2-django - fail-level: MEDIUM - phonito-token: '${{ secrets.PHONITO_TOKEN }}' - - nginx_wsgi: - name: Scan acme2certifier:nginx-wsgi - runs-on: ubuntu-latest - steps: - - - name: Checkout code - uses: actions/checkout@v2 - - - name: "[ PREPARE ] setup openssl ca_handler" - run: | - docker network create acme - sudo mkdir -p examples/Docker/data - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - - - name: "[ PREPARE ] nginx wsgi container" - run: | - docker run -d -p 80:80 --rm -id --network acme --name=acme-srv -v "$(pwd)/examples/Docker/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:nginx-wsgi - - - name: "[ SCAN ] Phonito Security Scan" - uses: phonito/phonito-scanner-action@master - with: - image: grindsa/acme2certifier:nginx-wsgi - fail-level: MEDIUM - phonito-token: '${{ secrets.PHONITO_TOKEN }}' - - nginx_django: - name: Scan acme2certifier:nginx-django - runs-on: ubuntu-latest - steps: - - - name: Checkout code - uses: actions/checkout@v2 - - - name: "[ PREPARE ] setup openssl ca_handler and django config" - run: | - docker network create acme - sudo mkdir -p examples/Docker/data - sudo cp 
examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo cp .github/django_settings.py examples/Docker/data/settings.py - - - name: "[ PREPARE ] nginx django container" - run: | - docker run -d -p 80:80 --rm -id --network acme --name=acme-srv -v "$(pwd)/examples/Docker/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:nginx-django - # docker exec acme-srv python3 /var/www/acme2certifier/tools/django_update.py - # sudo chmod a+w examples/Docker/data/db.sqlite3 - - - name: "[ SCAN ] Phonito Security Scan" - uses: phonito/phonito-scanner-action@master - with: - image: grindsa/acme2certifier:nginx-django - fail-level: MEDIUM - phonito-token: '${{ secrets.PHONITO_TOKEN }}' diff --git a/.github/workflows/proxy-test.yml b/.github/workflows/proxy-test.yml deleted file mode 100644 index f5590bf9..00000000 --- a/.github/workflows/proxy-test.yml +++ /dev/null 
@@ -1,258 +0,0 @@ -name: Proxy tests - -on: - push: - pull_request: - branches: [ devel ] - schedule: - # * is a special character in YAML so you have to quote this string - - cron: '0 2 * * 6' - -jobs: - proxy_tests: - name: "proxy_tests" - runs-on: ubuntu-latest - strategy: - fail-fast: false - steps: - - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] create network" - run: | - docker network create acme - - - name: "[ PREPARE ] proxy container" - run: | - docker pull mosajjal/pproxy:latest - docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv & - - - name: "[ PREPARE ] Sleep for 10s" - uses: juliangruber/sleep-action@v1 - with: - time: 10s - - - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" - working-directory: examples/Docker/ - run: | - sudo mkdir -p data - docker-compose up -d - docker-compose logs - - - name: "Test http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] setup openssl ca_handler" - run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"acme-sh.acme\$\": \"socks5:\/\/proxy.acme:8080\", \"acme-sh.\$\": \"http\:\/\/proxy.acme:8080\"}/g" examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - - - name: "Test http://acme-srv/directory is accessable again" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] prepare acme.sh container" - 
run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ ENROLL ] acme.sh - http challenge validation" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure --force - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "[ CHECK ] proxy logs" - run: | - docker logs proxy | grep socks5 | grep -- "->" - docker logs proxy | grep http | grep -- "->" - docker stop proxy - docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv & - - - name: "[ ENROLL ] acme.sh - alpn challenge validation" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn -d acme-sh. --alpn --standalone --debug 3 --output-insecure --force - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "[ CHECK ] proxy logs" - run: | - docker logs proxy | grep socks5 | grep -- "->" - docker logs proxy | grep http | grep -- "->" - docker stop proxy - docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv & - - - name: "[ PREPARE ] setup certifier ca_handler for proxy usage" - run: | - sudo cp examples/ca_handler/certifier_ca_handler.py examples/Docker/data/ca_handler.py - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg - sudo echo "api_host: ${{ secrets.NCM_API_HOST }}" >> examples/Docker/data/acme_srv.cfg - 
sudo echo "api_user: ${{ secrets.NCM_API_USER }}" >> examples/Docker/data/acme_srv.cfg - sudo echo "api_password: ${{ secrets.NCM_API_PASSWORD }}" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_name: ${{ secrets.NCM_CA_NAME }}" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_bundle: ${{ secrets.NCM_CA_BUNDLE }}" >> examples/Docker/data/acme_srv.cfg - sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"ncm.nclm.eu\$\": \"socks5:\/\/proxy.acme:8080\"}/g" examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - - - name: "[ ENROLL ] via certifier ca_handler" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - # openssl verify -CAfile acme.sh/acme-sh.acme/ca.cer acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "[ REVOKE ] via certifier ca_handler" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --revoke -d acme-sh.acme --standalone --debug 3 --output-insecure - - - name: "[ CHECK ] proxy logs" - run: | - docker logs proxy | grep socks5 | grep -- "->" - docker stop proxy - docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv & - - - name: "[ PREPARE ] setup msca ca_handler for proxy usage" - run: | - sudo cp examples/ca_handler/mscertsrv_ca_handler.py examples/Docker/data/ca_handler.py - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg - sudo echo "host: ${{ secrets.MSCA_NAME }}" >> examples/Docker/data/acme_srv.cfg - sudo echo "user: ${{ secrets.NCLM_API_USER }}" >> examples/Docker/data/acme_srv.cfg - sudo echo "password: ${{ 
secrets.NCLM_API_PASSWORD }}" >> examples/Docker/data/acme_srv.cfg - sudo echo "auth_method: ${{ secrets.MSCA_AUTHMETHOD }}" >> examples/Docker/data/acme_srv.cfg - sudo echo "template: ${{ secrets.MSCA_TEMPLATE }}" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_bundle: volume/ca_certs.pem" >> examples/Docker/data/acme_srv.cfg - sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"amazonaws.com\$\": \"socks5:\/\/proxy.acme:8080\"}/g" examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - - - name: "[ ENROLL ] via msca ca_handler" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - # openssl verify -CAfile acme.sh/acme-sh.acme/ca.cer acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "[ CHECK ] proxy logs" - run: | - docker logs proxy | grep socks5 | grep -- "->" - docker stop proxy - docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv & - - - name: "[ PREPARE ] patch est_ca handler for testrfc7030.com" - run: | - sudo apt-get install curl openssl patch - sudo cp examples/ca_handler/est_ca_handler.py examples/Docker/data/ca_handler.py - # sudo patch examples/Docker/data/ca_handler.py .github/est_handler.patch - - - name: "[ PREPARE ] setup using http-basic-auth for proxy usage" - run: | - sudo mkdir -p examples/Docker/data/est - sudo chmod -R 777 examples/Docker/data/est - sudo touch $HOME/.rnd - sudo openssl ecparam -genkey -name prime256v1 -out examples/Docker/data/est/est_client_key.pem - sudo openssl req -new -key examples/Docker/data/est/est_client_key.pem -out /tmp/request.p10 -subj '/CN=acme2certifier' - sudo curl http://testrfc7030.com/dstcax3.pem --output /tmp/dstcax3.pem - sudo curl https://testrfc7030.com:8443/.well-known/est/cacerts -o /tmp/cacerts.p7 --cacert /tmp/dstcax3.pem - sudo openssl base64 -d -in /tmp/cacerts.p7 | 
openssl pkcs7 -inform DER -outform PEM -print_certs -out examples/Docker/data/est/ca_bundle.pem - sudo curl https://testrfc7030.com:8443/.well-known/est/simpleenroll --anyauth -u estuser:estpwd -s -o /tmp/cert.p7 --cacert /tmp/dstcax3.pem --data-binary @/tmp/request.p10 -H "Content-Type: application/pkcs10" --dump-header /tmp/resp.hdr - sudo openssl base64 -d -in /tmp/cert.p7 | openssl pkcs7 -inform DER -outform PEM -print_certs -out examples/Docker/data/est/est_client_cert.pem - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo head -n -4 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg - sudo echo "est_host: https://testrfc7030.com:8443" >> examples/Docker/data/acme_srv.cfg - sudo echo "est_user: estuser" >> examples/Docker/data/acme_srv.cfg - sudo echo "est_password: estpwd" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_bundle: False" >> examples/Docker/data/acme_srv.cfg - sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"testrfc7030.com\$\": \"socks5:\/\/proxy.acme:8080\"}/g" examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - - - name: "[ ENROLL ] via EST using http-basic-auth" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - - - name: "[ CHECK ] proxy logs" - run: | - docker logs proxy | grep socks5 | grep -- "->" - docker stop proxy - docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv & - - - name: "[ PREPARE ] setup using tls-client-auth" - run: | - sudo head -n -4 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg - sudo echo "est_host: https://testrfc7030.com:9443" >> examples/Docker/data/acme_srv.cfg - sudo echo 
"est_client_key: volume/est/est_client_key.pem" >> examples/Docker/data/acme_srv.cfg - sudo echo "est_client_cert: volume/est/est_client_cert.pem" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_bundle: False" >> examples/Docker/data/acme_srv.cfg - sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"testrfc7030.com\$\": \"http:\/\/proxy.acme:8080\"}/g" examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - - - name: "[ ENROLL ] via est using tls-client-auth" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - # openssl verify -CAfile acme.sh/acme-sh.acme/ca.cer acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "[ CHECK ] proxy logs" - run: | - docker logs proxy | grep http | grep -- "->" - docker stop proxy - docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv & - - - name: "[ PREPARE ] setup nclm ca_handler for proxy usage" - run: | - sudo cp examples/ca_handler/nclm_ca_handler.py examples/Docker/data/ca_handler.py - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo chmod 777 examples/Docker/data/acme_srv.cfg - sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg - sudo echo "api_host: ${{ secrets.NCLM_API_HOST }}" >> examples/Docker/data/acme_srv.cfg - sudo echo "api_user: ${{ secrets.NCLM_API_USER }}" >> examples/Docker/data/acme_srv.cfg - sudo echo "api_password: ${{ secrets.NCLM_API_PASSWORD }}" >> examples/Docker/data/acme_srv.cfg - sudo echo "tsg_name: ${{ secrets.NCLM_TSG_NAME }}" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_name: ${{ secrets.NCLM_CA_NAME }}" >> examples/Docker/data/acme_srv.cfg - sudo echo "ca_id_list: [${{ secrets.NCLM_CA_ID_LIST }}]" >> examples/Docker/data/acme_srv.cfg - sudo sed -i 
"s/debug: True/debug: True\nproxy_server_list: {\"nclm.eu\$\": \"http:\/\/proxy.acme:8080\"}/g" examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - - - name: "[ ENROLL ] via nclm ca_handler" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - # openssl verify -CAfile acme.sh/acme-sh.acme/ca.cer acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "[ CHECK ] proxy logs" - run: | - docker logs proxy | grep http | grep -- "->" - docker stop proxy - docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv & - - - name: "[ stop ] proxy container" - run: | - docker stop proxy - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: proxy.tar.gz - path: ${{ github.workspace }}/artifact/upload/ diff --git a/.github/workflows/push_images_to_dockerhub.yml b/.github/workflows/push_images_to_dockerhub.yml deleted file mode 100644 index 8ff3078c..00000000 --- a/.github/workflows/push_images_to_dockerhub.yml +++ /dev/null 
@@ -1,319 +0,0 @@ -name: Push images to dockerhub and ghcr.io -on: - push: - branches: - - "master" - schedule: - # * is a special character in YAML so you have to quote this string - - cron: '0 4 * * 6' -jobs: - - #update_docker_hub_description: - # runs-on: ubuntu-latest - # steps: - # - uses: actions/checkout@v2 - # - name: Docker Hub Description - # uses: peter-evans/dockerhub-description@v2 - # env: - # DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USER }} - # DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }} - # DOCKERHUB_REPOSITORY: grindsa/acme2certifier - - - build_and_upload_images_to_hub: - name: Push images to dockerhub and github - runs-on: ubuntu-latest - steps: - - name: "Get current version" - uses: oprypin/find-latest-tag@v1 - with: - repository: ${{ github.repository }} # The repository to scan. - releases-only: true # We know that all relevant tags have a GitHub release for them. - id: acme2certifier_ver # The step ID to refer to later. - - - name: Checkout code - uses: actions/checkout@v2 - - - name: "Retrieve Version from version.py" - run: | - echo APP_NAME=$(echo ${{ github.repository }} | awk -F / '{print $2}') >> $GITHUB_ENV - echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV - - - run: echo "Repo is at version ${{ steps.acme2certifier_ver.outputs.tag }}" - - run: echo "APP tag is ${{ env.APP_NAME }}" - - run: echo "Latest tag is ${{ env.TAG_NAME }}" - - - name: "Create images" - run: | - cat examples/Docker/apache2/wsgi/Dockerfile | docker build -t grindsa/acme2certifier:apache2-wsgi -t grindsa/acme2certifier:${{ env.TAG_NAME }}-apache2-wsgi -t ghcr.io/grindsa/acme2certifier:apache2-wsgi -t ghcr.io/grindsa/acme2certifier:${{ env.TAG_NAME }}-apache2-wsgi -f - . 
--no-cache - cat examples/Docker/apache2/django/Dockerfile | docker build -t grindsa/acme2certifier:apache2-django -t grindsa/acme2certifier:${{ env.TAG_NAME }}-apache2-django -t ghcr.io/grindsa/acme2certifier:apache2-django -t ghcr.io/grindsa/acme2certifier:${{ env.TAG_NAME }}-apache2-django -f - . --no-cache - cat examples/Docker/nginx/wsgi/Dockerfile | docker build -t grindsa/acme2certifier:nginx-wsgi -t grindsa/acme2certifier:${{ env.TAG_NAME }}-nginx-wsgi -t ghcr.io/grindsa/acme2certifier:nginx-wsgi -t ghcr.io/grindsa/acme2certifier:${{ env.TAG_NAME }}-nginx-wsgi -f - . --no-cache - cat examples/Docker/nginx/django/Dockerfile | docker build -t grindsa/acme2certifier:nginx-django -t grindsa/acme2certifier:${{ env.TAG_NAME }}-nginx-django -t ghcr.io/grindsa/acme2certifier:nginx-django -t ghcr.io/grindsa/acme2certifier:${{ env.TAG_NAME }}-nginx-django -f - . --no-cache - - - name: "upload images to hub.docker.com" - run: | - docker login -u ${{ secrets.DOCKERHUB_USER }} -p ${{ secrets.DOCKERHUB_TOKEN }} - docker push -a grindsa/acme2certifier - - - name: "upload images to ghcr.io" - run: | - docker login ghcr.io -u ${{ secrets.GHCR_USER }} -p ${{ secrets.GHCR_TOKEN }} - docker push -a ghcr.io/grindsa/acme2certifier - - - name: "Install syft" - run: | - sudo curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin - - - name: "Retrieve SBOM repo" - run: | - git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom - env: - GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} - GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} - - - name: "Generate SBOMs for a2c images " - run: | - mkdir -p /tmp/sbom/acme2certifier - syft grindsa/acme2certifier:apache2-wsgi > /tmp/sbom/acme2certifier/acme2certifier-apache2-wsgi_sbom.txt - syft grindsa/acme2certifier:apache2-wsgi -o json > /tmp/sbom/acme2certifier/acme2certifier_apache2-wsgi_sbom.json - syft grindsa/acme2certifier:apache2-django > 
/tmp/sbom/acme2certifier/acme2certifier-apache2-django_sbom.txt - syft grindsa/acme2certifier:apache2-django -o json > /tmp/sbom/acme2certifier/acme2certifier_apache2-django_sbom.json - syft grindsa/acme2certifier:nginx-wsgi > /tmp/sbom/acme2certifier/acme2certifier-nginx-wsgi_sbom.txt - syft grindsa/acme2certifier:nginx-wsgi -o json > /tmp/sbom/acme2certifier/acme2certifier_nginx-wsgi_sbom.json - syft grindsa/acme2certifier:nginx-django > /tmp/sbom/acme2certifier/acme2certifier-nginx-django_sbom.txt - syft grindsa/acme2certifier:nginx-django -o json > /tmp/sbom/acme2certifier/acme2certifier_nginx-django_sbom.json - - - name: "Upload Changes" - run: | - cd /tmp/sbom - git config --global user.email "grindelsack@gmail.com" - git config --global user.name "SBOM Generator" - git add acme2certifier/ - git commit -a -m "SBOM update" - git push - - - name: "delete images from local repository" - run: | - docker rmi $(docker images grindsa/acme2certifier -q) --no-prune --force - - apache2_wsgi: - name: Test acme2certifier:apache2-wsgi image - needs: [build_and_upload_images_to_hub] - runs-on: ubuntu-latest - steps: - - - name: Checkout code - uses: actions/checkout@v2 - - - name: "[ PREPARE ] setup openssl ca_handler" - run: | - docker network create acme - sudo mkdir -p examples/Docker/data - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - - - name: "[ PREPARE ] apache2 django container" - run: | - docker run -d -p 80:80 --rm -id --network acme --name=acme-srv -v "$(pwd)/examples/Docker/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:apache2-wsgi - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - docker run --rm -id -v 
"$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ ENROLL ] via openssl ca_handler" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "[ DEACTIVATE ] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --deactivate-account --debug 2 --output-insecure - - - name: "[ * ] collecting test data" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - cd examples/Docker - docker logs acme-srv > ${{ github.workspace }}/artifact/docker.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker.log data acme-sh - - - name: "[ * ] uploading artifacts" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: apache_wsgi.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - test_apache2_django: - name: Test acme2certifier:apache2-django image - needs: [build_and_upload_images_to_hub] - runs-on: ubuntu-latest - steps: - - - name: Checkout code - uses: actions/checkout@v2 - - - name: "[ PREPARE ] setup openssl ca_handler and django config" - run: | - docker network create acme - sudo mkdir -p examples/Docker/data - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg 
examples/Docker/data/acme_srv.cfg - sudo cp .github/django_settings.py examples/Docker/data/settings.py - - - name: "[ PREPARE ] apache2 wsgi container" - run: | - docker run -d -p 80:80 --rm -id --network acme --name=acme-srv -v "$(pwd)/examples/Docker/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:apache2-django - - - name: "[ PREPARE ] Sleep for 10s" - uses: juliangruber/sleep-action@v1 - with: - time: 5s - - - name: "[ PREPARE ] django update" - run: | - docker exec acme-srv python3 /var/www/acme2certifier/tools/django_update.py - sudo chmod a+w examples/Docker/data/db.sqlite3 - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ ENROLL ] via openssl ca_handler" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "[ DEACTIVATE ] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --deactivate-account --debug 2 --output-insecure - - - name: "[ * ] collecting test data" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - cd examples/Docker - docker logs acme-srv > ${{ github.workspace }}/artifact/docker.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker.log data acme-sh - - - name: "[ * ] uploading artifacts" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: apache_django.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - 
nginx_wsgi: - name: Test acme2certifier:nginx-wsgi image - needs: [build_and_upload_images_to_hub] - runs-on: ubuntu-latest - steps: - - - name: Checkout code - uses: actions/checkout@v2 - - - name: "[ PREPARE ] setup openssl ca_handler" - run: | - docker network create acme - sudo mkdir -p examples/Docker/data - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - - - name: "[ PREPARE ] nginx wsgi container" - run: | - docker run -d -p 80:80 --rm -id --network acme --name=acme-srv -v "$(pwd)/examples/Docker/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:nginx-wsgi - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ ENROLL ] via openssl ca_handler" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "[ DEACTIVATE ] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --deactivate-account --debug 2 --output-insecure - - - name: "[ * ] collecting test data" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - cd examples/Docker - docker logs acme-srv > ${{ github.workspace }}/artifact/docker.log - sudo tar -C ${{ 
github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker.log data acme-sh - - - name: "[ * ] uploading artifacts" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: nginx_wsgi.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - test_nginx_django: - name: Test acme2certifier:nginx-django image - needs: [build_and_upload_images_to_hub] - runs-on: ubuntu-latest - steps: - - - name: Checkout code - uses: actions/checkout@v2 - - - name: "[ PREPARE ] setup openssl ca_handler and django config" - run: | - docker network create acme - sudo mkdir -p examples/Docker/data - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo cp .github/django_settings.py examples/Docker/data/settings.py - - - name: "[ PREPARE ] nginx django container" - run: | - docker run -d -p 80:80 --rm -id --network acme --name=acme-srv -v "$(pwd)/examples/Docker/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:nginx-django - # docker exec acme-srv python3 /var/www/acme2certifier/tools/django_update.py - # sudo chmod a+w examples/Docker/data/db.sqlite3 - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ ENROLL ] via openssl ca_handler" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem 
acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "[ DEACTIVATE ] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --deactivate-account --debug 2 --output-insecure - - - name: "[ * ] collecting test data" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ - cd examples/Docker - docker logs acme-srv > ${{ github.workspace }}/artifact/docker.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker.log data acme-sh - - - name: "[ * ] uploading artifacts" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: nginx_django.tar.gz - path: ${{ github.workspace }}/artifact/upload/ diff --git a/.github/workflows/python-test.yml b/.github/workflows/python-test.yml deleted file mode 100644 index 69433b3b..00000000 --- a/.github/workflows/python-test.yml +++ /dev/null 
@@ -1,78 +0,0 @@ -# workflow to run the acme2certifier unittest suite - -name: Python Tests - -on: - push: - pull_request: - branches: [ devel ] - schedule: - # * is a special character in YAML so you have to quote this string - - cron: '0 2 * * 6' -jobs: - unittest: - runs-on: ubuntu-latest - strategy: - matrix: - python_version: ['3.x', '3.10', '3.9', '3.8', '3.7' ] - name: Python Unittest (${{ matrix.python_version }}) - steps: - - uses: actions/checkout@v2 - - name: Set up Python ${{ matrix.python_version }} - uses: actions/setup-python@v2 - with: - python-version: ${{ matrix.python_version }} - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install pytest - if [ -f requirements.txt ]; then pip install -r requirements.txt; fi - - name: cp - run: | - cp examples/ca_handler/skeleton_ca_handler.py acme_srv/ca_handler.py - cp examples/acme_srv.cfg acme_srv/ - - name: Python test - run: | - pytest - pylint: - runs-on: ubuntu-latest - strategy: - matrix: - python_version: [3.x, 3.8] - name: Pylint test (${{ matrix.python_version }}) - steps: - - uses: actions/checkout@v2 - - name: Set up Python ${{ matrix.python_version }} - uses: actions/setup-python@v2 - with: - python-version: ${{ matrix.python_version }} - - name: Install dependencies - run: | - python -m pip install --upgrade pip - pip install pylint pylint-exit - if [ -f requirements.txt ]; then pip install -r requirements.txt; fi - - name: cp - run: | - cp examples/ca_handler/skeleton_ca_handler.py acme_srv/ca_handler.py - cp examples/db_handler/wsgi_handler.py acme_srv/db_handler.py - cp examples/acme_srv.cfg acme_srv/ - - name: "Pylint folder: acme" - run: | - pylint --rcfile=".github/pylintrc" acme_srv/ || pylint-exit $? - - name: "Pylint folder: tools" - run: | - pylint --rcfile=".github/pylintrc" tools/*.py || pylint-exit $? - - name: "Pylint folder: examples/db_handler" - run: | - pylint --rcfile=".github/pylintrc" examples/db_handler/*.py || pylint-exit $? 
- - name: "Pylint folder: examples/ca_handler" - run: | - pylint --rcfile=".github/pylintrc" examples/ca_handler/*.py || pylint-exit $? - - - name: "Linting with pycodestyle" - run: | - pip install pycodestyle - cp .github/pycodestyle ~/.config/pycodestyle - pycodestyle --show-source examples/. - pycodestyle --show-source acme_srv/. - pycodestyle --show-source tools/. diff --git a/.github/workflows/tnauth-test.yml b/.github/workflows/tnauth-test.yml deleted file mode 100644 index 5590de6c..00000000 --- a/.github/workflows/tnauth-test.yml +++ /dev/null 
@@ -1,70 +0,0 @@ -name: Tnauth Tests - -on: - push: - pull_request: - branches: [ devel ] - schedule: - # * is a special character in YAML so you have to quote this string - - cron: '0 2 * * 6' - -jobs: - tnauth_acme_sh: - name: "tnauth_acme_sh" - runs-on: ubuntu-latest - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" - working-directory: examples/Docker/ - run: | - sudo mkdir -p data - docker network create acme - docker-compose up -d - docker-compose logs - - - name: "Test http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] setup openssl ca_handler" - run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg - sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: True/g" examples/Docker/data/acme_srv.cfg - cd examples/Docker/ - docker-compose restart - docker-compose logs - - - name: "[ CURL ] install curl and socat and test connction" - run: | - sudo apt-get install -y curl socat - curl -f http://localhost:22280 - - - name: "[ ACME.SH ] install acme.sh" - run: | - mkdir /tmp/acme_sh - curl -kL https://github.com/grindsa/acme.sh/archive/tnauth_list_support.tar.gz | tar xz -C /tmp/acme_sh --strip-components=1 - - - name: "[ ACME.SH ] enroll certificate using tnauth identifier" - run: | - cd /tmp/acme_sh - /tmp/acme_sh/acme.sh --server http://127.0.0.1:22280 --accountemail grindsa@tnauth.acme --issue -d cert.acme.local --tnauth 123456 --spctoken 1234 --standalone --force --debug 2 - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ 
github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: lego_key-${{ matrix.keylength }}.tar.gz - path: ${{ github.workspace }}/artifact/upload/ diff --git a/.github/workflows/wiki-update.yml b/.github/workflows/wiki-update.yml deleted file mode 100644 index 832fb156..00000000 --- a/.github/workflows/wiki-update.yml +++ /dev/null @@ -1,26 +0,0 @@ -# workflow to update wiki - -name: wiki-update - -on: - push: - branches: [ master ] - -jobs: - wiki-update: - runs-on: ubuntu-latest - steps: - - uses: actions/checkout@v1 - # Additional steps to generate documentation in "Documentation" directory - - name: Upload docs to Wiki - uses: grindsa/github-wiki-publish-action@customize_wiki_title - with: - path: "docs" - env: - GH_PERSONAL_ACCESS_TOKEN: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} - - name: Upload Docker to Wiki - uses: grindsa/github-wiki-publish-action@customize_wiki_title - with: - path: "examples/Docker" - env: - GH_PERSONAL_ACCESS_TOKEN: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }} diff --git a/.github/workflows/winacme-application-test.yml b/.github/workflows/winacme-application-test.yml deleted file mode 100644 index 9df2f9ae..00000000 --- a/.github/workflows/winacme-application-test.yml +++ /dev/null 
@@ -1,121 +0,0 @@ -name: Application Tests - win-acme - -on: - push: - pull_request: - branches: [ devel ] - schedule: - # * is a special character in YAML so you have to quote this string - - cron: '0 2 * * 6' - -jobs: - - win_acme: - name: "win_acme" - runs-on: windows-latest - - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] get RunnerIP" - run: | - $runner_ip=(Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias 'Ethernet 3').IPAddress - echo RUNNER_IP=$runner_ip >> $env:GITHUB_ENV - - - name: "[ PREPARE ] echo RunnerIP" - run: echo $env:RUNNER_IP - - - name: "[ PREPARE ] Create DNS entries " - run: | - Invoke-RestMethod -ContentType "application/json" -Method PUT -Uri ${{ secrets.CF_DYNAMOP_URL }} -Headers @{Authorization="Bearer ${{ secrets.CF_TOKEN }}"} -UseBasicParsing -Body '{"type":"A","name":"${{ secrets.CF_WINACME1_NAME }}","content":"${{ env.RUNNER_IP }}","ttl":120,"proxied":false}' - - - name: "[ PREPARE ] Build local acme2certifier environment" - run: | - python -m pip install --upgrade pip - pip install -r requirements.txt - pip install django==3.2 - pip install django-sslserver - pip install pyyaml - cp examples/db_handler/django_handler.py acme_srv/db_handler.py - cp examples/django/* .\ -Recurse -Force - (Get-Content .github/django_settings.py) -replace '/var/www/acme2certifier/volume/db.sqlite3', 'volume/db.sqlite3' | Set-Content acme2certifier/settings.py - (Get-Content acme2certifier/settings.py) -replace 'django.contrib.staticfiles', 'sslserver' | Set-Content acme2certifier/settings.py - cat acme2certifier/settings.py - cp examples/ca_handler/openssl_ca_handler.py acme2certifier/ca_handler.py - cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg acme_srv/acme_srv.cfg - cp .github/acme2certifier_cert.pem acme2certifier/acme2certifier_cert.pem - cp .github/acme2certifier_key.pem acme2certifier/acme2certifier_key.pem - mkdir .\volume/acme_ca/certs - cp test/ca/*.pem volume/acme_ca/ - certutil 
-addstore -enterprise -f -v root volume\acme_ca\root-ca-cert.pem - certutil -addstore -enterprise -f -v root volume\acme_ca\sub-ca-cert.pem - - - name: "[ PREPARE ] configure server" - run: | - python manage.py makemigrations - python manage.py migrate - python manage.py loaddata acme_srv/fixture/status.yaml - - - name: "[ PREPARE ] try to get up the server" - run: | - Start-Process powershell {python .\manage.py runserver 0.0.0.0:8080 3>&1 2>&1 > volume\redirection.log} - - name: "[ PREPARE ] Sleep for 5s" - uses: juliangruber/sleep-action@v1 - with: - time: 5s - - - name: "[ TEST ] Test if directory ressource is accessable" - run: | - get-Process python - Invoke-RestMethod -Uri http://127.0.0.1:8080/directory -NoProxy -TimeoutSec 5 - [System.Net.Dns]::GetHostByName('localhost').HostName - ([System.Net.Dns]::GetHostByName(($env:computerName))).Hostname - - - name: "[ PREPARE ] Download win-acme" - run: | - Invoke-RestMethod -Uri https://github.com/win-acme/win-acme/releases/download/v2.1.20.1/win-acme.v2.1.20.1185.x64.trimmed.zip -OutFile win-acme.zip - Expand-Archive .\win-acme.zip - mkdir win-acme\certs - dir win-acme\* - - - name: "[ ENROLL ] Enroll certificate via win-acme" - run: | - .\win-acme\wacs.exe --baseuri http://127.0.0.1:8080 --emailaddress=grindsa@bar.local --pemfilespath win-acme\certs --source manual --host ${{ secrets.CF_WINACME1_NAME }},${{ secrets.CF_WINACME2_NAME }} --store pemfiles --force - - - name: "[ PREPARE ] try to get up the sslserver" - run: | - Start-Process powershell {python .\manage.py runsslserver 0.0.0.0:443 --certificate acme2certifier/acme2certifier_cert.pem --key acme2certifier/acme2certifier_key.pem 3>&1 2>&1 > volume\redirection_ssl.log} - - name: "[ PREPARE ] Sleep for 5s" - uses: juliangruber/sleep-action@v1 - with: - time: 5s - - - name: "[ TEST ] Test if directory ressource is accessable" - run: | - get-Process python - Invoke-RestMethod -SkipCertificateCheck -Uri https://localhost -NoProxy -TimeoutSec 5 - 
[System.Net.Dns]::GetHostByName('localhost').HostName - ([System.Net.Dns]::GetHostByName(($env:computerName))).Hostname - - - name: "[ PREPARE ] Install and configure Posh-ACME" - run: | - Install-Module -Name Posh-ACME -Scope CurrentUser -Force - - name: "[ ENROLL ] Enroll Certificate via Posh-ACME" - run: | - set-PAServer -DirectoryUrl https://localhost/directory -SkipCertificateCheck - New-PACertificate ${{ secrets.CF_WINACME1_NAME }} -AcceptTOS -Contact 'foo@bar.local' -Plugin WebSelfHost -PluginArgs @{} -Force - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir ${{ github.workspace }}\artifact\upload - cp volume ${{ github.workspace }}\artifact\upload/ -Recurse -Force - cp acme_srv\acme_srv.cfg ${{ github.workspace }}\artifact\upload - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: win-acme.tar.gz - path: ${{ github.workspace }}/artifact/upload/ diff --git a/.github/workflows/wsgi_handler-test.yml b/.github/workflows/wsgi_handler-test.yml deleted file mode 100644 index de17a57f..00000000 --- a/.github/workflows/wsgi_handler-test.yml +++ /dev/null 
@@ -1,153 +0,0 @@ -name: WSGI handler tests - -on: - push: - pull_request: - branches: [ devel, db_file_customization ] - schedule: - # * is a special character in YAML so you have to quote this string - - cron: '0 2 * * 6' - -jobs: - a2_cust_db_file: - name: "a2_cust_db_file" - runs-on: ubuntu-latest - strategy: - fail-fast: false - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" - working-directory: examples/Docker/ - run: | - sudo mkdir -p data - docker network create acme - sudo cp ../../.github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/acme_srv.cfg - sudo chmod 777 data/acme_srv.cfg - sudo echo "" >> data/acme_srv.cfg - sudo echo "[DBhandler]" >> data/acme_srv.cfg - sudo echo "dbfile: volume/a2c.db" >> data/acme_srv.cfg - sudo echo "[Directory]" >> data/acme_srv.cfg - sudo echo "url_prefix: /foo" >> data/acme_srv.cfg - docker-compose up -d - docker-compose logs - - - name: "Test http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] setup openssl ca_handler" - run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - cd examples/Docker/ - docker-compose restart - docker-compose logs - - - name: "Test http://acme-srv/directory is accessable again" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ ENROLL ] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme 
--standalone --debug 3 --output-insecure --force - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "[ ENROLL ] lego" - run: | - mkdir lego - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: a2_custdb.tar.gz - path: ${{ github.workspace }}/artifact/upload/ - - nginx_cust_db_file: - name: "nginx_cust__db_file" - runs-on: ubuntu-latest - strategy: - fail-fast: false - steps: - - name: "checkout GIT" - uses: actions/checkout@v2 - - - name: "[ PREPARE ] Build docker-compose (nginx_wsgi)" - working-directory: examples/Docker/ - run: | - sed -i "s/apache2/nginx/g" .env - sudo mkdir -p data - docker network create acme - sudo cp ../../.github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/acme_srv.cfg - sudo chmod 777 data/acme_srv.cfg - sudo echo "" >> data/acme_srv.cfg - sudo echo "[DBhandler]" >> data/acme_srv.cfg - sudo echo "dbfile: volume/a2c.db" >> data/acme_srv.cfg - sudo echo "[Directory]" >> data/acme_srv.cfg - sudo echo "url_prefix: /foo" >> data/acme_srv.cfg - docker-compose up -d - docker-compose logs - sleep 5 - - - name: "Test 
http://acme-srv/directory is accessable" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] setup openssl ca_handler" - run: | - sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py - sudo mkdir -p examples/Docker/data/acme_ca/certs - sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ - cd examples/Docker/ - docker-compose restart - docker-compose logs - sleep 5 - - - name: "Test http://acme-srv/directory is accessable again" - run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory - - - name: "[ PREPARE ] prepare acme.sh container" - run: | - docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon - - - name: "[ ENROLL ] acme.sh" - run: | - docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force - openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer - - - name: "[ ENROLL ] lego" - run: | - mkdir lego - docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run - sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt - - - name: "[ * ] collecting test logs" - if: ${{ failure() }} - run: | - mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ - cd examples/Docker - docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log - sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace 
}}/artifact/upload/artifact.tar.gz docker-compose.log data - - - name: "[ * ] uploading artificates" - uses: actions/upload-artifact@v2 - if: ${{ failure() }} - with: - name: nginx_cust_db.tar.gz - path: ${{ github.workspace }}/artifact/upload/ diff --git a/examples/Docker/alamalinux-systemd/Dockerfile b/examples/Docker/alamalinux-systemd/Dockerfile new file mode 100644 index 00000000..930f6b2f --- /dev/null +++ b/examples/Docker/alamalinux-systemd/Dockerfile @@ -0,0 +1,15 @@ +FROM almalinux:9 +ENV container docker + +RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in ; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); + +RUN rm -rf /lib/systemd/system/multi-user.target.wants/ \ +&& rm -rf /etc/systemd/system/.wants/ \ +&& rm -rf /lib/systemd/system/local-fs.target.wants/ \ +&& rm -f /lib/systemd/system/sockets.target.wants/udev \ +&& rm -f /lib/systemd/system/sockets.target.wants/initctl \ +&& rm -rf /lib/systemd/system/basic.target.wants/ \ +&& rm -f /lib/systemd/system/anaconda.target.wants/* + +VOLUME [ “/sys/fs/cgroup” ] +CMD ["/usr/sbin/init"] From 24c05d85827f0276fe9be305a98cf8fedddfb162 Mon Sep 17 00:00:00 2001 From: grindsa Date: Sat, 10 Dec 2022 08:44:01 +0100 Subject: [PATCH 02/22] foo2 --- .github/workflows/manual-install-test.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/manual-install-test.yml b/.github/workflows/manual-install-test.yml index b2498594..7e0e54e0 100644 --- a/.github/workflows/manual-install-test.yml +++ b/.github/workflows/manual-install-test.yml @@ -1,4 +1,4 @@ -name: Manuall Installation test +name: Manual Installation test on: push: 
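Review bot: `VOLUME [ “/sys/fs/cgroup” ]` in the new Dockerfile uses Unicode curly quotes, so the line is not the JSON-array form it looks like and Docker will either reject it or fall back to treating `[`, `“/sys/fs/cgroup”` and `]` as whitespace-separated volume paths; it should read `VOLUME [ "/sys/fs/cgroup" ]`. The first RUN line iterates over an empty word list (`for i in ; do`), so as written nothing under sysinit.target.wants is removed — if a `*` glob was intended it needs to be restored, otherwise the whole RUN is dead and can be dropped. `ENV container docker` is the legacy space-separated form; `ENV container=docker` is the documented one.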
@@ -25,10 +25,14 @@ jobs: - name: Branch name run: echo running on branch ${GITHUB_REF##*/} + - name: "[ PREPARE ] environment" + run: | + docker network create acme + - name: "[ PREPARE ] Almalinux instance" run: | cat examples/Docker/alamalinux-systemd/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - + docker run -d -id --privileged --network acme --name=acme_srv -v "./":/tmp/acme2certifier almalinux-systemd - name: "[ * ] uploading artificates" uses: actions/upload-artifact@v2 From 640776135c0b17df9944ccb06fcdc4953cedce16 Mon Sep 17 00:00:00 2001 From: grindsa Date: Sat, 10 Dec 2022 08:45:45 +0100 Subject: [PATCH 03/22] foo3 --- .github/workflows/manual-install-test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/manual-install-test.yml b/.github/workflows/manual-install-test.yml index 7e0e54e0..5860c4e7 100644 --- a/.github/workflows/manual-install-test.yml +++ b/.github/workflows/manual-install-test.yml @@ -32,7 +32,7 @@ jobs: - name: "[ PREPARE ] Almalinux instance" run: | cat examples/Docker/alamalinux-systemd/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network acme --name=acme_srv -v "./":/tmp/acme2certifier almalinux-systemd + docker run -d -id --privileged --network acme --name=acme_srv -v "$(pwd)/":/tmp/acme2certifier almalinux-systemd - name: "[ * ] uploading artificates" uses: actions/upload-artifact@v2 From 3e53f4a1c50cf185f89b305d1dd2329df5c149d5 Mon Sep 17 00:00:00 2001 From: grindsa Date: Sat, 10 Dec 2022 10:02:24 +0100 Subject: [PATCH 04/22] foo3 --- .github/workflows/manual-install-test.yml | 4 ++++ examples/Docker/alamalinux-systemd/script_tester.sh | 5 +++++ 2 files changed, 9 insertions(+) create mode 100644 examples/Docker/alamalinux-systemd/script_tester.sh diff --git a/.github/workflows/manual-install-test.yml b/.github/workflows/manual-install-test.yml index 5860c4e7..55f9eb88 100644 
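Review bot: The `docker run` line added to the Almalinux step starts the container with `--privileged` and nothing says why, which is exactly the kind of flag a later cleanup removes; add a comment such as `# --privileged: presumably needed so systemd can run as PID 1 in the test container` above it so the requirement is recorded. `-d -id` also repeats the detach flag; `-d -i` (or just `-d`, since nothing attaches stdin) says the same thing. The enclosing job starts before the hunk.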
--- a/.github/workflows/manual-install-test.yml +++ b/.github/workflows/manual-install-test.yml @@ -34,6 +34,10 @@ jobs: cat examples/Docker/alamalinux-systemd/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache docker run -d -id --privileged --network acme --name=acme_srv -v "$(pwd)/":/tmp/acme2certifier almalinux-systemd + - name: "[ RUN ] exceute installation" + run: | + docker exec acme_srv sh /tmp/acme2certifier/examples/Docker/almalinux-systemd/script_tester.sh + - name: "[ * ] uploading artificates" uses: actions/upload-artifact@v2 if: ${{ failure() }} diff --git a/examples/Docker/alamalinux-systemd/script_tester.sh b/examples/Docker/alamalinux-systemd/script_tester.sh new file mode 100644 index 00000000..64f3c513 --- /dev/null +++ b/examples/Docker/alamalinux-systemd/script_tester.sh @@ -0,0 +1,5 @@ +#!/bin/bash + +echo "install missing packages" + +yum install sudo checkpolicy python3-pip procps \ No newline at end of file From 3c87f6c2b82361c5231499ab8f2e619bd728b6ff Mon Sep 17 00:00:00 2001 From: grindsa Date: Sat, 10 Dec 2022 10:02:50 +0100 Subject: [PATCH 05/22] foo4 --- examples/Docker/alamalinux-systemd/script_tester.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/Docker/alamalinux-systemd/script_tester.sh b/examples/Docker/alamalinux-systemd/script_tester.sh index 64f3c513..8e0b0cf5 100644 --- a/examples/Docker/alamalinux-systemd/script_tester.sh +++ b/examples/Docker/alamalinux-systemd/script_tester.sh @@ -2,4 +2,4 @@ echo "install missing packages" -yum install sudo checkpolicy python3-pip procps \ No newline at end of file +yum install -y sudo checkpolicy python3-pip procps \ No newline at end of file From 160522b3f0dc45137c63364a1f4f5f21ee34551e Mon Sep 17 00:00:00 2001 
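Review bot: The added `docker exec` step runs `/tmp/acme2certifier/examples/Docker/almalinux-systemd/script_tester.sh`, but the file this same commit creates lives under `examples/Docker/alamalinux-systemd/` (see the `new file` header following the hunk), so the step will fail with a file-not-found error. Either the path in the step or the directory name has to change, e.g. `docker exec acme_srv sh /tmp/acme2certifier/examples/Docker/alamalinux-systemd/script_tester.sh`. The enclosing job starts before the hunk.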
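Review bot: `script_tester.sh` has no `set -e`, so a failing `yum install` would not fail the workflow step that runs it and the breakage would only surface in later steps; add `set -euo pipefail` on the line after the shebang. The file also ends without a trailing newline (`\ No newline at end of file`), which editors and linters will keep flagging.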
From: grindsa Date: Sat, 10 Dec 2022 10:07:11 +0100 Subject: [PATCH 06/22] foo5 --- .github/workflows/manual-install-test.yml | 6 +++--- .../{alamalinux-systemd => alamlinux-systemd}/Dockerfile | 0 .../script_tester.sh | 0 3 files changed, 3 insertions(+), 3 deletions(-) rename examples/Docker/{alamalinux-systemd => alamlinux-systemd}/Dockerfile (100%) rename examples/Docker/{alamalinux-systemd => alamlinux-systemd}/script_tester.sh (100%) diff --git a/.github/workflows/manual-install-test.yml b/.github/workflows/manual-install-test.yml index 55f9eb88..d1cf93ba 100644 --- a/.github/workflows/manual-install-test.yml +++ b/.github/workflows/manual-install-test.yml @@ -31,12 +31,12 @@ jobs: - name: "[ PREPARE ] Almalinux instance" run: | - cat examples/Docker/alamalinux-systemd/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache + cat examples/Docker/almalinux-systemd/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache docker run -d -id --privileged --network acme --name=acme_srv -v "$(pwd)/":/tmp/acme2certifier almalinux-systemd - - name: "[ RUN ] exceute installation" + - name: "[ RUN ] Execute install scipt" run: | - docker exec acme_srv sh /tmp/acme2certifier/examples/Docker/almalinux-systemd/script_tester.sh + docker exec acme_srv /tmp/acme2certifier/examples/Docker/almalinux-systemd/script_tester.sh - name: "[ * ] uploading artificates" uses: actions/upload-artifact@v2 diff --git a/examples/Docker/alamalinux-systemd/Dockerfile b/examples/Docker/alamlinux-systemd/Dockerfile similarity index 100% rename from examples/Docker/alamalinux-systemd/Dockerfile rename to examples/Docker/alamlinux-systemd/Dockerfile diff --git a/examples/Docker/alamalinux-systemd/script_tester.sh b/examples/Docker/alamlinux-systemd/script_tester.sh similarity index 100% rename from examples/Docker/alamalinux-systemd/script_tester.sh rename to examples/Docker/alamlinux-systemd/script_tester.sh From c87f2e8069192f5a9b96d27327ebfd81cbd1e2b1 Mon Sep 17 00:00:00 2001 
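Review bot: Both changed `run:` lines now reference `examples/Docker/almalinux-systemd/`, but the rename recorded in this commit moves the directory to `examples/Docker/alamlinux-systemd/` (the `rename to` lines after the hunk), so neither the `docker build` nor the `docker exec` will find its file. In addition, the changed `docker exec` line drops the `sh` prefix and executes the script directly, yet the script was created as mode 100644 and the rename is 100% similarity, so the bind-mounted file has no execute bit and the step will most likely fail with permission denied; keep `docker exec acme_srv sh /tmp/acme2certifier/examples/Docker/<dir>/script_tester.sh` or commit the file as mode 100755. The enclosing job starts before the hunk.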
From: grindsa Date: Sat, 10 Dec 2022 14:03:14 +0100 Subject: [PATCH 07/22] [wf] alma install worflow --- .../workflows/acme_sh-application-test.yml | 471 ++++++++++ .github/workflows/alpn-test.yml | 77 ++ .github/workflows/ca_handler_tests_acme.yml | 84 ++ .../workflows/ca_handler_tests_certifier.yml | 102 +++ .github/workflows/ca_handler_tests_cmp.yml | 284 +++++++ .github/workflows/ca_handler_tests_msca.yml | 230 +++++ .github/workflows/ca_handler_tests_nclm.yml | 124 +++ .../workflows/ca_handler_tests_openssl.yml | 89 ++ .../workflows/ca_handler_tests_pkcs7_soap.yml | 244 ++++++ .github/workflows/ca_handler_tests_xca.yml | 104 +++ .../workflows/certbot-application-test.yml | 377 +++++++++ .../certmanager-application-test.yml | 801 ++++++++++++++++++ .github/workflows/codecov.yml | 30 + .github/workflows/codeql-analysis.yml | 61 ++ .github/workflows/container-tests.yml | 293 +++++++ .github/workflows/create_release.yml | 48 ++ .github/workflows/django_tests..yml | 522 ++++++++++++ .github/workflows/dns-test.yml | 118 +++ .github/workflows/eab-test.yml | 130 +++ .github/workflows/enrollment-timeout.yml | 110 +++ .github/workflows/hooks-test.yml | 267 ++++++ .github/workflows/ipv6-test.yml | 207 +++++ .github/workflows/lego-application-test.yml | 356 ++++++++ .github/workflows/markdown-check.yml | 30 + .github/workflows/ossar-analysis.yml | 53 ++ .github/workflows/phonito_security_scan.yml | 128 +++ .github/workflows/proxy-test.yml | 258 ++++++ .../workflows/push_images_to_dockerhub.yml | 319 +++++++ .github/workflows/python-test.yml | 78 ++ .github/workflows/tnauth-test.yml | 70 ++ .github/workflows/wiki-update.yml | 26 + .../workflows/winacme-application-test.yml | 121 +++ .github/workflows/wsgi_handler-test.yml | 153 ++++ 33 files changed, 6365 insertions(+) create mode 100644 .github/workflows/acme_sh-application-test.yml create mode 100644 .github/workflows/alpn-test.yml create mode 100644 .github/workflows/ca_handler_tests_acme.yml create mode 100644 
.github/workflows/ca_handler_tests_certifier.yml create mode 100644 .github/workflows/ca_handler_tests_cmp.yml create mode 100644 .github/workflows/ca_handler_tests_msca.yml create mode 100644 .github/workflows/ca_handler_tests_nclm.yml create mode 100644 .github/workflows/ca_handler_tests_openssl.yml create mode 100644 .github/workflows/ca_handler_tests_pkcs7_soap.yml create mode 100644 .github/workflows/ca_handler_tests_xca.yml create mode 100644 .github/workflows/certbot-application-test.yml create mode 100644 .github/workflows/certmanager-application-test.yml create mode 100644 .github/workflows/codecov.yml create mode 100644 .github/workflows/codeql-analysis.yml create mode 100644 .github/workflows/container-tests.yml create mode 100644 .github/workflows/create_release.yml create mode 100644 .github/workflows/django_tests..yml create mode 100644 .github/workflows/dns-test.yml create mode 100644 .github/workflows/eab-test.yml create mode 100644 .github/workflows/enrollment-timeout.yml create mode 100644 .github/workflows/hooks-test.yml create mode 100644 .github/workflows/ipv6-test.yml create mode 100644 .github/workflows/lego-application-test.yml create mode 100644 .github/workflows/markdown-check.yml create mode 100644 .github/workflows/ossar-analysis.yml create mode 100644 .github/workflows/phonito_security_scan.yml create mode 100644 .github/workflows/proxy-test.yml create mode 100644 .github/workflows/push_images_to_dockerhub.yml create mode 100644 .github/workflows/python-test.yml create mode 100644 .github/workflows/tnauth-test.yml create mode 100644 .github/workflows/wiki-update.yml create mode 100644 .github/workflows/winacme-application-test.yml create mode 100644 .github/workflows/wsgi_handler-test.yml diff --git a/.github/workflows/acme_sh-application-test.yml b/.github/workflows/acme_sh-application-test.yml new file mode 100644 index 00000000..18e51492 --- /dev/null +++ b/.github/workflows/acme_sh-application-test.yml 
@@ -0,0 +1,471 @@ +name: Application Tests - acme_sh + +on: + push: + pull_request: + branches: [ devel ] + schedule: + # * is a special character in YAML so you have to quote this string + - cron: '0 2 * * 6' + +jobs: + acme_sh_apache2_wsgi: + name: "acme_sh_apache2_wsgi" + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + accountkeylength: [2048, ec-256, ec-521] + keylength: [2048, 4096, ec-521] + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + + - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" + working-directory: examples/Docker/ + run: | + sudo mkdir -p data + docker network create acme + docker-compose up -d + docker-compose logs + + - name: "Test http://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ PREPARE ] setup openssl ca_handler" + run: | + sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py + sudo mkdir -p examples/Docker/data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + docker-compose restart + docker-compose logs + + - name: "[ PREPARE ] prepare acme.sh container" + run: | + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + + - name: "[ ENROLL ] HTTP-01 single domain acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --accountkeylength ${{ matrix.accountkeylength }} --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure + if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then + ECC="_ecc" + fi + openssl verify 
-CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer + + - name: "[ RENEW ] HTTP-01 single domain acme.sh" + run: | + if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then + ECC="--ecc" + fi + docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --renew --force ${ECC} -d acme-sh.acme --standalone --debug 3 --output-insecure + if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then + ECC="_ecc" + fi + openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer + + - name: "[ REVOKE ] HTTP-01 single domain acme.sh" + run: | + if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then + ECC="--ecc" + fi + docker exec -i acme-sh acme.sh --server http://acme-srv --revoke ${ECC} -d acme-sh.acme --standalone --debug 2 --output-insecure + + - name: "[ ENROLL ] HTTP-01 2x domain acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --issue -d acme-sh.acme -d acme-sh. 
--standalone --debug 3 --output-insecure + if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then + ECC="_ecc" + fi + openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer + + - name: "[ RENEW ] HTTP-01 2x domain acme.sh" + run: | + if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then + ECC="--ecc" + fi + docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --renew --force ${ECC} -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure + if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then + ECC="_ecc" + fi + openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer + + - name: "[ REVOKE ] HTTP-01 2x domain acme.sh" + run: | + if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then + ECC="--ecc" + fi + docker exec -i acme-sh acme.sh --server http://acme-srv --revoke ${ECC} -d acme-sh.acme -d acme-sh. 
--standalone --debug 3 --output-insecure + + - name: "[ DEACTIVATE ] acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --deactivate-account --debug 2 --output-insecure + + - name: "[ * ] collecting test data" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh + + - name: "[ * ] uploading artifacts" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: acme_sh_apache2_wsgi-${{ matrix.accountkeylength }}_key-${{ matrix.keylength }}.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + acme_sh_apache2_django: + name: "acme_sh_apache2_django" + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + accountkeylength: [2048, ec-256, ec-521] + keylength: [2048, 4096, ec-521] + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + + - name: "[ PREPARE ] Build docker-compose (apache2_django)" + working-directory: examples/Docker/ + run: | + sed -i "s/wsgi/django/g" .env + sudo mkdir -p data + docker network create acme + docker-compose up -d + docker-compose logs + + - name: "[ WAIT ] Sleep for 10s" + uses: juliangruber/sleep-action@v1 + with: + time: 10s + + - name: "Test http://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ PREPARE ] setup openssl ca_handler and django config" + run: | + sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py + sudo mkdir -p examples/Docker/data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem 
test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + sudo cp .github/django_settings.py examples/Docker/data/settings.py + cd examples/Docker/ + docker-compose restart + docker-compose logs + + - name: "[ PREPARE ] prepare acme.sh container" + run: | + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + + - name: "[ ENROLL ] HTTP-01 single domain acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --accountkeylength ${{ matrix.accountkeylength }} --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure + if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then + ECC="_ecc" + fi + openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer + + - name: "[ RENEW ] HTTP-01 single domain acme.sh" + run: | + if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then + ECC="--ecc" + fi + docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --renew --force ${ECC} -d acme-sh.acme --standalone --debug 3 --output-insecure + if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then + ECC="_ecc" + fi + openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer + + - name: "[ REVOKE ] HTTP-01 single domain acme.sh" + run: | + if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == 
"ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then + ECC="--ecc" + fi + docker exec -i acme-sh acme.sh --server http://acme-srv --revoke ${ECC} -d acme-sh.acme --standalone --debug 2 --output-insecure + + - name: "[ ENROLL ] HTTP-01 2x domain acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --issue -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure + if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then + ECC="_ecc" + fi + openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer + + - name: "[ RENEW ] HTTP-01 2x domain acme.sh" + run: | + if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then + ECC="--ecc" + fi + docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --renew --force ${ECC} -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure + if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then + ECC="_ecc" + fi + openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer + + - name: "[ REVOKE ] HTTP-01 2x domain acme.sh" + run: | + if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then + ECC="--ecc" + fi + docker exec -i acme-sh acme.sh --server http://acme-srv --revoke ${ECC} -d acme-sh.acme -d acme-sh. 
--standalone --debug 3 --output-insecure + + - name: "[ DEACTIVATE ] acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --deactivate-account --debug 2 --output-insecure + + - name: "[ * ] collecting test data" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh + + - name: "[ * ] uploading artifacts" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: acme_sh_apache2_django-${{ matrix.accountkeylength }}_key-${{ matrix.keylength }}.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + acme_sh_nginx_wsgi: + name: "acme_sh_nginx_wsgi" + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + accountkeylength: [2048, ec-256, ec-521] + keylength: [2048, 4096, ec-521] + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + + - name: "[ PREPARE ] Build docker-compose (nginx_django)" + working-directory: examples/Docker/ + run: | + sed -i "s/apache2/nginx/g" .env + sudo mkdir -p data + docker network create acme + docker-compose up -d + docker-compose logs + + - name: "[ WAIT ] Sleep for 10s" + uses: juliangruber/sleep-action@v1 + with: + time: 10s + + - name: "Test http://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ PREPARE ] setup openssl ca_handler" + run: | + sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py + sudo mkdir -p examples/Docker/data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem 
examples/Docker/data/acme_ca/ + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + docker-compose restart + docker-compose logs + + - name: "[ PREPARE ] prepare acme.sh container" + run: | + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + + - name: "[ ENROLL ] HTTP-01 single domain acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --accountkeylength ${{ matrix.accountkeylength }} --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure + if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then + ECC="_ecc" + fi + openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer + + - name: "[ RENEW ] HTTP-01 single domain acme.sh" + run: | + if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then + ECC="--ecc" + fi + docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --renew --force ${ECC} -d acme-sh.acme --standalone --debug 3 --output-insecure + if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then + ECC="_ecc" + fi + openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer + + - name: "[ REVOKE ] HTTP-01 single domain acme.sh" + run: | + if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then + ECC="--ecc" + fi + docker exec 
-i acme-sh acme.sh --server http://acme-srv --revoke ${ECC} -d acme-sh.acme --standalone --debug 2 --output-insecure + + - name: "[ ENROLL ] HTTP-01 2x domain acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --issue -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure + if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then + ECC="_ecc" + fi + openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer + + - name: "[ RENEW ] HTTP-01 2x domain acme.sh" + run: | + if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then + ECC="--ecc" + fi + docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --renew --force ${ECC} -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure + if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then + ECC="_ecc" + fi + openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer + + - name: "[ REVOKE ] HTTP-01 2x domain acme.sh" + run: | + if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then + ECC="--ecc" + fi + docker exec -i acme-sh acme.sh --server http://acme-srv --revoke ${ECC} -d acme-sh.acme -d acme-sh. 
--standalone --debug 3 --output-insecure + + - name: "[ DEACTIVATE ] acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --deactivate-account --debug 2 --output-insecure + + - name: "[ * ] collecting test data" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh + + - name: "[ * ] uploading artifacts" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: acme_sh_nginx_wsgi-${{ matrix.accountkeylength }}_key-${{ matrix.keylength }}.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + acme_sh_nginx_django: + name: "acme_sh_nginx_django" + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + accountkeylength: [2048, ec-256, ec-521] + keylength: [2048, 4096, ec-521] + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + + - name: "[ PREPARE ] Build docker-compose (nginx_django)" + working-directory: examples/Docker/ + run: | + sed -i "s/wsgi/django/g" .env + sed -i "s/apache2/nginx/g" .env + sudo mkdir -p data + docker network create acme + docker-compose up -d + docker-compose logs + + - name: "[ WAIT ] Sleep for 10s" + uses: juliangruber/sleep-action@v1 + with: + time: 10s + + - name: "Test http://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ PREPARE ] setup openssl ca_handler and django config" + run: | + sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py + sudo mkdir -p examples/Docker/data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem 
test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + sudo cp .github/django_settings.py examples/Docker/data/settings.py + cd examples/Docker/ + docker-compose restart + docker-compose logs + + - name: "[ PREPARE ] prepare acme.sh container" + run: | + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + + - name: "[ ENROLL ] HTTP-01 single domain acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --accountkeylength ${{ matrix.accountkeylength }} --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure + if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then + ECC="_ecc" + fi + openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer + + - name: "[ RENEW ] HTTP-01 single domain acme.sh" + run: | + if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then + ECC="--ecc" + fi + docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --renew --force ${ECC} -d acme-sh.acme --standalone --debug 3 --output-insecure + if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then + ECC="_ecc" + fi + openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer + + - name: "[ REVOKE ] HTTP-01 single domain acme.sh" + run: | + if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ 
matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then + ECC="--ecc" + fi + docker exec -i acme-sh acme.sh --server http://acme-srv --revoke ${ECC} -d acme-sh.acme --standalone --debug 2 --output-insecure + + - name: "[ ENROLL ] HTTP-01 2x domain acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --issue -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure + if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then + ECC="_ecc" + fi + openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer + + - name: "[ RENEW ] HTTP-01 2x domain acme.sh" + run: | + if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then + ECC="--ecc" + fi + docker exec -i acme-sh acme.sh --server http://acme-srv --keylength ${{ matrix.keylength }} --renew --force ${ECC} -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure + if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then + ECC="_ecc" + fi + openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer + + - name: "[ REVOKE ] HTTP-01 2x domain acme.sh" + run: | + if ([ "${{ matrix.keylength }}" == "ec-256" ] || [ "${{ matrix.keylength }}" == "ec-384" ] || [ "${{ matrix.keylength }}" == "ec-521" ]) ; then + ECC="--ecc" + fi + docker exec -i acme-sh acme.sh --server http://acme-srv --revoke ${ECC} -d acme-sh.acme -d acme-sh. 
--standalone --debug 3 --output-insecure
+
+ - name: "[ DEACTIVATE ] acme.sh"
+ run: |
+ docker exec -i acme-sh acme.sh --server http://acme-srv --deactivate-account --debug 2 --output-insecure
+
+ - name: "[ * ] collecting test data"
+ if: ${{ failure() }}
+ run: |
+ mkdir -p ${{ github.workspace }}/artifact/upload
+ sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
+ sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
+ cd examples/Docker
+ docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
+ sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh
+
+ - name: "[ * ] uploading artifacts"
+ uses: actions/upload-artifact@v2
+ if: ${{ failure() }}
+ with:
+ name: acme_sh_nginx_django-${{ matrix.accountkeylength }}_key-${{ matrix.keylength }}.tar.gz
+ path: ${{ github.workspace }}/artifact/upload/
diff --git a/.github/workflows/alpn-test.yml b/.github/workflows/alpn-test.yml
new file mode 100644
index 00000000..5ef6f489
--- /dev/null
+++ b/.github/workflows/alpn-test.yml
@@ -0,0 +1,77 @@
+name: TLS-ALPN-01 challenge tests
+
+on:
+ push:
+ pull_request:
+ branches: [ devel ]
+ schedule:
+ # * is a special character in YAML so you have to quote this string
+ - cron: '0 2 * * 6'
+
+jobs:
+ alpn_apache2_wsgi:
+ name: "alpn_apache2_wsgi"
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ keylength: [2048]
+ steps:
+ - name: "checkout GIT"
+ uses: actions/checkout@v2
+
+ - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
+ working-directory: examples/Docker/
+ run: |
+ sudo mkdir -p data
+ docker network create acme
+ docker-compose up -d
+ docker-compose logs
+
+ - name: "Test http://acme-srv/directory is accessable"
+ run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+
+ - name: "[ PREPARE ] setup openssl ca_handler"
+ run: |
+ sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py
+ sudo mkdir -p examples/Docker/data/acme_ca/certs
+ sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/
+ sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
+ sudo chmod 777 examples/Docker/data/acme_srv.cfg
+ cd examples/Docker/
+ docker-compose restart
+ docker-compose logs
+
+ - name: "Test http://acme-srv/directory is accessable again"
+ run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+
+ - name: "[ PREPARE ] prepare acme.sh container"
+ run: |
+ docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
+
+ - name: "[ ENROLL ] acme.sh"
+ run: |
+ docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force
+ openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
+
+ - name: "[ ENROLL ] lego"
+ run: |
+ mkdir lego
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --tls run
+ sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt
+
+ - name: "[ * ] collecting test logs"
+ if: ${{ failure() }}
+ run: |
+ mkdir -p ${{ github.workspace }}/artifact/upload
+ sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
+ cd examples/Docker
+ docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
+ sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data
+
+ - name: "[ * ] uploading artificates"
+ uses: actions/upload-artifact@v2
+ if: ${{ failure() }}
+ with:
+ name: alpn-${{ matrix.keylength }}.tar.gz
+ path: ${{ github.workspace }}/artifact/upload/
diff --git a/.github/workflows/ca_handler_tests_acme.yml b/.github/workflows/ca_handler_tests_acme.yml
new file mode 100644
index 00000000..61f40382
--- /dev/null
+++ b/.github/workflows/ca_handler_tests_acme.yml
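Review bot: Every third-party component this job runs is referenced by a mutable tag — `uses: actions/checkout@v2`, `uses: actions/upload-artifact@v2`, the `neilpang/acme.sh:latest` image and the untagged `goacme/lego` image — so the code executed on the runner, and therefore what the `openssl verify` lines at the end of the ENROLL steps actually attest, can change without any commit to this repository. Pinning the actions to a full commit SHA (keeping the version in a trailing comment) and the images by digest, e.g. `neilpang/acme.sh@sha256:<IMAGE_DIGEST>`, makes the run reproducible and closes the tag-repoint path; the same pattern is in ca_handler_tests_acme.yml, ca_handler_tests_certifier.yml and ca_handler_tests_cmp.yml. The `sudo chmod 777 examples/Docker/data/acme_srv.cfg` in "[ PREPARE ] setup openssl ca_handler" presumably exists so the container can read a root-owned file; whether the handler also writes to it is not visible here, and if it does not, `chmod 644` is sufficient. The step names should read "accessible" and "artifacts" rather than "accessable"/"artificates".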
@@ -0,0 +1,84 @@
+name: CA handler tests - ACME
+
+on:
+ push:
+ pull_request:
+ branches: [ devel ]
+ schedule:
+ - cron: '0 2 * * 6'
+
+jobs:
+ acme_ca_handler_test:
+ name: "ACME CAhandler Tests"
+ runs-on: ubuntu-latest
+ steps:
+ - name: "checkout GIT"
+ uses: actions/checkout@v2
+
+ - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
+ working-directory: examples/Docker/
+ run: |
+ sudo mkdir -p data
+ docker network create acme
+ docker-compose up -d
+ docker-compose logs
+
+ - name: "[ PREPARE ] setup le-sim"
+ run: |
+ sudo mkdir -p examples/Docker/data-le
+ sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data-le/ca_handler.py
+ sudo mkdir -p examples/Docker/data-le/acme_ca/certs
+ sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data-le/acme_ca/
+ sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data-le/acme_srv.cfg
+ sudo chmod 777 examples/Docker/data-le/acme_srv.cfg
+ docker run -d -p 80:80 --rm -id --network acme --name=acme-le-sim -v "$(pwd)/examples/Docker/data-le":/var/www/acme2certifier/volume/ grindsa/acme2certifier:apache2-wsgi
+
+ - name: "Test http://acme-le-sim/directory is accessable"
+ run: docker run -i --rm --network acme curlimages/curl -f http://acme-le-sim/directory
+
+ - name: "[ PREPARE ] prepare acme.sh container"
+ run: |
+ sudo mkdir acme-sh
+ docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
+
+ - name: "[ TEST ] enroll from le-sim"
+ run: |
+ docker exec -i acme-sh acme.sh --server http://acme-le-sim --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force
+ openssl verify -CAfile acme-sh/acme-sh.acme/ca.cer acme-sh/acme-sh.acme/acme-sh.acme.cer
+
+ - name: "[ PREPARE ] setup acme_ca_handler"
+ run: |
+ sudo mkdir -p examples/Docker/data/acme
+ sudo chmod -R 777 examples/Docker/data/acme
+ sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
+ sudo chmod 777 examples/Docker/data/acme_srv.cfg
+ sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
+ sudo echo "handler_file: examples/ca_handler/acme_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "acme_keyfile: volume/acme/le_staging_private_key.json" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "acme_url: http://acme-le-sim" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "acme_account_email: grindsa@foo.bar" >> examples/Docker/data/acme_srv.cfg
+ sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" examples/Docker/data/acme_srv.cfg
+
+ - name: "[ ENROLL ] via acme_ca_handler"
+ run: |
+ docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-srv.acme --standalone --debug 3 --output-insecure --force
+ openssl verify -CAfile acme-sh/acme-sh.acme/ca.cer acme-sh/acme-sh.acme/acme-sh.acme.cer
+
+ - name: "[ * ] collecting test data"
+ if: ${{ failure() }}
+ run: |
+ mkdir -p ${{ github.workspace }}/artifact/upload
+ sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
+ sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
+ cd examples/Docker
+ # docker logs acme-le-sim > ${{ github.workspace }}/artifact/acme-le-sim.log
+ docker logs acme-le-sim
+ docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
+ sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data docker-compose.log acme-le-sim.log
+
+ - name: "[ * ] uploading artifacts"
+ uses: actions/upload-artifact@v2
+ if: ${{ failure() }}
+ with:
+ name: ca_handler.tar.gz
+ path: ${{ github.workspace }}/artifact/upload/
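Review bot: The chain check in "[ ENROLL ] via acme_ca_handler" verifies the wrong certificate: the step issues for `-d acme-srv.acme`, but `openssl verify -CAfile acme-sh/acme-sh.acme/ca.cer acme-sh/acme-sh.acme/acme-sh.acme.cer` re-checks the certificate obtained from le-sim in "[ TEST ] enroll from le-sim", so a certificate the ACME handler returned with a bad chain would not fail the job. Assuming acme.sh keeps the per-domain layout the earlier step already relies on, the line should be `openssl verify -CAfile acme-sh/acme-srv.acme/ca.cer acme-sh/acme-srv.acme/acme-srv.acme.cer`. In "[ * ] collecting test data" the `tar` member `acme-le-sim.log` is never created because the `docker logs acme-le-sim > …` redirect is commented out, so the collection step errors on a missing file; restore the redirect or drop the member. The `sudo echo "…" >> examples/Docker/data/acme_srv.cfg` lines only work because of the preceding `chmod 777` — the redirection is performed by the unprivileged shell, not by sudo — and `echo "…" | sudo tee -a examples/Docker/data/acme_srv.cfg` would avoid leaving the config world-writable. A short comment above the `sed` that flips `challenge_validation_disable` to `True`, stating why validation has to be off for this test, would also help the next reader.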
diff --git a/.github/workflows/ca_handler_tests_certifier.yml b/.github/workflows/ca_handler_tests_certifier.yml
new file mode 100644
index 00000000..76866707
--- /dev/null
+++ b/.github/workflows/ca_handler_tests_certifier.yml
@@ -0,0 +1,102 @@
+name: CA handler tests - Certifier
+
+on:
+ push:
+ pull_request:
+ branches: [ devel ]
+ schedule:
+ # * is a special character in YAML so you have to quote this string
+ - cron: '0 2 * * 6'
+
+jobs:
+ certifier_handler_tests:
+ name: "certifier_handler_tests"
+ runs-on: ubuntu-latest
+ steps:
+ - name: "checkout GIT"
+ uses: actions/checkout@v2
+
+ - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
+ working-directory: examples/Docker/
+ run: |
+ sudo mkdir -p data
+ docker network create acme
+ docker-compose up -d
+ docker-compose logs
+
+ - name: "[ PREPARE ] create letsencrypt and lego folder"
+ run: |
+ mkdir certbot
+ mkdir lego
+
+ - name: "Test http://acme-srv/directory is accessable"
+ run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+
+ - name: "[ PREPARE ] setup a2c with certifier_ca_handler"
+ run: |
+ sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
+ sudo touch examples/Docker/data/acme_srv.cfg
+ sudo chmod 777 examples/Docker/data/acme_srv.cfg
+ sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
+ sudo echo "handler_file: examples/ca_handler/certifier_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "api_host: $NCM_API_HOST" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "api_user: $NCM_API_USER" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "api_password: $NCM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "ca_name: $NCM_CA_NAME" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "ca_bundle: $NCM_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
+ cd examples/Docker/
+ docker-compose restart
+ docker-compose logs
+ env:
+ NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
+ NCM_API_USER: ${{ secrets.NCM_API_USER }}
+ NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
+ NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
+ NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
+
+ - name: "Test http://acme-srv/directory is accessable again"
+ run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+
+ - name: "[ PREPARE ] prepare acme.sh container"
+ run: |
+ sudo mkdir acme-sh
+ docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
+
+ - name: "[ ENROLL ] acme.sh"
+ run: |
+ docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force
+ awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
+ openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
+
+ - name: "[ REGISTER ] certbot"
+ run: |
+ docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
+
+ - name: "[ ENROLL ] HTTP-01 single domain certbot"
+ run: |
+ docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
+ sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
+
+ - name: "[ ENROLL ] lego"
+ run: |
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
+ sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
+
+ - name: "[ * ] collecting test logs"
+ if: ${{ failure() }}
+ run: |
+ mkdir -p ${{ github.workspace }}/artifact/upload
+ sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
+ sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
+ sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/
+ sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
+ cd examples/Docker
+ docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
+ sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego
+
+ - name: "[ * ] uploading artificates"
+ uses: actions/upload-artifact@v2
+ if: ${{ failure() }}
+ with:
+ name: ncm.tar.gz
+ path: ${{ github.workspace }}/artifact/upload/
diff --git a/.github/workflows/ca_handler_tests_cmp.yml b/.github/workflows/ca_handler_tests_cmp.yml
new file mode 100644
index 00000000..26c3c3cb
--- /dev/null
+++ b/.github/workflows/ca_handler_tests_cmp.yml
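Review bot: The "[ * ] collecting test logs" step packs `examples/Docker/data/` — including `acme_srv.cfg`, which "[ PREPARE ] setup a2c with certifier_ca_handler" filled with `api_host`, `api_user` and `api_password: $NCM_API_PASSWORD` taken from repository secrets — into `ncm.tar.gz` and uploads it with `actions/upload-artifact@v2`, so every failed run hands the CA API credentials to anyone who can download the run's artifacts; GitHub masks secret values in the job log, not inside uploaded files. Remove or redact the credential lines before the `tar` call, e.g. `sudo rm -f ${{ github.workspace }}/artifact/data/acme_srv.cfg`, and check whether `docker-compose.log` needs the same treatment, since the setup step also prints `docker-compose logs` straight to the job output. The secret-bearing config is assembled with the same `chmod 777` plus `sudo echo "…" >> …` construction as in ca_handler_tests_acme.yml; `echo "…" | sudo tee -a …` keeps the file root-owned without the world-writable mode. The `awk` split of `ca.cer` into `cert-1.pem`/`cert-2.pem` assumes the CA returns exactly a two-certificate chain; a one-line comment stating that assumption would save the next reader a trip into the handler.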
@@ -0,0 +1,284 @@ +name: CA handler tests - CMPv2 + +on: + push: + pull_request: + branches: [ devel ] + schedule: + # * is a special character in YAML so you have to quote this string + - cron: '0 2 * * 6' + +jobs: + cmp_handler_tests_keycert: + name: "cmp_handler_tests_keycert" + runs-on: ubuntu-latest + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + + #- name: "[ PREPARE ] patch docker file to ubuntu 22.04" + # run: | + # sudo sed -i "s/FROM ubuntu:20.04/FROM ubuntu:22.04/g" examples/Docker/apache2/wsgi/Dockerfile + + - name: "[ PREPARE ] get runner ip" + run: | + echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV + echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV + + - run: echo "runner IP is ${{ env.RUNNER_IP }}" + + - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" + working-directory: examples/Docker/ + run: | + sudo mkdir -p data + docker network create acme + docker-compose up -d + docker-compose logs + + - name: "[ PREPARE ] create letsencrypt and lego folder" + run: | + mkdir certbot + mkdir lego + + - name: "Test http://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ PREPARE ] setup a2c with cmp_ca_handler" + run: | + sudo touch examples/Docker/data/ca_bundle.pem + sudo touch examples/Docker/data/ra_cert.pem + sudo touch examples/Docker/data/ra_key.pem + sudo chmod 777 examples/Docker/data/*.pem + sudo echo "$CMP_TRUSTED" > examples/Docker/data/ca_bundle.pem + sudo echo "$CMP_RA_CERT" > examples/Docker/data/ra_cert.pem + sudo echo "$CMP_RA_KEY" > examples/Docker/data/ra_key.pem + sudo touch examples/Docker/data/acme_srv.cfg + sudo chmod 777 examples/Docker/data/acme_srv.cfg + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/cmp_ca_handler.py" >> 
examples/Docker/data/acme_srv.cfg + sudo echo "cmp_path: pkix/" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_ignore_keyusage: True" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_msg_timeout: 3" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_total_timeout: 5" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_server: $RUNNER_IP:8086" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_cert: volume/ra_cert.pem" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_key: volume/ra_key.pem" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_trusted: volume/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_recipient: $CMP_RECIPIENT" >> examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + docker-compose restart + docker-compose logs + env: + RUNNER_IP: ${{ env.RUNNER_IP }} + CMP_RECIPIENT: ${{ secrets.CMP_RECIPIENT }} + CMP_RA_KEY: ${{ secrets.CMP_RA_KEY }} + CMP_RA_CERT: ${{ secrets.CMP_RA_CERT }} + CMP_TRUSTED: ${{ secrets.CMP_TRUSTED }} + + - name: "Test http://acme-srv/directory is accessable again" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ PREPARE ] prepare acme.sh container" + run: | + sudo mkdir acme-sh + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + + - name: "[ PREPARE ] ssh environment on ramdisk" + run: | + sudo mkdir -p /tmp/rd + sudo mount -t tmpfs -o size=5M none /tmp/rd + sudo echo "$SSH_KEY" > /tmp/rd/ak.tmp + sudo chmod 600 /tmp/rd/ak.tmp + sudo echo "$KNOWN_HOSTS" > /tmp/rd/known_hosts + env: + SSH_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} + KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} + + - name: "[ PREPARE ] establish SSH connection" + run: sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -p $SSH_PORT -o UserKnownHostsFile=/tmp/rd/known_hosts -L 8086:$CMP_HOST:8086 -g ping -c 120 $CMP_HOST & + env: + SSH_USER: ${{ secrets.CMP_SSH_USER }} + SSH_HOST: ${{ secrets.CMP_SSH_HOST 
}} + SSH_PORT: ${{ secrets.CMP_SSH_PORT }} + CMP_HOST: ${{ secrets.CMP_HOST }} + + - name: "[ PREPARE ] Sleep for 5s" + uses: juliangruber/sleep-action@v1 + with: + time: 5s + + - name: "[ ENROLL ] acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer + + - name: "[ REGISTER ] certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email + + #- name: "[ ENROLL ] HTTP-01 single domain certbot" + # run: | + # docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot + # sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem + + - name: "[ ENROLL ] lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ + sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace 
}}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: cmpkeycert.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + cmp_handler_tests_refpsk: + name: "cmp_handler_tests_refpsk" + runs-on: ubuntu-latest + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + + - name: "[ PREPARE ] patch docker file to ubuntu 22.04" + run: | + sudo sed -i "s/FROM ubuntu:20.04/FROM ubuntu:22.04/g" examples/Docker/apache2/wsgi/Dockerfile + + - name: "[ PREPARE ] get runner ip" + run: | + echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV + echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV + + - run: echo "runner IP is ${{ env.RUNNER_IP }}" + + - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" + working-directory: examples/Docker/ + run: | + sudo mkdir -p data + docker network create acme + docker-compose up -d + docker-compose logs + + - name: "[ PREPARE ] create letsencrypt and lego folder" + run: | + mkdir certbot + mkdir lego + + - name: "Test http://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ PREPARE ] setup a2c with cmp_ca_handler" + run: | + sudo touch examples/Docker/data/ca_bundle.pem + sudo touch examples/Docker/data/ra_cert.pem + sudo chmod 777 examples/Docker/data/*.pem + sudo echo "$CMP_TRUSTED" > examples/Docker/data/ca_bundle.pem + sudo echo "$CMP_RA_CERT" > examples/Docker/data/ra_cert.pem + sudo touch examples/Docker/data/acme_srv.cfg + sudo chmod 777 examples/Docker/data/acme_srv.cfg + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/cmp_ca_handler.py" >> 
examples/Docker/data/acme_srv.cfg + sudo echo "cmp_path: pkix/" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_ignore_keyusage: True" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_msg_timeout: 3" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_total_timeout: 5" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_server: $RUNNER_IP:8086" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_cert: volume/ra_cert.pem" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_trusted: volume/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_recipient: $CMP_RECIPIENT" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_ref: $CMP_REF" >> examples/Docker/data/acme_srv.cfg + sudo echo "cmp_secret: $CMP_SECRET" >> examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + docker-compose restart + docker-compose logs + env: + RUNNER_IP: ${{ env.RUNNER_IP }} + CMP_RECIPIENT: ${{ secrets.CMP_RECIPIENT }} + CMP_RA_CERT: ${{ secrets.CMP_RA_CERT }} + CMP_TRUSTED: ${{ secrets.CMP_TRUSTED }} + CMP_REF: ${{ secrets.CMP_REF }} + CMP_SECRET: ${{ secrets.CMP_SECRET }} + + - name: "Test http://acme-srv/directory is accessable again" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ PREPARE ] prepare acme.sh container" + run: | + sudo mkdir acme-sh + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + + - name: "[ PREPARE ] ssh environment on ramdisk" + run: | + sudo mkdir -p /tmp/rd + sudo mount -t tmpfs -o size=5M none /tmp/rd + sudo echo "$SSH_KEY" > /tmp/rd/ak.tmp + sudo chmod 600 /tmp/rd/ak.tmp + sudo echo "$KNOWN_HOSTS" > /tmp/rd/known_hosts + env: + SSH_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} + KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} + + - name: "[ PREPARE ] establish SSH connection" + run: sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -p $SSH_PORT -o UserKnownHostsFile=/tmp/rd/known_hosts -L 8086:$CMP_HOST:8086 -g ping -c 
120 $CMP_HOST & + env: + SSH_USER: ${{ secrets.CMP_SSH_USER }} + SSH_HOST: ${{ secrets.CMP_SSH_HOST }} + SSH_PORT: ${{ secrets.CMP_SSH_PORT }} + CMP_HOST: ${{ secrets.CMP_HOST }} + + - name: "[ PREPARE ] Sleep for 5s" + uses: juliangruber/sleep-action@v1 + with: + time: 5s + + - name: "[ ENROLL ] acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer + openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer + + - name: "[ REGISTER ] certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email + + #- name: "[ ENROLL ] HTTP-01 single domain certbot" + # run: | + # docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot + # sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem + + - name: "[ ENROLL ] lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ + sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ + cd examples/Docker + 
docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: cmprefpsk.tar.gz + path: ${{ github.workspace }}/artifact/upload/ diff --git a/.github/workflows/ca_handler_tests_msca.yml b/.github/workflows/ca_handler_tests_msca.yml new file mode 100644 index 00000000..acd3d081 --- /dev/null +++ b/.github/workflows/ca_handler_tests_msca.yml 
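Review bot: The `[ * ] collecting test logs` step copies all of `examples/Docker/data/` into the artifact, and in this file that directory holds `ra_key.pem` (the RA private key written from `$CMP_RA_KEY`) and `acme_srv.cfg` carrying `cmp_ref`/`cmp_secret` in the refpsk job, so any failed run publishes those secrets as a downloadable artifact (secret masking applies to logs, not to artifact contents); the same pattern uploads the `password:` lines in ca_handler_tests_msca.yml and `api_password:` in ca_handler_tests_nclm.yml. Strip them before packing, e.g. `sudo rm -f ${{ github.workspace }}/artifact/data/ra_key.pem` and `sudo sed -i -e '/^cmp_secret:/d' -e '/^cmp_ref:/d' ${{ github.workspace }}/artifact/data/acme_srv.cfg`, or enumerate only the non-secret files on the tar line. Related: `sudo chmod 777 examples/Docker/data/*.pem` leaves the RA key world-writable as well as world-readable; `sudo echo "$CMP_RA_KEY" > file` performs the redirection in the unprivileged shell, which is presumably why 777 was chosen, but `printf '%s\n' "$CMP_RA_KEY" | sudo tee examples/Docker/data/ra_key.pem >/dev/null` followed by a `chmod 644` (or a chown to the container's uid) gives the container read access without opening the file for writes.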
@@ -0,0 +1,230 @@ +name: CA handler tests - Microsoft CA + +on: + push: + pull_request: + branches: [ devel ] + schedule: + # * is a special character in YAML so you have to quote this string + - cron: '0 2 * * 6' + +jobs: + wcce_handler_tests: + name: "wcce_handler_tests" + runs-on: ubuntu-latest + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + + - name: "[ PREPARE ] get runner ip" + run: | + echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV + echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV + + - run: echo "runner IP is ${{ env.RUNNER_IP }}" + + - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" + working-directory: examples/Docker/ + run: | + sudo mkdir -p data + docker network create acme + docker-compose up -d + docker-compose logs + + - name: "[ PREPARE ] create letsencrypt and lego folder" + run: | + mkdir certbot + mkdir lego + + - name: "Test http://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ PREPARE ] setup a2c with ms_wcce_ca_handler" + run: | + sudo touch examples/Docker/data/ca_certs.pem + sudo chmod 777 examples/Docker/data/ca_certs.pem + sudo echo "$WCCE_CA_BUNDLE" > examples/Docker/data/ca_certs.pem + sudo touch examples/Docker/data/acme_srv.cfg + sudo chmod 777 examples/Docker/data/acme_srv.cfg + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/mswcce_ca_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "host: $RUNNER_IP" >> examples/Docker/data/acme_srv.cfg + sudo echo "user: $WCCE_USER" >> examples/Docker/data/acme_srv.cfg + sudo echo "password: $WCCE_PASSWORD" >> examples/Docker/data/acme_srv.cfg + sudo echo "template: $WCCE_TEMPLATE" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_name: $WCCE_CA_NAME" >> 
examples/Docker/data/acme_srv.cfg + sudo echo "target_domain: $WCCE_ADS_DOMAIN" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_bundle: volume/ca_certs.pem" >> examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + docker-compose restart + docker-compose logs + env: + RUNNER_IP: ${{ env.RUNNER_IP }} + WCCE_USER: ${{ secrets.WCCE_USER }} + WCCE_PASSWORD: ${{ secrets.WCCE_PASSWORD }} + WCCE_TEMPLATE: ${{ secrets.WCCE_TEMPLATE }} + WCCE_CA_NAME: ${{ secrets.WCCE_CA_NAME }} + WCCE_ADS_DOMAIN: ${{ secrets.WCCE_ADS_DOMAIN }} + WCCE_CA_BUNDLE: ${{ secrets.WCCE_CA_BUNDLE }} + + - name: "Test http://acme-srv/directory is accessable again" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ PREPARE ] prepare acme.sh container" + run: | + sudo mkdir acme-sh + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + + - name: "[ PREPARE ] ssh environment on ramdisk " + run: | + sudo mkdir -p /tmp/rd + sudo mount -t tmpfs -o size=5M none /tmp/rd + sudo echo "$SSH_KEY" > /tmp/rd/ak.tmp + sudo chmod 600 /tmp/rd/ak.tmp + sudo echo "$KNOWN_HOSTS" > /tmp/rd/known_hosts + env: + SSH_KEY: ${{ secrets.WCCE_SSH_ACCESS_KEY }} + KNOWN_HOSTS: ${{ secrets.WCCE_SSH_KNOWN_HOSTS }} + + - name: "[ PREPARE ] establish SSH connection" + run: sudo ssh $SSH_USER@$SSH_HOST -i /tmp/rd/ak.tmp -p $SSH_PORT -o UserKnownHostsFile=/tmp/rd/known_hosts -L 445:$WCCE_HOST:445 -g ping -c 75 $WCCE_HOST & + env: + SSH_USER: ${{ secrets.WCCE_SSH_USER }} + SSH_HOST: ${{ secrets.WCCE_SSH_HOST }} + SSH_PORT: ${{ secrets.WCCE_SSH_PORT }} + WCCE_HOST: ${{ secrets.WCCE_HOST }} + + - name: "[ PREPARE ] Sleep for 5s" + uses: juliangruber/sleep-action@v1 + with: + time: 5s + + - name: "[ ENROLL ] acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force + openssl verify -CAfile 
examples/Docker/data/ca_certs.pem acme-sh/acme-sh.acme/acme-sh.acme.cer + + - name: "[ REGISTER] certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email + + - name: "[ ENROLL ] HTTP-01 single domain certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot + sudo openssl verify -CAfile examples/Docker/data/ca_certs.pem certbot/live/certbot/cert.pem + + - name: "[ ENROLL ] lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run + sudo openssl verify -CAfile examples/Docker/data/ca_certs.pem lego/certificates/lego.acme.crt + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ + sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: wcce.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + wes_handler_tests: + name: "wes_handler_tests" + runs-on: ubuntu-latest + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + + - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" + working-directory: 
examples/Docker/ + run: | + sudo mkdir -p data + docker network create acme + docker-compose up -d + docker-compose logs + + - name: "[ PREPARE ] create letsencrypt and lego folder" + run: | + mkdir certbot + mkdir lego + + - name: "Test http://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ PREPARE ] setup a2c with mscertsrv_ca_handler" + run: | + sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem + sudo touch examples/Docker/data/acme_srv.cfg + sudo chmod 777 examples/Docker/data/acme_srv.cfg + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/mscertsrv_ca_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "host: $WES_HOST" >> examples/Docker/data/acme_srv.cfg + sudo echo "user: $WES_USER" >> examples/Docker/data/acme_srv.cfg + sudo echo "password: $WES_PASSWORD" >> examples/Docker/data/acme_srv.cfg + sudo echo "auth_method: $WES_AUTHMETHOD" >> examples/Docker/data/acme_srv.cfg + sudo echo "template: $WES_TEMPLATE" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_bundle: volume/ca_certs.pem" >> examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + docker-compose restart + docker-compose logs + env: + WES_HOST: ${{ secrets.WES_HOST }} + WES_USER: ${{ secrets.WES_USER }} + WES_PASSWORD: ${{ secrets.WES_PASSWORD }} + WES_AUTHMETHOD: ${{ secrets.WES_AUTHMETHOD }} + WES_TEMPLATE: ${{ secrets.WES_TEMPLATE }} + + - name: "Test http://acme-srv/directory is accessable again" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ PREPARE ] prepare acme.sh container" + run: | + sudo mkdir acme-sh + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + + - name: "[ ENROLL ] acme.sh" + run: | + docker exec -i acme-sh acme.sh --server 
http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force + openssl verify -CAfile examples/Docker/data/ca_certs.pem acme-sh/acme-sh.acme/acme-sh.acme.cer + + - name: "[ REGISTER] certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email + + - name: "[ ENROLL ] HTTP-01 single domain certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot + sudo openssl verify -CAfile examples/Docker/data/ca_certs.pem certbot/live/certbot/cert.pem + + - name: "[ ENROLL ] lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run + sudo openssl verify -CAfile examples/Docker/data/ca_certs.pem lego/certificates/lego.acme.crt + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ + sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: wse.tar.gz + path: ${{ github.workspace }}/artifact/upload/ 
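Review bot: In `[ PREPARE ] establish SSH connection` the forward `ssh ... -L 445:$WCCE_HOST:445 -g ping -c 75 $WCCE_HOST &` is backgrounded and the job then only sleeps 5 s, so a forward that fails to bind or a slow SSH handshake is never detected and the enrollment steps fail far from the cause; the port-8086 tunnel in ca_handler_tests_cmp.yml has the same shape. Add `-o ExitOnForwardFailure=yes` to the ssh command so an unbound forward terminates the session, and replace the `juliangruber/sleep-action@v1` step with a readiness loop in a `run: |` block such as `timeout 60 bash -c 'until (exec 3<>/dev/tcp/$RUNNER_IP/445) 2>/dev/null; do sleep 1; done'`, which fails the job when the tunnel is not up and also removes a mutable-tag third-party action from a job whose workspace holds the `chmod 777` CA bundle and a config written with `$WCCE_PASSWORD`. The tunnel lifetime is bounded by `ping -c 75` (roughly 75 s), which presumably has to outlast the three enrollments; if the job ever starts failing at the certbot or lego step with a connection error, that bound is the first thing to check.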
diff --git a/.github/workflows/ca_handler_tests_nclm.yml b/.github/workflows/ca_handler_tests_nclm.yml new file mode 100644 index 00000000..923fdadb --- /dev/null +++ b/.github/workflows/ca_handler_tests_nclm.yml 
@@ -0,0 +1,124 @@ +name: CA handler tests - NCLM + +on: + push: + pull_request: + branches: [ devel ] + schedule: + # * is a special character in YAML so you have to quote this string + - cron: '0 2 * * 6' + +jobs: + nclm_handler_tests: + name: "nclm_handler_tests" + runs-on: ubuntu-latest + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + + - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" + working-directory: examples/Docker/ + run: | + sudo mkdir -p data + docker network create acme + docker-compose up -d + docker-compose logs + + - name: "[ PREPARE ] create letsencrypt and lego folder" + run: | + mkdir certbot + mkdir lego + + - name: "Test http://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ PREPARE ] setup a2c with nclm_ca_handler" + run: | + sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem + sudo touch examples/Docker/data/acme_srv.cfg + sudo chmod 777 examples/Docker/data/acme_srv.cfg + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: examples/ca_handler/nclm_ca_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_host: $NCLM_API_HOST" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_user: $NCLM_API_USER" >> examples/Docker/data/acme_srv.cfg + sudo echo "api_password: $NCLM_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg + sudo echo "tsg_name: $NCLM_TSG_NAME" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_name: $NCLM_CA_NAME" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_id_list: [$NCLM_CA_ID_LIST]" >> examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + docker-compose restart + docker-compose logs + env: + NCLM_API_HOST: ${{ secrets.NCLM_API_HOST }} + NCLM_API_USER: ${{ secrets.NCLM_API_USER }} + NCLM_API_PASSWORD: ${{ secrets.NCLM_API_PASSWORD }} + NCLM_TSG_NAME: ${{ secrets.NCLM_TSG_NAME }} + 
NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }} + NCLM_CA_ID_LIST: ${{ secrets.NCLM_CA_ID_LIST }} + + - name: "Test http://acme-srv/directory is accessable again" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ PREPARE ] prepare acme.sh container" + run: | + sudo mkdir acme-sh + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + + - name: "[ ENROLL ] acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force + awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer + # openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer + + - name: "[ REGISTER] certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email + + - name: "[ ENROLL ] HTTP-01 single domain certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem + + - name: "[ ENROLL ] lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run + sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt + + - name: "[ PREPARE ] reconfigure nclm handler" + run: | + sudo sed -i "s/ca_name: $NCLM_CA_NAME/ca_name: $NCLM_MSCA_NAME/g" examples/Docker/data/acme_srv.cfg + sudo echo "template_name: $NCLM_MSCA_TEMPLATE_NAME" >> examples/Docker/data/acme_srv.cfg + sudo rm 
-rf lego/* + env: + NCLM_MSCA_TEMPLATE_NAME: ${{ secrets.NCLM_MSCA_TEMPLATE_NAME }} + NCLM_MSCA_NAME: ${{ secrets.NCLM_MSCA_NAME }} + NCLM_CA_NAME: ${{ secrets.NCLM_CA_NAME }} + + - name: "[ PREPARE ] restart a2c" + working-directory: examples/Docker/ + run: | + docker-compose restart + + - name: "[ ENROLL ] lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run + sudo openssl verify -CAfile lego/certificates/lego.acme.issuer.crt lego/certificates/lego.acme.crt + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ + sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: nclm.tar.gz + path: ${{ github.workspace }}/artifact/upload/ diff --git a/.github/workflows/ca_handler_tests_openssl.yml b/.github/workflows/ca_handler_tests_openssl.yml new file mode 100644 index 00000000..8ebedad5 --- /dev/null +++ b/.github/workflows/ca_handler_tests_openssl.yml 
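Review bot: In `[ PREPARE ] reconfigure nclm handler` the sed pattern `s/ca_name: $NCLM_CA_NAME/ca_name: $NCLM_MSCA_NAME/g` is built from an unescaped secret value, so a CA name containing `/` or a regex metacharacter makes the substitution silently match nothing, the step still passes, and the second `[ ENROLL ] lego` runs against the first CA. Anchoring on the key avoids both the escaping problem and the extra secret lookup: `sudo sed -i "s|^ca_name: .*|ca_name: $NCLM_MSCA_NAME|" examples/Docker/data/acme_srv.cfg` (the replacement side still must not contain `|` or `&`). Note also that the second lego verification uses `-CAfile lego/certificates/lego.acme.issuer.crt`, i.e. the issuer certificate the server itself returned, and the acme.sh `openssl verify` is commented out, so these checks only prove the chain is self-consistent rather than that the expected CA issued the certificate; if the NCLM CA name appears in the issuer DN, an `openssl x509 -noout -issuer | grep -F "$NCLM_MSCA_NAME"` on the leaf would pin that.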
@@ -0,0 +1,89 @@ +name: CA handler tests - OpenSSL + +on: + push: + pull_request: + branches: [ devel ] + schedule: + # * is a special character in YAML so you have to quote this string + - cron: '0 2 * * 6' + +jobs: + openssl_handler_tests: + name: "openssl_handler_tests" + runs-on: ubuntu-latest + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + + - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" + working-directory: examples/Docker/ + run: | + sudo mkdir -p data + docker network create acme + docker-compose up -d + docker-compose logs + + - name: "[ PREPARE ] create letsencrypt and lego folder" + run: | + mkdir certbot + mkdir lego + + - name: "Test http://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ PREPARE ] setup a2c with openssl_ca_handler" + run: | + sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py + sudo mkdir -p examples/Docker/data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + docker-compose restart + docker-compose logs + + - name: "Test http://acme-srv/directory is accessable again" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ PREPARE ] prepare acme.sh container" + run: | + sudo mkdir acme-sh + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + + - name: "[ ENROLL ] acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force + openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted 
examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer + + - name: "[ REGISTER] certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email + + - name: "[ ENROLL ] HTTP-01 single domain certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem + + - name: "[ ENROLL ] lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ + sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: openssl.tar.gz + path: ${{ github.workspace }}/artifact/upload/ 
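Review bot: The tar line in `[ * ] collecting test logs` packs `docker-compose.log data acme-sh certbot` but not `lego`, although the step copies `lego/` into the artifact directory two lines earlier and the other handler workflows in this patch include it, so lego's output is missing from the failure artifact. Change it to `sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego`. As a matter of style, `actions/checkout@v2` and `actions/upload-artifact@v2` are referenced by mutable major tags throughout these workflows; pinning each to a full commit SHA with the tag in a trailing comment is the usual hardening against tag drift.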
diff --git a/.github/workflows/ca_handler_tests_pkcs7_soap.yml b/.github/workflows/ca_handler_tests_pkcs7_soap.yml new file mode 100644 index 00000000..5e0e7584 --- /dev/null +++ b/.github/workflows/ca_handler_tests_pkcs7_soap.yml 
@@ -0,0 +1,244 @@ +name: CA handler tests - PKCS#7-SOAP handler + +on: + push: + pull_request: + branches: [ devel ] + schedule: + # * is a special character in YAML so you have to quote this string + - cron: '0 2 * * 6' + +jobs: + pkcs7_soap_handler_signint_tests: + name: "pkcs7_soap_handler_tests internal signer" + runs-on: ubuntu-latest + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + + - name: "[ PREPARE ] SOAP server" + run: | + sudo mkdir -p examples/Docker/data + docker network create acme + sudo mkdir -p examples/Docker/data/xca + sudo chmod -R 777 examples/Docker/data/xca + sudo cp test/ca/acme2certifier-clean.xdb examples/Docker/data/xca/$XCA_DB_NAME + sudo touch examples/Docker/data/soap_srv.cfg + sudo chmod 777 examples/Docker/data/soap_srv.cfg + sudo echo "[CAhandler]" >> examples/Docker/data/soap_srv.cfg + sudo echo "xdb_file: /etc/soap-srv/xca/$XCA_DB_NAME" >> examples/Docker/data/soap_srv.cfg + sudo echo "issuing_ca_name: $XCA_ISSUING_CA" >> examples/Docker/data/soap_srv.cfg + sudo echo "issuing_ca_key: $XCA_ISSUING_CA" >> examples/Docker/data/soap_srv.cfg + sudo echo "passphrase: $XCA_PASSPHRASE" >> examples/Docker/data/soap_srv.cfg + sudo echo "ca_cert_chain_list: [\"root-ca\"]" >> examples/Docker/data/soap_srv.cfg + sudo echo "template_name: $XCA_TEMPLATE" >> examples/Docker/data/soap_srv.cfg + env: + XCA_PASSPHRASE: ${{ secrets.XCA_PASSPHRASE }} + XCA_ISSUING_CA: ${{ secrets.XCA_ISSUING_CA }} + XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} + XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} + + - name: "[ PREPARE ] Build and start SOAP server" + working-directory: examples/Docker/ + run: | + docker-compose -f soap_srv.yml up -d + docker-compose -f soap_srv.yml logs + + - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" + working-directory: examples/Docker/ + run: | + docker-compose up -d + docker-compose logs + + - name: "[ PREPARE ] create letsencrypt and lego folder" + run: | + mkdir certbot + mkdir lego + + - name: "Test 
http://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ PREPARE ] setup a2c with pkcs7_ca_handler" + run: | + sudo mkdir -p examples/Docker/data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ + sudo touch examples/Docker/data/acme_srv.cfg + sudo chmod 777 examples/Docker/data/acme_srv.cfg + sudo cp test/ca/sub-ca-key.pem examples/Docker/data/key.pem + sudo cp test/ca/sub-ca-cert.pem examples/Docker/data/cert.pem + sudo cp test/ca/certs.pem examples/Docker/data/ca_bundle.pem + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/pkcs7_soap_ca_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "soap_srv: http://soap-srv.acme:8888" >> examples/Docker/data/acme_srv.cfg + sudo echo "signing_cert: /var/www/acme2certifier/volume/cert.pem" >> examples/Docker/data/acme_srv.cfg + sudo echo "signing_key: /var/www/acme2certifier/volume/key.pem" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_bundle: /var/www/acme2certifier/volume/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg + sudo echo "profilename: foo" >> examples/Docker/data/acme_srv.cfg + sudo echo "email: grindsa@foo.bar" >> examples/Docker/data/acme_srv.cfg + cat examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + docker-compose restart + docker-compose logs + + - name: "[ PREPARE ] prepare acme.sh container" + run: | + sudo mkdir acme-sh + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + + - name: "[ ENROLL ] acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force + openssl verify 
-CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer + + - name: "[ REGISTER] certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email + + - name: "[ ENROLL ] HTTP-01 single domain certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem + + - name: "[ ENROLL ] lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ + sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ + cd examples/Docker + docker-compose -f soap_srv.yml logs > ${{ github.workspace }}/artifact/soap-srv.log + docker-compose logs > ${{ github.workspace }}/artifact/a2c.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz a2c.log data soap-srv.log acme-sh certbot lego + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + 
name: pkcs7soap-int.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + pkcs7_soap_handler_signext_tests: + name: "pkcs7_soap_handler_tests external signer" + runs-on: ubuntu-latest + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + + - name: "[ PREPARE ] SOAP server" + run: | + sudo mkdir -p examples/Docker/data + docker network create acme + sudo mkdir -p examples/Docker/data/xca + sudo chmod -R 777 examples/Docker/data/xca + sudo cp test/ca/acme2certifier-clean.xdb examples/Docker/data/xca/$XCA_DB_NAME + sudo touch examples/Docker/data/soap_srv.cfg + sudo chmod 777 examples/Docker/data/soap_srv.cfg + sudo echo "[CAhandler]" >> examples/Docker/data/soap_srv.cfg + sudo echo "xdb_file: /etc/soap-srv/xca/$XCA_DB_NAME" >> examples/Docker/data/soap_srv.cfg + sudo echo "issuing_ca_name: $XCA_ISSUING_CA" >> examples/Docker/data/soap_srv.cfg + sudo echo "issuing_ca_key: $XCA_ISSUING_CA" >> examples/Docker/data/soap_srv.cfg + sudo echo "passphrase: $XCA_PASSPHRASE" >> examples/Docker/data/soap_srv.cfg + sudo echo "ca_cert_chain_list: [\"root-ca\"]" >> examples/Docker/data/soap_srv.cfg + sudo echo "template_name: $XCA_TEMPLATE" >> examples/Docker/data/soap_srv.cfg + env: + XCA_PASSPHRASE: ${{ secrets.XCA_PASSPHRASE }} + XCA_ISSUING_CA: ${{ secrets.XCA_ISSUING_CA }} + XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} + XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} + + - name: "[ PREPARE ] Build and start SOAP server" + working-directory: examples/Docker/ + run: | + docker-compose -f soap_srv.yml up -d + docker-compose -f soap_srv.yml logs + + - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" + working-directory: examples/Docker/ + run: | + docker-compose up -d + docker-compose logs + + - name: "[ PREPARE ] create letsencrypt and lego folder" + run: | + mkdir certbot + mkdir lego + + - name: "Test http://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ PREPARE ] setup a2c 
with pkcs7_ca_handler" + run: | + sudo mkdir -p examples/Docker/data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ + sudo touch examples/Docker/data/acme_srv.cfg + sudo chmod 777 examples/Docker/data/acme_srv.cfg + sudo cp examples/soap/mock_signer.py examples/Docker/data/ + sudo chmod 755 examples/Docker/data/mock_signer.py + sudo cp test/ca/sub-ca-key.pem examples/Docker/data/key.pem + sudo cp test/ca/sub-ca-cert.pem examples/Docker/data/cert.pem + sudo cp test/ca/certs.pem examples/Docker/data/ca_bundle.pem + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/pkcs7_soap_ca_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "soap_srv: http://soap-srv.acme:8888" >> examples/Docker/data/acme_srv.cfg + sudo echo "signing_script: /var/www/acme2certifier/volume/mock_signer.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "signing_alias: /var/www/acme2certifier/volume/cert.pem" >> examples/Docker/data/acme_srv.cfg + sudo echo "signing_config_variant: /var/www/acme2certifier/volume/key.pem" >> examples/Docker/data/acme_srv.cfg + sudo echo "signing_csr_path: /var/www/acme2certifier/volume" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_bundle: /var/www/acme2certifier/volume/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg + sudo echo "profilename: foo" >> examples/Docker/data/acme_srv.cfg + sudo echo "email: grindsa@foo.bar" >> examples/Docker/data/acme_srv.cfg + cat examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + docker-compose restart + docker-compose logs + + - name: "[ PREPARE ] prepare acme.sh container" + run: | + sudo mkdir acme-sh + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + + - name: "[ ENROLL ] acme.sh" + run: | + docker exec -i 
acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force + openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer + + - name: "[ REGISTER] certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email + + - name: "[ ENROLL ] HTTP-01 single domain certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem + + - name: "[ ENROLL ] lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ + sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ + cd examples/Docker + docker-compose -f soap_srv.yml logs > ${{ github.workspace }}/artifact/soap-srv.log + docker-compose logs > ${{ github.workspace }}/artifact/a2c.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace 
}}/artifact/upload/artifact.tar.gz a2c.log data soap-srv.log acme-sh certbot lego + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: pkcs7soap-ext.tar.gz + path: ${{ github.workspace }}/artifact/upload/ diff --git a/.github/workflows/ca_handler_tests_xca.yml b/.github/workflows/ca_handler_tests_xca.yml new file mode 100644 index 00000000..47adcd75 --- /dev/null +++ b/.github/workflows/ca_handler_tests_xca.yml 
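Review bot: The failure-only "[ * ] collecting test logs" step copies examples/Docker/data/ — including soap_srv.cfg, into which the preparation step appended `passphrase: $XCA_PASSPHRASE` — into the tarball that actions/upload-artifact then publishes, so any failed run exposes the secret in plaintext to everyone who can download workflow artifacts (GitHub masks secrets in logs, not in artifacts). Both jobs in this hunk have the same step, and the ca_handler_tests_xca.yml hunk has the same problem with acme_srv.cfg. Strip or redact the file before the tar, e.g. `sudo sed -i 's/^passphrase:.*/passphrase: [REDACTED]/' ${{ github.workspace }}/artifact/data/soap_srv.cfg`. The `sudo chmod 777 examples/Docker/data/soap_srv.cfg` that precedes the appends also leaves the passphrase world-readable and -writable on the runner; `echo "..." | sudo tee -a` with the default mode would avoid the need for it, provided the container user can still read the volume.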
@@ -0,0 +1,104 @@ +name: CA handler tests - XCA + +on: + push: + pull_request: + branches: [ devel ] + schedule: + # * is a special character in YAML so you have to quote this string + - cron: '0 2 * * 6' + +jobs: + xca_handler_tests: + name: "xca_handler_tests" + runs-on: ubuntu-latest + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + + - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" + working-directory: examples/Docker/ + run: | + sudo mkdir -p data + docker network create acme + docker-compose up -d + docker-compose logs + + - name: "[ PREPARE ] create letsencrypt and lego folder" + run: | + mkdir certbot + mkdir lego + + - name: "Test http://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ PREPARE ] setup a2c with xca_ca_handler" + run: | + sudo mkdir -p examples/Docker/data/xca + sudo chmod -R 777 examples/Docker/data/xca + sudo cp test/ca/acme2certifier-clean.xdb examples/Docker/data/xca/$XCA_DB_NAME + sudo mkdir -p examples/Docker/data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ + sudo touch examples/Docker/data/acme_srv.cfg + sudo chmod 777 examples/Docker/data/acme_srv.cfg + sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg + sudo echo "handler_file: /var/www/acme2certifier/examples/ca_handler/xca_ca_handler.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "xdb_file: volume/xca/$XCA_DB_NAME" >> examples/Docker/data/acme_srv.cfg + sudo echo "issuing_ca_name: $XCA_ISSUING_CA" >> examples/Docker/data/acme_srv.cfg + sudo echo "passphrase: $XCA_PASSPHRASE" >> examples/Docker/data/acme_srv.cfg + sudo echo "ca_cert_chain_list: [\"root-ca\"]" >> examples/Docker/data/acme_srv.cfg + sudo echo "template_name: $XCA_TEMPLATE" >> examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + 
docker-compose restart + docker-compose logs + env: + XCA_PASSPHRASE: ${{ secrets.XCA_PASSPHRASE }} + XCA_ISSUING_CA: ${{ secrets.XCA_ISSUING_CA }} + XCA_TEMPLATE: ${{ secrets.XCA_TEMPLATE }} + XCA_DB_NAME: ${{ secrets.XCA_DB_NAME }} + + - name: "Test http://acme-srv/directory is accessable again" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ PREPARE ] prepare acme.sh container" + run: | + sudo mkdir acme-sh + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + + - name: "[ ENROLL ] acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force + openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer + + - name: "[ REGISTER] certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email + + - name: "[ ENROLL ] HTTP-01 single domain certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem + + - name: "[ ENROLL ] lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt + + - name: 
"[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ + sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: xca.tar.gz + path: ${{ github.workspace }}/artifact/upload/ diff --git a/.github/workflows/certbot-application-test.yml b/.github/workflows/certbot-application-test.yml new file mode 100644 index 00000000..c8e4ac37 --- /dev/null +++ b/.github/workflows/certbot-application-test.yml 
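Review bot: The "[ PREPARE ] setup a2c with xca_ca_handler" step depends on `secrets.XCA_DB_NAME`, `secrets.XCA_PASSPHRASE` and the other XCA secrets, but the workflow also runs on `pull_request`, where GitHub does not expose repository secrets to runs from forked repositories; with `$XCA_DB_NAME` empty the `cp` target becomes the `xca/` directory itself and `xdb_file: volume/xca/` points at a directory, so fork PRs presumably fail here with a misleading error rather than a clear skip. Consider gating the job, e.g. `if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}`, or failing fast with `test -n "$XCA_DB_NAME"` at the top of the step. Separately, `actions/checkout@v2` and `actions/upload-artifact@v2` are referenced by mutable tag; pinning them to a full commit SHA would prevent a moved tag from silently changing what runs with access to these secrets.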
@@ -0,0 +1,377 @@ +name: Application Tests - Certbot + +on: + push: + pull_request: + branches: [ devel ] + schedule: + # * is a special character in YAML so you have to quote this string + - cron: '0 2 * * 6' + +jobs: + + certbot_apache2_wsgi: + name: "certbot_apache2_wsgi" + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + keylength: [2048, 4096] + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + + - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" + working-directory: examples/Docker/ + run: | + sudo mkdir -p data + docker network create acme + docker-compose up -d + docker-compose logs + + - name: "[ PREPARE ] Sleep for 10s" + uses: juliangruber/sleep-action@v1 + with: + time: 10s + + - name: "Test http://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ PREPARE ] setup openssl ca_handler" + run: | + sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py + sudo mkdir -p examples/Docker/data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + docker-compose restart + docker-compose logs + + - name: "[ PREPARE ] create letsencrypt folder" + run: | + mkdir certbot + + - name: "[ REGISTER] certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email + + - name: "[ ENROLL ] HTTP-01 single domain certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name 
certbot + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem + + - name: "[ RENEW ] HTTP-01 single domain certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem + + - name: "[ REVOKE ] HTTP-01 single domain certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot + + - name: "[ ENROLL ] HTTP-01 2x domain certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme -d certbot. --cert-name certbot + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem + + - name: "[ RENEW ] HTTP-01 single domain certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme -d certbot. 
--cert-name certbot + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem + + - name: "[ REVOKE ] HTTP-01 single domain certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme -d certbot. --cert-name certbot + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data certbot + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: certbot_key-${{ matrix.keylength }}.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + certbot_apache2_django: + name: "certbot_apache2_django" + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + keylength: [2048, 4096] + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + + - name: "[ PREPARE ] Build docker-compose (apache2_django)" + working-directory: examples/Docker/ + run: | + sed -i "s/wsgi/django/g" .env + sudo mkdir -p data + docker network create acme + docker-compose up -d + docker-compose logs + + - name: "[ PREPARE ] Sleep for 10s" + uses: juliangruber/sleep-action@v1 + with: + time: 10s + + - name: "Test http://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ PREPARE ] setup openssl ca_handler and django config" + run: | + sudo cp examples/ca_handler/openssl_ca_handler.py 
examples/Docker/data/ca_handler.py + sudo mkdir -p examples/Docker/data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + sudo cp .github/django_settings.py examples/Docker/data/settings.py + cd examples/Docker/ + docker-compose restart + docker-compose logs + + - name: "[ PREPARE ] create letsencrypt folder" + run: | + mkdir certbot + + - name: "[ REGISTER] certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email + + - name: "[ ENROLL ] HTTP-01 single domain certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem + + - name: "[ RENEW ] HTTP-01 single domain certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem + + - name: "[ REVOKE ] HTTP-01 single domain certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot + + - name: "[ ENROLL 
] HTTP-01 2x domain certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme -d certbot. --cert-name certbot + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem + + - name: "[ RENEW ] HTTP-01 single domain certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme -d certbot. --cert-name certbot + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem + + - name: "[ REVOKE ] HTTP-01 single domain certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme -d certbot. 
--cert-name certbot + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data certbot + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: certbot_key-${{ matrix.keylength }}.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + certbot_nginx_wsgi: + name: "certbot_nginx_wsgi" + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + keylength: [2048, 4096] + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + + - name: "[ PREPARE ] Build docker-compose (nginx_django)" + working-directory: examples/Docker/ + run: | + sed -i "s/apache2/nginx/g" .env + sudo mkdir -p data + docker network create acme + docker-compose up -d + docker-compose logs + + - name: "[ PREPARE ] Sleep for 10s" + uses: juliangruber/sleep-action@v1 + with: + time: 10s + + - name: "Test http://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ PREPARE ] setup openssl ca_handler" + run: | + sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py + sudo mkdir -p examples/Docker/data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + docker-compose restart + docker-compose logs + + - name: "[ PREPARE ] create letsencrypt folder" + run: | + mkdir certbot 
+ + - name: "[ REGISTER] certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email + + - name: "[ ENROLL ] HTTP-01 single domain certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem + + - name: "[ RENEW ] HTTP-01 single domain certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem + + - name: "[ REVOKE ] HTTP-01 single domain certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot + + - name: "[ ENROLL ] HTTP-01 2x domain certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme -d certbot. 
--cert-name certbot + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem + + - name: "[ RENEW ] HTTP-01 single domain certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme -d certbot. --cert-name certbot + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem + + - name: "[ REVOKE ] HTTP-01 single domain certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme -d certbot. --cert-name certbot + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data certbot + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: certbot_key-${{ matrix.keylength }}.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + certbot_nginx_django: + name: "certbot_nginx_django" + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + keylength: [2048, 4096] + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + + - name: "[ PREPARE ] Build docker-compose (nginx_django)" + working-directory: examples/Docker/ + run: | + sed -i "s/wsgi/django/g" .env 
+ sed -i "s/apache2/nginx/g" .env
+ sudo mkdir -p data
+ docker network create acme
+ docker-compose up -d
+ docker-compose logs
+
+ - name: "[ PREPARE ] Sleep for 10s"
+ uses: juliangruber/sleep-action@v1
+ with:
+ time: 10s
+
+ - name: "Test http://acme-srv/directory is accessable"
+ run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+
+ - name: "[ PREPARE ] setup openssl ca_handler and django config"
+ run: |
+ sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py
+ sudo mkdir -p examples/Docker/data/acme_ca/certs
+ sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/
+ sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
+ sudo cp .github/django_settings.py examples/Docker/data/settings.py
+ cd examples/Docker/
+ docker-compose restart
+ docker-compose logs
+
+ - name: "[ PREPARE ] create letsencrypt folder"
+ run: |
+ mkdir certbot
+
+ - name: "[ REGISTER] certbot"
+ run: |
+ docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
+
+ - name: "[ ENROLL ] HTTP-01 single domain certbot"
+ run: |
+ docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
+ sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem
+
+ - name: "[ RENEW ] HTTP-01 single domain certbot"
+ run: |
+ docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone
--preferred-challenges http -d certbot.acme --cert-name certbot
+ sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem
+
+ - name: "[ REVOKE ] HTTP-01 single domain certbot"
+ run: |
+ docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot
+
+ - name: "[ ENROLL ] HTTP-01 2x domain certbot"
+ run: |
+ docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme -d certbot. --cert-name certbot
+ sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem
+
+ - name: "[ RENEW ] HTTP-01 single domain certbot"
+ run: |
+ docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --rsa-key-size ${{ matrix.keylength }} --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme -d certbot. --cert-name certbot
+ sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem
+
+ - name: "[ REVOKE ] HTTP-01 single domain certbot"
+ run: |
+ docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme -d certbot.
--cert-name certbot
+
+ - name: "[ * ] collecting test logs"
+ if: ${{ failure() }}
+ run: |
+ mkdir -p ${{ github.workspace }}/artifact/upload
+ sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
+ sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/
+ cd examples/Docker
+ docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
+ sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data certbot
+
+ - name: "[ * ] uploading artificates"
+ uses: actions/upload-artifact@v2
+ if: ${{ failure() }}
+ with:
+ name: certbot_key-${{ matrix.keylength }}.tar.gz
+ path: ${{ github.workspace }}/artifact/upload/
diff --git a/.github/workflows/certmanager-application-test.yml b/.github/workflows/certmanager-application-test.yml
new file mode 100644
index 00000000..3ddee661
--- /dev/null
+++ b/.github/workflows/certmanager-application-test.yml
@@ -0,0 +1,801 @@
+name: Application Tests - cert-manager
+
+on:
+ push:
+ pull_request:
+ branches: [ devel ]
+ schedule:
+ # * is a special character in YAML so you have to quote this string
+ - cron: '0 2 * * 6'
+
+jobs:
+ certmgr_http01_apwsgi:
+ name: "apache2 wsgi - certmgr http01 challenge tests"
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ steps:
+
+ - name: "checkout GIT"
+ uses: actions/checkout@v2
+
+ - name: "[ PREPARE ] get runner ip"
+ run: |
+ echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
+ echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
+ - run: echo "runner IP is ${{ env.RUNNER_IP }}"
+
+ - name: "[ PREPARE ] install microk8s"
+ run: |
+ sudo snap install microk8s --classic
+ sudo microk8s status --wait-ready
+ sudo microk8s enable helm3
+ sudo microk8s enable ingress
+ - name: "[ PREPARE ] install dnsmasq"
+ run: |
+ sudo mkdir -p data
+ sudo cp .github/dnsmasq.conf data
+ sudo cp .github/dnsmasq.yml data
+ sudo chmod -R 777 data/dnsmasq.conf
+ sudo chmod -R 777 data/dnsmasq.yml
+ sudo sed -i "s/RUNNER_IP/${{ env.RUNNER_IP }}/g" data/dnsmasq.conf
+ sudo sed -i "s/RUNNER_PATH/${{ env.RUNNER_PATH }}/g" data/dnsmasq.yml
+ cat data/dnsmasq.conf
+ cat data/dnsmasq.yml
+ docker pull gigantuar/dnsmasq:latest-amd64
+ docker save gigantuar/dnsmasq -o dnsmasq.tar
+ sudo microk8s ctr image import dnsmasq.tar
+ sudo microk8s ctr images ls | grep -i gigantuar
+ - name: "[ PREPARE ] deploy dnsmasq pod"
+ run: |
+ sudo microk8s.kubectl apply -f data/dnsmasq.yml
+ - name: "[ WAIT ] Sleep for 10s"
+ uses: juliangruber/sleep-action@v1
+ with:
+ time: 10s
+
+ - name: "[ CHECK ] check status dnsmasq pod and grab ip"
+ run: |
+ sudo microk8s.kubectl get pods -n dnsmasq
+ sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq
+ sudo microk8s.kubectl get pods -n dnsmasq | grep -i Running
+ sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq | grep " IP:" | cut -d ' ' -f 5
+ echo
DNSMASQ_IP=$(sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq | grep " IP:" | cut -d ' ' -f 5) >> $GITHUB_ENV
+ - run: echo "dnsmasq pod IP is ${{ env.DNSMASQ_IP }}"
+
+ - name: "[ PREPARE ] change and test dns"
+ run: |
+ sudo systemctl disable systemd-resolved
+ sudo systemctl stop systemd-resolved
+ sudo chmod -R 777 /etc/resolv.conf
+ sudo echo "nameserver ${{ env.DNSMASQ_IP }}" > /etc/resolv.conf
+ sudo cat /etc/resolv.conf
+ host www.heise.de
+ host www.bar.local
+ - name: "[ PREPARE ] install cert-manager charts"
+ run: |
+ sudo microk8s.kubectl create namespace cert-manager
+ sudo microk8s.helm3 repo add jetstack https://charts.jetstack.io
+ sudo microk8s.helm3 repo update
+ sudo microk8s.helm3 install cert-manager jetstack/cert-manager --namespace cert-manager --set installCRDs=true
+ echo CERTMGR_VERSION=$(sudo microk8s.helm3 show chart jetstack/cert-manager | grep version) >> $GITHUB_ENV
+ - run: echo "cert-manager ${{ env.CERTMGR_VERSION }}"
+
+ - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
+ run: |
+ cat examples/Docker/apache2/wsgi/Dockerfile | docker build -t grindsa/acme2certifier:devel -f - .
--no-cache
+ # docker pull grindsa/acme2certifier:devel
+ docker save grindsa/acme2certifier > a2c.tar
+ sudo microk8s ctr image import a2c.tar
+ sudo microk8s ctr images ls | grep -i grindsa
+ - name: "[ PREPARE ] Create a2c configuration"
+ run: |
+ sudo mkdir -p data
+ sudo cp examples/ca_handler/openssl_ca_handler.py data/ca_handler.py
+ sudo mkdir -p data/acme_ca/certs
+ sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/
+ sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/acme_srv.cfg
+ sudo chmod 777 data/acme_srv.cfg
+ - name: "[ DEPLOY ] deploy a2c pod"
+ run: |
+ sudo microk8s.kubectl apply -f .github/k8s-acme-srv.yml
+ sudo microk8s.kubectl get pods -n cert-manager-acme
+ - name: "[ WAIT ] Sleep for 10s"
+ uses: juliangruber/sleep-action@v1
+ with:
+ time: 10s
+
+ - name: "[ CHECK ] check status a2c pod and grab ip of a2c pod"
+ run: |
+ sudo microk8s.kubectl get pods -n cert-manager-acme
+ sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier
+ sudo microk8s.kubectl get pods -n cert-manager-acme | grep -i Running
+ sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier | grep " IP:" | cut -d ' ' -f 5
+ echo ACME_IP=$(sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier | grep " IP:" | cut -d ' ' -f 5) >> $GITHUB_ENV
+ - run: echo "a2c pod IP is ${{ env.ACME_IP }}"
+
+ - name: "[ DEPLOY ] deploy cert-manager and trigger enrollment"
+ run: |
+ sudo cp .github/k8s-cert-mgr-http-01.yml data
+ sudo chmod -R 777 data/k8s-cert-mgr-http-01.yml
+ sudo sed -i "s/ACME_SRV/${{ env.ACME_IP }}/g" data/k8s-cert-mgr-http-01.yml
+ sudo microk8s.kubectl apply -f data/k8s-cert-mgr-http-01.yml
+ - name: "[ WAIT ] Sleep for 20s"
+ uses: juliangruber/sleep-action@v1
+ with:
+ time: 20s
+
+ - name: "[ CHECK ] check issuer and challenge"
+ run: |
+ sudo microk8s.kubectl describe ClusterIssuer acme2certifier
+ sudo microk8s.kubectl describe
challenge
+ - name: "[ WAIT ] Sleep for 20s"
+ uses: juliangruber/sleep-action@v1
+ with:
+ time: 20s
+
+ - name: "[ CHECK ] check issuer and challenge"
+ run: |
+ sudo microk8s.kubectl describe ClusterIssuer acme2certifier
+ sudo microk8s.kubectl describe challenge
+ - name: "[ WAIT ] Sleep for 20s"
+ uses: juliangruber/sleep-action@v1
+ with:
+ time: 20s
+
+ - name: "[ CHECK ] check issuer and challenge"
+ run: |
+ sudo microk8s.kubectl describe ClusterIssuer acme2certifier
+ sudo microk8s.kubectl describe challenge
+ sudo microk8s.kubectl describe certificate
+ sudo microk8s.kubectl describe certificates | grep -i "The certificate has been successfully issued"
+ - name: "[ * ] collecting test logs"
+ if: ${{ failure() }}
+ run: |
+ mkdir -p ${{ github.workspace }}/artifact/upload
+ sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
+ sudo microk8s.kubectl logs acme2certifier -n cert-manager-acme > ${{ github.workspace }}/artifact/acme2certifier.log
+ sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz acme2certifier.log data
+ - name: "[ * ] uploading artificates"
+ uses: actions/upload-artifact@v2
+ if: ${{ failure() }}
+ with:
+ name: cert-manager-http-apwsgi.tar.gz
+ path: ${{ github.workspace }}/artifact/upload/
+
+ certmgr_http01_apdjango:
+ name: "apache2 django - certmgr http01 challenge tests"
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ steps:
+
+ - name: "checkout GIT"
+ uses: actions/checkout@v2
+
+ - name: "[ PREPARE ] get runner ip"
+ run: |
+ echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
+ echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
+ - run: echo "runner IP is ${{ env.RUNNER_IP }}"
+
+ - name: "[ PREPARE ] install microk8s"
+ run: |
+ sudo snap install microk8s --classic
+ sudo microk8s status --wait-ready
+ sudo microk8s enable helm3
+ sudo microk8s enable ingress
+ - name: "[ PREPARE ] install dnsmasq"
+ run: |
+ sudo mkdir -p data
+ sudo cp .github/dnsmasq.conf data
+ sudo cp .github/dnsmasq.yml data
+ sudo chmod -R 777 data/dnsmasq.conf
+ sudo chmod -R 777 data/dnsmasq.yml
+ sudo sed -i "s/RUNNER_IP/${{ env.RUNNER_IP }}/g" data/dnsmasq.conf
+ sudo sed -i "s/RUNNER_PATH/${{ env.RUNNER_PATH }}/g" data/dnsmasq.yml
+ cat data/dnsmasq.conf
+ cat data/dnsmasq.yml
+ docker pull gigantuar/dnsmasq:latest-amd64
+ docker save gigantuar/dnsmasq -o dnsmasq.tar
+ sudo microk8s ctr image import dnsmasq.tar
+ sudo microk8s ctr images ls | grep -i gigantuar
+ - name: "[ PREPARE ] deploy dnsmasq pod"
+ run: |
+ sudo microk8s.kubectl apply -f data/dnsmasq.yml
+ - name: "[ WAIT ] Sleep for 10s"
+ uses: juliangruber/sleep-action@v1
+ with:
+ time: 10s
+
+ - name: "[ CHECK ] check status dnsmasq pod and grab ip"
+ run: |
+ sudo microk8s.kubectl get pods -n dnsmasq
+ sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq
+ sudo microk8s.kubectl get pods -n dnsmasq | grep -i Running
+ sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq | grep " IP:" | cut -d ' ' -f 5
+ echo DNSMASQ_IP=$(sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq | grep " IP:" | cut -d ' ' -f 5) >> $GITHUB_ENV
+ - run: echo "dnsmasq pod IP is ${{ env.DNSMASQ_IP }}"
+
+ - name: "[ PREPARE ] change and test dns"
+ run: |
+ sudo systemctl disable systemd-resolved
+ sudo systemctl stop systemd-resolved
+ sudo chmod -R 777 /etc/resolv.conf
+ sudo echo "nameserver ${{ env.DNSMASQ_IP }}" > /etc/resolv.conf
+ sudo cat /etc/resolv.conf
+ host www.heise.de
+ host www.bar.local
+ - name: "[ PREPARE ] install cert-manager charts"
+ run: |
+ sudo microk8s.kubectl create namespace cert-manager
+ sudo microk8s.helm3 repo add jetstack https://charts.jetstack.io
+ sudo microk8s.helm3 repo update
+ sudo microk8s.helm3 install cert-manager jetstack/cert-manager --namespace cert-manager --set installCRDs=true
+ echo CERTMGR_VERSION=$(sudo microk8s.helm3 show chart jetstack/cert-manager | grep version) >> $GITHUB_ENV
+ - run:
echo "cert-manager ${{ env.CERTMGR_VERSION }}"
+
+ - name: "[ PREPARE ] Build docker-compose (apache2_django)"
+ run: |
+ cat examples/Docker/apache2/django/Dockerfile | docker build -t grindsa/acme2certifier:devel -f - . --no-cache
+ docker save grindsa/acme2certifier > a2c.tar
+ sudo microk8s ctr image import a2c.tar
+ sudo microk8s ctr images ls | grep -i grindsa
+ - name: "[ PREPARE ] Create a2c configuration"
+ run: |
+ sudo mkdir -p data
+ sudo cp examples/ca_handler/openssl_ca_handler.py data/ca_handler.py
+ sudo mkdir -p data/acme_ca/certs
+ sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/
+ sudo cp .github/django_settings.py data/settings.py
+ sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/acme_srv.cfg
+ sudo chmod 777 data/acme_srv.cfg
+ - name: "[ DEPLOY ] deploy a2c pod"
+ run: |
+ sudo microk8s.kubectl apply -f .github/k8s-acme-srv.yml
+ sudo microk8s.kubectl get pods -n cert-manager-acme
+ - name: "[ WAIT ] Sleep for 10s"
+ uses: juliangruber/sleep-action@v1
+ with:
+ time: 10s
+
+ - name: "[ CHECK ] check status a2c pod and grab ip of a2c pod"
+ run: |
+ sudo microk8s.kubectl get pods -n cert-manager-acme
+ sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier
+ sudo microk8s.kubectl get pods -n cert-manager-acme | grep -i Running
+ sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier | grep " IP:" | cut -d ' ' -f 5
+ echo ACME_IP=$(sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier | grep " IP:" | cut -d ' ' -f 5) >> $GITHUB_ENV
+ - run: echo "a2c pod IP is ${{ env.ACME_IP }}"
+
+ - name: "[ DEPLOY ] deploy cert-manager and trigger enrollment"
+ run: |
+ sudo cp .github/k8s-cert-mgr-http-01.yml data
+ sudo chmod -R 777 data/k8s-cert-mgr-http-01.yml
+ sudo sed -i "s/ACME_SRV/${{ env.ACME_IP }}/g" data/k8s-cert-mgr-http-01.yml
+ sudo microk8s.kubectl apply -f data/k8s-cert-mgr-http-01.yml
+ - name: "[ WAIT
] Sleep for 20s"
+ uses: juliangruber/sleep-action@v1
+ with:
+ time: 20s
+
+ - name: "[ CHECK ] check issuer and challenge"
+ run: |
+ sudo microk8s.kubectl describe ClusterIssuer acme2certifier
+ sudo microk8s.kubectl describe challenge
+ - name: "[ WAIT ] Sleep for 20s"
+ uses: juliangruber/sleep-action@v1
+ with:
+ time: 20s
+
+ - name: "[ CHECK ] check issuer and challenge"
+ run: |
+ sudo microk8s.kubectl describe ClusterIssuer acme2certifier
+ sudo microk8s.kubectl describe challenge
+ - name: "[ WAIT ] Sleep for 20s"
+ uses: juliangruber/sleep-action@v1
+ with:
+ time: 20s
+
+ - name: "[ CHECK ] check issuer and challenge"
+ run: |
+ sudo microk8s.kubectl describe ClusterIssuer acme2certifier
+ sudo microk8s.kubectl describe challenge
+ sudo microk8s.kubectl describe certificate
+ sudo microk8s.kubectl describe certificates | grep -i "The certificate has been successfully issued"
+ - name: "[ * ] collecting test logs"
+ if: ${{ failure() }}
+ run: |
+ mkdir -p ${{ github.workspace }}/artifact/upload
+ sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
+ sudo microk8s.kubectl logs acme2certifier -n cert-manager-acme > ${{ github.workspace }}/artifact/acme2certifier.log
+ sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz acme2certifier.log data
+ - name: "[ * ] uploading artificates"
+ uses: actions/upload-artifact@v2
+ if: ${{ failure() }}
+ with:
+ name: cert-manager-http-apwsgi.tar.gz
+ path: ${{ github.workspace }}/artifact/upload/
+
+ certmgr_dns01_apwsgi:
+ name: "apache2 wsgi - certmgr dns01 challenge tests"
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ steps:
+
+ - name: "checkout GIT"
+ uses: actions/checkout@v2
+
+ - name: "[ PREPARE ] change dns"
+ run: |
+ sudo systemctl disable systemd-resolved
+ sudo systemctl stop systemd-resolved
+ sudo chmod -R 777 /etc/resolv.conf
+ sudo echo "nameserver 8.8.8.8" > /etc/resolv.conf
+ sudo cat /etc/resolv.conf
+ - name: "[ PREPARE ]
install microk8s"
+ run: |
+ sudo snap install microk8s --classic
+ sudo microk8s status --wait-ready
+ sudo microk8s enable helm3
+ - name: "[ PREPARE ] install cert-manager charts"
+ run: |
+ sudo microk8s.kubectl create namespace cert-manager
+ sudo microk8s.helm3 repo add jetstack https://charts.jetstack.io
+ sudo microk8s.helm3 repo update
+ sudo microk8s.helm3 install \
+ cert-manager jetstack/cert-manager \
+ --namespace cert-manager \
+ --set installCRDs=true
+ echo CERTMGR_VERSION=$(sudo microk8s.helm3 show chart jetstack/cert-manager | grep version) >> $GITHUB_ENV
+ - run: echo "cert-manager ${{ env.CERTMGR_VERSION }}"
+
+ - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
+ run: |
+ cat examples/Docker/apache2/wsgi/Dockerfile | docker build -t grindsa/acme2certifier:devel -f - . --no-cache
+ # docker pull grindsa/acme2certifier:devel
+ docker save grindsa/acme2certifier > a2c.tar
+ sudo microk8s ctr image import a2c.tar
+ sudo microk8s ctr images ls | grep -i grindsa
+ - name: "[ PREPARE ] Create a2c configuration"
+ run: |
+ sudo mkdir -p data
+ sudo cp examples/ca_handler/openssl_ca_handler.py data/ca_handler.py
+ sudo mkdir -p data/acme_ca/certs
+ sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/
+ sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/acme_srv.cfg
+ sudo chmod 777 data/acme_srv.cfg
+ - name: "[ DEPLOY ] deploy a2c pod"
+ run: |
+ sudo microk8s.kubectl apply -f .github/k8s-acme-srv.yml
+ sudo microk8s.kubectl get pods -n cert-manager-acme
+ - name: "[ WAIT ] Sleep for 10s"
+ uses: juliangruber/sleep-action@v1
+ with:
+ time: 10s
+
+ - name: "[ CHECK ] check status a2c pod and grab ip of a2c pod"
+ run: |
+ sudo microk8s.kubectl get pods -n cert-manager-acme
+ sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier
+ sudo microk8s.kubectl get pods -n cert-manager-acme | grep -i Running
+ sudo microk8s.kubectl -n cert-manager-acme
describe pod acme2certifier | grep " IP:" | cut -d ' ' -f 5
+ echo ACME_IP=$(sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier | grep " IP:" | cut -d ' ' -f 5) >> $GITHUB_ENV
+ - run: echo "a2c pod IP is ${{ env.ACME_IP }}"
+
+ - name: "[ DEPLOY ] deploy cert-manager"
+ run: |
+ sudo cp .github/k8s-cert-mgr-dns-01.yml data
+ sudo chmod -R 777 data/k8s-cert-mgr-dns-01.yml
+ sudo sed -i "s/ACME_SRV/${{ env.ACME_IP }}/g" data/k8s-cert-mgr-dns-01.yml
+ sudo sed -i "s/CF_TOKEN/${{ secrets.CF_TOKEN }}/g" data/k8s-cert-mgr-dns-01.yml
+ sudo sed -i "s/MY_EMAIL/${{ secrets.EMAIL }}/g" data/k8s-cert-mgr-dns-01.yml
+ - name: "[ DEPLOY ] deploy cert-manager and trigger enrollment"
+ run: |
+ sudo microk8s.kubectl apply -f data/k8s-cert-mgr-dns-01.yml
+ - name: "[ WAIT ] Sleep for 20s"
+ uses: juliangruber/sleep-action@v1
+ with:
+ time: 20s
+
+ - name: "[ CHECK ] check issuer and challenge"
+ run: |
+ sudo microk8s.kubectl describe issuer acme2certifier -n cert-manager-acme
+ sudo microk8s.kubectl describe challenge -n cert-manager-acme
+ - name: "[ WAIT ] Sleep for 30s"
+ uses: juliangruber/sleep-action@v1
+ with:
+ time: 60s
+
+ - name: "[ CHECK ] check issuer and challenge"
+ run: |
+ sudo microk8s.kubectl describe issuer acme2certifier -n cert-manager-acme
+ sudo microk8s.kubectl describe challenge -n cert-manager-acme
+ - name: "[ WAIT ] Sleep for 60s"
+ uses: juliangruber/sleep-action@v1
+ with:
+ time: 60s
+
+ - name: "[ CHECK ] check issuer and challenge"
+ run: |
+ sudo microk8s.kubectl describe issuer acme2certifier -n cert-manager-acme
+ sudo microk8s.kubectl describe challenge -n cert-manager-acme
+ - name: "[ WAIT ] Sleep for 60s"
+ uses: juliangruber/sleep-action@v1
+ with:
+ time: 60s
+
+ - name: "[ CHECK ] check challenge and certificate"
+ run: |
+ sudo microk8s.kubectl describe challenge -n cert-manager-acme
+ sudo microk8s.kubectl describe certificates acme-cert -n cert-manager-acme
+ sudo microk8s.kubectl describe certificates acme-cert
-n cert-manager-acme | grep -i "The certificate has been successfully issued"
+ - name: "[ PREPARE ] reconfigure YAML to wildcard domain"
+ run: |
+ sudo microk8s.kubectl delete -f data/k8s-cert-mgr-dns-01.yml
+ sudo sed -i "s/commonName: k8.acme.dynamop.de/commonName: '*.acme.dynamop.de'/g" data/k8s-cert-mgr-dns-01.yml
+ sudo sed -i "s/- k8.acme.dynamop.de/- '*.acme.dynamop.de'/g" data/k8s-cert-mgr-dns-01.yml
+ - name: "[ DEPLOY ] deploy cert-manager and trigger enrollment"
+ run: |
+ sudo microk8s.kubectl apply -f data/k8s-cert-mgr-dns-01.yml
+ - name: "[ WAIT ] Sleep for 20s"
+ uses: juliangruber/sleep-action@v1
+ with:
+ time: 20s
+
+ - name: "[ CHECK ] check issuer and challenge"
+ run: |
+ sudo microk8s.kubectl describe issuer acme2certifier -n cert-manager-acme
+ sudo microk8s.kubectl describe challenge -n cert-manager-acme
+ - name: "[ WAIT ] Sleep for 30s"
+ uses: juliangruber/sleep-action@v1
+ with:
+ time: 60s
+
+ - name: "[ CHECK ] check issuer and challenge"
+ run: |
+ sudo microk8s.kubectl describe issuer acme2certifier -n cert-manager-acme
+ sudo microk8s.kubectl describe challenge -n cert-manager-acme
+ - name: "[ WAIT ] Sleep for 60s"
+ uses: juliangruber/sleep-action@v1
+ with:
+ time: 60s
+
+ - name: "[ CHECK ] check issuer and challenge"
+ run: |
+ sudo microk8s.kubectl describe issuer acme2certifier -n cert-manager-acme
+ sudo microk8s.kubectl describe challenge -n cert-manager-acme
+ - name: "[ WAIT ] Sleep for 60s"
+ uses: juliangruber/sleep-action@v1
+ with:
+ time: 60s
+
+ - name: "[ CHECK ] check challenge and certificate"
+ run: |
+ sudo microk8s.kubectl describe challenge -n cert-manager-acme
+ sudo microk8s.kubectl describe certificates acme-cert -n cert-manager-acme
+ sudo microk8s.kubectl describe certificates acme-cert -n cert-manager-acme | grep -i "The certificate has been successfully issued"
+ - name: "[ * ] collecting test logs"
+ if: ${{ failure() }}
+ run: |
+ mkdir -p ${{ github.workspace }}/artifact/upload
+ sudo cp -rp
data/ ${{ github.workspace }}/artifact/data/
+ sudo microk8s.kubectl logs acme2certifier -n cert-manager-acme > ${{ github.workspace }}/artifact/acme2certifier.log
+ sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz acme2certifier.log data
+ - name: "[ * ] uploading artificates"
+ uses: actions/upload-artifact@v2
+ if: ${{ failure() }}
+ with:
+ name: cert-manager-dns-apwsgi.tar.gz
+ path: ${{ github.workspace }}/artifact/upload/
+
+
+ certmgr_http01_nginxwsgi:
+ name: "nginx wsgi - certmgr http01 challenge tests"
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ steps:
+
+ - name: "checkout GIT"
+ uses: actions/checkout@v2
+
+ - name: "[ PREPARE ] get runner ip"
+ run: |
+ echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
+ echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
+ - run: echo "runner IP is ${{ env.RUNNER_IP }}"
+
+ - name: "[ PREPARE ] install microk8s"
+ run: |
+ sudo snap install microk8s --classic
+ sudo microk8s status --wait-ready
+ sudo microk8s enable helm3
+ sudo microk8s enable ingress
+ - name: "[ PREPARE ] install dnsmasq"
+ run: |
+ sudo mkdir -p data
+ sudo cp .github/dnsmasq.conf data
+ sudo cp .github/dnsmasq.yml data
+ sudo chmod -R 777 data/dnsmasq.conf
+ sudo chmod -R 777 data/dnsmasq.yml
+ sudo sed -i "s/RUNNER_IP/${{ env.RUNNER_IP }}/g" data/dnsmasq.conf
+ sudo sed -i "s/RUNNER_PATH/${{ env.RUNNER_PATH }}/g" data/dnsmasq.yml
+ cat data/dnsmasq.conf
+ cat data/dnsmasq.yml
+ docker pull gigantuar/dnsmasq:latest-amd64
+ docker save gigantuar/dnsmasq -o dnsmasq.tar
+ sudo microk8s ctr image import dnsmasq.tar
+ sudo microk8s ctr images ls | grep -i gigantuar
+ - name: "[ PREPARE ] deploy dnsmasq pod"
+ run: |
+ sudo microk8s.kubectl apply -f data/dnsmasq.yml
+ - name: "[ WAIT ] Sleep for 10s"
+ uses: juliangruber/sleep-action@v1
+ with:
+ time: 10s
+
+ - name: "[ CHECK ] check status dnsmasq pod and grab ip"
+
run: |
+ sudo microk8s.kubectl get pods -n dnsmasq
+ sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq
+ sudo microk8s.kubectl get pods -n dnsmasq | grep -i Running
+ sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq | grep " IP:" | cut -d ' ' -f 5
+ echo DNSMASQ_IP=$(sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq | grep " IP:" | cut -d ' ' -f 5) >> $GITHUB_ENV
+ - run: echo "dnsmasq pod IP is ${{ env.DNSMASQ_IP }}"
+
+ - name: "[ PREPARE ] change and test dns"
+ run: |
+ sudo systemctl disable systemd-resolved
+ sudo systemctl stop systemd-resolved
+ sudo chmod -R 777 /etc/resolv.conf
+ sudo echo "nameserver ${{ env.DNSMASQ_IP }}" > /etc/resolv.conf
+ sudo cat /etc/resolv.conf
+ host www.heise.de
+ host www.bar.local
+ - name: "[ PREPARE ] install cert-manager charts"
+ run: |
+ sudo microk8s.kubectl create namespace cert-manager
+ sudo microk8s.helm3 repo add jetstack https://charts.jetstack.io
+ sudo microk8s.helm3 repo update
+ sudo microk8s.helm3 install cert-manager jetstack/cert-manager --namespace cert-manager --set installCRDs=true
+ echo CERTMGR_VERSION=$(sudo microk8s.helm3 show chart jetstack/cert-manager | grep version) >> $GITHUB_ENV
+ - run: echo "cert-manager ${{ env.CERTMGR_VERSION }}"
+
+ - name: "[ PREPARE ] Build docker-compose (nginx_wsgi)"
+ run: |
+ cat examples/Docker/nginx/wsgi/Dockerfile | docker build -t grindsa/acme2certifier:devel -f - .
--no-cache
+ # docker pull grindsa/acme2certifier:devel
+ docker save grindsa/acme2certifier > a2c.tar
+ sudo microk8s ctr image import a2c.tar
+ sudo microk8s ctr images ls | grep -i grindsa
+ - name: "[ PREPARE ] Create a2c configuration"
+ run: |
+ sudo mkdir -p data
+ sudo cp examples/ca_handler/openssl_ca_handler.py data/ca_handler.py
+ sudo mkdir -p data/acme_ca/certs
+ sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/
+ sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/acme_srv.cfg
+ sudo chmod 777 data/acme_srv.cfg
+ - name: "[ DEPLOY ] deploy a2c pod"
+ run: |
+ sudo microk8s.kubectl apply -f .github/k8s-acme-srv.yml
+ sudo microk8s.kubectl get pods -n cert-manager-acme
+ - name: "[ WAIT ] Sleep for 10s"
+ uses: juliangruber/sleep-action@v1
+ with:
+ time: 10s
+
+ - name: "[ CHECK ] check status a2c pod and grab ip of a2c pod"
+ run: |
+ sudo microk8s.kubectl get pods -n cert-manager-acme
+ sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier
+ sudo microk8s.kubectl get pods -n cert-manager-acme | grep -i Running
+ sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier | grep " IP:" | cut -d ' ' -f 5
+ echo ACME_IP=$(sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier | grep " IP:" | cut -d ' ' -f 5) >> $GITHUB_ENV
+ - run: echo "a2c pod IP is ${{ env.ACME_IP }}"
+
+ - name: "[ DEPLOY ] deploy cert-manager and trigger enrollment"
+ run: |
+ sudo cp .github/k8s-cert-mgr-http-01.yml data
+ sudo chmod -R 777 data/k8s-cert-mgr-http-01.yml
+ sudo sed -i "s/ACME_SRV/${{ env.ACME_IP }}/g" data/k8s-cert-mgr-http-01.yml
+ sudo microk8s.kubectl apply -f data/k8s-cert-mgr-http-01.yml
+ - name: "[ WAIT ] Sleep for 20s"
+ uses: juliangruber/sleep-action@v1
+ with:
+ time: 20s
+
+ - name: "[ CHECK ] check issuer and challenge"
+ run: |
+ sudo microk8s.kubectl describe ClusterIssuer acme2certifier
+ sudo microk8s.kubectl describe
challenge
+ - name: "[ WAIT ] Sleep for 20s"
+ uses: juliangruber/sleep-action@v1
+ with:
+ time: 20s
+
+ - name: "[ CHECK ] check issuer and challenge"
+ run: |
+ sudo microk8s.kubectl describe ClusterIssuer acme2certifier
+ sudo microk8s.kubectl describe challenge
+ - name: "[ WAIT ] Sleep for 20s"
+ uses: juliangruber/sleep-action@v1
+ with:
+ time: 20s
+
+ - name: "[ CHECK ] check issuer and challenge"
+ run: |
+ sudo microk8s.kubectl describe ClusterIssuer acme2certifier
+ sudo microk8s.kubectl describe challenge
+ sudo microk8s.kubectl describe certificate
+ sudo microk8s.kubectl describe certificates | grep -i "The certificate has been successfully issued"
+ - name: "[ * ] collecting test logs"
+ if: ${{ failure() }}
+ run: |
+ mkdir -p ${{ github.workspace }}/artifact/upload
+ sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
+ sudo microk8s.kubectl logs acme2certifier -n cert-manager-acme > ${{ github.workspace }}/artifact/acme2certifier.log
+ sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz acme2certifier.log data
+ - name: "[ * ] uploading artificates"
+ uses: actions/upload-artifact@v2
+ if: ${{ failure() }}
+ with:
+ name: cert-manager-http-nginxwsgi.tar.gz
+ path: ${{ github.workspace }}/artifact/upload/
+
+ certmgr_http01_nginxdjango:
+ name: "nginx wsgi - certmgr http01 challenge tests"
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ steps:
+
+ - name: "checkout GIT"
+ uses: actions/checkout@v2
+
+ - name: "[ PREPARE ] get runner ip"
+ run: |
+ echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
+ echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
+ - run: echo "runner IP is ${{ env.RUNNER_IP }}"
+
+ - name: "[ PREPARE ] install microk8s"
+ run: |
+ sudo snap install microk8s --classic
+ sudo microk8s status --wait-ready
+ sudo microk8s enable helm3
+ sudo microk8s enable ingress
+ - name: "[ PREPARE ] install
dnsmasq"
+ run: |
+ sudo mkdir -p data
+ sudo cp .github/dnsmasq.conf data
+ sudo cp .github/dnsmasq.yml data
+ sudo chmod -R 777 data/dnsmasq.conf
+ sudo chmod -R 777 data/dnsmasq.yml
+ sudo sed -i "s/RUNNER_IP/${{ env.RUNNER_IP }}/g" data/dnsmasq.conf
+ sudo sed -i "s/RUNNER_PATH/${{ env.RUNNER_PATH }}/g" data/dnsmasq.yml
+ cat data/dnsmasq.conf
+ cat data/dnsmasq.yml
+ docker pull gigantuar/dnsmasq:latest-amd64
+ docker save gigantuar/dnsmasq -o dnsmasq.tar
+ sudo microk8s ctr image import dnsmasq.tar
+ sudo microk8s ctr images ls | grep -i gigantuar
+ - name: "[ PREPARE ] deploy dnsmasq pod"
+ run: |
+ sudo microk8s.kubectl apply -f data/dnsmasq.yml
+ - name: "[ WAIT ] Sleep for 10s"
+ uses: juliangruber/sleep-action@v1
+ with:
+ time: 10s
+
+ - name: "[ CHECK ] check status dnsmasq pod and grab ip"
+ run: |
+ sudo microk8s.kubectl get pods -n dnsmasq
+ sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq
+ sudo microk8s.kubectl get pods -n dnsmasq | grep -i Running
+ sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq | grep " IP:" | cut -d ' ' -f 5
+ echo DNSMASQ_IP=$(sudo microk8s.kubectl -n dnsmasq describe pod dnsmasq | grep " IP:" | cut -d ' ' -f 5) >> $GITHUB_ENV
+ - run: echo "dnsmasq pod IP is ${{ env.DNSMASQ_IP }}"
+
+ - name: "[ PREPARE ] change and test dns"
+ run: |
+ sudo systemctl disable systemd-resolved
+ sudo systemctl stop systemd-resolved
+ sudo chmod -R 777 /etc/resolv.conf
+ sudo echo "nameserver ${{ env.DNSMASQ_IP }}" > /etc/resolv.conf
+ sudo cat /etc/resolv.conf
+ host www.heise.de
+ host www.bar.local
+ - name: "[ PREPARE ] install cert-manager charts"
+ run: |
+ sudo microk8s.kubectl create namespace cert-manager
+ sudo microk8s.helm3 repo add jetstack https://charts.jetstack.io
+ sudo microk8s.helm3 repo update
+ sudo microk8s.helm3 install cert-manager jetstack/cert-manager --namespace cert-manager --set installCRDs=true
+ echo CERTMGR_VERSION=$(sudo microk8s.helm3 show chart jetstack/cert-manager | grep version) >> $GITHUB_ENV
+
- run: echo "cert-manager ${{ env.CERTMGR_VERSION }}" + + - name: "[ PREPARE ] Build docker-compose (nginx_django)" + run: | + cat examples/Docker/nginx/django/Dockerfile | docker build -t grindsa/acme2certifier:devel -f - . --no-cache + # docker pull grindsa/acme2certifier:devel + docker save grindsa/acme2certifier > a2c.tar + sudo microk8s ctr image import a2c.tar + sudo microk8s ctr images ls | grep -i grindsa + - name: "[ PREPARE ] Create a2c configuration" + run: | + sudo mkdir -p data + sudo cp examples/ca_handler/openssl_ca_handler.py data/ca_handler.py + sudo mkdir -p data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/ + sudo cp .github/django_settings.py data/settings.py + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/acme_srv.cfg + sudo chmod 777 data/acme_srv.cfg + - name: "[ DEPLOY ] deploy a2c pod" + run: | + sudo microk8s.kubectl apply -f .github/k8s-acme-srv.yml + sudo microk8s.kubectl get pods -n cert-manager-acme + - name: "[ WAIT ] Sleep for 10s" + uses: juliangruber/sleep-action@v1 + with: + time: 10s + + - name: "[ CHECK ] check status a2c pod and grab ip of a2c pod" + run: | + sudo microk8s.kubectl get pods -n cert-manager-acme + sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier + sudo microk8s.kubectl get pods -n cert-manager-acme | grep -i Running + sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier | grep " IP:" | cut -d ' ' -f 5 + echo ACME_IP=$(sudo microk8s.kubectl -n cert-manager-acme describe pod acme2certifier | grep " IP:" | cut -d ' ' -f 5) >> $GITHUB_ENV + - run: echo "a2c pod IP is ${{ env.ACME_IP }}" + + - name: "[ DEPLOY ] deploy cert-manager and trigger enrollment" + run: | + sudo cp .github/k8s-cert-mgr-http-01.yml data + sudo chmod -R 777 data/k8s-cert-mgr-http-01.yml + sudo sed -i "s/ACME_SRV/${{ env.ACME_IP }}/g" data/k8s-cert-mgr-http-01.yml + sudo microk8s.kubectl apply -f 
data/k8s-cert-mgr-http-01.yml + - name: "[ WAIT ] Sleep for 20s" + uses: juliangruber/sleep-action@v1 + with: + time: 20s + + - name: "[ CHECK ] check issuer and challenge" + run: | + sudo microk8s.kubectl describe ClusterIssuer acme2certifier + sudo microk8s.kubectl describe challenge + - name: "[ WAIT ] Sleep for 20s" + uses: juliangruber/sleep-action@v1 + with: + time: 20s + + - name: "[ CHECK ] check issuer and challenge" + run: | + sudo microk8s.kubectl describe ClusterIssuer acme2certifier + sudo microk8s.kubectl describe challenge + - name: "[ WAIT ] Sleep for 20s" + uses: juliangruber/sleep-action@v1 + with: + time: 20s + + - name: "[ CHECK ] check issuer and challenge" + run: | + sudo microk8s.kubectl describe ClusterIssuer acme2certifier + sudo microk8s.kubectl describe challenge + sudo microk8s.kubectl describe certificate + sudo microk8s.kubectl describe certificates | grep -i "The certificate has been successfully issued" + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ + sudo microk8s.kubectl logs acme2certifier -n cert-manager-acme > ${{ github.workspace }}/artifact/acme2certifier.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz acme2certifier.log data + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: cert-manager-http-nginxwsgi.tar.gz + path: ${{ github.workspace }}/artifact/upload/ diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml new file mode 100644 index 00000000..3ae57deb --- /dev/null +++ b/.github/workflows/codecov.yml 
@@ -0,0 +1,30 @@
+name: Codecov
+on:
+ push:
+ branches:
+ - 'master'
+ - 'devel'
+jobs:
+ codecov:
+ name: Codecov Workflow
+ runs-on: ubuntu-latest
+
+ steps:
+ - uses: actions/checkout@v1
+ - name: Set up Python
+ uses: actions/setup-python@master
+ with:
+ python-version: 3.8
+ - name: Generate coverage report
+ run: |
+ python -m pip install --upgrade pip
+ pip install pytest
+ pip install pytest-cov
+ if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
+ pytest --cov=./ --cov-report=xml
+ - name: Upload coverage to Codecov
+ uses: codecov/codecov-action@v1
+ with:
+ token: ${{ secrets.CODECOV_TOKEN }}
+ file: ./coverage.xml
+ flags: unittests
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
new file mode 100644
index 00000000..594a2eb2
--- /dev/null
+++ b/.github/workflows/codeql-analysis.yml
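Review bot: `uses: actions/setup-python@master` pins the action to a moving branch, so whatever is pushed to that branch next runs inside this job with `secrets.CODECOV_TOKEN` in scope; pin it to a release tag or, better, a full commit SHA (e.g. `uses: actions/setup-python@v4`), and quote `python-version: '3.8'` so a later bump to 3.10 is not parsed as the float 3.1. `actions/checkout@v1` and `codecov/codecov-action@v1` are likewise old majors and should move to current pinned versions. The job also declares no `permissions:` block, so the default token scope applies; `permissions:` / `contents: read` is all this workflow needs.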
@@ -0,0 +1,61 @@
+name: "CodeQL"
+
+on:
+ push:
+ branches: [ devel ]
+ pull_request:
+ branches: [ devel ]
+ schedule:
+ - cron: '0 2 * * 6'
+
+jobs:
+ analyze:
+ name: Analyze
+ runs-on: ubuntu-latest
+
+ strategy:
+ fail-fast: false
+ matrix:
+ # Override automatic language detection by changing the below list
+ # Supported options are ['csharp', 'cpp', 'go', 'java', 'javascript', 'python']
+ language: ['python']
+ # Learn more...
+ # https://docs.github.com/en/github/finding-security-vulnerabilities-and-errors-in-your-code/configuring-code-scanning#overriding-automatic-language-detection
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v2
+ with:
+ # We must fetch at least the immediate parents so that if this is
+ # a pull request then we can checkout the head.
+ fetch-depth: 2
+
+ # If this run was triggered by a pull request event, then checkout
+ # the head of the pull request instead of the merge commit.
+ - run: git checkout HEAD^2
+ if: ${{ github.event_name == 'pull_request' }}
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v1
+ with:
+ languages: ${{ matrix.language }}
+
+ # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
+ # If this step fails, then you should remove it and run the build manually (see below)
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v1
+
+ # ℹ️ Command-line programs to run using the OS shell.
+ # 📚 https://git.io/JvXDl
+
+ # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+ # and modify them (or add more) to build your code if your project
+ # uses a compiled language
+
+ #- run: |
+ # make bootstrap
+ # make release
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v1
diff --git a/.github/workflows/container-tests.yml b/.github/workflows/container-tests.yml
new file mode 100644
index 00000000..1985c3a0
--- /dev/null
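Review bot: The `analyze` job declares no `permissions:` block, yet `github/codeql-action/analyze` has to upload SARIF results, which needs `security-events: write`; whether the default `GITHUB_TOKEN` still grants that depends on the repository's token-permission setting, so declare it explicitly at the job level: `permissions:` / `actions: read` / `contents: read` / `security-events: write`. The `fetch-depth: 2` plus `git checkout HEAD^2` sequence is the old template trick for scanning the PR head instead of the merge commit; it is harmless under `pull_request` (it would not be under `pull_request_target`), but current checkout and CodeQL templates no longer need it. The `codeql-action/*@v1` and `checkout@v2` majors are also dated and should be pinned to current versions.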
+++ b/.github/workflows/container-tests.yml 
@@ -0,0 +1,293 @@ +name: Container Deployment Tests + +on: + push: + pull_request: + branches: [ devel ] + schedule: + # * is a special character in YAML so you have to quote this string + - cron: '0 2 * * 6' + +jobs: + docker-compose_apache2_wsgi: + name: "Docker compose - apache2 wsgi" + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: "Build the stack" + working-directory: examples/Docker/ + run: | + sudo mkdir -p data + docker network create acme + docker-compose up -d + docker-compose logs + - name: "[ PREPARE ] enable tls" + run: | + sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py + sudo mkdir -p examples/Docker/data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem + cd examples/Docker/ + docker-compose restart + docker-compose logs + - name: "Test if http://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + - name: "Test if https://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory + - name: "[ PREPARE ] prepare acme.sh container" + run: | + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + - name: "[ ENROLL ] register via http" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2 + - name: "[ ENROLL ] register via https" + run: | + docker exec -i acme-sh acme.sh --server https://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2 + - name: "[ PREPARE 
] test ca_handler_migration" + run: | + sudo cp .github/openssl_ca_handler_v16.py examples/Docker/data/ca_handler.py + cd examples/Docker/ + docker-compose restart + head -n 13 data/ca_handler.py + docker-compose logs + - name: "[ PREPARE ] Sleep for 10s" + uses: juliangruber/sleep-action@v1 + with: + time: 10s + - name: "Test if http://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + - name: "[ ENROLL ] enroll certificate to verify handler migration" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure + - name: "[ * ] collecting test data" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme_sh + - name: "[ * ] uploading artifacts" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: docker-compose_apache2_wsgi.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + docker-compose_nginx_wsgi: + name: "Docker compose - nginx wsgi" + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: "Build the stack" + working-directory: examples/Docker/ + run: | + sed -i "s/apache2/nginx/g" .env + sudo mkdir -p data + docker network create acme + docker-compose up -d + docker-compose logs + - name: "[ PREPARE ] enable tls" + run: | + sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py + sudo mkdir -p examples/Docker/data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ + sudo cp 
.github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem + sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem + cd examples/Docker/ + docker-compose restart + docker-compose logs + - name: "[ PREPARE ] Sleep for 10s" + uses: juliangruber/sleep-action@v1 + with: + time: 10s + - name: "Test if http://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + - name: "Test if https://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory + - name: "[ PREPARE ] prepare acme.sh container" + run: | + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + - name: "[ ENROLL ] register via http" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2 + - name: "[ ENROLL ] register via https" + run: | + docker exec -i acme-sh acme.sh --server https://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2 + - name: "[ PREPARE ] test ca_handler_migration" + run: | + sudo cp .github/openssl_ca_handler_v16.py examples/Docker/data/ca_handler.py + cd examples/Docker/ + docker-compose restart + head -n 13 data/ca_handler.py + docker-compose logs + - name: "[ PREPARE ] Sleep for 10s" + uses: juliangruber/sleep-action@v1 + with: + time: 10s + - name: "Test if http://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + - name: "[ ENROLL ] enroll certificate to verify handler migration" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug 
--output-insecure + - name: "[ * ] collecting test data" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme_sh + - name: "[ * ] uploading artifacts" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: docker-compose_nginx_wsgi.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + docker-compose_apache2_django: + name: "Docker compose - apache2 django" + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: "Build the stack" + working-directory: examples/Docker/ + run: | + sed -i "s/wsgi/django/g" .env + sudo mkdir -p data + docker network create acme + docker-compose up -d + docker-compose logs + - name: "[ PREPARE ] enable tls" + run: | + sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py + sudo mkdir -p examples/Docker/data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + sudo cp .github/django_settings.py examples/Docker/data/settings.py + sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem + cd examples/Docker/ + docker-compose restart + docker-compose logs + - name: "[ PREPARE ] Sleep for 10s" + uses: juliangruber/sleep-action@v1 + with: + time: 10s + - name: "Test if http://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + - name: "Test if https://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl --insecure -f 
https://acme-srv/directory + - name: "[ PREPARE ] prepare acme.sh container" + run: | + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + - name: "[ ENROLL ] register via http" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2 + - name: "[ ENROLL ] register via https" + run: | + docker exec -i acme-sh acme.sh --server https://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2 + - name: "[ PREPARE ] test ca_handler_migration" + run: | + sudo cp .github/openssl_ca_handler_v16.py examples/Docker/data/ca_handler.py + cd examples/Docker/ + docker-compose restart + head -n 13 data/ca_handler.py + docker-compose logs + - name: "[ PREPARE ] Sleep for 10s" + uses: juliangruber/sleep-action@v1 + with: + time: 10s + - name: "Test if http://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + - name: "[ ENROLL ] enroll certificate to verify handler migration" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure + - name: "[ * ] collecting test data" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme_sh + - name: "[ * ] uploading artifacts" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: docker-compose_apache2_django.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + docker-compose_nginx_django: + name: "Docker compose 
- nginx django" + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v2 + - name: "Build the stack" + working-directory: examples/Docker/ + run: | + sed -i "s/wsgi/django/g" .env + sed -i "s/apache2/nginx/g" .env + sudo mkdir -p data + docker network create acme + docker-compose up -d + docker-compose logs + - name: "[ PREPARE ] enable tls" + run: | + sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py + sudo mkdir -p examples/Docker/data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + sudo cp .github/django_settings.py examples/Docker/data/settings.py + sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem + sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem + cd examples/Docker/ + docker-compose restart + docker-compose logs + - name: "[ PREPARE ] Sleep for 10s" + uses: juliangruber/sleep-action@v1 + with: + time: 10s + - name: "Test if http://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + - name: "Test if https://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory + - name: "[ PREPARE ] prepare acme.sh container" + run: | + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + - name: "[ ENROLL ] register via http" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2 + - name: "[ ENROLL ] register via https" + run: | + docker exec -i acme-sh acme.sh --server https://acme-srv --register-account --accountemail 'acme-sh@example.com' 
--accountkeylength ec-256 --insecure --debug 2 + - name: "[ PREPARE ] test ca_handler_migration" + run: | + sudo cp .github/openssl_ca_handler_v16.py examples/Docker/data/ca_handler.py + cd examples/Docker/ + docker-compose restart + head -n 13 data/ca_handler.py + docker-compose logs + - name: "[ PREPARE ] Sleep for 10s" + uses: juliangruber/sleep-action@v1 + with: + time: 10s + - name: "Test if http://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + - name: "[ ENROLL ] enroll certificate to verify handler migration" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure + - name: "[ * ] collecting test data" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme_sh + - name: "[ * ] uploading artifacts" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: docker-compose_nginx_django.tar.gz + path: ${{ github.workspace }}/artifact/upload/ diff --git a/.github/workflows/create_release.yml b/.github/workflows/create_release.yml new file mode 100644 index 00000000..a9334a05 --- /dev/null +++ b/.github/workflows/create_release.yml 
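Review bot: The step named `[ ENROLL ] enroll certificate to verify handler migration` (present in all four jobs) only runs `acme.sh --register-account` a third time; it never issues a certificate, so the swapped-in `openssl_ca_handler_v16.py` is presumably never invoked and the migration is not actually verified — an issuance such as `docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 2` after the re-registration is needed for the step to test what its name claims. Separately, the `[ * ] collecting test data` step tars `acme_sh` from the artifact directory, but the acme.sh volume is `$(pwd)/acme-sh` at the workspace root and is never copied there, so on a failing run the collection step itself exits non-zero; add `sudo cp -rp acme-sh ${{ github.workspace }}/artifact/acme_sh` before the tar. Be aware that this directory holds the acme.sh account keys — acceptable for throwaway test state, but it is what ends up in the uploaded artifact.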
@@ -0,0 +1,48 @@
+on:
+ push:
+ branches:
+ - "master"
+
+name: Create Release
+
+jobs:
+ build:
+ name: Create Release
+ runs-on: ubuntu-latest
+
+ steps:
+
+ - name: "Get current version"
+ uses: oprypin/find-latest-tag@v1
+ with:
+ repository: ${{ github.repository }} # The repository to scan.
+ releases-only: true # We know that all relevant tags have a GitHub release for them.
+ id: acme2certifier_ver # The step ID to refer to later.
+
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: Retrieve Version from version.py
+ run: |
+ echo APP_NAME=$(echo ${{ github.repository }} | awk -F / '{print $2}') >> $GITHUB_ENV
+ echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV
+
+ - run: echo "Repo is at version ${{ steps.acme2certifier_ver.outputs.tag }}"
+ - run: echo "APP tag is ${{ env.APP_NAME }}"
+ - run: echo "Latest tag is ${{ env.TAG_NAME }}"
+
+ - name: Create Release
+ id: create_release
+ if: steps.acme2certifier_ver.outputs.tag != env.TAG_NAME
+ uses: actions/create-release@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
+ with:
+ tag_name: ${{ env.TAG_NAME }}
+ release_name: ${{ env.APP_NAME }} ${{ env.TAG_NAME }}
+ # release_name: hahohe ${{ env.TAG_NAME }}
+ # body_path: body.txt
+ body: |
+ [Changelog](https://github.com/grindsa/acme2certifier/blob/master/CHANGES.md)
+ draft: false
+ prerelease: false
diff --git a/.github/workflows/django_tests..yml b/.github/workflows/django_tests..yml
new file mode 100644
index 00000000..e18a89d8
--- /dev/null
+++ b/.github/workflows/django_tests..yml
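Review bot: The release job runs on every push to master with the default `GITHUB_TOKEN` scope and declares no `permissions:`; creating a tag and release needs only `contents: write`, so add `permissions:` / `contents: write` at the job level to keep the token least-privilege. The `echo TAG_NAME=$(...) >> $GITHUB_ENV` line writes an unquoted value parsed out of `acme_srv/version.py` into the environment file; quoting it (`echo "TAG_NAME=$(...)" >> "$GITHUB_ENV"`) prevents a version string containing whitespace from being split or from injecting additional variables. `actions/create-release@v1` is, to my knowledge, archived and unmaintained, and `oprypin/find-latest-tag@v1` is a third-party action pulled by mutable tag — pin both by commit SHA or replace the former with a maintained equivalent. Whether `steps.acme2certifier_ver.outputs.tag` and the value parsed from version.py share the same format (with or without a `v` prefix) cannot be confirmed from this hunk; if they differ, the `!=` guard never suppresses a release and the step will attempt to re-create an existing tag.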
@@ -0,0 +1,522 @@ +name: Django Tests + +on: + push: + pull_request: + branches: [ devel ] + schedule: + # * is a special character in YAML so you have to quote this string + - cron: '0 2 * * 6' + +jobs: + apache_django_mariadb: + name: "apache_django_mariadb" + runs-on: ubuntu-latest + strategy: + fail-fast: false + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + + - name: "[ PREPARE ] Build environment" + working-directory: examples/Docker/ + run: | + sed -i "s/wsgi/django/g" .env + sudo mkdir -p data/mysql + docker network create acme + docker-compose up -d + docker-compose logs + + - name: "[ PREPARE ] install mariadb" + working-directory: examples/Docker/ + run: | + # docker run --name mariadbsrv --network acme -v $PWD/data/mysql:/var/lib/mysql -e MARIADB_ROOT_PASSWORD=foobar -d mariadb + docker run --name mariadbsrv --network acme -e MARIADB_ROOT_PASSWORD=foobar -d mariadb + + - name: "[ PREPARE ] Sleep for 10s" + uses: juliangruber/sleep-action@v1 + with: + time: 10s + + - name: "[ PREPARE ] configure mariadb" + working-directory: examples/Docker/ + run: | + docker exec mariadbsrv mysql -u root --password=foobar -e"CREATE DATABASE acme2certifier CHARACTER SET UTF8;" + docker exec mariadbsrv mysql -u root --password=foobar -e"GRANT ALL PRIVILEGES ON acme2certifier.* TO 'acme2certifier'@'%' IDENTIFIED BY '1mmSvDFl';" + docker exec mariadbsrv mysql -u root --password=foobar -e"FLUSH PRIVILEGES;" + + - name: "[ PREPARE ] configure acme2certifier" + run: | + sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py + sudo mkdir -p examples/Docker/data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + sudo cp .github/django_settings_mariadb.py examples/Docker/data/settings.py + sudo cp .github/acme2certifier.pem 
examples/Docker/data/acme2certifier.pem + cd examples/Docker/ + sudo chmod 777 data/acme_srv.cfg + sudo echo "" >> data/acme_srv.cfg + sudo echo "[Directory]" >> data/acme_srv.cfg + sudo echo "url_prefix: /foo" >> data/acme_srv.cfg + docker-compose restart + docker-compose logs + + - name: "Test if http://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "Test if https://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory + + - name: "[ PREPARE ] prepare acme.sh container" + run: | + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + + - name: "[ ENROLL ] register via http" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2 + + - name: "[ ENROLL ] register via https" + run: | + docker exec -i acme-sh acme.sh --server https://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2 + + - name: "[ ENROLL] acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure + + - name: "[ REGISTER] certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email + + - name: "[ ENROLL ] HTTP-01 single domain certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem 
certbot/live/certbot/cert.pem + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + docker exec mariadbsrv mysqldump -u root --password=foobar acme2certifier > /tmp/acme2certifer.sql + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + sudo cp /tmp/acme2certifer.sql ${{ github.workspace }}/artifact/data/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: django-mariadb.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + apache_django_psql: + name: "apache_django_psql" + runs-on: ubuntu-latest + strategy: + fail-fast: false + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + + - name: "[ PREPARE ] Build environment" + working-directory: examples/Docker/ + run: | + sed -i "s/wsgi/django/g" .env + sudo mkdir -p data/mysql + sudo mkdir -p data/pgsql + docker network create acme + docker-compose up -d + docker-compose logs + + - name: "[ PREPARE ] postgres environment" + run: | + sudo cp .github/a2c.psql examples/Docker/data/pgsql/a2c.psql + sudo cp .github/pgpass examples/Docker/data/pgsql/pgpass + sudo chmod 600 examples/Docker/data/pgsql/pgpass + + - name: "[ PREPARE ] install postgres" + working-directory: examples/Docker/ + run: | + docker run --name postgresdbsrv --network acme -e POSTGRES_PASSWORD=foobar -d postgres + + - name: "[ PREPARE ] Sleep for 10s" + uses: juliangruber/sleep-action@v1 + with: + time: 10s + + - name: "[ PREPARE ] configure postgres" + working-directory: examples/Docker/ + run: | + docker run -v "$(pwd)/data/pgsql/a2c.psql":/tmp/a2c.psql -v "$(pwd)/data/pgsql/pgpass:/root/.pgpass" --rm --network acme postgres psql -U postgres -h 
postgresdbsrv -f /tmp/a2c.psql + - name: "[ PREPARE ] Sleep for 10s" + uses: juliangruber/sleep-action@v1 + with: + time: 10s + + - name: "[ PREPARE ] configure acme2certifier" + run: | + sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py + sudo mkdir -p examples/Docker/data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + sudo cp .github/django_settings_psql.py examples/Docker/data/settings.py + sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem + cd examples/Docker/ + sudo chmod 777 data/acme_srv.cfg + sudo echo "" >> data/acme_srv.cfg + sudo echo "[Directory]" >> data/acme_srv.cfg + sudo echo "url_prefix: /foo" >> data/acme_srv.cfg + sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) + docker-compose restart + docker-compose logs + + - name: "Test if http://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "Test if https://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory + + - name: "[ PREPARE ] prepare acme.sh container" + run: | + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + + - name: "[ ENROLL ] register via http" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2 + + - name: "[ ENROLL ] register via https" + run: | + docker exec -i acme-sh acme.sh --server https://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2 + + - name: "[ ENROLL] acme.sh" + run: | + docker exec -i 
acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure + + - name: "[ REGISTER] certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email + + - name: "[ ENROLL ] HTTP-01 single domain certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + docker run -v "$(pwd)/examples/Docker/data/pgsql/pgpass":/root/.pgpass --rm --network acme postgres pg_dump -U postgres -h postgresdbsrv acme2certifier > /tmp/acme2certifier.psql + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + sudo cp /tmp/acme2certifier.psql ${{ github.workspace }}/artifact/data/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: django-psql.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + django_mig_apache2: + name: "django_mig_apache2" + runs-on: ubuntu-latest + strategy: + fail-fast: false + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + + - name: "[ PREPARE ] prepare environment" + working-directory: examples/Docker/ + run: | + docker network create acme + sudo mkdir -p data/mysql + + - name: "[ 
PREPARE ] install mariadb" + working-directory: examples/Docker/ + run: | + # docker run --name mariadbsrv --network acme -v $PWD/data/mysql:/var/lib/mysql -e MARIADB_ROOT_PASSWORD=foobar -d mariadb + docker run --name mariadbsrv --network acme -e MARIADB_ROOT_PASSWORD=foobar -d mariadb + + - name: "[ PREPARE ] Sleep for 10s" + uses: juliangruber/sleep-action@v1 + with: + time: 10s + + - name: "[ PREPARE ] configure mariadb" + working-directory: examples/Docker/ + run: | + docker exec mariadbsrv mysql -u root --password=foobar -e"CREATE DATABASE acme2certifier CHARACTER SET UTF8;" + docker exec mariadbsrv mysql -u root --password=foobar -e"GRANT ALL PRIVILEGES ON acme2certifier.* TO 'acme2certifier'@'%' IDENTIFIED BY '1mmSvDFl';" + docker exec mariadbsrv mysql -u root --password=foobar -e"FLUSH PRIVILEGES;" + + - name: "[ PREPARE ] configure acme2certifier" + run: | + # sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py + sudo mkdir -p examples/Docker/data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + sudo cp .github/django_settings_mariadb.py examples/Docker/data/settings.py + sudo chmod 777 examples/Docker/data/settings.py + sudo sed -i "s/ 'acme_srv'/ 'acme'/g" examples/Docker/data/settings.py + sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem + sudo chmod 777 examples/Docker/data/acme_srv.cfg + echo "" >> examples/Docker/data/acme_srv.cfg + echo "handler_file: examples/ca_handler/openssl_ca_handler.py" >> examples/Docker/data/acme_srv.cfg + + - name: "[ PREPARE ] install a2c 0.16" + run: | + docker run -d -p 80:80 -p 443:443 --rm -id --network acme --name=acme-srv -v "$(pwd)/examples/Docker/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:0.16-apache2-django + docker logs acme-srv + + - 
name: "[ PREPARE ] Sleep for 5s"
+ uses: juliangruber/sleep-action@v1
+ with:
+ time: 5s
+
+ - name: "Test if http://acme-srv/directory is accessable"
+ run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+
+ - name: "Test if https://acme-srv/directory is accessable"
+ run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+
+ - name: "[ PREPARE ] prepare acme.sh container"
+ run: |
+ sudo mkdir -p "$(pwd)/examples/Docker/data/acme-sh"
+ docker run --rm -id -v "$(pwd)/examples/Docker/data/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
+
+ - name: "[ ENROLL ] register via http"
+ run: |
+ docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2
+
+ - name: "[ ENROLL ] register via https"
+ run: |
+ docker exec -i acme-sh acme.sh --server https://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2
+
+ - name: "[ ENROLL] acme.sh"
+ run: |
+ docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure
+
+ - name: "[ REGISTER] certbot"
+ run: |
+ sudo mkdir -p "$(pwd)/examples/Docker/data/certbot"
+ docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
+
+ - name: "[ ENROLL ] HTTP-01 single domain certbot"
+ run: |
+ docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
+ sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem
examples/Docker/data/certbot/live/certbot/cert.pem
+
+ - name: "[ PREPARE ] Upgrade to latest a2c build"
+ working-directory: examples/Docker/
+ run: |
+ docker stop acme-srv
+ sudo chmod -R 777 data
+ sed -i "s/wsgi/django/g" .env
+ docker-compose up -d
+ docker-compose logs
+
+ - name: "[ PREPARE ] Sleep for 5s"
+ uses: juliangruber/sleep-action@v1
+ with:
+ time: 5s
+
+ - name: "Test if http://acme-srv/directory is accessable"
+ run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+
+ - name: "Test if https://acme-srv/directory is accessable"
+ run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+
+ - name: "[ ENROLL ] register via http"
+ run: |
+ docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2
+
+ - name: "[ ENROLL ] register via https"
+ run: |
+ docker exec -i acme-sh acme.sh --server https://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2
+
+ - name: "[ ENROLL] acme.sh"
+ run: |
+ docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure
+
+ - name: "[ REGISTER] certbot"
+ run: |
+ sudo mkdir -p "$(pwd)/examples/Docker/data/certbot2"
+ docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot2":/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
+
+ - name: "[ ENROLL ] HTTP-01 single domain certbot"
+ run: |
+ docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
+ sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted
examples/Docker/data/acme_ca/sub-ca-cert.pem examples/Docker/data/certbot/live/certbot/cert.pem
+
+ - name: "[ * ] collecting test logs"
+ if: ${{ failure() }}
+ run: |
+ docker logs acme2certifier_acme-srv_1
+ docker exec mariadbsrv mysqldump -u root --password=foobar acme2certifier > /tmp/acme2certifer.sql
+ mkdir -p ${{ github.workspace }}/artifact/upload
+ sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
+ sudo cp /tmp/acme2certifer.sql ${{ github.workspace }}/artifact/data/
+ cd examples/Docker
+ docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
+ sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data
+ - name: "[ * ] uploading artificates"
+ uses: actions/upload-artifact@v2
+ if: ${{ failure() }}
+ with:
+ name: apache2-django-mig.tar.gz
+ path: ${{ github.workspace }}/artifact/upload/
+
+ django_mig_nginx:
+ name: "django_mig_nginx"
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ steps:
+ - name: "checkout GIT"
+ uses: actions/checkout@v2
+
+ - name: "[ PREPARE ] prepare environment"
+ working-directory: examples/Docker/
+ run: |
+ docker network create acme
+ sudo mkdir -p data/mysql
+
+ - name: "[ PREPARE ] install mariadb"
+ working-directory: examples/Docker/
+ run: |
+ # docker run --name mariadbsrv --network acme -v $PWD/data/mysql:/var/lib/mysql -e MARIADB_ROOT_PASSWORD=foobar -d mariadb
+ docker run --name mariadbsrv --network acme -e MARIADB_ROOT_PASSWORD=foobar -d mariadb
+
+ - name: "[ PREPARE ] Sleep for 10s"
+ uses: juliangruber/sleep-action@v1
+ with:
+ time: 10s
+
+ - name: "[ PREPARE ] configure mariadb"
+ working-directory: examples/Docker/
+ run: |
+ docker exec mariadbsrv mysql -u root --password=foobar -e"CREATE DATABASE acme2certifier CHARACTER SET UTF8;"
+ docker exec mariadbsrv mysql -u root --password=foobar -e"GRANT ALL PRIVILEGES ON acme2certifier.* TO 'acme2certifier'@'%' IDENTIFIED BY '1mmSvDFl';"
+ docker exec mariadbsrv mysql -u root --password=foobar -e"FLUSH PRIVILEGES;"
+
+ - name: "[ PREPARE ] configure acme2certifier"
+ run: |
+ sudo mkdir -p examples/Docker/data/acme_ca/certs
+ sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/
+ sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
+ sudo cp .github/django_settings_mariadb.py examples/Docker/data/settings.py
+ sudo chmod 777 examples/Docker/data/settings.py
+ sudo sed -i "s/ 'acme_srv'/ 'acme'/g" examples/Docker/data/settings.py
+ sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem
+ sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem
+ sudo chmod 777 examples/Docker/data/acme_srv.cfg
+ echo "" >> examples/Docker/data/acme_srv.cfg
+ echo "handler_file: examples/ca_handler/openssl_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
+
+ - name: "[ PREPARE ] install a2c 0.16"
+ run: |
+ docker run -d -p 80:80 -p 443:443 --rm -id --network acme --name=acme-srv -v "$(pwd)/examples/Docker/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:0.16-nginx-django
+ docker logs acme-srv
+
+ - name: "[ PREPARE ] Sleep for 5s"
+ uses: juliangruber/sleep-action@v1
+ with:
+ time: 5s
+
+ - name: "Test if http://acme-srv/directory is accessable"
+ run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+
+ - name: "Test if https://acme-srv/directory is accessable"
+ run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+
+ - name: "[ PREPARE ] prepare acme.sh container"
+ run: |
+ sudo mkdir -p "$(pwd)/examples/Docker/data/acme-sh"
+ docker run --rm -id -v "$(pwd)/examples/Docker/data/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
+
+ - name: "[ ENROLL ] register via http"
+ run: |
+ docker exec -i acme-sh acme.sh
--server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2
+
+ - name: "[ ENROLL ] register via https"
+ run: |
+ docker exec -i acme-sh acme.sh --server https://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2
+
+ - name: "[ ENROLL] acme.sh"
+ run: |
+ docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure
+
+ - name: "[ REGISTER] certbot"
+ run: |
+ sudo mkdir -p "$(pwd)/examples/Docker/data/certbot"
+ docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
+
+ - name: "[ ENROLL ] HTTP-01 single domain certbot"
+ run: |
+ docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
+ sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem examples/Docker/data/certbot/live/certbot/cert.pem
+
+ - name: "[ PREPARE ] Upgrade to latest a2c build"
+ working-directory: examples/Docker/
+ run: |
+ docker stop acme-srv
+ sudo chmod -R 777 data
+ sed -i "s/wsgi/django/g" .env
+ sed -i "s/apache2/nginx/g" .env
+ docker-compose up -d
+ docker-compose logs
+
+ - name: "[ PREPARE ] Sleep for 5s"
+ uses: juliangruber/sleep-action@v1
+ with:
+ time: 5s
+
+ - name: "Test if http://acme-srv/directory is accessable"
+ run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+
+ - name: "Test if https://acme-srv/directory is accessable"
+ run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
+
+ - name: "[ ENROLL ]
register via http"
+ run: |
+ docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --debug 2
+
+ - name: "[ ENROLL ] register via https"
+ run: |
+ docker exec -i acme-sh acme.sh --server https://acme-srv --register-account --accountemail 'acme-sh@example.com' --accountkeylength ec-256 --insecure --debug 2
+
+ - name: "[ ENROLL] acme.sh"
+ run: |
+ docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug --output-insecure
+
+ - name: "[ REGISTER] certbot"
+ run: |
+ sudo mkdir -p "$(pwd)/examples/Docker/data/certbot2"
+ docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot2":/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
+
+ - name: "[ ENROLL ] HTTP-01 single domain certbot"
+ run: |
+ docker run -i --rm --name certbot --network acme -v "$(pwd)/examples/Docker/data/certbot":/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
+ sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem examples/Docker/data/certbot/live/certbot/cert.pem
+
+
+ - name: "[ * ] collecting test logs"
+ if: ${{ failure() }}
+ run: |
+ docker logs acme2certifier_acme-srv_1
+ docker exec mariadbsrv mysqldump -u root --password=foobar acme2certifier > /tmp/acme2certifer.sql
+ mkdir -p ${{ github.workspace }}/artifact/upload
+ sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
+ sudo cp /tmp/acme2certifer.sql ${{ github.workspace }}/artifact/data/
+ cd examples/Docker
+ docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
+ sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz
docker-compose.log data
+ - name: "[ * ] uploading artificates"
+ uses: actions/upload-artifact@v2
+ if: ${{ failure() }}
+ with:
+ name: nginx-django-mig.tar.gz
+ path: ${{ github.workspace }}/artifact/upload/
diff --git a/.github/workflows/dns-test.yml b/.github/workflows/dns-test.yml
new file mode 100644
index 00000000..3e07f4b9
--- /dev/null
+++ b/.github/workflows/dns-test.yml
@@ -0,0 +1,118 @@
+name: DNS-01 challenge tests
+
+on:
+ push:
+ pull_request:
+ branches: [ devel ]
+ schedule:
+ # * is a special character in YAML so you have to quote this string
+ - cron: '0 2 * * 6'
+
+jobs:
+ dns_challenge_tests:
+ name: "dns_challenge_tests"
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ keylength: [2048]
+ acme-sh-version: [2.8.8, latest]
+ steps:
+ - name: "checkout GIT"
+ uses: actions/checkout@v2
+
+ - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
+ working-directory: examples/Docker/
+ run: |
+ sudo mkdir -p data
+ docker network create acme
+ docker-compose up -d
+ docker-compose logs
+ - name: "Test http://acme-srv/directory is accessable"
+ run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+
+ - name: "[ PREPARE ] setup openssl ca_handler"
+ run: |
+ sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py
+ sudo mkdir -p examples/Docker/data/acme_ca/certs
+ sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/
+ sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler_dns.cfg examples/Docker/data/acme_srv.cfg
+ sudo chmod 777 examples/Docker/data/acme_srv.cfg
+ cd examples/Docker/
+ docker-compose restart
+ docker-compose logs
+ - name: "Test http://acme-srv/directory is accessable again"
+ run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+
+ - name: "[ PREPARE ] prepare acme.sh container"
+ run: |
+ docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:${{ matrix.acme-sh-version }} daemon
+ sudo cp .github/dns_test.sh acme-sh/
+ docker exec -i acme-sh apk add dnsmasq
+ docker exec -i acme-sh dnsmasq
+ docker exec -i acme-sh mv /acme.sh/dns_test.sh /root/.acme.sh/dnsapi/
+ docker exec -i acme-sh chmod +x /root/.acme.sh/dnsapi/dns_test.sh
+
+ - name: "[ PREPARE ] set DNS server"
+
run: |
+ cd examples/Docker/
+ docker-compose stop
+ docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh
+ sudo sed -i "s/DNS-IP/$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh)/g" data/acme_srv.cfg
+ docker-compose start
+ docker-compose logs
+
+ - name: "[ ENROLL ] acme.sh - single domain"
+ run: |
+ docker exec -i acme-sh acme.sh --dnssleep 10 --server http://acme-srv --accountemail 'acme-sh@example.com' --issue --dns dns_test -d acme-sh.single --standalone --debug 3 --output-insecure --force
+ openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.single/acme-sh.single.cer
+
+ - name: "[ ENROLL ] acme.sh - two domains"
+ run: |
+ docker exec -i acme-sh acme.sh --dnssleep 10 --server http://acme-srv --accountemail 'acme-sh@example.com' --issue --dns dns_test -d acme-sh.first --dns dns_test -d acme-sh.second --standalone --debug 3 --output-insecure --force
+ openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.first/acme-sh.first.cer
+
+ - name: "[ ENROLL ] acme.sh - single wildcard domain"
+ run: |
+ docker exec -i acme-sh acme.sh --dnssleep 10 --server http://acme-srv --accountemail 'acme-sh@example.com' --issue --dns dns_test -d *.acme-sh.wildcard --standalone --debug 3 --output-insecure --force
+ openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/*acme-sh.wildcard/*acme-sh.wildcard.cer
+
+ - name: "[ ENROLL ] acme.sh - double wildcard domain"
+ run: |
+ docker exec -i acme-sh acme.sh --dnssleep 10 --server http://acme-srv --accountemail 'acme-sh@example.com' --issue --dns dns_test -d *.acme-sh.first-wildcard --dns dns_test -d *.acme-sh.second-wildcard --standalone --debug 3 --output-insecure --force
+ openssl verify -CAfile
examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/*.acme-sh.first-wildcard/*.acme-sh.first-wildcard.cer
+
+ - name: "[ ENROLL ] acme.sh - domain and wildcard domain"
+ run: |
+ docker exec -i acme-sh acme.sh --dnssleep 10 --server http://acme-srv --accountemail 'acme-sh@example.com' --issue --dns dns_test -d acme-sh.fqdn-wildcard --dns dns_test -d *.acme-sh.fqdn-wildcard --standalone --debug 3 --output-insecure --force
+ openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.fqdn-wildcard/acme-sh.fqdn-wildcard.cer
+
+ - name: "[ Test ] check TXT record exists"
+ if: ${{ failure() }}
+ run: |
+ docker exec -i acme-sh ps -a
+ docker exec -i acme-sh netstat -anu
+ cd examples/Docker/
+ docker-compose logs
+ dig -t TXT _acme-challenge.acme-sh.single @$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh)
+ dig -t TXT _acme-challenge.acme-sh.first @$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh)
+ dig -t TXT _acme-challenge.acme-sh.second @$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh)
+ dig -t TXT _acme-challenge.acme-sh.wildcard @$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh)
+ dig -t TXT _acme-challenge.acme-sh.first-wildcard @$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh)
+ dig -t TXT _acme-challenge.acme-sh.second-wildcard @$(docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' acme-sh)
+
+ - name: "[ * ] collecting test logs"
+ if: ${{ failure() }}
+ run: |
+ mkdir -p ${{ github.workspace }}/artifact/upload
+ sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
+ cd examples/Docker
+ docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
+ sudo tar -C ${{ github.workspace
}}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data
+
+ - name: "[ * ] uploading artificates"
+ uses: actions/upload-artifact@v2
+ if: ${{ failure() }}
+ with:
+ name: eab-${{ matrix.keylength }}.tar.gz
+ path: ${{ github.workspace }}/artifact/upload/
diff --git a/.github/workflows/eab-test.yml b/.github/workflows/eab-test.yml
new file mode 100644
index 00000000..08e3f257
--- /dev/null
+++ b/.github/workflows/eab-test.yml
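Review bot: The wildcard identifiers in the three wildcard `[ ENROLL ]` steps are handed to bash unquoted (`-d *.acme-sh.wildcard`, `-d *.acme-sh.first-wildcard`, `-d *.acme-sh.second-wildcard`, `-d *.acme-sh.fqdn-wildcard`), so the shell globs them against the runner's working directory before `docker exec` ever sees them; the steps only pass because nothing in the checkout matches, and a stray file would silently change the requested SAN. Quote each one, e.g. `-d '*.acme-sh.wildcard'`, and write the `openssl verify` path the same way in every step (the single-wildcard step uses `acme-sh/*acme-sh.wildcard/*acme-sh.wildcard.cer` while the double-wildcard step uses `acme-sh/*.acme-sh.first-wildcard/…`). The upload step names the artifact `eab-${{ matrix.keylength }}.tar.gz` in a DNS-01 workflow, which looks copied from the EAB workflow, and because `keylength` has a single value both `acme-sh-version` matrix runs produce the same artifact name; something like `dns-${{ matrix.keylength }}-${{ matrix.acme-sh-version }}.tar.gz` keeps the two runs apart. As a supply-chain point that also applies to eab-test.yml, enrollment-timeout.yml and hooks-test.yml, `actions/checkout@v2`, `actions/upload-artifact@v2` and `neilpang/acme.sh:latest` are mutable tags; pinning the actions to a commit SHA and the image to a digest makes the CI inputs reproducible.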
@@ -0,0 +1,130 @@
+name: EAB Tests
+
+on:
+ push:
+ pull_request:
+ branches: [ devel ]
+ schedule:
+ # * is a special character in YAML so you have to quote this string
+ - cron: '0 2 * * 6'
+
+jobs:
+ eab_apache2_wsgi:
+ name: "eab_apache2_wsgi"
+ runs-on: ubuntu-latest
+ steps:
+ - name: "checkout GIT"
+ uses: actions/checkout@v2
+
+ - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
+ working-directory: examples/Docker/
+ run: |
+ sudo mkdir -p data
+ docker network create acme
+ docker-compose up -d
+ docker-compose logs
+
+ - name: "Test http://acme-srv/directory is accessable"
+ run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+
+ - name: "[ PREPARE ] setup openssl ca_handler"
+ run: |
+ sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py
+ sudo mkdir -p examples/Docker/data/acme_ca/certs
+ sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/
+ sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
+ sudo chmod 777 examples/Docker/data/acme_srv.cfg
+ sudo echo -e "\n\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/json_handler.py" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "key_file: examples/eab_handler/key_file.json" >> examples/Docker/data/acme_srv.cfg
+ # sudo cat examples/Docker/data/acme_srv.cfg
+ cd examples/Docker/
+ docker-compose restart
+ docker-compose logs
+
+ - name: "Test http://acme-srv/directory is accessable again"
+ run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+
+ - name: "[ PREPARE ] create letsencrypt folder"
+ run: |
+ mkdir certbot
+
+ - name: "[ FAIL ] certbot without eab-credentials"
+ id: certbotfail
+ continue-on-error: true
+ run: |
+ docker run -i --rm --name certbot --network acme -v
$PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
+
+ - name: "[ CHECK ] certbot result "
+ if: steps.certbotfail.outcome != 'failure'
+ run: |
+ echo "certbot outcome is ${{steps.certbotfail.outcome }}"
+ exit 1
+
+ - name: "[ REGISTER] certbot"
+ run: |
+ docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email --eab-kid keyid_02 --eab-hmac-key=bWFjXzAy
+
+ - name: "[ ENROLL ] HTTP-01 single domain certbot"
+ run: |
+ docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
+ sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem
+
+ - name: "[ PREPARE ] prepare acme.sh container"
+ run: |
+ docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
+
+ - name: "[ FAIL] acme.sh"
+ id: acmeshfail
+ continue-on-error: true
+ run: |
+ docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug 3
+
+ - name: "[ CHECK ] acme.sh result "
+ if: steps.acmeshfail.outcome != 'failure'
+ run: |
+ echo "acmeshfail outcome is ${{steps.acmeshfail.outcome }}"
+ exit 1
+
+ - name: "[ REGISTER] acme.sh"
+ run: |
+ docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --eab-kid keyid_02 --eab-hmac-key bWFjXzAy --debug 3
+
+ - name: "[ ENROLL] acme.sh"
+ run: |
+ docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure
+ openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem
-untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
+
+ - name: "[ FAIL ] lego"
+ id: legofail
+ continue-on-error: true
+ run: |
+ mkdir lego
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
+
+ - name: "[ CHECK ] lego result "
+ if: steps.legofail.outcome != 'failure'
+ run: |
+ echo "legofail outcome is ${{steps.legofail.outcome }}"
+ exit 1
+
+ - name: "[ ENROLL ] lego"
+ run: |
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" --eab --kid keyid_02 --hmac bWFjXzAy -d lego.acme --http run
+ sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt
+
+ - name: "[ * ] collecting test logs"
+ if: ${{ failure() }}
+ run: |
+ mkdir -p ${{ github.workspace }}/artifact/upload
+ sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
+ cd examples/Docker
+ docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
+ sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data
+
+ - name: "[ * ] uploading artificates"
+ uses: actions/upload-artifact@v2
+ if: ${{ failure() }}
+ with:
+ name: eab-${{ matrix.keylength }}.tar.gz
+ path: ${{ github.workspace }}/artifact/upload/
diff --git a/.github/workflows/enrollment-timeout.yml b/.github/workflows/enrollment-timeout.yml
new file mode 100644
index 00000000..a3ffa93c
--- /dev/null
+++ b/.github/workflows/enrollment-timeout.yml
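Review bot: The upload step names the artifact `eab-${{ matrix.keylength }}.tar.gz`, but the `eab_apache2_wsgi` job declares no `strategy.matrix`, so the expression expands to empty and the artifact is uploaded as `eab-.tar.gz`; a fixed name such as `name: eab-apache2-wsgi.tar.gz` is what this job can actually support. In the `[ PREPARE ] setup openssl ca_handler` step, `sudo echo -e "\n\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg` and the two lines after it apply `sudo` to `echo` only, so the `>>` append runs as the runner user and succeeds only because of the preceding `chmod 777`; `echo "key_file: examples/eab_handler/key_file.json" | sudo tee -a examples/Docker/data/acme_srv.cfg >/dev/null` removes that dependency on a world-writable config. The three negative tests (`[ FAIL ] certbot without eab-credentials`, `[ FAIL] acme.sh`, `[ FAIL ] lego`) only assert that the client exited non-zero, so an unrelated failure such as the server not answering would satisfy the `[ CHECK ]` steps just as well; capturing the client output and grepping for the EAB-specific rejection (the ACME `externalAccountRequired` error type, if that is what acme2certifier returns here) would pin the reason the registration was refused.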
@@ -0,0 +1,110 @@
+name: Asynchronous enrollment and certificate reusage
+
+on:
+ push:
+ pull_request:
+ branches: [ devel ]
+ schedule:
+ # * is a special character in YAML so you have to quote this string
+ - cron: '0 2 * * 6'
+
+jobs:
+ async_enrollment_cert_reusage:
+ name: "Async_enrollment_cert_reusage"
+ runs-on: ubuntu-latest
+ steps:
+ - name: "checkout GIT"
+ uses: actions/checkout@v2
+
+ - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
+ working-directory: examples/Docker/
+ run: |
+ sudo mkdir -p data
+ docker network create acme
+ docker-compose up -d
+ docker-compose logs
+
+ - name: "Test http://acme-srv/directory is accessable"
+ run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+
+ - name: "[ PREPARE ] setup openssl ca_handler"
+ run: |
+ sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py
+ sudo chmod 777 examples/Docker/data/ca_handler.py
+ sudo sed -i "s/import uuid/import uuid\\nimport time/g" examples/Docker/data/ca_handler.py
+ sudo sed -i "s/ cert_raw = None/ cert_raw = None\\n time.sleep(30)/g" examples/Docker/data/ca_handler.py
+ sudo mkdir -p examples/Docker/data/acme_ca/certs
+ sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/
+ sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
+ sudo chmod 777 examples/Docker/data/acme_srv.cfg
+ sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\\ncert_reusage_timeframe: 300/g" examples/Docker/data/acme_srv.cfg
+ cd examples/Docker/
+ docker-compose restart
+ docker-compose logs
+
+ - name: "[ PREPARE ] prepare acme.sh container"
+ run: |
+ docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
+
+ - name: "[ ENROLL ] acme.sh"
+ run: |
+ docker exec -i acme-sh acme.sh --server http://acme-srv
--accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure
+ openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer
+
+ - name: "[ VERIFY ] Check timeout"
+ working-directory: examples/Docker/
+ run: |
+ docker-compose logs | grep "Certificate.enroll_and_store() ended with: None:timeout"
+ sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1)
+
+ - name: "[ ENROLL ] acme.sh"
+ run: |
+ docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force
+
+ - name: "[ VERIFY ] Check certificate reusage"
+ working-directory: examples/Docker/
+ run: |
+ docker-compose logs | grep "Certificate._enroll_and_store(): reuse existing certificate"
+
+ - name: "[ ENROL] lego"
+ run: |
+ mkdir lego
+ docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --cert.timeout 150 --http run
+
+ - name: "[ VERIFY ] Check timeout"
+ working-directory: examples/Docker/
+ run: |
+ docker-compose logs | grep "Certificate.enroll_and_store() ended with: None:timeout"
+ sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1)
+
+ - name: "[ REGISTER ] certbot"
+ run: |
+ docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email
+
+ - name: "[ ENROLL ] certbot"
+ run: |
+ docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
+
+ - name: "[ VERIFY ] Check timeout"
+ working-directory: examples/Docker/
+ run: |
+
docker-compose logs | grep "Certificate.enroll_and_store() ended with: None:timeout"
+ sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1)
+
+
+ - name: "[ * ] collecting test data"
+ if: ${{ failure() }}
+ run: |
+ mkdir -p ${{ github.workspace }}/artifact/upload
+ sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
+ sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
+ cd examples/Docker
+ docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
+ sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh
+
+ - name: "[ * ] uploading artifacts"
+ uses: actions/upload-artifact@v2
+ if: ${{ failure() }}
+ with:
+ name: timeout.tar.gz
+ path: ${{ github.workspace }}/artifact/upload/
diff --git a/.github/workflows/hooks-test.yml b/.github/workflows/hooks-test.yml
new file mode 100644
index 00000000..a56eeffd
--- /dev/null
+++ b/.github/workflows/hooks-test.yml
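Review bot: The first `[ ENROLL ] acme.sh` step verifies `acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer`, but `ECC` is never set in this job (no `env:` block and no matrix), so it expands to empty; drop the variable, `acme-sh/acme-sh.acme/acme-sh.acme.cer`, as the other workflows in this patch already do. The two `sudo sed -i` edits that inject `import time` and `time.sleep(30)` into `ca_handler.py`, and the one that adds `cert_reusage_timeframe: 300` to `acme_srv.cfg`, exit 0 even when their pattern is not found, so a refactor of the handler would surface much later as a confusing "timeout not found in logs" failure; a `grep -q "time.sleep(30)" examples/Docker/data/ca_handler.py` right after the sed turns that into a clear setup failure. Three steps share the name `[ VERIFY ] Check timeout` and two share `[ ENROLL ] acme.sh`, which makes the failing one hard to identify in the job log; suffixing them with the client (`acme.sh`, `lego`, `certbot`) fixes that, and `[ ENROL] lego` is a typo. The log truncation targets the container name `acme2certifier_acme-srv_1`, which appears to assume docker-compose v1 naming; if the runner moves to Compose v2 this name would presumably change, so resolving it via `docker-compose ps -q acme-srv` would be more robust.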
@@ -0,0 +1,267 @@
+name: Hooks Tests
+
+on:
+ push:
+ pull_request:
+ branches: [ devel ]
+ schedule:
+ # * is a special character in YAML so you have to quote this string
+ - cron: '0 2 * * 6'
+
+jobs:
+ hooks_test:
+ name: "hooks_test"
+ runs-on: ubuntu-latest
+ steps:
+ - name: "checkout GIT"
+ uses: actions/checkout@v2
+
+ - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
+ working-directory: examples/Docker/
+ run: |
+ sudo mkdir -p data/hooks
+ sudo chmod -R 777 data/hooks
+ docker network create acme
+ docker-compose up -d
+ docker-compose logs
+
+ - name: "Test http://acme-srv/directory is accessable"
+ run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+
+ - name: "[ PREPARE ] setup openssl ca_handler"
+ run: |
+ sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py
+ sudo mkdir -p examples/Docker/data/acme_ca/certs
+ sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/
+ sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
+ sudo chmod 777 examples/Docker/data/acme_srv.cfg
+ sudo echo -e "\n\n[Hooks]" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "hooks_file: /var/www/acme2certifier/examples/hooks/cn_dump_hooks.py" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "save_path: volume/hooks" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "$HOOKS_CHECKSUM" > examples/Docker/data/hooks/checksums.sha256
+ # sudo cat examples/Docker/data/acme_srv.cfg
+ cd examples/Docker/
+ docker-compose restart
+ docker-compose logs
+ env:
+ HOOKS_CHECKSUM: ${{ secrets.HOOKS_CHECKSUM }}
+
+ - name: "Test http://acme-srv/directory is accessable again"
+ run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+
+ - name: "[ PREPARE ] create letsencrypt folder"
+ run: |
+ mkdir certbot
+
+ - name: "[ REGISTER] certbot"
+ run: |
+ docker run -i --rm 
--name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email + + - name: "[ ENROLL ] HTTP-01 single domain certbot" + run: | + docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem + + - name: "[ PREPARE ] prepare acme.sh container" + run: | + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + + - name: "[ REGISTER] acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug 3 + + - name: "[ ENROLL] acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure + openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer + + - name: "[ ENROLL ] lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt + + - name: "[ CHECK ] compare checksums to validate hook file content" + working-directory: examples/Docker/data/hooks + run: | + sha256sum -c checksums.sha256 + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + cd 
examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: hooks.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + hooks_exception_handling: + name: "hooks_exception_handling" + runs-on: ubuntu-latest + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + + - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" + working-directory: examples/Docker/ + run: | + sudo mkdir -p data/hooks + sudo chmod -R 777 data/hooks + docker network create acme + docker-compose up -d + docker-compose logs + + - name: "Test http://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ PREPARE ] setup openssl ca_handler" + run: | + sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py + sudo mkdir -p examples/Docker/data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + sudo chmod 777 examples/Docker/data/acme_srv.cfg + sudo echo -e "\n\n[Hooks]" >> examples/Docker/data/acme_srv.cfg + sudo echo "hooks_file: /var/www/acme2certifier/examples/hooks/exception_test_hooks.py" >> examples/Docker/data/acme_srv.cfg + sudo echo "raise_pre_hook_exception: False" >> examples/Docker/data/acme_srv.cfg + sudo echo "raise_post_hook_exception: False" >> examples/Docker/data/acme_srv.cfg + sudo echo "raise_success_hook_exception: False" >> examples/Docker/data/acme_srv.cfg + # sudo cat examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + docker-compose restart + docker-compose logs + env: + 
HOOKS_CHECKSUM: ${{ secrets.HOOKS_CHECKSUM }} + + - name: "Test http://acme-srv/directory is accessable again" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ PREPARE ] prepare acme.sh container" + run: | + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + + - name: "[ REGISTER] acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug 3 + + - name: "[ ENROLL] acme.sh - *_pre_hook_failure not configured " + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure + openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer + + - name: "[ PREPARE ] reconfigure hook handler to trigger pre hook exception " + run: | + sudo sed -i "s/raise_pre_hook_exception: False/raise_pre_hook_exception: True/g" examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) + docker-compose restart + + - name: "[ FAIL ] acme.sh enrollment fails due to pre-hook exception (default behaviour)" + id: prehookfailure + continue-on-error: true + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure + + - name: "[ CHECK ] result - acme.sh enrollment failed due to pre-hook exception " + if: steps.prehookfailure.outcome != 'failure' + run: | + echo "prehookfailure outcome is ${{steps.prehookfailure.outcome }}" + exit 1 + + - name: "[ PREPARE ] reconfigure a2c to ignore pre-hook failures " + run: | + sudo echo "ignore_pre_hook_failure: True" >> examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' 
acme2certifier_acme-srv_1) + docker-compose restart + + - name: "[ ENROLL] acme.sh - ignore pre_hook_failures " + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure + openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer + + - name: "[ PREPARE ] reconfigure hook handler to trigger success hook exception " + run: | + sudo sed -i "s/raise_pre_hook_exception: True/raise_pre_hook_exception: False/g" examples/Docker/data/acme_srv.cfg + sudo sed -i "s/raise_success_hook_exception: False/raise_success_hook_exception: True/g" examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) + docker-compose restart + + - name: "[ FAIL ] acme.sh enrollment fails due to success-hook exception (default behaviour) " + id: successhookfailure + continue-on-error: true + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure + + - name: "[ CHECK ] result - acme.sh enrollment failed due to success-hook exception " + if: steps.successhookfailure.outcome != 'failure' + run: | + echo "successhookfailure outcome is ${{steps.successhookfailure.outcome }}" + exit 1 + + - name: "[ PREPARE ] reconfigure a2c to ignore success-hook failures " + run: | + sudo sed -i "s/ignore_pre_hook_failure: True/ignore_success_hook_failure: True/g" examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) + docker-compose restart + + - name: "[ ENROLL] acme.sh - ignore sucess_hook_failures " + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure + openssl verify -CAfile 
examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer + + - name: "[ PREPARE ] reconfigure hook handler to trigger post hook exception " + run: | + sudo sed -i "s/raise_success_hook_exception: True/raise_success_hook_exception: False/g" examples/Docker/data/acme_srv.cfg + sudo sed -i "s/raise_post_hook_exception: False/raise_post_hook_exception: True/g" examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) + docker-compose restart + + - name: "[ ENROLL] acme.sh - ignore post_hook_failures (default behaviour) " + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure + openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer + + - name: "[ PREPARE ] reconfigure a2c to detect success-hook failures " + run: | + sudo sed -i "s/ignore_success_hook_failure: True/ignore_post_hook_failure: False/g" examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + sudo truncate -s 0 $(docker inspect --format='{{.LogPath}}' acme2certifier_acme-srv_1) + docker-compose restart + + - name: "[ FAIL ] acme.sh enrollment fails due to post-hook exception " + id: posthookfailure + continue-on-error: true + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --force --debug 3 --output-insecure + + - name: "[ CHECK ] result - acme.sh enrollment failed due to post-hook exception " + if: steps.posthookfailure.outcome != 'failure' + run: | + echo "posthookfailure outcome is ${{steps.posthookfailure.outcome }}" + exit 1 + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ 
github.workspace }}/artifact/data/
+ cd examples/Docker
+ docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
+ sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data
+
+ - name: "[ * ] uploading artificates"
+ uses: actions/upload-artifact@v2
+ if: ${{ failure() }}
+ with:
+ name: hooks_exception_handling.tar.gz
+ path: ${{ github.workspace }}/artifact/upload/
diff --git a/.github/workflows/ipv6-test.yml b/.github/workflows/ipv6-test.yml
new file mode 100644
index 00000000..55a1a702
--- /dev/null
+++ b/.github/workflows/ipv6-test.yml
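Review bot: In the `[ PREPARE ] setup openssl ca_handler` step of both jobs, `sudo echo "hooks_file: ..." >> examples/Docker/data/acme_srv.cfg` elevates only `echo` while the `>>` redirection runs as the runner user, which is exactly why `sudo chmod 777 examples/Docker/data/acme_srv.cfg` and `sudo chmod -R 777 data/hooks` have to come first — leaving a world-writable config whose `hooks_file` key names the Python file the server loads as hooks. `echo "hooks_file: /var/www/acme2certifier/examples/hooks/cn_dump_hooks.py" | sudo tee -a examples/Docker/data/acme_srv.cfg` appends with the file's original mode and lets both chmod lines go (same with `sudo tee` for the `$HOOKS_CHECKSUM` write, where `>` currently has the same problem). The `hooks_exception_handling` job declares `HOOKS_CHECKSUM` on its setup step but never reads it, so that `env:` block is a copy-paste leftover. When `secrets.HOOKS_CHECKSUM` is unavailable, as it presumably is on pull requests from forks, `checksums.sha256` is written as a blank line and `sha256sum -c checksums.sha256` in `hooks_test` fails for a reason unrelated to the hooks, so the setup step should fail early with a clear message when the variable is empty. The step named `[ PREPARE ] reconfigure a2c to detect success-hook failures` actually flips `ignore_post_hook_failure`, so its name should say post-hook.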
@@ -0,0 +1,207 @@
+name: ipv6-test
+
+on:
+ push:
+ pull_request:
+ branches: [ devel ]
+
+jobs:
+ ipv6_apache2_wsgi:
+ name: "ipv6_apache2_wsgi"
+ runs-on: ubuntu-latest
+ steps:
+ - name: "checkout GIT"
+ uses: actions/checkout@v2
+ - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
+ working-directory: examples/Docker/
+ run: |
+ sudo mkdir -p data
+ docker network create acme --ipv6 --subnet "fdbb:6445:65b4:0a60::/64"
+ docker-compose up -d
+ docker-compose logs
+ - name: "Test http://acme-srv/directory is accessable"
+ run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+ - name: "[ PREPARE ] setup openssl ca_handler"
+ run: |
+ sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py
+ sudo mkdir -p examples/Docker/data/acme_ca/certs
+ sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/
+ sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
+ cd examples/Docker/
+ docker-compose restart
+ docker-compose logs
+ - name: "[ PREPARE ] prepare acme.sh container"
+ run: |
+ docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
+ - name: "[ ENROLL ] HTTP-01 single domain acme.sh using ipv6"
+ run: |
+ docker exec -i acme-sh acme.sh --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --listen-v6 --debug 3 --output-insecure
+ openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer
+ - name: "[ ENROLL ] HTTP-01 single domain acme.sh using ipv6 with ipv4 fallback"
+ run: |
+ docker exec -i acme-sh acme.sh --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --listen-v4 --debug 3 
--output-insecure --force + openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: lego_key-${{ matrix.keylength }}.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + ipv6_nginx_wsgi: + name: "ipv6_nginx_wsgi" + runs-on: ubuntu-latest + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + - name: "[ PREPARE ] Build docker-compose (nginx_wsgi)" + working-directory: examples/Docker/ + run: | + sed -i "s/apache2/nginx/g" .env + sudo mkdir -p data + docker network create acme --ipv6 --subnet "fdbb:6445:65b4:0a60::/64" + docker-compose up -d + docker-compose logs + - name: "[ PREPARE ] setup openssl ca_handler" + run: | + sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py + sudo mkdir -p examples/Docker/data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + docker-compose restart + docker-compose logs + - name: "[ PREPARE ] prepare acme.sh container" + run: | + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + - name: "[ ENROLL ] HTTP-01 single domain acme.sh using ipv6" + run: | + docker exec 
-i acme-sh acme.sh --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --listen-v6 --debug 3 --output-insecure + openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer + - name: "[ ENROLL ] HTTP-01 single domain acme.sh using ipv6 with ipv4 fallback" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --listen-v4 --debug 3 --output-insecure --force + openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: lego_key-${{ matrix.keylength }}.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + ipv6_apache2_django: + name: "ipv6_apache2_django" + runs-on: ubuntu-latest + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + - name: "[ PREPARE ] Build docker-compose (apache2_django)" + working-directory: examples/Docker/ + run: | + sed -i "s/wsgi/django/g" .env + sudo mkdir -p data + docker network create acme --ipv6 --subnet "fdbb:6445:65b4:0a60::/64" + docker-compose up -d + docker-compose logs + - name: "[ PREPARE ] setup openssl ca_handler" + run: | + sudo cp examples/ca_handler/openssl_ca_handler.py 
examples/Docker/data/ca_handler.py + sudo mkdir -p examples/Docker/data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + sudo cp .github/django_settings.py examples/Docker/data/settings.py + cd examples/Docker/ + docker-compose restart + docker-compose logs + - name: "[ PREPARE ] prepare acme.sh container" + run: | + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + - name: "[ ENROLL ] HTTP-01 single domain acme.sh using ipv6" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --listen-v6 --debug 3 --output-insecure + openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer + - name: "[ ENROLL ] HTTP-01 single domain acme.sh using ipv6 with ipv4 fallback" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --listen-v4 --debug 3 --output-insecure --force + openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data + - name: "[ * ] uploading artificates" + 
uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: lego_key-${{ matrix.keylength }}.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + ipv6_nginx_django: + name: "ipv6_nginx_django" + runs-on: ubuntu-latest + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + - name: "[ PREPARE ] Build docker-compose (nginx_django)" + working-directory: examples/Docker/ + run: | + sed -i "s/wsgi/django/g" .env + sed -i "s/apache2/nginx/g" .env + sudo mkdir -p data + docker network create acme --ipv6 --subnet "fdbb:6445:65b4:0a60::/64" + docker-compose up -d + docker-compose logs + - name: "[ PREPARE ] setup openssl ca_handler" + run: | + sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py + sudo mkdir -p examples/Docker/data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + sudo cp .github/django_settings.py examples/Docker/data/settings.py + cd examples/Docker/ + docker-compose restart + docker-compose logs + - name: "[ PREPARE ] prepare acme.sh container" + run: | + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + - name: "[ ENROLL ] HTTP-01 single domain acme.sh using ipv6" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --listen-v6 --debug 3 --output-insecure + openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer + - name: "[ ENROLL ] HTTP-01 single domain acme.sh using ipv6 with ipv4 fallback" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --keylength 2048 --accountemail 'acme-sh@example.com' --issue 
-d acme-sh.acme --standalone --listen-v4 --debug 3 --output-insecure --force
+ openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer
+ - name: "[ * ] collecting test logs"
+ if: ${{ failure() }}
+ run: |
+ mkdir -p ${{ github.workspace }}/artifact/upload
+ sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
+ cd examples/Docker
+ docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
+ sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data
+ - name: "[ * ] uploading artificates"
+ uses: actions/upload-artifact@v2
+ if: ${{ failure() }}
+ with:
+ name: lego_key-${{ matrix.keylength }}.tar.gz
+ path: ${{ github.workspace }}/artifact/upload/
diff --git a/.github/workflows/lego-application-test.yml b/.github/workflows/lego-application-test.yml
new file mode 100644
index 00000000..63246588
--- /dev/null
+++ b/.github/workflows/lego-application-test.yml
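Review bot: `name: lego_key-${{ matrix.keylength }}.tar.gz` in the upload step of all four jobs refers to a matrix that none of these jobs defines, so the expression expands to empty and every job uploads an artifact named `lego_key-.tar.gz` — a copy-paste from the lego workflow; naming it after the job, e.g. `name: ipv6_apache2_wsgi.tar.gz`, keeps the four uploads distinct. Likewise `${ECC}` in the `openssl verify` path `acme-sh/acme-sh.acme${ECC}/acme-sh.acme.cer` is never set in this workflow and presumably only works because it expands to nothing for the 2048-bit RSA key requested; `acme-sh/acme-sh.acme/acme-sh.acme.cer` says what is meant. Only `ipv6_apache2_wsgi` keeps the `Test http://acme-srv/directory is accessable` probe after `docker-compose up`; the other three jobs go straight to the ca_handler setup, so a container that is not yet listening fails later and less legibly. Both enrol steps verify the issued chain, but nothing confirms the HTTP-01 validation actually travelled over IPv6 (`--listen-v6` only selects the bind family of acme.sh's standalone listener), so if that is the property under test, checking `docker-compose logs` in the same step for a client address from `fdbb:6445:65b4:0a60::/64` would pin it down. Actions are referenced by mutable tags (`actions/checkout@v2`, `actions/upload-artifact@v2`) here as in the other workflows of this patch; pinning third-party actions to a full commit SHA is the usual supply-chain hardening.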
@@ -0,0 +1,356 @@ +name: Application Tests - lego + +on: + push: + pull_request: + branches: [ devel ] + schedule: + # * is a special character in YAML so you have to quote this string + - cron: '0 2 * * 6' + +jobs: + + lego_apache2_wsgi: + name: "lego_apache2_wsgi" + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + keylength: [rsa2048, rsa4096, ec256] + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + + - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" + working-directory: examples/Docker/ + run: | + sudo mkdir -p data + docker network create acme + docker-compose up -d + docker-compose logs + + - name: "Test http://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ PREPARE ] setup openssl ca_handler" + run: | + sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py + sudo mkdir -p examples/Docker/data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + docker-compose restart + docker-compose logs + + - name: "create lego folder" + run: | + mkdir lego + + - name: "[ ENROLL ] HTTP-01 single domain lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme --http run + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt + + - name: "[ RENEW ] HTTP-01 single domain lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme 
--http renew + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt + + - name: "[ REVOKE ] HTTP-01 single domain lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme revoke + + - name: "[ ENROLL ] HTTP-01 2x domain lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme -d lego --http run + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt + + - name: "[ RENEW ] HTTP-01 2x domain lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme -d lego --http renew + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt + + - name: "[ REVOKE ] HTTP-01 2x domain lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme revoke + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data lego + + 
- name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: lego_key-${{ matrix.keylength }}.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + lego_apache2_django: + name: "lego_apache2_django" + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + keylength: [rsa2048, rsa4096, ec256] + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + + - name: "[ PREPARE ] Build docker-compose (apache2_django)" + working-directory: examples/Docker/ + run: | + sed -i "s/wsgi/django/g" .env + sudo mkdir -p data + docker network create acme + docker-compose up -d + docker-compose logs + + - name: "[ WAIT ] Sleep for 10s" + uses: juliangruber/sleep-action@v1 + with: + time: 10s + + - name: "Test http://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ PREPARE ] setup openssl ca_handler and django config" + run: | + sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py + sudo mkdir -p examples/Docker/data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + sudo cp .github/django_settings.py examples/Docker/data/settings.py + cd examples/Docker/ + docker-compose restart + docker-compose logs + + - name: "create lego folder" + run: | + mkdir lego + + - name: "[ ENROLL ] HTTP-01 single domain lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme --http run + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt + + - name: "[ RENEW ] HTTP-01 single 
domain lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme --http renew + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt + + - name: "[ REVOKE ] HTTP-01 single domain lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme revoke + + - name: "[ ENROLL ] HTTP-01 2x domain lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme -d lego --http run + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt + + - name: "[ RENEW ] HTTP-01 2x domain lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme -d lego --http renew + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt + + - name: "[ REVOKE ] HTTP-01 2x domain lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme revoke + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ + cd examples/Docker + docker-compose 
logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data lego + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: lego_key-${{ matrix.keylength }}.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + lego_nginx_wsgi: + name: "lego_nginx_wsgi" + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + keylength: [rsa2048, rsa4096, ec256] + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + + - name: "[ PREPARE ] Build docker-compose (nginx_django)" + working-directory: examples/Docker/ + run: | + sed -i "s/apache2/nginx/g" .env + sudo mkdir -p data + docker network create acme + docker-compose up -d + docker-compose logs + + - name: "[ WAIT ] Sleep for 10s" + uses: juliangruber/sleep-action@v1 + with: + time: 10s + + - name: "Test http://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ PREPARE ] setup openssl ca_handler" + run: | + sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py + sudo mkdir -p examples/Docker/data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + cd examples/Docker/ + docker-compose restart + docker-compose logs + + - name: "create lego folder" + run: | + mkdir lego + + - name: "[ ENROLL ] HTTP-01 single domain lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme --http run + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted 
examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt + + - name: "[ RENEW ] HTTP-01 single domain lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme --http renew + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt + + - name: "[ REVOKE ] HTTP-01 single domain lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme revoke + + - name: "[ ENROLL ] HTTP-01 2x domain lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme -d lego --http run + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt + + - name: "[ RENEW ] HTTP-01 2x domain lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme -d lego --http renew + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt + + - name: "[ REVOKE ] HTTP-01 2x domain lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme revoke + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace 
}}/artifact/data/ + sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data lego + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: lego_key-${{ matrix.keylength }}.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + lego_nginx_django: + name: "lego_nginx_django" + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + keylength: [rsa2048, rsa4096, ec256] + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + + - name: "[ PREPARE ] Build docker-compose (nginx_django)" + working-directory: examples/Docker/ + run: | + sed -i "s/wsgi/django/g" .env + sed -i "s/apache2/nginx/g" .env + sudo mkdir -p data + docker network create acme + docker-compose up -d + docker-compose logs + + - name: "[ WAIT ] Sleep for 10s" + uses: juliangruber/sleep-action@v1 + with: + time: 10s + + - name: "Test http://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ PREPARE ] setup openssl ca_handler and django config" + run: | + sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py + sudo mkdir -p examples/Docker/data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + sudo cp .github/django_settings.py examples/Docker/data/settings.py + cd examples/Docker/ + docker-compose restart + docker-compose logs + + - name: "create lego folder" + run: | + mkdir lego + + - name: "[ ENROLL ] HTTP-01 single domain lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm 
--name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme --http run + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt + + - name: "[ RENEW ] HTTP-01 single domain lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme --http renew + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt + + - name: "[ REVOKE ] HTTP-01 single domain lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme revoke + + - name: "[ ENROLL ] HTTP-01 2x domain lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme -d lego --http run + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt + + - name: "[ RENEW ] HTTP-01 2x domain lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ matrix.keylength }} --email "lego@example.com" -d lego.acme -d lego --http renew + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt + + - name: "[ REVOKE ] HTTP-01 2x domain lego" + run: | + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --key-type ${{ 
matrix.keylength }} --email "lego@example.com" -d lego.acme revoke
+
+ - name: "[ * ] collecting test logs"
+ if: ${{ failure() }}
+ run: |
+ mkdir -p ${{ github.workspace }}/artifact/upload
+ sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
+ sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
+ cd examples/Docker
+ docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
+ sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data lego
+
+ - name: "[ * ] uploading artificates"
+ uses: actions/upload-artifact@v2
+ if: ${{ failure() }}
+ with:
+ name: lego_key-${{ matrix.keylength }}.tar.gz
+ path: ${{ github.workspace }}/artifact/upload/
diff --git a/.github/workflows/markdown-check.yml b/.github/workflows/markdown-check.yml
new file mode 100644
index 00000000..3cb45b18
--- /dev/null
+++ b/.github/workflows/markdown-check.yml
@@ -0,0 +1,30 @@
+# workflow to run the acme2certifier unittest suite
+
+name: Markdown check
+
+on:
+ push:
+ pull_request:
+ branches: [ devel ]
+ schedule:
+ # * is a special character in YAML so you have to quote this string
+ - cron: '0 2 * * 6'
+
+jobs:
+ markdown-check:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@master
+ - uses: gaurav-nelson/github-action-markdown-link-check@v1
+ - name: Lint changelog file root
+ uses: avto-dev/markdown-lint@v1
+ with:
+ args: '*.md'
+ - name: Lint changelog file docs
+ uses: avto-dev/markdown-lint@v1
+ with:
+ args: './docs/*.md'
+ - name: Lint changelog file docker
+ uses: avto-dev/markdown-lint@v1
+ with:
+ args: './examples/Docker/*.md'
diff --git a/.github/workflows/ossar-analysis.yml b/.github/workflows/ossar-analysis.yml
new file mode 100644
index 00000000..f5d68f9a
--- /dev/null
+++ b/.github/workflows/ossar-analysis.yml
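Review bot: The header comment `# workflow to run the acme2certifier unittest suite` describes a different workflow; this file only runs a link checker and markdown-lint, so it should read `# workflow to lint markdown files and check their links`. The checkout uses a floating branch ref, `- uses: actions/checkout@master`, while every other workflow in this patch pins `actions/checkout@v2`; a mutable ref lets the step's content change without any review in this repository, so pin it to a release tag or a commit SHA, and do the same for the third-party `gaurav-nelson/github-action-markdown-link-check@v1` and `avto-dev/markdown-lint@v1`. Since no step writes back to the repository, a top-level `permissions:` block limited to `contents: read` would keep the job's `GITHUB_TOKEN` read-only for these third-party actions.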
@@ -0,0 +1,53 @@
+# This workflow integrates a collection of open source static analysis tools
+# with GitHub code scanning. For documentation, or to provide feedback, visit
+# https://github.com/github/ossar-action
+name: OSSAR
+
+on:
+ push:
+ branches: [ devel ]
+ pull_request:
+ branches: [ devel ]
+ schedule:
+ - cron: '0 2 * * 6'
+
+jobs:
+ OSSAR-Scan:
+ # OSSAR runs on windows-latest.
+ # ubuntu-latest and macos-latest support coming soon
+ runs-on: windows-latest
+
+ steps:
+ # Checkout your code repository to scan
+ - name: Checkout repository
+ uses: actions/checkout@v2
+ with:
+ # We must fetch at least the immediate parents so that if this is
+ # a pull request then we can checkout the head.
+ fetch-depth: 2
+
+ # If this run was triggered by a pull request event, then checkout
+ # the head of the pull request instead of the merge commit.
+ - run: git checkout HEAD^2
+ if: ${{ github.event_name == 'pull_request' }}
+
+ # Ensure a compatible version of dotnet is installed.
+ # The [Microsoft Security Code Analysis CLI](https://aka.ms/mscadocs) is built with dotnet v3.1.201.
+ # A version greater than or equal to v3.1.201 of dotnet must be installed on the agent in order to run this action.
+ # Remote agents already have a compatible version of dotnet installed and this step may be skipped.
+ # For local agents, ensure dotnet version 3.1.201 or later is installed by including this action:
+ # - name: Install .NET
+ # uses: actions/setup-dotnet@v1
+ # with:
+ # dotnet-version: '3.1.x'
+
+ # Run open source static analysis tools
+ - name: Run OSSAR
+ uses: github/ossar-action@v1
+ id: ossar
+
+ # Upload results to the Security tab
+ - name: Upload OSSAR results
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: ${{ steps.ossar.outputs.sarifFile }}
diff --git a/.github/workflows/phonito_security_scan.yml b/.github/workflows/phonito_security_scan.yml
new file mode 100644
index 00000000..5d6774c2
--- /dev/null
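Review bot: `uses: github/codeql-action/upload-sarif@v1` writes to the repository's code-scanning API, which needs `security-events: write` on the job token, but the workflow declares no `permissions:` block, so whether the upload succeeds depends on the repository's default token permissions rather than on anything visible in the file. A top-level `permissions:` block with `contents: read` and `security-events: write` makes the requirement explicit and removes every other scope from the token. The unnamed `- run: git checkout HEAD^2` step only works because of `fetch-depth: 2` in the checkout step above it; giving it a `name:` like the other steps keeps the job log readable when that coupling breaks.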
+++ b/.github/workflows/phonito_security_scan.yml 
@@ -0,0 +1,128 @@
+name: phonito security scans
+on:
+ # temporarily disable
+ push:
+ branches-ignore:
+ - '**'
+ #schedule:
+ # # * daily checks at 05:00am
+ # - cron: '0 5 * * *'
+jobs:
+
+ apache2_wsgi:
+ name: Scan acme2certifier:apache2-wsgi
+ runs-on: ubuntu-latest
+ steps:
+
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: "[ PREPARE ] setup openssl ca_handler"
+ run: |
+ docker network create acme
+ sudo mkdir -p examples/Docker/data
+ sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py
+ sudo mkdir -p examples/Docker/data/acme_ca/certs
+ sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/
+ sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
+
+ - name: "[ PREPARE ] apache2 django container"
+ run: |
+ docker run -d -p 80:80 --rm -id --network acme --name=acme-srv -v "$(pwd)/examples/Docker/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:apache2-wsgi
+
+ - name: "[ SCAN ] Phonito Security Scan"
+ uses: phonito/phonito-scanner-action@master
+ with:
+ image: grindsa/acme2certifier:apache2-wsgi
+ fail-level: MEDIUM
+ phonito-token: '${{ secrets.PHONITO_TOKEN }}'
+
+ apache2_django:
+ name: Scan acme2certifier:apache2-django
+ runs-on: ubuntu-latest
+ steps:
+
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: "[ PREPARE ] setup openssl ca_handler and django config"
+ run: |
+ docker network create acme
+ sudo mkdir -p examples/Docker/data
+ sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py
+ sudo mkdir -p examples/Docker/data/acme_ca/certs
+ sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/
+ sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
+ sudo cp .github/django_settings.py
examples/Docker/data/settings.py
+
+ - name: "[ PREPARE ] apache2 wsgi container"
+ run: |
+ docker run -d -p 80:80 --rm -id --network acme --name=acme-srv -v "$(pwd)/examples/Docker/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:apache2-django
+ docker exec acme-srv python3 /var/www/acme2certifier/tools/django_update.py
+ sudo chmod a+w examples/Docker/data/db.sqlite3
+
+ - name: "[ SCAN ] Phonito Security Scan"
+ uses: phonito/phonito-scanner-action@master
+ with:
+ image: grindsa/acme2certifier:apache2-django
+ fail-level: MEDIUM
+ phonito-token: '${{ secrets.PHONITO_TOKEN }}'
+
+ nginx_wsgi:
+ name: Scan acme2certifier:nginx-wsgi
+ runs-on: ubuntu-latest
+ steps:
+
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: "[ PREPARE ] setup openssl ca_handler"
+ run: |
+ docker network create acme
+ sudo mkdir -p examples/Docker/data
+ sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py
+ sudo mkdir -p examples/Docker/data/acme_ca/certs
+ sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/
+ sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
+
+ - name: "[ PREPARE ] nginx wsgi container"
+ run: |
+ docker run -d -p 80:80 --rm -id --network acme --name=acme-srv -v "$(pwd)/examples/Docker/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:nginx-wsgi
+
+ - name: "[ SCAN ] Phonito Security Scan"
+ uses: phonito/phonito-scanner-action@master
+ with:
+ image: grindsa/acme2certifier:nginx-wsgi
+ fail-level: MEDIUM
+ phonito-token: '${{ secrets.PHONITO_TOKEN }}'
+
+ nginx_django:
+ name: Scan acme2certifier:nginx-django
+ runs-on: ubuntu-latest
+ steps:
+
+ - name: Checkout code
+ uses: actions/checkout@v2
+
+ - name: "[ PREPARE ] setup openssl ca_handler and django config"
+ run: |
+ docker network create acme
+ sudo mkdir -p examples/Docker/data
+ sudo cp
examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py
+ sudo mkdir -p examples/Docker/data/acme_ca/certs
+ sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/
+ sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
+ sudo cp .github/django_settings.py examples/Docker/data/settings.py
+
+ - name: "[ PREPARE ] nginx django container"
+ run: |
+ docker run -d -p 80:80 --rm -id --network acme --name=acme-srv -v "$(pwd)/examples/Docker/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:nginx-django
+ # docker exec acme-srv python3 /var/www/acme2certifier/tools/django_update.py
+ # sudo chmod a+w examples/Docker/data/db.sqlite3
+
+ - name: "[ SCAN ] Phonito Security Scan"
+ uses: phonito/phonito-scanner-action@master
+ with:
+ image: grindsa/acme2certifier:nginx-django
+ fail-level: MEDIUM
+ phonito-token: '${{ secrets.PHONITO_TOKEN }}'
diff --git a/.github/workflows/proxy-test.yml b/.github/workflows/proxy-test.yml
new file mode 100644
index 00000000..f5590bf9
--- /dev/null
+++ b/.github/workflows/proxy-test.yml
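Review bot: In the `apache2_wsgi` job the container step is named `[ PREPARE ] apache2 django container` but starts `grindsa/acme2certifier:apache2-wsgi`, and in the `apache2_django` job the step named `[ PREPARE ] apache2 wsgi container` starts the `apache2-django` image; the two names are swapped and should read `[ PREPARE ] apache2 wsgi container` and `[ PREPARE ] apache2 django container` respectively. Every scan step hands `phonito-token: '${{ secrets.PHONITO_TOKEN }}'` to `phonito/phonito-scanner-action@master`, a third-party action on a mutable branch ref, so whatever is pushed to that branch receives the token on the next scheduled run; pin it to a commit SHA. The container started in each `[ PREPARE ]` step is never referenced again in the job, and the scan step takes only the image name; if the scanner does not need a running container, those steps and the `-p 80:80` publish on the runner can be dropped, which in the django job also removes the `sudo chmod a+w examples/Docker/data/db.sqlite3`.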
@@ -0,0 +1,258 @@
+name: Proxy tests
+
+on:
+ push:
+ pull_request:
+ branches: [ devel ]
+ schedule:
+ # * is a special character in YAML so you have to quote this string
+ - cron: '0 2 * * 6'
+
+jobs:
+ proxy_tests:
+ name: "proxy_tests"
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ steps:
+
+ - name: "checkout GIT"
+ uses: actions/checkout@v2
+
+ - name: "[ PREPARE ] create network"
+ run: |
+ docker network create acme
+
+ - name: "[ PREPARE ] proxy container"
+ run: |
+ docker pull mosajjal/pproxy:latest
+ docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &
+
+ - name: "[ PREPARE ] Sleep for 10s"
+ uses: juliangruber/sleep-action@v1
+ with:
+ time: 10s
+
+ - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
+ working-directory: examples/Docker/
+ run: |
+ sudo mkdir -p data
+ docker-compose up -d
+ docker-compose logs
+
+ - name: "Test http://acme-srv/directory is accessable"
+ run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+
+ - name: "[ PREPARE ] setup openssl ca_handler"
+ run: |
+ sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py
+ sudo mkdir -p examples/Docker/data/acme_ca/certs
+ sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/
+ sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
+ sudo chmod 777 examples/Docker/data/acme_srv.cfg
+ sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"acme-sh.acme\$\": \"socks5:\/\/proxy.acme:8080\", \"acme-sh.\$\": \"http\:\/\/proxy.acme:8080\"}/g" examples/Docker/data/acme_srv.cfg
+ cd examples/Docker/
+ docker-compose restart
+ docker-compose logs
+
+ - name: "Test http://acme-srv/directory is accessable again"
+ run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+
+ - name: "[ PREPARE ] prepare acme.sh container"
+
run: |
+ docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
+
+ - name: "[ ENROLL ] acme.sh - http challenge validation"
+ run: |
+ docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme -d acme-sh. --standalone --debug 3 --output-insecure --force
+ openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
+
+ - name: "[ CHECK ] proxy logs"
+ run: |
+ docker logs proxy | grep socks5 | grep -- "->"
+ docker logs proxy | grep http | grep -- "->"
+ docker stop proxy
+ docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &
+
+ - name: "[ ENROLL ] acme.sh - alpn challenge validation"
+ run: |
+ docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn -d acme-sh. --alpn --standalone --debug 3 --output-insecure --force
+ openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
+
+ - name: "[ CHECK ] proxy logs"
+ run: |
+ docker logs proxy | grep socks5 | grep -- "->"
+ docker logs proxy | grep http | grep -- "->"
+ docker stop proxy
+ docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &
+
+ - name: "[ PREPARE ] setup certifier ca_handler for proxy usage"
+ run: |
+ sudo cp examples/ca_handler/certifier_ca_handler.py examples/Docker/data/ca_handler.py
+ sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
+ sudo chmod 777 examples/Docker/data/acme_srv.cfg
+ sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
+ sudo echo "api_host: ${{ secrets.NCM_API_HOST }}" >> examples/Docker/data/acme_srv.cfg
+
sudo echo "api_user: ${{ secrets.NCM_API_USER }}" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "api_password: ${{ secrets.NCM_API_PASSWORD }}" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "ca_name: ${{ secrets.NCM_CA_NAME }}" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "ca_bundle: ${{ secrets.NCM_CA_BUNDLE }}" >> examples/Docker/data/acme_srv.cfg
+ sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"ncm.nclm.eu\$\": \"socks5:\/\/proxy.acme:8080\"}/g" examples/Docker/data/acme_srv.cfg
+ cd examples/Docker/
+ docker-compose restart
+ docker-compose logs
+
+ - name: "[ ENROLL ] via certifier ca_handler"
+ run: |
+ docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force
+ # openssl verify -CAfile acme.sh/acme-sh.acme/ca.cer acme-sh/acme-sh.acme/acme-sh.acme.cer
+
+ - name: "[ REVOKE ] via certifier ca_handler"
+ run: |
+ docker exec -i acme-sh acme.sh --server http://acme-srv --revoke -d acme-sh.acme --standalone --debug 3 --output-insecure
+
+ - name: "[ CHECK ] proxy logs"
+ run: |
+ docker logs proxy | grep socks5 | grep -- "->"
+ docker stop proxy
+ docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &
+
+ - name: "[ PREPARE ] setup msca ca_handler for proxy usage"
+ run: |
+ sudo cp examples/ca_handler/mscertsrv_ca_handler.py examples/Docker/data/ca_handler.py
+ sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
+ sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
+ sudo chmod 777 examples/Docker/data/acme_srv.cfg
+ sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
+ sudo echo "host: ${{ secrets.MSCA_NAME }}" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "user: ${{ secrets.NCLM_API_USER }}" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "password: ${{
secrets.NCLM_API_PASSWORD }}" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "auth_method: ${{ secrets.MSCA_AUTHMETHOD }}" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "template: ${{ secrets.MSCA_TEMPLATE }}" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "ca_bundle: volume/ca_certs.pem" >> examples/Docker/data/acme_srv.cfg
+ sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"amazonaws.com\$\": \"socks5:\/\/proxy.acme:8080\"}/g" examples/Docker/data/acme_srv.cfg
+ cd examples/Docker/
+ docker-compose restart
+ docker-compose logs
+
+ - name: "[ ENROLL ] via msca ca_handler"
+ run: |
+ docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force
+ # openssl verify -CAfile acme.sh/acme-sh.acme/ca.cer acme-sh/acme-sh.acme/acme-sh.acme.cer
+
+ - name: "[ CHECK ] proxy logs"
+ run: |
+ docker logs proxy | grep socks5 | grep -- "->"
+ docker stop proxy
+ docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &
+
+ - name: "[ PREPARE ] patch est_ca handler for testrfc7030.com"
+ run: |
+ sudo apt-get install curl openssl patch
+ sudo cp examples/ca_handler/est_ca_handler.py examples/Docker/data/ca_handler.py
+ # sudo patch examples/Docker/data/ca_handler.py .github/est_handler.patch
+
+ - name: "[ PREPARE ] setup using http-basic-auth for proxy usage"
+ run: |
+ sudo mkdir -p examples/Docker/data/est
+ sudo chmod -R 777 examples/Docker/data/est
+ sudo touch $HOME/.rnd
+ sudo openssl ecparam -genkey -name prime256v1 -out examples/Docker/data/est/est_client_key.pem
+ sudo openssl req -new -key examples/Docker/data/est/est_client_key.pem -out /tmp/request.p10 -subj '/CN=acme2certifier'
+ sudo curl http://testrfc7030.com/dstcax3.pem --output /tmp/dstcax3.pem
+ sudo curl https://testrfc7030.com:8443/.well-known/est/cacerts -o /tmp/cacerts.p7 --cacert /tmp/dstcax3.pem
+ sudo openssl base64 -d -in /tmp/cacerts.p7 |
openssl pkcs7 -inform DER -outform PEM -print_certs -out examples/Docker/data/est/ca_bundle.pem
+ sudo curl https://testrfc7030.com:8443/.well-known/est/simpleenroll --anyauth -u estuser:estpwd -s -o /tmp/cert.p7 --cacert /tmp/dstcax3.pem --data-binary @/tmp/request.p10 -H "Content-Type: application/pkcs10" --dump-header /tmp/resp.hdr
+ sudo openssl base64 -d -in /tmp/cert.p7 | openssl pkcs7 -inform DER -outform PEM -print_certs -out examples/Docker/data/est/est_client_cert.pem
+ sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
+ sudo chmod 777 examples/Docker/data/acme_srv.cfg
+ sudo head -n -4 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
+ sudo echo "est_host: https://testrfc7030.com:8443" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "est_user: estuser" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "est_password: estpwd" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "ca_bundle: False" >> examples/Docker/data/acme_srv.cfg
+ sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"testrfc7030.com\$\": \"socks5:\/\/proxy.acme:8080\"}/g" examples/Docker/data/acme_srv.cfg
+ cd examples/Docker/
+ docker-compose restart
+ docker-compose logs
+
+ - name: "[ ENROLL ] via EST using http-basic-auth"
+ run: |
+ docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force
+
+ - name: "[ CHECK ] proxy logs"
+ run: |
+ docker logs proxy | grep socks5 | grep -- "->"
+ docker stop proxy
+ docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &
+
+ - name: "[ PREPARE ] setup using tls-client-auth"
+ run: |
+ sudo head -n -4 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
+ sudo echo "est_host: https://testrfc7030.com:9443" >> examples/Docker/data/acme_srv.cfg
+ sudo echo
"est_client_key: volume/est/est_client_key.pem" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "est_client_cert: volume/est/est_client_cert.pem" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "ca_bundle: False" >> examples/Docker/data/acme_srv.cfg
+ sudo sed -i "s/debug: True/debug: True\nproxy_server_list: {\"testrfc7030.com\$\": \"http:\/\/proxy.acme:8080\"}/g" examples/Docker/data/acme_srv.cfg
+ cd examples/Docker/
+ docker-compose restart
+ docker-compose logs
+
+ - name: "[ ENROLL ] via est using tls-client-auth"
+ run: |
+ docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force
+ # openssl verify -CAfile acme.sh/acme-sh.acme/ca.cer acme-sh/acme-sh.acme/acme-sh.acme.cer
+
+ - name: "[ CHECK ] proxy logs"
+ run: |
+ docker logs proxy | grep http | grep -- "->"
+ docker stop proxy
+ docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &
+
+ - name: "[ PREPARE ] setup nclm ca_handler for proxy usage"
+ run: |
+ sudo cp examples/ca_handler/nclm_ca_handler.py examples/Docker/data/ca_handler.py
+ sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
+ sudo chmod 777 examples/Docker/data/acme_srv.cfg
+ sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
+ sudo echo "api_host: ${{ secrets.NCLM_API_HOST }}" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "api_user: ${{ secrets.NCLM_API_USER }}" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "api_password: ${{ secrets.NCLM_API_PASSWORD }}" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "tsg_name: ${{ secrets.NCLM_TSG_NAME }}" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "ca_name: ${{ secrets.NCLM_CA_NAME }}" >> examples/Docker/data/acme_srv.cfg
+ sudo echo "ca_id_list: [${{ secrets.NCLM_CA_ID_LIST }}]" >> examples/Docker/data/acme_srv.cfg
+ sudo sed -i
"s/debug: True/debug: True\nproxy_server_list: {\"nclm.eu\$\": \"http:\/\/proxy.acme:8080\"}/g" examples/Docker/data/acme_srv.cfg
+ cd examples/Docker/
+ docker-compose restart
+ docker-compose logs
+
+ - name: "[ ENROLL ] via nclm ca_handler"
+ run: |
+ docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force
+ # openssl verify -CAfile acme.sh/acme-sh.acme/ca.cer acme-sh/acme-sh.acme/acme-sh.acme.cer
+
+ - name: "[ CHECK ] proxy logs"
+ run: |
+ docker logs proxy | grep http | grep -- "->"
+ docker stop proxy
+ docker run -d -it --name=proxy --network acme --rm -p 8080:8080 mosajjal/pproxy:latest -vv &
+
+ - name: "[ stop ] proxy container"
+ run: |
+ docker stop proxy
+
+ - name: "[ * ] collecting test logs"
+ if: ${{ failure() }}
+ run: |
+ mkdir -p ${{ github.workspace }}/artifact/upload
+ sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
+ cd examples/Docker
+ docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
+ sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data
+
+ - name: "[ * ] uploading artificates"
+ uses: actions/upload-artifact@v2
+ if: ${{ failure() }}
+ with:
+ name: proxy.tar.gz
+ path: ${{ github.workspace }}/artifact/upload/
diff --git a/.github/workflows/push_images_to_dockerhub.yml b/.github/workflows/push_images_to_dockerhub.yml
new file mode 100644
index 00000000..8ff3078c
--- /dev/null
+++ b/.github/workflows/push_images_to_dockerhub.yml
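Review bot: The `[ PREPARE ] setup certifier ca_handler for proxy usage` step (and the msca, EST and nclm variants after it) makes the server config world-writable with `sudo chmod 777 examples/Docker/data/acme_srv.cfg` and then appends credentials with lines such as `sudo echo "api_password: ${{ secrets.NCM_API_PASSWORD }}" >> examples/Docker/data/acme_srv.cfg`; the `>>` and `>` redirects are performed by the runner's shell, not by `sudo`, so the 777 mode is what makes those writes succeed, and each secret is spliced into the script text by expression expansion, where a value containing a quote or `$` breaks or alters the command. The `push_images_to_dockerhub.yml` hunk in this same patch already passes `GH_SBOM_TOKEN` through `env:`; the same pattern with `sudo tee -a` removes both the world-writable file and the expansion into shell syntax, as sketched below for the certifier step, and the preceding `sudo cp ... acme_srv.cfg` becomes redundant because `head -n -8` overwrites the file anyway. Separately, in `[ PREPARE ] setup using http-basic-auth for proxy usage` the trust anchor is fetched over plain HTTP, `sudo curl http://testrfc7030.com/dstcax3.pem --output /tmp/dstcax3.pem`, and then used as `--cacert` for the HTTPS EST calls, so their TLS verification is only as strong as that unauthenticated download; checking the PEM into `test/ca/` beside the other fixtures, or fetching it over HTTPS, fixes that. `mosajjal/pproxy:latest` is a floating tag for the proxy through which every enrollment in this job is routed, so pinning a digest would also make the run reproducible.
```yaml
      - name: "[ PREPARE ] setup certifier ca_handler for proxy usage"
        env:
          NCM_API_HOST: ${{ secrets.NCM_API_HOST }}
          NCM_API_USER: ${{ secrets.NCM_API_USER }}
          NCM_API_PASSWORD: ${{ secrets.NCM_API_PASSWORD }}
          NCM_CA_NAME: ${{ secrets.NCM_CA_NAME }}
          NCM_CA_BUNDLE: ${{ secrets.NCM_CA_BUNDLE }}
        run: |
          sudo cp examples/ca_handler/certifier_ca_handler.py examples/Docker/data/ca_handler.py
          head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg | sudo tee examples/Docker/data/acme_srv.cfg >/dev/null
          printf 'api_host: %s\napi_user: %s\napi_password: %s\nca_name: %s\nca_bundle: %s\n' \
            "$NCM_API_HOST" "$NCM_API_USER" "$NCM_API_PASSWORD" "$NCM_CA_NAME" "$NCM_CA_BUNDLE" \
            | sudo tee -a examples/Docker/data/acme_srv.cfg >/dev/null
          # … unchanged: proxy_server_list sed, docker-compose restart and logs …
```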
@@ -0,0 +1,319 @@ +name: Push images to dockerhub and ghcr.io +on: + push: + branches: + - "master" + schedule: + # * is a special character in YAML so you have to quote this string + - cron: '0 4 * * 6' +jobs: + + #update_docker_hub_description: + # runs-on: ubuntu-latest + # steps: + # - uses: actions/checkout@v2 + # - name: Docker Hub Description + # uses: peter-evans/dockerhub-description@v2 + # env: + # DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USER }} + # DOCKERHUB_PASSWORD: ${{ secrets.DOCKERHUB_PASSWORD }} + # DOCKERHUB_REPOSITORY: grindsa/acme2certifier + + + build_and_upload_images_to_hub: + name: Push images to dockerhub and github + runs-on: ubuntu-latest + steps: + - name: "Get current version" + uses: oprypin/find-latest-tag@v1 + with: + repository: ${{ github.repository }} # The repository to scan. + releases-only: true # We know that all relevant tags have a GitHub release for them. + id: acme2certifier_ver # The step ID to refer to later. + + - name: Checkout code + uses: actions/checkout@v2 + + - name: "Retrieve Version from version.py" + run: | + echo APP_NAME=$(echo ${{ github.repository }} | awk -F / '{print $2}') >> $GITHUB_ENV + echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV + + - run: echo "Repo is at version ${{ steps.acme2certifier_ver.outputs.tag }}" + - run: echo "APP tag is ${{ env.APP_NAME }}" + - run: echo "Latest tag is ${{ env.TAG_NAME }}" + + - name: "Create images" + run: | + cat examples/Docker/apache2/wsgi/Dockerfile | docker build -t grindsa/acme2certifier:apache2-wsgi -t grindsa/acme2certifier:${{ env.TAG_NAME }}-apache2-wsgi -t ghcr.io/grindsa/acme2certifier:apache2-wsgi -t ghcr.io/grindsa/acme2certifier:${{ env.TAG_NAME }}-apache2-wsgi -f - . 
--no-cache + cat examples/Docker/apache2/django/Dockerfile | docker build -t grindsa/acme2certifier:apache2-django -t grindsa/acme2certifier:${{ env.TAG_NAME }}-apache2-django -t ghcr.io/grindsa/acme2certifier:apache2-django -t ghcr.io/grindsa/acme2certifier:${{ env.TAG_NAME }}-apache2-django -f - . --no-cache + cat examples/Docker/nginx/wsgi/Dockerfile | docker build -t grindsa/acme2certifier:nginx-wsgi -t grindsa/acme2certifier:${{ env.TAG_NAME }}-nginx-wsgi -t ghcr.io/grindsa/acme2certifier:nginx-wsgi -t ghcr.io/grindsa/acme2certifier:${{ env.TAG_NAME }}-nginx-wsgi -f - . --no-cache + cat examples/Docker/nginx/django/Dockerfile | docker build -t grindsa/acme2certifier:nginx-django -t grindsa/acme2certifier:${{ env.TAG_NAME }}-nginx-django -t ghcr.io/grindsa/acme2certifier:nginx-django -t ghcr.io/grindsa/acme2certifier:${{ env.TAG_NAME }}-nginx-django -f - . --no-cache + + - name: "upload images to hub.docker.com" + run: | + docker login -u ${{ secrets.DOCKERHUB_USER }} -p ${{ secrets.DOCKERHUB_TOKEN }} + docker push -a grindsa/acme2certifier + + - name: "upload images to ghcr.io" + run: | + docker login ghcr.io -u ${{ secrets.GHCR_USER }} -p ${{ secrets.GHCR_TOKEN }} + docker push -a ghcr.io/grindsa/acme2certifier + + - name: "Install syft" + run: | + sudo curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin + + - name: "Retrieve SBOM repo" + run: | + git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom + env: + GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }} + GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }} + + - name: "Generate SBOMs for a2c images " + run: | + mkdir -p /tmp/sbom/acme2certifier + syft grindsa/acme2certifier:apache2-wsgi > /tmp/sbom/acme2certifier/acme2certifier-apache2-wsgi_sbom.txt + syft grindsa/acme2certifier:apache2-wsgi -o json > /tmp/sbom/acme2certifier/acme2certifier_apache2-wsgi_sbom.json + syft grindsa/acme2certifier:apache2-django > 
/tmp/sbom/acme2certifier/acme2certifier-apache2-django_sbom.txt + syft grindsa/acme2certifier:apache2-django -o json > /tmp/sbom/acme2certifier/acme2certifier_apache2-django_sbom.json + syft grindsa/acme2certifier:nginx-wsgi > /tmp/sbom/acme2certifier/acme2certifier-nginx-wsgi_sbom.txt + syft grindsa/acme2certifier:nginx-wsgi -o json > /tmp/sbom/acme2certifier/acme2certifier_nginx-wsgi_sbom.json + syft grindsa/acme2certifier:nginx-django > /tmp/sbom/acme2certifier/acme2certifier-nginx-django_sbom.txt + syft grindsa/acme2certifier:nginx-django -o json > /tmp/sbom/acme2certifier/acme2certifier_nginx-django_sbom.json + + - name: "Upload Changes" + run: | + cd /tmp/sbom + git config --global user.email "grindelsack@gmail.com" + git config --global user.name "SBOM Generator" + git add acme2certifier/ + git commit -a -m "SBOM update" + git push + + - name: "delete images from local repository" + run: | + docker rmi $(docker images grindsa/acme2certifier -q) --no-prune --force + + apache2_wsgi: + name: Test acme2certifier:apache2-wsgi image + needs: [build_and_upload_images_to_hub] + runs-on: ubuntu-latest + steps: + + - name: Checkout code + uses: actions/checkout@v2 + + - name: "[ PREPARE ] setup openssl ca_handler" + run: | + docker network create acme + sudo mkdir -p examples/Docker/data + sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py + sudo mkdir -p examples/Docker/data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + + - name: "[ PREPARE ] apache2 django container" + run: | + docker run -d -p 80:80 --rm -id --network acme --name=acme-srv -v "$(pwd)/examples/Docker/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:apache2-wsgi + + - name: "[ PREPARE ] prepare acme.sh container" + run: | + docker run --rm -id -v 
"$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + + - name: "[ ENROLL ] via openssl ca_handler" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force + openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer + + - name: "[ DEACTIVATE ] acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --deactivate-account --debug 2 --output-insecure + + - name: "[ * ] collecting test data" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + cd examples/Docker + docker logs acme-srv > ${{ github.workspace }}/artifact/docker.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker.log data acme-sh + + - name: "[ * ] uploading artifacts" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: apache_wsgi.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + test_apache2_django: + name: Test acme2certifier:apache2-django image + needs: [build_and_upload_images_to_hub] + runs-on: ubuntu-latest + steps: + + - name: Checkout code + uses: actions/checkout@v2 + + - name: "[ PREPARE ] setup openssl ca_handler and django config" + run: | + docker network create acme + sudo mkdir -p examples/Docker/data + sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py + sudo mkdir -p examples/Docker/data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg 
examples/Docker/data/acme_srv.cfg + sudo cp .github/django_settings.py examples/Docker/data/settings.py + + - name: "[ PREPARE ] apache2 wsgi container" + run: | + docker run -d -p 80:80 --rm -id --network acme --name=acme-srv -v "$(pwd)/examples/Docker/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:apache2-django + + - name: "[ PREPARE ] Sleep for 10s" + uses: juliangruber/sleep-action@v1 + with: + time: 5s + + - name: "[ PREPARE ] django update" + run: | + docker exec acme-srv python3 /var/www/acme2certifier/tools/django_update.py + sudo chmod a+w examples/Docker/data/db.sqlite3 + + - name: "[ PREPARE ] prepare acme.sh container" + run: | + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + + - name: "[ ENROLL ] via openssl ca_handler" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force + openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer + + - name: "[ DEACTIVATE ] acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --deactivate-account --debug 2 --output-insecure + + - name: "[ * ] collecting test data" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + cd examples/Docker + docker logs acme-srv > ${{ github.workspace }}/artifact/docker.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker.log data acme-sh + + - name: "[ * ] uploading artifacts" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: apache_django.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + 
nginx_wsgi: + name: Test acme2certifier:nginx-wsgi image + needs: [build_and_upload_images_to_hub] + runs-on: ubuntu-latest + steps: + + - name: Checkout code + uses: actions/checkout@v2 + + - name: "[ PREPARE ] setup openssl ca_handler" + run: | + docker network create acme + sudo mkdir -p examples/Docker/data + sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py + sudo mkdir -p examples/Docker/data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + + - name: "[ PREPARE ] nginx wsgi container" + run: | + docker run -d -p 80:80 --rm -id --network acme --name=acme-srv -v "$(pwd)/examples/Docker/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:nginx-wsgi + + - name: "[ PREPARE ] prepare acme.sh container" + run: | + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + + - name: "[ ENROLL ] via openssl ca_handler" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force + openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer + + - name: "[ DEACTIVATE ] acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --deactivate-account --debug 2 --output-insecure + + - name: "[ * ] collecting test data" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + cd examples/Docker + docker logs acme-srv > ${{ github.workspace }}/artifact/docker.log + sudo tar -C ${{ 
github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker.log data acme-sh + + - name: "[ * ] uploading artifacts" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: nginx_wsgi.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + test_nginx_django: + name: Test acme2certifier:nginx-django image + needs: [build_and_upload_images_to_hub] + runs-on: ubuntu-latest + steps: + + - name: Checkout code + uses: actions/checkout@v2 + + - name: "[ PREPARE ] setup openssl ca_handler and django config" + run: | + docker network create acme + sudo mkdir -p examples/Docker/data + sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py + sudo mkdir -p examples/Docker/data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ + sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg + sudo cp .github/django_settings.py examples/Docker/data/settings.py + + - name: "[ PREPARE ] nginx django container" + run: | + docker run -d -p 80:80 --rm -id --network acme --name=acme-srv -v "$(pwd)/examples/Docker/data":/var/www/acme2certifier/volume/ grindsa/acme2certifier:nginx-django + # docker exec acme-srv python3 /var/www/acme2certifier/tools/django_update.py + # sudo chmod a+w examples/Docker/data/db.sqlite3 + + - name: "[ PREPARE ] prepare acme.sh container" + run: | + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + + - name: "[ ENROLL ] via openssl ca_handler" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force + openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem 
acme-sh/acme-sh.acme/acme-sh.acme.cer + + - name: "[ DEACTIVATE ] acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --deactivate-account --debug 2 --output-insecure + + - name: "[ * ] collecting test data" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + cd examples/Docker + docker logs acme-srv > ${{ github.workspace }}/artifact/docker.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker.log data acme-sh + + - name: "[ * ] uploading artifacts" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: nginx_django.tar.gz + path: ${{ github.workspace }}/artifact/upload/ diff --git a/.github/workflows/python-test.yml b/.github/workflows/python-test.yml new file mode 100644 index 00000000..69433b3b --- /dev/null +++ b/.github/workflows/python-test.yml 
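Review bot: `docker login -u ${{ secrets.DOCKERHUB_USER }} -p ${{ secrets.DOCKERHUB_TOKEN }}` in the "upload images to hub.docker.com" step (and the ghcr.io login right after it) passes the registry token as a command-line argument, where it is visible to other processes on the runner and to any shell tracing; supply it on stdin instead, e.g. `echo "$DOCKERHUB_TOKEN" | docker login -u "$DOCKERHUB_USER" --password-stdin` with both values exposed through the step's `env:` block, as the "Retrieve SBOM repo" step already does. That SBOM step has the same shape of problem one level down: embedding `$GH_SBOM_TOKEN` in the clone URL persists it in `/tmp/sbom/.git/config` for the later `git push`. The syft installer is fetched from the unpinned `main` branch and piped into `sh`; pinning a released version rather than `main` would make the image build reproducible.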
@@ -0,0 +1,78 @@
+# workflow to run the acme2certifier unittest suite
+
+name: Python Tests
+
+on:
+ push:
+ pull_request:
+ branches: [ devel ]
+ schedule:
+ # * is a special character in YAML so you have to quote this string
+ - cron: '0 2 * * 6'
+jobs:
+ unittest:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ python_version: ['3.x', '3.10', '3.9', '3.8', '3.7' ]
+ name: Python Unittest (${{ matrix.python_version }})
+ steps:
+ - uses: actions/checkout@v2
+ - name: Set up Python ${{ matrix.python_version }}
+ uses: actions/setup-python@v2
+ with:
+ python-version: ${{ matrix.python_version }}
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install pytest
+ if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
+ - name: cp
+ run: |
+ cp examples/ca_handler/skeleton_ca_handler.py acme_srv/ca_handler.py
+ cp examples/acme_srv.cfg acme_srv/
+ - name: Python test
+ run: |
+ pytest
+ pylint:
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ python_version: [3.x, 3.8]
+ name: Pylint test (${{ matrix.python_version }})
+ steps:
+ - uses: actions/checkout@v2
+ - name: Set up Python ${{ matrix.python_version }}
+ uses: actions/setup-python@v2
+ with:
+ python-version: ${{ matrix.python_version }}
+ - name: Install dependencies
+ run: |
+ python -m pip install --upgrade pip
+ pip install pylint pylint-exit
+ if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
+ - name: cp
+ run: |
+ cp examples/ca_handler/skeleton_ca_handler.py acme_srv/ca_handler.py
+ cp examples/db_handler/wsgi_handler.py acme_srv/db_handler.py
+ cp examples/acme_srv.cfg acme_srv/
+ - name: "Pylint folder: acme"
+ run: |
+ pylint --rcfile=".github/pylintrc" acme_srv/ || pylint-exit $?
+ - name: "Pylint folder: tools"
+ run: |
+ pylint --rcfile=".github/pylintrc" tools/*.py || pylint-exit $?
+ - name: "Pylint folder: examples/db_handler"
+ run: |
+ pylint --rcfile=".github/pylintrc" examples/db_handler/*.py || pylint-exit $?
+ - name: "Pylint folder: examples/ca_handler"
+ run: |
+ pylint --rcfile=".github/pylintrc" examples/ca_handler/*.py || pylint-exit $?
+
+ - name: "Linting with pycodestyle"
+ run: |
+ pip install pycodestyle
+ cp .github/pycodestyle ~/.config/pycodestyle
+ pycodestyle --show-source examples/.
+ pycodestyle --show-source acme_srv/.
+ pycodestyle --show-source tools/.
diff --git a/.github/workflows/tnauth-test.yml b/.github/workflows/tnauth-test.yml
new file mode 100644
index 00000000..5590de6c
--- /dev/null
+++ b/.github/workflows/tnauth-test.yml
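Review bot: `python_version: [3.x, 3.8]` in the pylint matrix is unquoted while the unittest matrix quotes the same values; `3.8` is read as a float and only survives because it round-trips, and a `3.10` added later would silently become `3.1`. Quote it the same way as the first job, `python_version: ['3.x', '3.8']`. The `|| pylint-exit $?` suffix means each lint step's result depends on pylint-exit's mapping of pylint's exit code rather than on pylint directly; a one-line comment above the first of those steps stating which message categories are allowed to pass would save the next reader a lookup, e.g. `# pylint-exit maps pylint's bit-mask exit status to pass/fail; only error/fatal should fail the job`.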
@@ -0,0 +1,70 @@
+name: Tnauth Tests
+
+on:
+ push:
+ pull_request:
+ branches: [ devel ]
+ schedule:
+ # * is a special character in YAML so you have to quote this string
+ - cron: '0 2 * * 6'
+
+jobs:
+ tnauth_acme_sh:
+ name: "tnauth_acme_sh"
+ runs-on: ubuntu-latest
+ steps:
+ - name: "checkout GIT"
+ uses: actions/checkout@v2
+
+ - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
+ working-directory: examples/Docker/
+ run: |
+ sudo mkdir -p data
+ docker network create acme
+ docker-compose up -d
+ docker-compose logs
+
+ - name: "Test http://acme-srv/directory is accessable"
+ run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
+
+ - name: "[ PREPARE ] setup openssl ca_handler"
+ run: |
+ sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py
+ sudo mkdir -p examples/Docker/data/acme_ca/certs
+ sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/
+ sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
+ sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: True/g" examples/Docker/data/acme_srv.cfg
+ cd examples/Docker/
+ docker-compose restart
+ docker-compose logs
+
+ - name: "[ CURL ] install curl and socat and test connction"
+ run: |
+ sudo apt-get install -y curl socat
+ curl -f http://localhost:22280
+
+ - name: "[ ACME.SH ] install acme.sh"
+ run: |
+ mkdir /tmp/acme_sh
+ curl -kL https://github.com/grindsa/acme.sh/archive/tnauth_list_support.tar.gz | tar xz -C /tmp/acme_sh --strip-components=1
+
+ - name: "[ ACME.SH ] enroll certificate using tnauth identifier"
+ run: |
+ cd /tmp/acme_sh
+ /tmp/acme_sh/acme.sh --server http://127.0.0.1:22280 --accountemail grindsa@tnauth.acme --issue -d cert.acme.local --tnauth 123456 --spctoken 1234 --standalone --force --debug 2
+
+ - name: "[ * ] collecting test logs"
+ if: ${{ failure() }}
+ run: |
+ mkdir -p ${{ 
github.workspace }}/artifact/upload
+ sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
+ cd examples/Docker
+ docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
+ sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data
+
+ - name: "[ * ] uploading artificates"
+ uses: actions/upload-artifact@v2
+ if: ${{ failure() }}
+ with:
+ name: lego_key-${{ matrix.keylength }}.tar.gz
+ path: ${{ github.workspace }}/artifact/upload/
diff --git a/.github/workflows/wiki-update.yml b/.github/workflows/wiki-update.yml
new file mode 100644
index 00000000..832fb156
--- /dev/null
+++ b/.github/workflows/wiki-update.yml
@@ -0,0 +1,26 @@
+# workflow to update wiki
+
+name: wiki-update
+
+on:
+ push:
+ branches: [ master ]
+
+jobs:
+ wiki-update:
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v1
+ # Additional steps to generate documentation in "Documentation" directory
+ - name: Upload docs to Wiki
+ uses: grindsa/github-wiki-publish-action@customize_wiki_title
+ with:
+ path: "docs"
+ env:
+ GH_PERSONAL_ACCESS_TOKEN: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
+ - name: Upload Docker to Wiki
+ uses: grindsa/github-wiki-publish-action@customize_wiki_title
+ with:
+ path: "examples/Docker"
+ env:
+ GH_PERSONAL_ACCESS_TOKEN: ${{ secrets.GH_PERSONAL_ACCESS_TOKEN }}
diff --git a/.github/workflows/winacme-application-test.yml b/.github/workflows/winacme-application-test.yml
new file mode 100644
index 00000000..9df2f9ae
--- /dev/null
+++ b/.github/workflows/winacme-application-test.yml
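Review bot: `curl -kL https://github.com/grindsa/acme.sh/archive/tnauth_list_support.tar.gz | tar xz ...` in the "[ ACME.SH ] install acme.sh" step disables TLS certificate verification for a tarball whose `acme.sh` the next step executes; drop `-k` (`curl -fsSL ...`) and, since the archive is a branch snapshot, fetch a commit-pinned archive so the code under test cannot change underneath the workflow. The artifact name `lego_key-${{ matrix.keylength }}.tar.gz` references a matrix this job does not define, so it expands to `lego_key-.tar.gz`; name it after the job instead, e.g. `name: tnauth.tar.gz`.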
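Review bot: `GH_PERSONAL_ACCESS_TOKEN` is handed to `grindsa/github-wiki-publish-action@customize_wiki_title`, a branch reference that can move after this workflow is merged, so the code that receives the PAT is not fixed; pin both `uses:` lines to a full commit SHA (`uses: grindsa/github-wiki-publish-action@<COMMIT_SHA>`). `actions/checkout@v1` is also older than the `@v2` used by every other workflow in this commit; aligning it keeps the pinning consistent across the repository.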
@@ -0,0 +1,121 @@ +name: Application Tests - win-acme + +on: + push: + pull_request: + branches: [ devel ] + schedule: + # * is a special character in YAML so you have to quote this string + - cron: '0 2 * * 6' + +jobs: + + win_acme: + name: "win_acme" + runs-on: windows-latest + + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + + - name: "[ PREPARE ] get RunnerIP" + run: | + $runner_ip=(Get-NetIPAddress -AddressFamily IPv4 -InterfaceAlias 'Ethernet 3').IPAddress + echo RUNNER_IP=$runner_ip >> $env:GITHUB_ENV + + - name: "[ PREPARE ] echo RunnerIP" + run: echo $env:RUNNER_IP + + - name: "[ PREPARE ] Create DNS entries " + run: | + Invoke-RestMethod -ContentType "application/json" -Method PUT -Uri ${{ secrets.CF_DYNAMOP_URL }} -Headers @{Authorization="Bearer ${{ secrets.CF_TOKEN }}"} -UseBasicParsing -Body '{"type":"A","name":"${{ secrets.CF_WINACME1_NAME }}","content":"${{ env.RUNNER_IP }}","ttl":120,"proxied":false}' + + - name: "[ PREPARE ] Build local acme2certifier environment" + run: | + python -m pip install --upgrade pip + pip install -r requirements.txt + pip install django==3.2 + pip install django-sslserver + pip install pyyaml + cp examples/db_handler/django_handler.py acme_srv/db_handler.py + cp examples/django/* .\ -Recurse -Force + (Get-Content .github/django_settings.py) -replace '/var/www/acme2certifier/volume/db.sqlite3', 'volume/db.sqlite3' | Set-Content acme2certifier/settings.py + (Get-Content acme2certifier/settings.py) -replace 'django.contrib.staticfiles', 'sslserver' | Set-Content acme2certifier/settings.py + cat acme2certifier/settings.py + cp examples/ca_handler/openssl_ca_handler.py acme2certifier/ca_handler.py + cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg acme_srv/acme_srv.cfg + cp .github/acme2certifier_cert.pem acme2certifier/acme2certifier_cert.pem + cp .github/acme2certifier_key.pem acme2certifier/acme2certifier_key.pem + mkdir .\volume/acme_ca/certs + cp test/ca/*.pem volume/acme_ca/ + certutil 
-addstore -enterprise -f -v root volume\acme_ca\root-ca-cert.pem + certutil -addstore -enterprise -f -v root volume\acme_ca\sub-ca-cert.pem + + - name: "[ PREPARE ] configure server" + run: | + python manage.py makemigrations + python manage.py migrate + python manage.py loaddata acme_srv/fixture/status.yaml + + - name: "[ PREPARE ] try to get up the server" + run: | + Start-Process powershell {python .\manage.py runserver 0.0.0.0:8080 3>&1 2>&1 > volume\redirection.log} + - name: "[ PREPARE ] Sleep for 5s" + uses: juliangruber/sleep-action@v1 + with: + time: 5s + + - name: "[ TEST ] Test if directory ressource is accessable" + run: | + get-Process python + Invoke-RestMethod -Uri http://127.0.0.1:8080/directory -NoProxy -TimeoutSec 5 + [System.Net.Dns]::GetHostByName('localhost').HostName + ([System.Net.Dns]::GetHostByName(($env:computerName))).Hostname + + - name: "[ PREPARE ] Download win-acme" + run: | + Invoke-RestMethod -Uri https://github.com/win-acme/win-acme/releases/download/v2.1.20.1/win-acme.v2.1.20.1185.x64.trimmed.zip -OutFile win-acme.zip + Expand-Archive .\win-acme.zip + mkdir win-acme\certs + dir win-acme\* + + - name: "[ ENROLL ] Enroll certificate via win-acme" + run: | + .\win-acme\wacs.exe --baseuri http://127.0.0.1:8080 --emailaddress=grindsa@bar.local --pemfilespath win-acme\certs --source manual --host ${{ secrets.CF_WINACME1_NAME }},${{ secrets.CF_WINACME2_NAME }} --store pemfiles --force + + - name: "[ PREPARE ] try to get up the sslserver" + run: | + Start-Process powershell {python .\manage.py runsslserver 0.0.0.0:443 --certificate acme2certifier/acme2certifier_cert.pem --key acme2certifier/acme2certifier_key.pem 3>&1 2>&1 > volume\redirection_ssl.log} + - name: "[ PREPARE ] Sleep for 5s" + uses: juliangruber/sleep-action@v1 + with: + time: 5s + + - name: "[ TEST ] Test if directory ressource is accessable" + run: | + get-Process python + Invoke-RestMethod -SkipCertificateCheck -Uri https://localhost -NoProxy -TimeoutSec 5 + 
[System.Net.Dns]::GetHostByName('localhost').HostName + ([System.Net.Dns]::GetHostByName(($env:computerName))).Hostname + + - name: "[ PREPARE ] Install and configure Posh-ACME" + run: | + Install-Module -Name Posh-ACME -Scope CurrentUser -Force + - name: "[ ENROLL ] Enroll Certificate via Posh-ACME" + run: | + set-PAServer -DirectoryUrl https://localhost/directory -SkipCertificateCheck + New-PACertificate ${{ secrets.CF_WINACME1_NAME }} -AcceptTOS -Contact 'foo@bar.local' -Plugin WebSelfHost -PluginArgs @{} -Force + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir ${{ github.workspace }}\artifact\upload + cp volume ${{ github.workspace }}\artifact\upload/ -Recurse -Force + cp acme_srv\acme_srv.cfg ${{ github.workspace }}\artifact\upload + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: win-acme.tar.gz + path: ${{ github.workspace }}/artifact/upload/ diff --git a/.github/workflows/wsgi_handler-test.yml b/.github/workflows/wsgi_handler-test.yml new file mode 100644 index 00000000..de17a57f --- /dev/null +++ b/.github/workflows/wsgi_handler-test.yml 
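Review bot: `certutil -addstore -enterprise -f -v root volume\acme_ca\sub-ca-cert.pem` in the "[ PREPARE ] Build local acme2certifier environment" step (whose body starts at the top of this hunk) installs the issuing sub-CA in the Root store, i.e. as a trust anchor rather than as an intermediate; chain building presumably still succeeds, but the intended store is `CA` (`certutil -addstore -enterprise -f -v CA volume\acme_ca\sub-ca-cert.pem`) so that only root-ca-cert.pem is trusted directly. The win-acme zip is downloaded and `wacs.exe` run without any integrity check; comparing `(Get-FileHash win-acme.zip -Algorithm SHA256).Hash` against an expected value recorded in the workflow (`<EXPECTED_SHA256>`, taken from the release) before `Expand-Archive` would catch a tampered or wrong download. The two "[ TEST ] Test if directory ressource is accessable" steps carry identical names; suffixing them with `(http)` and `(https)` makes the job log readable.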
@@ -0,0 +1,153 @@ +name: WSGI handler tests + +on: + push: + pull_request: + branches: [ devel, db_file_customization ] + schedule: + # * is a special character in YAML so you have to quote this string + - cron: '0 2 * * 6' + +jobs: + a2_cust_db_file: + name: "a2_cust_db_file" + runs-on: ubuntu-latest + strategy: + fail-fast: false + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + + - name: "[ PREPARE ] Build docker-compose (apache2_wsgi)" + working-directory: examples/Docker/ + run: | + sudo mkdir -p data + docker network create acme + sudo cp ../../.github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/acme_srv.cfg + sudo chmod 777 data/acme_srv.cfg + sudo echo "" >> data/acme_srv.cfg + sudo echo "[DBhandler]" >> data/acme_srv.cfg + sudo echo "dbfile: volume/a2c.db" >> data/acme_srv.cfg + sudo echo "[Directory]" >> data/acme_srv.cfg + sudo echo "url_prefix: /foo" >> data/acme_srv.cfg + docker-compose up -d + docker-compose logs + + - name: "Test http://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ PREPARE ] setup openssl ca_handler" + run: | + sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py + sudo mkdir -p examples/Docker/data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ + cd examples/Docker/ + docker-compose restart + docker-compose logs + + - name: "Test http://acme-srv/directory is accessable again" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ PREPARE ] prepare acme.sh container" + run: | + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + + - name: "[ ENROLL ] acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme 
--standalone --debug 3 --output-insecure --force + openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer + + - name: "[ ENROLL ] lego" + run: | + mkdir lego + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: a2_custdb.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + nginx_cust_db_file: + name: "nginx_cust__db_file" + runs-on: ubuntu-latest + strategy: + fail-fast: false + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + + - name: "[ PREPARE ] Build docker-compose (nginx_wsgi)" + working-directory: examples/Docker/ + run: | + sed -i "s/apache2/nginx/g" .env + sudo mkdir -p data + docker network create acme + sudo cp ../../.github/openssl_ca_handler.py_acme_srv_default_handler.cfg data/acme_srv.cfg + sudo chmod 777 data/acme_srv.cfg + sudo echo "" >> data/acme_srv.cfg + sudo echo "[DBhandler]" >> data/acme_srv.cfg + sudo echo "dbfile: volume/a2c.db" >> data/acme_srv.cfg + sudo echo "[Directory]" >> data/acme_srv.cfg + sudo echo "url_prefix: /foo" >> data/acme_srv.cfg + docker-compose up -d + docker-compose logs + sleep 5 + + - name: "Test 
http://acme-srv/directory is accessable" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ PREPARE ] setup openssl ca_handler" + run: | + sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py + sudo mkdir -p examples/Docker/data/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/ + cd examples/Docker/ + docker-compose restart + docker-compose logs + sleep 5 + + - name: "Test http://acme-srv/directory is accessable again" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ PREPARE ] prepare acme.sh container" + run: | + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + + - name: "[ ENROLL ] acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --standalone --debug 3 --output-insecure --force + openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer + + - name: "[ ENROLL ] lego" + run: | + mkdir lego + docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run + sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/ + cd examples/Docker + docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace 
}}/artifact/upload/artifact.tar.gz docker-compose.log data + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: nginx_cust_db.tar.gz + path: ${{ github.workspace }}/artifact/upload/ From a929ca48d3e4186c9a36a5f4c4bb9007980dbc43 Mon Sep 17 00:00:00 2001 From: grindsa Date: Sat, 10 Dec 2022 14:06:46 +0100 Subject: [PATCH 08/22] [wf] alma install scripts --- .github/workflows/manual-install-test.yml | 155 +++++++++++++++++- .../Docker/alamlinux-systemd/script_tester.sh | 5 - .../Dockerfile | 0 .../Docker/almalinux-systemd/script_tester.sh | 18 ++ 4 files changed, 170 insertions(+), 8 deletions(-) delete mode 100644 examples/Docker/alamlinux-systemd/script_tester.sh rename examples/Docker/{alamlinux-systemd => almalinux-systemd}/Dockerfile (100%) create mode 100644 examples/Docker/almalinux-systemd/script_tester.sh diff --git a/.github/workflows/manual-install-test.yml b/.github/workflows/manual-install-test.yml index d1cf93ba..a98f0b0e 100644 --- a/.github/workflows/manual-install-test.yml +++ b/.github/workflows/manual-install-test.yml @@ -1,4 +1,4 @@ -name: Manual Installation test +name: Manuall Installation test on: push: 
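Review bot: `sudo chmod 777 data/acme_srv.cfg` followed by `sudo echo "..." >> data/acme_srv.cfg` in "[ PREPARE ] Build docker-compose (apache2_wsgi)" (and the same lines in the nginx job below) only works because the `>>` redirect is performed by the unprivileged shell, not by sudo; the chmod exists solely to make the append succeed and leaves the server's config file world-writable inside the mounted volume. Replace each append with `echo "[DBhandler]" | sudo tee -a data/acme_srv.cfg > /dev/null` (likewise for the other four lines) and drop the chmod. The second job's display name `nginx_cust__db_file` has a doubled underscore that the job id `nginx_cust_db_file` does not.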
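Review bot: The rename `-name: Manual Installation test` / `+name: Manuall Installation test` introduces a spelling error into the workflow's display name, which is what the Actions tab and status checks show. Keep `name: Manual Installation test`.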
@@ -9,6 +9,129 @@ on: - cron: '0 2 * * 6' jobs: + apache2_wsgi: + name: "apache2_wsgi" + runs-on: ubuntu-latest + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + + - name: "[ PREPARE ] get runner ip" + run: | + echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV + echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV + - run: echo "runner IP is ${{ env.RUNNER_IP }}" + + - name: Branch name + run: echo running on branch ${GITHUB_REF##*/} + + - name: "Run install script" + run: | + sudo mkdir -p data + chmod a+rx examples/install_scripts/a2c-ubuntu22-apache2.sh + examples/install_scripts/a2c-ubuntu22-apache2.sh ${GITHUB_REF##*/} + + - name: "Local modification to get a2c running" + run: | + sudo apt-get install -y socat + sudo sed -i "s/Listen 80/Listen 8080/g" /etc/apache2/ports.conf + sudo sed -i "s/*:80/*:8080/g" /etc/apache2/sites-available/acme2certifier.conf + sudo sed -i "s/examples\/ca_handler/\/var\/www\/acme2certifier\/examples\/ca_handler/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg + sudo sed -i "s/volume\/acme_ca/\/var\/www\/acme2certifier\/volume\/acme_ca/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg + sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg + sudo service apache2 restart + + - name: "Test http://acme-srv/directory is accessable" + run: curl -f http://127.0.0.1:8080/directory + + - name: "[ PREPARE ] prepare acme.sh container" + run: | + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --name=acme-sh neilpang/acme.sh:latest daemon + + - name: "[ REGISTER] acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://${{ env.RUNNER_IP }}:8080 --register-account --accountemail 'acme-sh@example.com' --debug 3 + + - name: "[ ENROLL] acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://${{ env.RUNNER_IP }}:8080 --issue -d acme-sh.acme --standalone --debug 3 
--output-insecure + openssl verify -CAfile /var/www/acme2certifier/volume/acme_ca/root-ca-cert.pem -untrusted /var/www/acme2certifier/volume/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp /var/log/apache2 ${{ github.workspace }}/artifact/data/ + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: apache.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + nginx_wsgi: + name: "nginx_wsgi" + runs-on: ubuntu-latest + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + + - name: "[ PREPARE ] get runner ip" + run: | + echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV + echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV + - run: echo "runner IP is ${{ env.RUNNER_IP }}" + + - name: Branch name + run: echo running on branch ${GITHUB_REF##*/} + + - name: "Run install script" + run: | + sudo mkdir -p data + sh examples/install_scripts/a2c-ubuntu22-nginx.sh + + - name: "Local modification to get a2c running" + run: | + sudo apt-get install -y socat + sudo sed -i "s/listen 80/listen 8080/g" /etc/nginx/sites-enabled/acme_srv.conf + sudo sed -i "s/listen [::]:80/listen [::]:8080/g" /etc/nginx/sites-enabled/acme_srv.conf + sudo sed -i "s/examples\/ca_handler/\/var\/www\/acme2certifier\/examples\/ca_handler/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg + sudo sed -i "s/volume\/acme_ca/\/var\/www\/acme2certifier\/volume\/acme_ca/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg + sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg + sudo service nginx restart + + - name: "Test 
http://acme-srv/directory is accessable" + run: curl -f http://127.0.0.1:8080/directory + + - name: "[ PREPARE ] prepare acme.sh container" + run: | + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --name=acme-sh neilpang/acme.sh:latest daemon + + - name: "[ REGISTER] acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://${{ env.RUNNER_IP }}:8080 --register-account --accountemail 'acme-sh@example.com' --debug 3 + + - name: "[ ENROLL] acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://${{ env.RUNNER_IP }}:8080 --issue -d acme-sh.acme --standalone --debug 3 --output-insecure + openssl verify -CAfile /var/www/acme2certifier/volume/acme_ca/root-ca-cert.pem -untrusted /var/www/acme2certifier/volume/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp /var/log/apache2 ${{ github.workspace }}/artifact/data/ + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: nginx.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + alma_nginx_wsgi: name: "alma_nginx_wsgi" runs-on: ubuntu-latest 
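Review bot: In the nginx_wsgi job the failure-time log step copies `/var/log/apache2`, a directory that does not exist on a runner where only nginx was set up, so the `cp` fails and the artifact carries no server log; it should be `sudo cp -rp /var/log/nginx ${{ github.workspace }}/artifact/data/`. The same job runs `sh examples/install_scripts/a2c-ubuntu22-nginx.sh` without the branch argument that apache2_wsgi passes as `${GITHUB_REF##*/}`; if the script takes that argument, the nginx job presumably installs from a default branch rather than the one under test. Both jobs rewrite acme_srv.cfg to `challenge_validation_disable: True`; a comment on that sed line saying why the test bypasses HTTP-01 validation would help, since the enrollment that follows no longer demonstrates control of acme-sh.acme.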
@@ -28,15 +151,41 @@ jobs: - name: "[ PREPARE ] environment" run: | docker network create acme + echo "exit 0" >> examples/install_scripts/a2c-centos9-nginx.sh - name: "[ PREPARE ] Almalinux instance" run: | cat examples/Docker/almalinux-systemd/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache - docker run -d -id --privileged --network acme --name=acme_srv -v "$(pwd)/":/tmp/acme2certifier almalinux-systemd + docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/":/tmp/acme2certifier almalinux-systemd - name: "[ RUN ] Execute install scipt" run: | - docker exec acme_srv /tmp/acme2certifier/examples/Docker/almalinux-systemd/script_tester.sh + docker exec acme-srv sh /tmp/acme2certifier/examples/Docker/almalinux-systemd/script_tester.sh + + - name: "Test http://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ PREPARE ] prepare acme.sh container" + run: | + sudo mkdir acme-sh + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + + - name: "[ REGISTER] acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug 3 + + - name: "[ ENROLL] acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure + openssl verify -CAfile test/ca/root-ca-cert.pem -untrusted test/ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz acme-srv.log acme-sh - name: "[ * ] 
uploading artificates" uses: actions/upload-artifact@v2 diff --git a/examples/Docker/alamlinux-systemd/script_tester.sh b/examples/Docker/alamlinux-systemd/script_tester.sh deleted file mode 100644 index 8e0b0cf5..00000000 --- a/examples/Docker/alamlinux-systemd/script_tester.sh +++ /dev/null @@ -1,5 +0,0 @@ -#!/bin/bash - -echo "install missing packages" - -yum install -y sudo checkpolicy python3-pip procps \ No newline at end of file diff --git a/examples/Docker/alamlinux-systemd/Dockerfile b/examples/Docker/almalinux-systemd/Dockerfile similarity index 100% rename from examples/Docker/alamlinux-systemd/Dockerfile rename to examples/Docker/almalinux-systemd/Dockerfile diff --git a/examples/Docker/almalinux-systemd/script_tester.sh b/examples/Docker/almalinux-systemd/script_tester.sh new file mode 100644 index 00000000..edd7fe5b --- /dev/null +++ b/examples/Docker/almalinux-systemd/script_tester.sh @@ -0,0 +1,18 @@ +#!/bin/bash + +echo "install missing packages" +yum install -y sudo checkpolicy python3-pip procps rsyslog +systemctl start rsyslog + +cd /tmp/acme2certifier + +echo "execute install script" +sh examples/install_scripts/a2c-centos9-nginx.sh + + +echo "configure handler" +sudo mkdir -p /opt/acme2certifier/volume/acme_ca/certs/ +sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem /opt/acme2certifier/volume/acme_ca/ + +echo "fix ownership" +sudo chown -R nginx /opt/acme2certifier/volume \ No newline at end of file From 81f02d1e8d9c1497c4c3e634b615a95748f720ff Mon Sep 17 00:00:00 2001 From: grindsa Date: Sat, 10 Dec 2022 14:07:48 +0100 Subject: [PATCH 09/22] [wf] fix typo --- .github/workflows/manual-install-test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/manual-install-test.yml b/.github/workflows/manual-install-test.yml index a98f0b0e..1af5ce2b 100644 --- a/.github/workflows/manual-install-test.yml +++ b/.github/workflows/manual-install-test.yml 
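Review bot: `echo "exit 0" >> examples/install_scripts/a2c-centos9-nginx.sh` forces the install script to report success regardless of what happened before it, so a failed package install or uwsgi setup inside the container is only noticed later when `curl -f` cannot reach `/directory`, with the cause buried in the collected /var/log/messages. If a non-zero status from the script's final command is what is being suppressed, handling it inside the script keeps the test honest and avoids patching a tracked file in the checkout the container mounts. The script is now invoked through `sh` although it declares `#!/bin/bash`; a `chmod +x` on the file in the checkout, or `bash` instead of `sh`, keeps the bash semantics the shebang presumably asks for.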
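Review bot: script_tester.sh has no `set -e`, so a failing `yum install` or a non-zero exit from `a2c-centos9-nginx.sh` does not stop the run and the following `cp`/`chown` act on a half-installed tree; add `set -eu` right after the shebang. `sudo chown -R nginx /opt/acme2certifier/volume` also makes the web-server account owner of `sub-ca-key.pem`; the key only has to be readable by the service, so `chown root:nginx` plus `chmod 640` on the key, leaving `certs/` writable by nginx, is the narrower setting. The `sudo` prefixes are redundant if, as `docker exec` without `--user` suggests, the script already runs as root inside the container.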
@@ -1,4 +1,4 @@ -name: Manuall Installation test +name: Manual Installation test on: push: From 2666322fa1aacafee1fab734975f0d24939fc705 Mon Sep 17 00:00:00 2001 From: grindsa Date: Sun, 11 Dec 2022 07:03:11 +0100 Subject: [PATCH 10/22] [fix] filename in centos script --- examples/install_scripts/a2c-centos9-nginx.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/install_scripts/a2c-centos9-nginx.sh b/examples/install_scripts/a2c-centos9-nginx.sh index 91ab545a..fff3db8c 100644 --- a/examples/install_scripts/a2c-centos9-nginx.sh +++ b/examples/install_scripts/a2c-centos9-nginx.sh @@ -57,7 +57,7 @@ sudo systemctl start uwsgi # 19 - 20 configure nginxinsta echo "## Configure and enable nginx services" -sudo cp examples/nginx/nginx_acme.conf /etc/nginx/conf.d/acme.conf +sudo cp examples/nginx/nginx_acme_srv.conf /etc/nginx/conf.d/nginx_acme_srv.conf sudo systemctl enable nginx.service sudo systemctl restart nginx sudo systemctl status nginx.service From ab2cfcdfd1235961e39af10cbe06c4778c1028c1 Mon Sep 17 00:00:00 2001 From: grindsa Date: Sun, 11 Dec 2022 07:07:54 +0100 Subject: [PATCH 11/22] [feat] add spec file --- .gitignore | 2 +- .../install_scripts/rpm/acme2certifier.spec | 168 ++++++++++++++++++ 2 files changed, 169 insertions(+), 1 deletion(-) create mode 100644 examples/install_scripts/rpm/acme2certifier.spec diff --git a/.gitignore b/.gitignore index f392b842..afe271c5 100644 --- a/.gitignore +++ b/.gitignore @@ -28,7 +28,7 @@ wheels/ # Usually these files are written by a python script from a template # before PyInstaller builds the exe, so as to inject date/other infos into it. *.manifest -*.spec +# *.spec # Installer logs pip-log.txt diff --git a/examples/install_scripts/rpm/acme2certifier.spec b/examples/install_scripts/rpm/acme2certifier.spec new file mode 100644 index 00000000..daad264c --- /dev/null +++ b/examples/install_scripts/rpm/acme2certifier.spec 
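Review bot: Commenting out `*.spec` un-ignores every PyInstaller-generated spec file in the repository, while the comment directly above that pattern says it exists for exactly those files. Tracking the RPM spec only needs a negation after the pattern: keep `*.spec` and add `!examples/install_scripts/rpm/acme2certifier.spec` on the next line, which preserves the original rule and makes the exception visible beside it.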
@@ -0,0 +1,168 @@ + +# Disable automatic requires/provides processing +AutoReqProv: no + +%global projname acme2certifier +%global __python %{__python3} +%global dest_dir /opt +%{!?_unitdir: %global _unitdir /usr/lib/systemd/system} + +Summary: library implementing ACME server functionality +Name: acme2certifier + +%define ghowner grindsa + +Version: 0.23.1 +Release: 1.0 +License: GPL3; @grindsa@github +URL: https://github.com/grindsa/acme2certifier +Requires: nginx +# EPEL repo required +Requires: policycoreutils-python-utils +Requires: uwsgi-plugin-python3 +Requires: python3-uwsgidecorators +Requires: tar +# pip **RISK** +Requires: python3-dateutil +Requires: python3-pytz +Requires: python3-setuptools +Requires: python3-jwcrypto +Requires: python3-cryptography +Requires: python3-pyOpenSSL +Requires: python3-dns +# Requires: python-certsrv +Requires: python3-configargparse +Requires: python3-dateutil +Requires: python3-requests +Requires: python3-pysocks +Requires: python3-josepy +Requires: python3-acme +Requires: python3-impacket +Requires: python3-xmltodict +Requires: python3-pyasn1 +Requires: python3-pyasn1-modules +Requires(post): policycoreutils + +BuildArch: noarch + +#define ghsha 1699c09758e56f740437674a8d6ba36443399f24 +%define mungedurl refs/tags/%{?ghsha}%{?!ghsha:%{version}} + +Source0: https://github.com/%{ghowner}/%{?URLbit}%{?!URLbit:%{name}}/archive/%{?mungedurl}.tar.gz + +%description +acme2certifier is development project to create an ACME protocol proxy. Main intention is to provide ACME services on CA servers which do not support this protocol yet. It consists of two libraries: + +- acme_srv/*.py - a bunch of classes implementing ACME server functionality based on rfc8555 +- ca_handler.py - interface towards CA server. The intention of this library is to be + modular that an adaption to other CA servers should be straight forward. 
As of + today the following handlers are available: + + - Openssl + - NetGuard Certificate Manager/Insta Certifier + - NetGuard Certificate Lifecycle Manager + - Generic EST protocol handler + - Generic CMPv2 protocol handler + - Microsoft Certificate Enrollment Web Services + - Microsoft Windows Client Certificate Enrollment Protocol (MS-WCCE) via RPC/DCOM + - Generic ACME protocol handler supporting Letsencrypt, BuyPass.com and ZeroSSL + - XCA + - acme2dfn (external; ACME proxy for the German research network's SOAP API) + +For more up-to-date information and further documentation, please visit the project's +home page at: https://github.com/grindsa/acme2certifier + +Remember to: + - enable acme2certifer service + sudo systemctl enable acme2certifier.service + sudo systemctl start acme2certifier.service + - active acme2certifier in your nginx configuration + cp /opt/acme2certifer/examples/nginx/nginx_acme_srv[_ssl].conf /etc/nginx/conf.d + - enable and start nginx service + sudo systemctl enable nginx.service + sudo systemctl start nginx.service + +%prep +%autosetup -p1 -n %{name}-%{?ghsha}%{?!ghsha:%{version}} -N + +%build +# nothing to build + + +%install +# Main +%{__mkdir_p} \ + %{buildroot}%{_datadir} \ + %{buildroot}%{_unitdir} \ + %{buildroot}%{dest_dir} + + #\ + #%{buildroot}%{_sysconfdir}/httpd/conf.d \ + +%{__cp} -a . 
%{buildroot}%{dest_dir}/%{projname} + +%{__chmod} -R go-w %{buildroot}%{dest_dir}/%{projname} + +%{__cp} -a \ + examples/acme_srv.cfg \ + %{buildroot}%{dest_dir}/%{projname}/acme_srv/acme_srv.cfg + +%{__cp} -a \ + examples/db_handler/wsgi_handler.py \ + %{buildroot}%{dest_dir}/%{projname}/acme_srv/db_handler.py + +%{__cp} -a \ + examples/acme2certifier_wsgi.py \ + %{buildroot}%{dest_dir}/%{projname}/ + +## Modify acme2certifier.ini for Redhat/Centos and derivations +%{__sed} ' +$a\ +plugins = python3 +' \ + examples/nginx/acme2certifier.ini > \ + %{buildroot}%{dest_dir}/%{projname}/acme2certifier.ini + +## Configure and enable uWSGI service +%{__sed} ' +/^User/i\ +WorkingDirectory=%{dest_dir} +' \ + examples/nginx/uwsgi.service > \ + %{buildroot}%{_unitdir}/acme2certifier.service # ugh + + +%clean +%{__chmod} -R 777 $RPM_BUILD_ROOT +%{__rm} -rf $RPM_BUILD_ROOT + + +%files +%defattr(-,root,root,-) +%license LICENSE +%doc *.md requirements.txt +%attr(0755,nginx,-)%{dest_dir}/%{projname}/ +%{_unitdir}/acme2certifier.service + +%changelog + +%post +cat < acme2certifier.te +module acme2certifier 1.0; + +require { + type var_run_t; + type initrc_t; + type httpd_t; + class sock_file write; + class unix_stream_socket connectto; +} + +#============= httpd_t ============== +allow httpd_t initrc_t:unix_stream_socket connectto; +allow httpd_t var_run_t:sock_file write; +EOT +checkmodule -M -m -o acme2certifier.mod acme2certifier.te +semodule_package -o acme2certifier.pp -m acme2certifier.mod +semodule -i acme2certifier.pp + From 2c0fee052cd46c29d2fccb8c3184a7bd5a8be714 Mon Sep 17 00:00:00 2001 
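Review bot: `%attr(0755,nginx,-)%{dest_dir}/%{projname}/` in `%files` makes the nginx account owner of the whole installed tree, including the handler code and the packaged acme_srv.cfg, so a compromised worker process could rewrite the application it runs; keep the tree root-owned with `%attr(0755,root,root) %{dest_dir}/%{projname}/` and give nginx ownership only of the runtime data directory it must write to. `Requires: python3-dateutil` appears twice in the header, and `%changelog` is left empty. The `%post` scriptlet reads `cat < acme2certifier.te` with no heredoc terminator before the policy text; if the file really reads that way, the `.te` lines below it are executed as shell commands and the line should be `cat <<EOT > acme2certifier.te` (if this is only an artefact of how the page was rendered, ignore it).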
From: grindsa Date: Mon, 12 Dec 2022 09:43:17 +0100 Subject: [PATCH 12/22] [wf] rpm build wf --- .github/workflows/manual-install-test.yml | 80 +++++++++++++++++++ .../Docker/almalinux-systemd/rpm_tester.sh | 24 ++++++ .../install_scripts/rpm/acme2certifier.spec | 53 ++++++------ 3 files changed, 130 insertions(+), 27 deletions(-) create mode 100644 examples/Docker/almalinux-systemd/rpm_tester.sh diff --git a/.github/workflows/manual-install-test.yml b/.github/workflows/manual-install-test.yml index 1af5ce2b..94f4a1f6 100644 --- a/.github/workflows/manual-install-test.yml +++ b/.github/workflows/manual-install-test.yml 
@@ -192,4 +192,84 @@ jobs: if: ${{ failure() }} with: name: alma_nginx_wsgi.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + alma_nginx_wsgi_rpm: + name: "alma_nginx_wsgi_rpm" + runs-on: ubuntu-latest + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + + - name: Branch name + run: echo running on branch ${GITHUB_REF##*/} + + - name: Retrieve Version from version.py + run: | + echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV + - run: echo "Latest tag is ${{ env.TAG_NAME }}" + + - name: update version number in spec file + run: | + # sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec + sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec + cat examples/install_scripts/rpm/acme2certifier.spec + + - name: build RPM package + id: rpm + uses: naveenrajm7/rpmbuild@master + with: + spec_file: "examples/install_scripts/rpm/acme2certifier.spec" + + - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}" + + - name: "[ PREPARE ] Setup environment" + run: | + docker network create acme + mkdir -p data/acme_ca/certs/ + sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data + sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/acme_srv.cfg + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/ + sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data + + - name: "[ PREPARE ] Almalinux instance" + run: | + cat examples/Docker/almalinux-systemd/Dockerfile | docker build -t almalinux-systemd -f - . 
--no-cache + docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd + + - name: "[ RUN ] Execute install scipt" + run: | + docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh + + - name: "Test http://acme-srv/directory is accessible" + run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory + + - name: "[ PREPARE ] prepare acme.sh container" + run: | + sudo mkdir acme-sh + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon + + - name: "[ REGISTER] acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail 'acme-sh@example.com' --debug 3 + + - name: "[ ENROLL] acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure + openssl verify -CAfile test/ca/root-ca-cert.pem -untrusted test/ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp data/ ${{ github.workspace }}/artifact/data/ + sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/ + docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: alma_nginx_wsgi_rpm.tar.gz path: ${{ github.workspace }}/artifact/upload/ \ No newline at end of file diff --git a/examples/Docker/almalinux-systemd/rpm_tester.sh b/examples/Docker/almalinux-systemd/rpm_tester.sh new file mode 100644 index 00000000..a3a591bd --- /dev/null +++ b/examples/Docker/almalinux-systemd/rpm_tester.sh 
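Review bot: `uses: naveenrajm7/rpmbuild@master` runs a third-party action from a moving branch head with full access to the checkout, so a change in that repository alters what this build does on the next run without any change here; pin it to a commit SHA, `uses: naveenrajm7/rpmbuild@<commit-sha>  # <tag>`, and do the same in the create_release.yml hunk below, where the output is uploaded as release assets. The copied file name hard-codes `-1.0.noarch.rpm`, duplicating `Release: 1.0` from the spec, so a Release bump breaks this step and the matching upload step in create_release.yml; `acme2certifier-${{ env.TAG_NAME }}-*.noarch.rpm` or a value read from the spec avoids that. A short comment on the `sudo sed -i "s/__version__/..."` line noting that the tracked spec deliberately carries a placeholder would explain why the file is rewritten in place.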
@@ -0,0 +1,24 @@ +#!/bin/bash + +echo "install missing packages" +yum install -y procps rsyslog + +systemctl start rsyslog.service + +yum -y install epel-release +yum -y localinstall /tmp/acme2certifier/acme2certifier-0.23.1-1.0.noarch.rpm +cp /opt/acme2certifier/examples/nginx/nginx_acme_srv.conf /etc/nginx/conf.d + +yes | cp /tmp/acme2certifier/acme_srv.cfg /opt/acme2certifier/acme_srv +mkdir -p /opt/acme2certifier/volume/acme_ca/certs +cp -R /tmp/acme2certifier/acme_ca/* /opt/acme2certifier/volume/acme_ca/ +chown -R nginx.nginx /opt/acme2certifier/volume/ +ls -la /opt/acme2certifier/ +ls -la /opt/acme2certifier/volume +ls -la /opt/acme2certifier/volume/acme_ca/ + +systemctl enable acme2certifier.service +systemctl start acme2certifier.service + +systemctl enable nginx.service +systemctl start nginx.service \ No newline at end of file diff --git a/examples/install_scripts/rpm/acme2certifier.spec b/examples/install_scripts/rpm/acme2certifier.spec index daad264c..1dd7c642 100644 --- a/examples/install_scripts/rpm/acme2certifier.spec +++ b/examples/install_scripts/rpm/acme2certifier.spec 
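Review bot: `yum -y localinstall /tmp/acme2certifier/acme2certifier-0.23.1-1.0.noarch.rpm` hard-codes the version, while the workflow copies `acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm` into that directory, so the first version bump makes this test install nothing and the later `systemctl start acme2certifier.service` fail on a missing unit; use `yum -y localinstall /tmp/acme2certifier/acme2certifier-*.noarch.rpm`. The script has no `set -e`, so that failure, like a failed `yum install`, does not stop the run; `set -eu` after the shebang surfaces it at the step that caused it. `chown -R nginx.nginx` uses the deprecated dotted owner form; `nginx:nginx` is the portable spelling.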
@@ -7,22 +7,21 @@ AutoReqProv: no %global dest_dir /opt %{!?_unitdir: %global _unitdir /usr/lib/systemd/system} -Summary: library implementing ACME server functionality -Name: acme2certifier +Summary: library implementing ACME server functionality +Name: acme2certifier -%define ghowner grindsa +%define ghowner grindsa -Version: 0.23.1 -Release: 1.0 -License: GPL3; @grindsa@github -URL: https://github.com/grindsa/acme2certifier -Requires: nginx +Version: __version__ +Release: 1.0 +License: GPL3; @grindsa@github +URL: https://github.com/grindsa/acme2certifier +Requires: nginx # EPEL repo required -Requires: policycoreutils-python-utils -Requires: uwsgi-plugin-python3 -Requires: python3-uwsgidecorators -Requires: tar -# pip **RISK** +Requires: policycoreutils-python-utils +Requires: uwsgi-plugin-python3 +Requires: python3-uwsgidecorators +Requires: tar Requires: python3-dateutil Requires: python3-pytz Requires: python3-setuptools @@ -45,17 +44,15 @@ Requires(post): policycoreutils BuildArch: noarch -#define ghsha 1699c09758e56f740437674a8d6ba36443399f24 -%define mungedurl refs/tags/%{?ghsha}%{?!ghsha:%{version}} -Source0: https://github.com/%{ghowner}/%{?URLbit}%{?!URLbit:%{name}}/archive/%{?mungedurl}.tar.gz +Source0: %{name}-%{version}.tar.gz %description acme2certifier is development project to create an ACME protocol proxy. Main intention is to provide ACME services on CA servers which do not support this protocol yet. It consists of two libraries: - acme_srv/*.py - a bunch of classes implementing ACME server functionality based on rfc8555 -- ca_handler.py - interface towards CA server. The intention of this library is to be - modular that an adaption to other CA servers should be straight forward. As of +- ca_handler.py - interface towards CA server. The intention of this library is to be + modular that an adaption to other CA servers should be straight forward. As of today the following handlers are available: - Openssl 
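Review bot: `Version: __version__` leaves the tracked spec unbuildable until the workflow's sed has run; a comment above it, `# placeholder, substituted from acme_srv/version.py by the CI workflow before rpmbuild`, would tell anyone running rpmbuild by hand what to do. The second hunk removes the `ghsha` define, but `%prep` (context in the third hunk) still expands `%{name}-%{?ghsha}%{?!ghsha:%{version}}`; with Source0 now `%{name}-%{version}.tar.gz` the line reduces to `%autosetup -p1 -n %{name}-%{version} -N`.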
@@ -69,19 +66,19 @@ acme2certifier is development project to create an ACME protocol proxy. Main int - XCA - acme2dfn (external; ACME proxy for the German research network's SOAP API) -For more up-to-date information and further documentation, please visit the project's +For more up-to-date information and further documentation, please visit the project's home page at: https://github.com/grindsa/acme2certifier Remember to: - - enable acme2certifer service + - enable acme2certifer service sudo systemctl enable acme2certifier.service sudo systemctl start acme2certifier.service - - active acme2certifier in your nginx configuration + - active acme2certifier in your nginx configuration cp /opt/acme2certifer/examples/nginx/nginx_acme_srv[_ssl].conf /etc/nginx/conf.d - enable and start nginx service sudo systemctl enable nginx.service sudo systemctl start nginx.service - + %prep %autosetup -p1 -n %{name}-%{?ghsha}%{?!ghsha:%{version}} -N @@ -94,12 +91,14 @@ Remember to: %{__mkdir_p} \ %{buildroot}%{_datadir} \ %{buildroot}%{_unitdir} \ - %{buildroot}%{dest_dir} - + %{buildroot}%{dest_dir}/%{name}/examples \ + %{buildroot}%{_docdir}/%{projname} \ #\ #%{buildroot}%{_sysconfdir}/httpd/conf.d \ -%{__cp} -a . %{buildroot}%{dest_dir}/%{projname} +# %{__cp} -a . %{buildroot}%{dest_dir}/%{projname} +%{__cp} -a acme_srv tools %{buildroot}%{dest_dir}/%{projname} +%{__cp} -a examples/ca_handler examples/db_handler examples/django examples/eab_handler examples/hooks examples/trigger examples/nginx %{buildroot}%{dest_dir}/%{projname}/examples %{__chmod} -R go-w %{buildroot}%{dest_dir}/%{projname} @@ -122,7 +121,7 @@ plugins = python3 ' \ examples/nginx/acme2certifier.ini > \ %{buildroot}%{dest_dir}/%{projname}/acme2certifier.ini - + ## Configure and enable uWSGI service %{__sed} ' /^User/i\ 
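Review bot: The trailing backslash on `%{buildroot}%{_docdir}/%{projname} \` continues the `%{__mkdir_p}` command onto the commented `#\` line below it, which only works because that line starts with `#`; drop the backslash (or delete the two commented lines) so the command no longer depends on a comment. `%{_docdir}/%{projname}` is created but nothing in the hunk installs into it, and `%doc` in the last hunk places documentation on its own, so the directory looks unnecessary — worth confirming. The `%description` context in the hunk above still points users at `/opt/acme2certifer/examples/nginx/...`, a misspelling of the install path that the whitespace cleanup in this commit left in place.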
@@ -140,7 +139,7 @@ WorkingDirectory=%{dest_dir} %files %defattr(-,root,root,-) %license LICENSE -%doc *.md requirements.txt +%doc *.md requirements.txt docs/*.md %attr(0755,nginx,-)%{dest_dir}/%{projname}/ %{_unitdir}/acme2certifier.service From 1f55b50820f45ae3f2842cb93342d2340a3db94e Mon Sep 17 00:00:00 2001 From: grindsa Date: Mon, 12 Dec 2022 21:17:37 +0100 Subject: [PATCH 13/22] [wf] rpm upload during create release wf --- .github/workflows/create_release.yml | 39 ++++++++++++++++++++++++++-- 1 file changed, 37 insertions(+), 2 deletions(-) diff --git a/.github/workflows/create_release.yml b/.github/workflows/create_release.yml index a9334a05..5c142f9e 100644 --- a/.github/workflows/create_release.yml +++ b/.github/workflows/create_release.yml 
@@ -40,9 +40,44 @@ jobs: with: tag_name: ${{ env.TAG_NAME }} release_name: ${{ env.APP_NAME }} ${{ env.TAG_NAME }} - # release_name: hahohe ${{ env.TAG_NAME }} - # body_path: body.txt body: | [Changelog](https://github.com/grindsa/acme2certifier/blob/master/CHANGES.md) draft: false prerelease: false + + - name: update version number in spec file + if: steps.acme2certifier_ver.outputs.tag != env.TAG_NAME + run: | + sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec + cat examples/install_scripts/rpm/acme2certifier.spec + + - name: build RPM package + id: rpm_build + if: steps.acme2certifier_ver.outputs.tag != env.TAG_NAME + uses: naveenrajm7/rpmbuild@master + with: + spec_file: "examples/install_scripts/rpm/acme2certifier.spec" + + - name: Upload Release Source-RPM + id: upload-srpm + if: steps.acme2certifier_ver.outputs.tag != env.TAG_NAME + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ steps.create_release.outputs.upload_url }} + asset_path: ${{ steps.rpm_build.outputs.source_rpm_path }} + asset_name: ${{ steps.rpm_build.outputs.source_rpm_name }} + asset_content_type: ${{ steps.rpm_build.outputs.rpm_content_type }} + + - name: Upload Release RPM + id: upload-rpm + if: steps.acme2certifier_ver.outputs.tag != env.TAG_NAME + uses: actions/upload-release-asset@v1 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + with: + upload_url: ${{ steps.create_release.outputs.upload_url }} + asset_path: ${{ steps.rpm_build.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm + asset_name: acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm + asset_content_type: ${{ steps.rpm_build.outputs.rpm_content_type }} From 92e108f773df2db78dc25c87fd1b69ce430e4d3b Mon Sep 17 00:00:00 2001 
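Review bot: The release is created with `draft: false` before the spec is rewritten and the RPM built, so a failing `rpmbuild` or upload leaves a published release with no RPM assets; running the sed/build steps ahead of the release-creation step, or creating the release as a draft and publishing it as the final step, avoids a half-finished release. `asset_path` concatenates `rpm_dir_path` with `noarch/...`, which assumes that output ends in a slash — worth a comment or an explicit `/` separator. The four identical `if: steps.acme2certifier_ver.outputs.tag != env.TAG_NAME` guards reference a step outside this hunk; a one-line comment on the first of them saying what the comparison gates would spare the reader the lookup.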
From: grindsa Date: Sat, 17 Dec 2022 06:23:43 +0100 Subject: [PATCH 14/22] {feat] debian framework --- examples/install_scripts/debian/changelog | 5 +++ examples/install_scripts/debian/control | 17 +++++++++ examples/install_scripts/debian/copyright | 25 +++++++++++++ examples/install_scripts/debian/postinst | 45 +++++++++++++++++++++++ examples/install_scripts/debian/rules | 25 +++++++++++++ 5 files changed, 117 insertions(+) create mode 100644 examples/install_scripts/debian/changelog create mode 100644 examples/install_scripts/debian/control create mode 100644 examples/install_scripts/debian/copyright create mode 100644 examples/install_scripts/debian/postinst create mode 100644 examples/install_scripts/debian/rules diff --git a/examples/install_scripts/debian/changelog b/examples/install_scripts/debian/changelog new file mode 100644 index 00000000..2f74cf94 --- /dev/null +++ b/examples/install_scripts/debian/changelog @@ -0,0 +1,5 @@ +acme2certifier (0.23.1-1) stable; urgency=medium + + * Initial release + + -- GrindSa Fri, 16 Dec 2022 18:41:04 +0000 diff --git a/examples/install_scripts/debian/control b/examples/install_scripts/debian/control new file mode 100644 index 00000000..84f26390 --- /dev/null +++ b/examples/install_scripts/debian/control 
@@ -0,0 +1,17 @@ +Source: acme2certifier +Section: Network +Priority: optional +Maintainer: GrindSa +Build-Depends: debhelper-compat (= 13) +Standards-Version: 4.6.0 +Homepage: https://github.com/grindsa/acme2certifier +#Vcs-Browser: https://salsa.debian.org/debian/acme2certifier +#Vcs-Git: https://salsa.debian.org/debian/acme2certifier.git +Rules-Requires-Root: no + +Package: acme2certifier +Architecture: all +Depends: ${misc:Depends}, tzdata, python3-setuptools, python3-jwcrypto, python3-cryptography, python3-openssl, python3-dnspython, python3-pytzdata, python3-configargparse, python3-dateutil, python3-requests, python3-socks, python3-josepy, python3-acme, python3-impacket, python3-xmltodict, python3-pyasn1, python3-pyasn1-modules, python3-django, python3-mysqldb, python3-pymysql, python3-psycopg2, python3-yaml +Description: Library implementing ACME server functionality + acme2certifier is development project to create an ACME protocol proxy. Main intention is to provide ACME services on CA servers which do not support this protocol yet. + After installation remember to install either NGINX or apache2! diff --git a/examples/install_scripts/debian/copyright b/examples/install_scripts/debian/copyright new file mode 100644 index 00000000..d09b09db --- /dev/null +++ b/examples/install_scripts/debian/copyright 
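Review bot: `Section: Network` is not a valid Debian section name; sections are lowercase and the one for this package is `net`, so the line should read `Section: net`. The long description tells the user to install nginx or apache2 by hand, but nothing in the stanza expresses that; `Recommends: nginx | apache2` would let the package manager offer it without hard-depending on either. `Maintainer: GrindSa` shows no e-mail address, which Debian policy expects in the form `Name <address>`; if the address was stripped when this page was rendered, ignore this.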
@@ -0,0 +1,25 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: acme2certifier +Upstream-Contact: GrindSa +Source: https://github.com/grindsa/acme2certifier + +Files: * +Copyright: 2022 GrindSa + +License: GPL-3 + + This package is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + . + This package is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program. If not, see + . + On Debian systems, the complete text of the GNU General + Public License version 2 can be found in "/usr/share/common-licenses/GPL-2". diff --git a/examples/install_scripts/debian/postinst b/examples/install_scripts/debian/postinst new file mode 100644 index 00000000..294dc79d --- /dev/null +++ b/examples/install_scripts/debian/postinst 
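Review bot: The GPL-3 stanza ends by pointing at version 2 of the licence, `Public License version 2 can be found in "/usr/share/common-licenses/GPL-2"`; for a GPL-3 package that line should be `Public License version 3 can be found in "/usr/share/common-licenses/GPL-3"`. The sentence `If not, see .` has lost its URL, presumably the angle-bracketed `https://www.gnu.org/licenses/` reference from the standard text; restore it if it is missing in the file and not only in this rendering.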
@@ -0,0 +1,45 @@ +#! /bin/sh +# postinst script for erddcd +# +# see: dh_installdeb(1) + +set -e + +# summary of how this script can be called: +# * 'configure' +# * 'abort-upgrade' +# * 'abort-remove' 'in-favour' +# +# * 'abort-deconfigure' 'in-favour' +# 'removing' +# +# for details, see /usr/share/doc/packaging-manual/ +# +# quoting from the policy: +# Any necessary prompting should almost always be confined to the +# post-installation script, and should be protected with a conditional +# so that unnecessary prompting doesn't happen if a package's +# installation fails and the 'postinst' is called with 'abort-upgrade', +# 'abort-remove' or 'abort-deconfigure'. + +case "$1" in + configure) + chown -R www-data.www-data /var/www/acme2certifier + ;; + + abort-upgrade|abort-remove|abort-deconfigure) + + ;; + + *) + echo "postinst called with unknown argument \`$1'" >&2 + exit 0 + ;; +esac + +# dh_installdeb will replace this with shell code automatically +# generated by other debhelper scripts. + +#DEBHELPER# + +exit 0 diff --git a/examples/install_scripts/debian/rules b/examples/install_scripts/debian/rules new file mode 100644 index 00000000..2063acc9 --- /dev/null +++ b/examples/install_scripts/debian/rules 
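Review bot: `chown -R www-data.www-data /var/www/acme2certifier` in the configure branch makes the web-server account owner of the whole application tree on every install or upgrade, so a compromised worker can modify the code it serves; keep the code root-owned and chown only the directory the handlers write to, and use the `www-data:www-data` form since the dotted owner syntax is deprecated. The header comment still says `postinst script for erddcd`, a leftover from the template it was copied from. The unknown-argument branch exits 0 where the debhelper template exits 1, which hides a mis-invocation from dpkg.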
@@ -0,0 +1,25 @@
+#!/usr/bin/make -f
+# See debhelper(7) (uncomment to enable)
+# output every command that modifies files on the build system.
+export DH_VERBOSE = 1
+
+
+# see FEATURE AREAS in dpkg-buildflags(1)
+#export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
+# see ENVIRONMENT in dpkg-buildflags(1)
+# package maintainers to append CFLAGS
+#export DEB_CFLAGS_MAINT_APPEND = -Wall -pedantic
+# package maintainers to append LDFLAGS
+#export DEB_LDFLAGS_MAINT_APPEND = -Wl,--as-needed
+
+%:
+ dh $@
+
+build:
+ cp examples/db_handler/wsgi_handler.py acme_srv/db_handler.py
+# dh_make generated override targets
+# This is example for Cmake (See https://bugs.debian.org/641051 )
+#override_dh_auto_configure:
+# dh_auto_configure -- \
+# -DCMAKE_LIBRARY_PATH=$(DEB_HOST_MULTIARCH)
From 37f46497db2dbd411e9c0869e6b7b3aa0afc6797 Mon Sep 17 00:00:00 2001 From: grindsa Date: Sat, 17 Dec 2022 13:34:01 +0100 Subject: [PATCH 15/22] deb packaging workflows
--- .github/workflows/manual-install-test.yml | 225 +++++++++++++++++- .../debian/acme2certifier.install | 14 ++ 2 files changed, 237 insertions(+), 2 deletions(-) create mode 100644 examples/install_scripts/debian/acme2certifier.install
diff --git a/.github/workflows/manual-install-test.yml b/.github/workflows/manual-install-test.yml
index 94f4a1f6..d718d916 100644
--- a/.github/workflows/manual-install-test.yml
+++ b/.github/workflows/manual-install-test.yml
@@ -1,4 +1,4 @@
-name: Manual Installation test
+name: Manual Installation tests
 on:
 push:
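Review bot: The explicit `build:` target in debian/rules takes precedence over the `%:` catch-all for that target, so `debian/rules build` (which dpkg-buildpackage invokes first) runs only the `cp` and never `dh build`; as far as I can tell the dh sequence then runs late, from `dh binary`, which happens to work for a pure-Python package but is fragile and not what the template intends. Use the debhelper override hook instead, so the copy is part of the normal sequence: `override_dh_auto_build:` followed by the existing `cp` line and then `dh_auto_build`. A one-line comment above the copy explaining why the wsgi db_handler is materialised as `acme_srv/db_handler.py` at build time would also help the next packager, since the same file is later shipped via `acme2certifier.install` as well.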
@@ -272,4 +272,225 @@ jobs: if: ${{ failure() }} with: name: alma_nginx_wsgi_rpm.tar.gz - path: ${{ github.workspace }}/artifact/upload/ \ No newline at end of file + path: ${{ github.workspace }}/artifact/upload/ + + deb_apache2: + name: "deb_apache2" + runs-on: ubuntu-latest + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + + - name: "[ PREPARE ] get runner ip" + run: | + echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV + echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV + - run: echo "runner IP is ${{ env.RUNNER_IP }}" + + - name: Retrieve Version from version.py + run: | + echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV + - run: echo "Latest tag is ${{ env.TAG_NAME }}" + + - name: "[ PREPARE ] environment to build deb package" + run: | + sudo apt-get -y install build-essential fakeroot dpkg-dev devscripts debhelper + # sudo apt-get -y install debhelper + rm setup.py + cp -R examples/install_scripts/debian ./ + cd ../ + tar cvfz ../acme2certifier_${{ env.TAG_NAME }}.orig.tar.gz ./ + + # - uses: singingwolfboy/build-dpkg-buster@v1 + # id: build + # with: + # args: --unsigned-source --unsigned-changes + + - name: "[ BUILD ] build debian package" + run: | + dpkg-buildpackage -uc -us + dpkg -c ../acme2certifier_${{ env.TAG_NAME }}-1_all.deb + + - name: "[ Install ] install apache2 and acme2certifier packages" + run: | + sudo apt-get install -y apache2 apache2-data libapache2-mod-wsgi-py3 + sudo apt-get install -y ../acme2certifier_${{ env.TAG_NAME }}-1_all.deb + + - name: "[ PREPARE ] configure a2c" + run: | + sudo cp /var/www/acme2certifier/examples/apache2/apache_wsgi.conf /etc/apache2/sites-available/acme2certifier.conf + sudo a2ensite acme2certifier + sudo rm /etc/apache2/sites-enabled/000-default.conf + sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg 
/var/www/acme2certifier/acme_srv/acme_srv.cfg + sudo mkdir -p /var/www/acme2certifier/volume/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem /var/www/acme2certifier/volume/acme_ca/ + sudo chown -R www-data.www-data /var/www/acme2certifier/volume + sudo systemctl start apache2 + + - name: "[ TEST ] Test http://acme-srv/directory is accessable" + run: curl -f http://127.0.0.1/directory + + - name: "[ PREPARE ] Modfiy configuration to allow certifiate enrollment" + run: | + # sudo apt-get install -y socat + sudo sed -i "s/Listen 80/Listen 8080/g" /etc/apache2/ports.conf + sudo sed -i "s/*:80/*:8080/g" /etc/apache2/sites-available/acme2certifier.conf + sudo sed -i "s/examples\/ca_handler/\/var\/www\/acme2certifier\/examples\/ca_handler/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg + sudo sed -i "s/volume\/acme_ca/\/var\/www\/acme2certifier\/volume\/acme_ca/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg + sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg + sudo systemctl restart apache2 + + - name: "[ TEST ] Test http://acme-srv/directory is accessable" + run: curl -f http://127.0.0.1:8080/directory + + - name: "[ PREPARE ] prepare acme.sh container" + run: | + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --name=acme-sh neilpang/acme.sh:latest daemon + + - name: "[ REGISTER] acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://${{ env.RUNNER_IP }}:8080 --register-account --accountemail 'acme-sh@example.com' --debug 3 + + - name: "[ ENROLL] acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://${{ env.RUNNER_IP }}:8080 --issue -d acme-sh.acme --standalone --debug 3 --output-insecure + openssl verify -CAfile /var/www/acme2certifier/volume/acme_ca/root-ca-cert.pem -untrusted /var/www/acme2certifier/volume/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer + + - name: "[ * ] 
collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp /var/log/apache2 ${{ github.workspace }}/artifact/data/ + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: deb_apache.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + + deb_nginx: + name: "deb_nginx" + runs-on: ubuntu-latest + steps: + - name: "checkout GIT" + uses: actions/checkout@v2 + + - name: "[ PREPARE ] get runner ip" + run: | + echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV + echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV + - run: echo "runner IP is ${{ env.RUNNER_IP }}" + + - name: Retrieve Version from version.py + run: | + echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV + - run: echo "Latest tag is ${{ env.TAG_NAME }}" + + - name: "[ PREPARE ] environment to build deb package" + run: | + sudo apt-get -y install build-essential fakeroot dpkg-dev devscripts debhelper + # sudo apt-get -y install debhelper + rm setup.py + cp -R examples/install_scripts/debian ./ + cd ../ + tar cvfz ../acme2certifier_${{ env.TAG_NAME }}.orig.tar.gz ./ + + - name: "[ BUILD ] build debian package" + run: | + dpkg-buildpackage -uc -us + dpkg -c ../acme2certifier_${{ env.TAG_NAME }}-1_all.deb + + - name: "[ Install ] install nginx and acme2certifier packages" + run: | + sudo apt-get install -y python3-pip nginx uwsgi uwsgi-plugin-python3 + sudo apt-get install -y ../acme2certifier_${{ env.TAG_NAME }}-1_all.deb + + - name: "[PREPARE] Local modification to get a2c running" + run: | + sed -i "s/run\/uwsgi\/acme.sock/var\/www\/acme2certifier\/acme.sock/g" examples/nginx/nginx_acme_srv.conf + sudo cp 
examples/nginx/nginx_acme_srv.conf /etc/nginx/sites-available/acme_srv.conf + sudo rm /etc/nginx/sites-enabled/default + sudo ln -s /etc/nginx/sites-available/acme_srv.conf /etc/nginx/sites-enabled/acme_srv.conf + sudo chown -R www-data.www-data /var/www/acme2certifier/ + sudo systemctl start nginx + + - name: "[PREPARE] Modify uwsgi configuration file" + run: | + sed -i "s/\/run\/uwsgi\/acme.sock/acme.sock/g" examples/nginx/acme2certifier.ini + sed -i "s/nginx/www-data/g" examples/nginx/acme2certifier.ini + echo "plugins=python3" >> examples/nginx/acme2certifier.ini + sudo cp examples/nginx/acme2certifier.ini /var/www/acme2certifier + + - name: "[PREPARE] create a2c service" + run: | + cat < acme2certifier.service + [Unit] + Description=uWSGI instance to serve acme2certifier + After=network.target + + [Service] + User=www-data + Group=www-data + WorkingDirectory=/var/www/acme2certifier + Environment="PATH=/var/www/acme2certifier" + ExecStart=uwsgi --ini acme2certifier.ini + + [Install] + WantedBy=multi-user.target + EOT + + sudo cp acme2certifier.service /etc/systemd/system/acme2certifier.service + sudo systemctl start acme2certifier + sudo systemctl enable acme2certifier + + - name: "[ TEST ] Test http://acme-srv/directory is accessable" + run: curl -f http://127.0.0.1/directory + + - name: "[ PREPARE ] configure ca_handler" + run: | + sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg /var/www/acme2certifier/acme_srv/acme_srv.cfg + sudo mkdir -p /var/www/acme2certifier/volume/acme_ca/certs + sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem /var/www/acme2certifier/volume/acme_ca/ + sudo chown -R www-data.www-data /var/www/acme2certifier/volume + + - name: "[ PREPARE ] Modfiy configuration to allow certifiate enrollment" + run: | + sudo sed -i "s/listen 80/listen 8080/g" /etc/nginx/sites-enabled/acme_srv.conf + sudo sed -i "s/listen [::]:80/listen [::]:8080/g" 
/etc/nginx/sites-enabled/acme_srv.conf + sudo sed -i "s/examples\/ca_handler/\/var\/www\/acme2certifier\/examples\/ca_handler/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg + sudo sed -i "s/volume\/acme_ca/\/var\/www\/acme2certifier\/volume\/acme_ca/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg + sudo sed -i "s/challenge_validation_disable: False/challenge_validation_disable: True/g" /var/www/acme2certifier/acme_srv/acme_srv.cfg + sudo systemctl restart nginx + + - name: "[ TEST ] Test http://acme-srv/directory is accessable" + run: curl -f http://127.0.0.1:8080/directory + + - name: "[ PREPARE ] prepare acme.sh container" + run: | + docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --name=acme-sh neilpang/acme.sh:latest daemon + + - name: "[ REGISTER] acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://${{ env.RUNNER_IP }}:8080 --register-account --accountemail 'acme-sh@example.com' --debug 3 + + - name: "[ ENROLL] acme.sh" + run: | + docker exec -i acme-sh acme.sh --server http://${{ env.RUNNER_IP }}:8080 --issue -d acme-sh.acme --standalone --debug 3 --output-insecure + openssl verify -CAfile /var/www/acme2certifier/volume/acme_ca/root-ca-cert.pem -untrusted /var/www/acme2certifier/volume/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme/acme-sh.acme.cer + + - name: "[ * ] collecting test logs" + if: ${{ failure() }} + run: | + mkdir -p ${{ github.workspace }}/artifact/upload + sudo cp -rp /var/log/apache2 ${{ github.workspace }}/artifact/data/ + sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data + + - name: "[ * ] uploading artificates" + uses: actions/upload-artifact@v2 + if: ${{ failure() }} + with: + name: deb_nginx.tar.gz + path: ${{ github.workspace }}/artifact/upload/ + diff --git a/examples/install_scripts/debian/acme2certifier.install b/examples/install_scripts/debian/acme2certifier.install new file mode 100644 index 00000000..44daca29 --- /dev/null 
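Review bot: Every third-party component the two new jobs pull in is referenced by a mutable tag — `actions/checkout@v2`, `actions/upload-artifact@v2` and `neilpang/acme.sh:latest` — so the job that builds and validates the .deb can change underneath the repository without any commit here; pin the actions to a commit SHA (`uses: actions/checkout@<sha> # v2`) and the image to a digest or fixed version. In deb_nginx, `sudo chown -R www-data.www-data /var/www/acme2certifier/` makes the whole install tree (code included) writable by the uWSGI user, mirroring the package postinst; only `acme_srv/` and `volume/` need to be writable. The inline systemd unit sets `Environment="PATH=/var/www/acme2certifier"`, which leaves the service with no system bin directory on PATH — uwsgi itself still resolves because systemd uses its own fixed search path for a relative `ExecStart`, but anything the handlers might shell out to would not be found, so `PATH=/usr/local/bin:/usr/bin:/bin` was probably intended.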
+++ b/examples/install_scripts/debian/acme2certifier.install
@@ -0,0 +1,14 @@
+examples/acme2certifier_wsgi.py /var/www/acme2certifier/
+acme_srv /var/www/acme2certifier/
+examples/acme_srv.cfg /var/www/acme2certifier/acme_srv/
+examples/db_handler /var/www/acme2certifier/examples
+examples/ca_handler /var/www/acme2certifier/examples
+examples/eab_handler /var/www/acme2certifier/examples
+examples/hooks /var/www/acme2certifier/examples
+examples/trigger /var/www/acme2certifier/examples
+examples/django /var/www/acme2certifier/examples
+examples/nginx /var/www/acme2certifier/examples
+examples/apache*.conf /var/www/acme2certifier/examples/apache2
+tools /var/www/acme2certifier/
+examples/db_handler/wsgi*.* /var/www/acme2certifier/acme_srv/
+docs /usr/share/doc/acme2certifier/
From f42112ecec801d511fb166ee620f5950858e303a Mon Sep 17 00:00:00 2001 From: grindsa Date: Sat, 17 Dec 2022 18:07:31 +0100 Subject: [PATCH 16/22] [fix] deb packaging in create release workflow
--- .github/workflows/create_release.yml | 30 +++++++++++++++++++++++ .github/workflows/manual-install-test.yml | 7 ++---- examples/install_scripts/debian/changelog | 4 +-- 3 files changed, 34 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/create_release.yml b/.github/workflows/create_release.yml
index 5c142f9e..288b5a56 100644
--- a/.github/workflows/create_release.yml
+++ b/.github/workflows/create_release.yml
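Review bot: `examples/acme_srv.cfg /var/www/acme2certifier/acme_srv/` ships the example configuration as an ordinary packaged file at exactly the path the operator is told to edit (the workflow overwrites `/var/www/acme2certifier/acme_srv/acme_srv.cfg` with the real CA-handler config), and because it lives outside `/etc` dpkg does not treat it as a conffile — every package upgrade will silently replace the operator's CA credentials and settings with the example. Either declare it in `debian/conffiles`, or install the example under `/usr/share/doc/acme2certifier/examples/` and have postinst copy it into place only when no config exists yet. Separately, `tools`, `examples/django` and all handler directories are dropped into the vhost directory itself; if an apache DocumentRoot is ever pointed at `/var/www/acme2certifier`, those files and a config holding CA key passphrases become web-reachable, so it is worth confirming the shipped `apache_wsgi.conf` exposes nothing but the WSGI script.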
@@ -81,3 +81,33 @@ jobs:
 asset_path: ${{ steps.rpm_build.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm
 asset_name: acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm
 asset_content_type: ${{ steps.rpm_build.outputs.rpm_content_type }}
+
+ - name: Prepare deb packaging environment
+ if: steps.acme2certifier_ver.outputs.tag != env.TAG_NAME
+ run: |
+ sudo apt-get -y install build-essential fakeroot dpkg-dev devscripts debhelper
+ rm setup.py
+ cp -R examples/install_scripts/debian ./
+ sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" debian/changelog
+ cd ../
+ tar cvfz ../acme2certifier_${{ env.TAG_NAME }}.orig.tar.gz ./
+
+ - name: "[ BUILD ] build debian package"
+ if: steps.acme2certifier_ver.outputs.tag != env.TAG_NAME
+ run: |
+ dpkg-buildpackage -uc -us
+ # dpkg -c ../acme2certifier_${{ env.TAG_NAME }}-1_all.deb
+ cp ../acme2certifier_${{ env.TAG_NAME }}-1_all.deb "$(pwd)/acme2certifier_${{ env.TAG_NAME }}-1_all.deb"
+ ls -la
+
+ - name: Upload Release deb
+ id: upload-deb
+ if: steps.acme2certifier_ver.outputs.tag != env.TAG_NAME
+ uses: actions/upload-release-asset@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ steps.create_release.outputs.upload_url }}
+ asset_path: acme2certifier_${{ env.TAG_NAME }}-1_all.deb
+ asset_name: acme2certifier_${{ env.TAG_NAME }}-1_all.deb
+ asset_content_type: application/vnd.debian.binary-package
\ No newline at end of file
diff --git a/.github/workflows/manual-install-test.yml b/.github/workflows/manual-install-test.yml
index d718d916..5f4a8cc4 100644
--- a/.github/workflows/manual-install-test.yml
+++ b/.github/workflows/manual-install-test.yml
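Review bot: The release .deb is built with `dpkg-buildpackage -uc -us` and uploaded exactly as produced, so a downloader has no way to verify it — no signed `.changes`/`.dsc`, and no checksum published next to the asset — while the new install docs tell users to `apt-get install` the raw file. At minimum add a step that writes `sha256sum acme2certifier_${{ env.TAG_NAME }}-1_all.deb > acme2certifier_${{ env.TAG_NAME }}-1_all.deb.sha256` and uploads it alongside; better, sign with a release key (`debsign`, or a sigstore/provenance attestation) so the artifact can be tied to this workflow. `actions/upload-release-asset@v1` is referenced by a floating tag like the other actions in this workflow; pin it to a commit SHA, and note that `sudo sed -i` on `debian/changelog` does not need root and leaves a root-owned file in the build tree.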
@@ -298,13 +298,10 @@ jobs: # sudo apt-get -y install debhelper rm setup.py cp -R examples/install_scripts/debian ./ + sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" debian/changelog cd ../ tar cvfz ../acme2certifier_${{ env.TAG_NAME }}.orig.tar.gz ./ - # - uses: singingwolfboy/build-dpkg-buster@v1 - # id: build - # with: - # args: --unsigned-source --unsigned-changes - name: "[ BUILD ] build debian package" run: | @@ -391,9 +388,9 @@ jobs: - name: "[ PREPARE ] environment to build deb package" run: | sudo apt-get -y install build-essential fakeroot dpkg-dev devscripts debhelper - # sudo apt-get -y install debhelper rm setup.py cp -R examples/install_scripts/debian ./ + sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" debian/changelog cd ../ tar cvfz ../acme2certifier_${{ env.TAG_NAME }}.orig.tar.gz ./ diff --git a/examples/install_scripts/debian/changelog b/examples/install_scripts/debian/changelog index 2f74cf94..14916c0b 100644 --- a/examples/install_scripts/debian/changelog +++ b/examples/install_scripts/debian/changelog @@ -1,5 +1,5 @@ -acme2certifier (0.23.1-1) stable; urgency=medium +acme2certifier (__version__-1) stable; urgency=medium - * Initial release + * Initial release -- GrindSa Fri, 16 Dec 2022 18:41:04 +0000 From 6c55dc9c9ef36f4a2fbbf513917a4fcbc2efa1bd Mon Sep 17 00:00:00 2001 From: grindsa Date: Sat, 17 Dec 2022 18:16:13 +0100 Subject: [PATCH 17/22] [fix] remove cfg extenstion from .gitignore --- .gitignore | 2 +- examples/soap/soap_srv.cfg | 7 +++++++ 2 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 examples/soap/soap_srv.cfg diff --git a/.gitignore b/.gitignore index afe271c5..0fff872f 100644 --- a/.gitignore +++ b/.gitignore @@ -148,7 +148,7 @@ examples/Docker/data/* !examples/Docker/.env # acme/ acme_srv/acme_srv.db.old.* -*.cfg +# *.cfg *.pub *.private settings.json diff --git a/examples/soap/soap_srv.cfg b/examples/soap/soap_srv.cfg new file mode 100644 index 00000000..7d9b955f --- /dev/null 
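Review bot: Commenting out `*.cfg` in .gitignore un-ignores every config file in a checkout, including a locally populated `acme_srv/acme_srv.cfg` whose CA-handler section typically carries key passphrases and API credentials (the new `soap_srv.cfg` template in this same commit has `issuing_ca_key:` and `passphrase:` fields), so the next `git add -A` can commit live secrets to the repository. Keep the blanket rule and whitelist only the example, the way the file already does for `!examples/Docker/.env`: leave `*.cfg` in place and add `!examples/soap/soap_srv.cfg` below it.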
+++ b/examples/soap/soap_srv.cfg @@ -0,0 +1,7 @@ +[CAhandler] +xdb_file: +issuing_ca_name: +issuing_ca_key: +template_name: +passphrase: +ca_cert_chain_list: [""] \ No newline at end of file From 6f5d12109c9f31648785f8acffa5b52f1e813229 Mon Sep 17 00:00:00 2001 From: grindsa Date: Sat, 17 Dec 2022 19:22:24 +0100 Subject: [PATCH 18/22] [doc] rpm install --- README.md | 6 +++-- docs/install_rpm.md | 58 +++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 62 insertions(+), 2 deletions(-) create mode 100644 docs/install_rpm.md diff --git a/README.md b/README.md index 1064ceff..41fe242b 100644 --- a/README.md +++ b/README.md 
@@ -109,10 +109,12 @@ django project. Running acme2certifier as django project allows to use other database backends than SQLite. The fastest and most convenient way to install acme2certifier is to use docker -containers. There are ready made images available at [dockerhub](https://hub.docker.com/r/grindsa/acme2certifier) and [ghcr.io](https://github.com/grindsa?tab=packages&ecosystem=container) as well as [instructions to build your own container](examples/Docker/). +containers. There are ready made images available at [dockerhub](https://hub.docker.com/r/grindsa/acme2certifier) and [ghcr.io](https://github.com/grindsa?tab=packages&ecosystem=container) as well as [instructions to build your own container](examples/Docker/). In addition rpm packages for AlmaLinux/CentOS Stream/Redhat EL 9 and deb packages for Ubuntu 22.04 will be provided with every release. - [acme2certifier in Github container repository](https://github.com/grindsa?tab=packages&ecosystem=container) -- [acme2certifier repository at hub.docker.com](https://hub.docker.com/r/grindsa/acme2certifier), +- [acme2certifier repository at hub.docker.com](https://hub.docker.com/r/grindsa/acme2certifier) +- [rpm package installation on Alma Linux 9](docs/install_rpm.md) +- [deb package installation Ubuntu 22.04](docs/install_deb.md) - [Instructions to build your own container](examples/Docker/) - [Installation as wsgi-script running on apache2 (Ubuntu 22.04)](docs/install_apache2_wsgi.md) - [Installation as wsgi-script running on NGINX (Ubuntu 22.04)](docs/install_nginx_wsgi_ub22.md) diff --git a/docs/install_rpm.md b/docs/install_rpm.md new file mode 100644 index 00000000..afd57c2e --- /dev/null +++ b/docs/install_rpm.md 
@@ -0,0 +1,58 @@ + + +# RPM installation on AlmaLinux/Redhat EL/CentOS Stream 9 + +I barely know NGINX. Main input has been taken from [here](https://hostpresto.com/community/tutorials/how-to-serve-python-apps-using-uwsgi-and-nginx-on-centos-7/). If you see room for improvement let me know. + +1. download the latest [RPM package](https://github.com/grindsa/acme2certifier/releases). + +2. Install "Extra Packages for Enterprise Linux (EPEL)" + +```bash +$ sudo yum install -y epel-release +$ sudo yum update -y +``` + +3. Install the RPM packages + +```bash +$ sudo yum -y localinstall /tmp/acme2certifier/acme2certifier-0.23.1-1.0.noarch.rpm +``` + +4. Copy NGINX configuration file + +```bash +$ cp /opt/acme2certifier/examples/nginx/nginx_acme_srv.conf /etc/nginx/conf.d +``` + +5. Copy NGINX ssl configuration file (optional) + +```bash +$ cp /opt/acme2certifier/examples/nginx/nginx_acme_srv_ssl.conf /etc/nginx/conf.d +``` + +5. create a configuration file `acme_srv.cfg` in `/opt/acme2certifier/acme_srv/` or use the example stored in the examples directory +6. modify the [configuration file](acme_srv.md) according to you needs +7. configure the CA handler according to your needs. [Example for Insta Certifier](certifier.md) +8. enable and start the acme2certifier service + +```bash +$ systemctl enable acme2certifier.service +$ systemctl start acme2certifier.service +``` + +9. enable and start the nginx service + +```bash +systemctl enable nginx.service +systemctl start nginx.service +``` + +10. 
test the server by accessing the directory resource + +```bash +$ curl http:///directory +{"newAccount": "http://127.0.0.1:8000/acme_srv/newaccount", "fa8b347d3849421ebc4b234205418805": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "keyChange": "http://127.0.0.1:8000/acme_srv/key-change", "newNonce": "http://127.0.0.1:8000/acme_srv/newnonce", "meta": {"home": "https://github.com/grindsa/acme2certifier", "author": "grindsa "}, "newOrder": "http://127.0.0.1:8000/acme_srv/neworders", "revokeCert": "http://127.0.0.1:8000/acme_srv/revokecert"} +``` + +11. Try to enroll a certificate by using your favourite acme-client. If something does not work enable debugging in `/opt/acme2certifier/acme_srv/acme_srv.cfg` and check `/var/log/messages` for errors. From d2c0d567259bca3f313ee8b5c0d46d68807b9865 Mon Sep 17 00:00:00 2001 From: grindsa Date: Sat, 17 Dec 2022 20:00:09 +0100 Subject: [PATCH 19/22] [doc] deb installation instructions --- .github/workflows/manual-install-test.yml | 2 +- docs/install_deb.md | 126 ++++++++++++++++++++++ docs/install_nginx_wsgi.md | 2 +- docs/install_rpm.md | 4 +- 4 files changed, 130 insertions(+), 4 deletions(-) create mode 100644 docs/install_deb.md diff --git a/.github/workflows/manual-install-test.yml b/.github/workflows/manual-install-test.yml index 5f4a8cc4..84404117 100644 --- a/.github/workflows/manual-install-test.yml +++ b/.github/workflows/manual-install-test.yml @@ -481,7 +481,7 @@ jobs: if: ${{ failure() }} run: | mkdir -p ${{ github.workspace }}/artifact/upload - sudo cp -rp /var/log/apache2 ${{ github.workspace }}/artifact/data/ + sudo cp -rp /var/log/nginx ${{ github.workspace }}/artifact/data/ sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data - name: "[ * ] uploading artificates" diff --git a/docs/install_deb.md b/docs/install_deb.md new file mode 100644 index 00000000..d41a7f28 --- /dev/null +++ b/docs/install_deb.md 
@@ -0,0 +1,126 @@ + + +# DEB installation on Ubuntu 22.04 + +The debian package is generic and supports running acme2certifier with either apache2 and nginx + +## Installation with apache2 + +1. Download the latest [DEB package](https://github.com/grindsa/acme2certifier/releases). +2. Install acme2certifier and apache2 packages + +```bash +$ sudo apt-get install -y apache2 apache2-data libapache2-mod-wsgi-py3 +$ sudo apt-get install -y ../acme2certifier_-1_all.deb +``` + +3. Copy and activete apache2 configuration file + +```bash +$ sudo cp /var/www/acme2certifier/examples/apache2/apache_wsgi.conf /etc/apache2/sites-available acme2certifier.conf +$ sudo a2ensite acme2certifier +``` + +4. Copy and activate apache2 ssl configuration file (optional) + +```bash +$ sudo cp /var/www/acme2certifier/examples/apache2/apache_wsgi_ssl.conf /etc/apache2/sites-available acme2certifier_ssl.conf +$ sudo a2ensite acme2certifier_ssl +``` + +5. create a configuration file `acme_srv.cfg` in `/var/www/acme2certifier/acme_srv/` or use the example stored in the examples directory +6. modify the [configuration file](acme_srv.md) according to you needs +7. configure the CA handler according to your needs. [Example for Insta Certifier](certifier.md) + +8. enable and start the apache2 service + +```bash +systemctl enable apache2.service +systemctl start apache2.service +``` + +9. test the server by accessing the directory resource + +```bash +$ curl http:///directory +{"newAccount": "http://127.0.0.1:8000/acme_srv/newaccount", "fa8b347d3849421ebc4b234205418805": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "keyChange": "http://127.0.0.1:8000/acme_srv/key-change", "newNonce": "http://127.0.0.1:8000/acme_srv/newnonce", "meta": {"home": "https://github.com/grindsa/acme2certifier", "author": "grindsa "}, "newOrder": "http://127.0.0.1:8000/acme_srv/neworders", "revokeCert": "http://127.0.0.1:8000/acme_srv/revokecert"} +``` + +10. 
Try to enroll a certificate by using your favourite acme-client. If something does not work enable debugging in `/var/www/acme2certifier/acme_srv/acme_srv.cfg` and check `/var/log/apache2/error.log` for errors. + +## Installation with nginx + +1. Download the latest [DEB package](https://github.com/grindsa/acme2certifier/releases). +2. Install acme2certifier and nginx packages + +```bash +$ sudo apt-get install -y python3-pip nginx uwsgi uwsgi-plugin-python3 +$ sudo apt-get install -y ../acme2certifier_-1_all.deb +``` + +3. Adapt the nginx configuration file to Ubuntu 22.04 and activate the configuration + +```bash +$ sed -i "s/run\/uwsgi\/acme.sock/var\/www\/acme2certifier\/acme.sock/g" examples/nginx/nginx_acme_srv.conf +$ sudo cp examples/nginx/nginx_acme_srv.conf /etc/nginx/sites-available/acme_srv.conf +$ sudo rm /etc/nginx/sites-enabled/default +$ sudo ln -s /etc/nginx/sites-available/acme_srv.conf /etc/nginx/sites-enabled/acme_srv.conf +``` + +4. Adapt and copy uwsgi configuration files + +```bash +$ sed -i "s/\/run\/uwsgi\/acme.sock/acme.sock/g" examples/nginx/acme2certifier.ini +$ sed -i "s/nginx/www-data/g" examples/nginx/acme2certifier.ini +$ echo "plugins=python3" >> examples/nginx/acme2certifier.ini +$ sudo cp examples/nginx/acme2certifier.ini /var/www/acme2certifier +``` + +5. Create acme2certifier systemd service file + +```bash +cat < acme2certifier.service +[Unit] +Description=uWSGI instance to serve acme2certifier +After=network.target + +[Service] +User=www-data +Group=www-data +WorkingDirectory=/var/www/acme2certifier +Environment="PATH=/var/www/acme2certifier" +ExecStart=uwsgi --ini acme2certifier.ini + +[Install] +WantedBy=multi-user.target +EOT +``` + +6. copy systemd service file + +```bash +$ sudo mv acme2certifier.service /etc/systemd/system/acme2certifier.service +``` + +7. Enable and start acme2certifier service + +```bash +$ sudo systemctl start acme2certifier +$ sudo systemctl enable acme2certifier +``` + +8. 
Enable and start nginx + +```bash +$ sudo systemctl start nginx +$ sudo systemctl enable nginx +``` + +9. test the server by accessing the directory resource + +```bash +$ curl http:///directory +{"newAccount": "http://127.0.0.1:8000/acme_srv/newaccount", "fa8b347d3849421ebc4b234205418805": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "keyChange": "http://127.0.0.1:8000/acme_srv/key-change", "newNonce": "http://127.0.0.1:8000/acme_srv/newnonce", "meta": {"home": "https://github.com/grindsa/acme2certifier", "author": "grindsa "}, "newOrder": "http://127.0.0.1:8000/acme_srv/neworders", "revokeCert": "http://127.0.0.1:8000/acme_srv/revokecert"} +``` + +10. Try to enroll a certificate by using your favourite acme-client. If something does not work enable debugging in `/var/www/acme2certifier/acme_srv/acme_srv.cfg` and check `/var/log/nginx/error.log` for errors. diff --git a/docs/install_nginx_wsgi.md b/docs/install_nginx_wsgi.md index 74a572c3..f1a92cbf 100644 --- a/docs/install_nginx_wsgi.md +++ b/docs/install_nginx_wsgi.md @@ -2,7 +2,7 @@ # Installation on NGINX runnig on CentOS -I barely know NGINX. Main input has been taken from [here](https://hostpresto.com/community/tutorials/how-to-serve-python-apps-using-uwsgi-and-nginx-on-centos-7/). If you see room for improvement let me know. +I barely know NGINX. Main input has been taken from [here](https://hostpresto.com/community/tutorials/how-to-serve-python-apps-using-uwsgi-and-nginx-on-centos-7/). If you see room for improvements let me know. Setup is done in a way that uWSGI will serve acme2certifier while NGINX will act as reverse proxy to provide better connection handling. diff --git a/docs/install_rpm.md b/docs/install_rpm.md index afd57c2e..7b36ab48 100644 --- a/docs/install_rpm.md +++ b/docs/install_rpm.md 
@@ -2,9 +2,9 @@ # RPM installation on AlmaLinux/Redhat EL/CentOS Stream 9 -I barely know NGINX. Main input has been taken from [here](https://hostpresto.com/community/tutorials/how-to-serve-python-apps-using-uwsgi-and-nginx-on-centos-7/). If you see room for improvement let me know. +I barely know NGINX. Main input has been taken from [here](https://hostpresto.com/community/tutorials/how-to-serve-python-apps-using-uwsgi-and-nginx-on-centos-7/). If you see room for improvements let me know. -1. download the latest [RPM package](https://github.com/grindsa/acme2certifier/releases). +1. Download the latest [RPM package](https://github.com/grindsa/acme2certifier/releases). 2. Install "Extra Packages for Enterprise Linux (EPEL)" From 68b5fa0c82c630647c4553aa1c21bf6116c8196e Mon Sep 17 00:00:00 2001 From: grindsa Date: Sat, 17 Dec 2022 20:04:51 +0100 Subject: [PATCH 20/22] [doc] typo --- docs/install_deb.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/install_deb.md b/docs/install_deb.md index d41a7f28..a7609458 100644 --- a/docs/install_deb.md +++ b/docs/install_deb.md @@ -35,8 +35,8 @@ $ sudo a2ensite acme2certifier_ssl 8. enable and start the apache2 service ```bash -systemctl enable apache2.service -systemctl start apache2.service +$ systemctl enable apache2.service +$ systemctl start apache2.service ``` 9. test the server by accessing the directory resource From 876387c4c6f85f6da4cca72392da6264b1b0762b Mon Sep 17 00:00:00 2001 From: grindsa Date: Sat, 17 Dec 2022 20:08:19 +0100 Subject: [PATCH 21/22] [doc] Typos fixed --- docs/install_deb.md | 14 +++++++------- docs/install_rpm.md | 16 ++++++++-------- 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/docs/install_deb.md b/docs/install_deb.md index a7609458..63988a63 100644 --- a/docs/install_deb.md +++ b/docs/install_deb.md 
@@ -28,18 +28,18 @@ $ sudo cp /var/www/acme2certifier/examples/apache2/apache_wsgi_ssl.conf /etc/apa $ sudo a2ensite acme2certifier_ssl ``` -5. create a configuration file `acme_srv.cfg` in `/var/www/acme2certifier/acme_srv/` or use the example stored in the examples directory -6. modify the [configuration file](acme_srv.md) according to you needs -7. configure the CA handler according to your needs. [Example for Insta Certifier](certifier.md) +5. Create a configuration file `acme_srv.cfg` in `/var/www/acme2certifier/acme_srv/` or use the example stored in the examples directory +6. Modify the [configuration file](acme_srv.md) according to you needs +7. Configure the CA handler according to your needs. [Example for Insta Certifier](certifier.md) -8. enable and start the apache2 service +8. Enable and start the apache2 service ```bash $ systemctl enable apache2.service $ systemctl start apache2.service ``` -9. test the server by accessing the directory resource +9. Test the server by accessing the directory resource ```bash $ curl http:///directory @@ -96,7 +96,7 @@ WantedBy=multi-user.target EOT ``` -6. copy systemd service file +6. Copy systemd service file ```bash $ sudo mv acme2certifier.service /etc/systemd/system/acme2certifier.service @@ -116,7 +116,7 @@ $ sudo systemctl start nginx $ sudo systemctl enable nginx ``` -9. test the server by accessing the directory resource +9. Test the server by accessing the directory resource ```bash $ curl http:///directory diff --git a/docs/install_rpm.md b/docs/install_rpm.md index 7b36ab48..1fa425be 100644 --- a/docs/install_rpm.md +++ b/docs/install_rpm.md 
@@ -31,24 +31,24 @@ $ cp /opt/acme2certifier/examples/nginx/nginx_acme_srv.conf /etc/nginx/conf.d $ cp /opt/acme2certifier/examples/nginx/nginx_acme_srv_ssl.conf /etc/nginx/conf.d ``` -5. create a configuration file `acme_srv.cfg` in `/opt/acme2certifier/acme_srv/` or use the example stored in the examples directory -6. modify the [configuration file](acme_srv.md) according to you needs -7. configure the CA handler according to your needs. [Example for Insta Certifier](certifier.md) -8. enable and start the acme2certifier service +5. Create a configuration file `acme_srv.cfg` in `/opt/acme2certifier/acme_srv/` or use the example stored in the examples directory +6. Modify the [configuration file](acme_srv.md) according to you needs +7. Configure the CA handler according to your needs. [Example for Insta Certifier](certifier.md) +8. Enable and start the acme2certifier service ```bash $ systemctl enable acme2certifier.service $ systemctl start acme2certifier.service ``` -9. enable and start the nginx service +9. Enable and start the nginx service ```bash -systemctl enable nginx.service -systemctl start nginx.service +$ systemctl enable nginx.service +$ systemctl start nginx.service ``` -10. test the server by accessing the directory resource +10. Test the server by accessing the directory resource ```bash $ curl http:///directory From 7d81d7f6a2b719dda880b13c600fdaf31c2d1ae8 Mon Sep 17 00:00:00 2001 From: grindsa Date: Sat, 17 Dec 2022 21:12:32 +0100 Subject: [PATCH 22/22] [rel] bump to 0.23.2 --- CHANGES.md | 6 ++++++ acme_srv/version.py | 4 ++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/CHANGES.md b/CHANGES.md index e4669d50..d01c1ed4 100644 --- a/CHANGES.md +++ b/CHANGES.md 
@@ -5,6 +5,12 @@ This is a high-level summary of the most important changes. For a full list of changes, see the [git commit log](https://github.com/grindsa/acme2certifier/commits) and pick the appropriate release branch. +# Changes in 0.23.2 + +**Features and Improvements**: + +- [rpm](docs/install_rpm.md) and [deb](docs/install_deb.md) packages + # Changes in 0.23.1 **Bugfixes**: diff --git a/acme_srv/version.py b/acme_srv/version.py index 9d6beeeb..dcdc523f 100644 --- a/acme_srv/version.py +++ b/acme_srv/version.py @@ -3,5 +3,5 @@ # 1) we don't load dependencies by storing it in __init__.py # 2) we can import it in setup.py for the same reason # 3) we can import it into your module module -__version__ = '0.23.1' -__dbversion__ = '0.23.1' +__version__ = '0.23.2' +__dbversion__ = '0.23.2'