[fix] openssl handler #731

Workflow file for this run

.github/workflows/ca_handler_tests_ejbca.yml at ecdc537

	name: CA handler tests - EJBCA handler

	on:
	push:
	pull_request:
	branches: [ devel ]
	schedule:
	# * is a special character in YAML so you have to quote this string
	- cron: '0 2 * * 6'

	jobs:
	ejb_ca_tests:
	name: "ejbca_hander_handler_tests docker image"
	runs-on: ubuntu-latest
	strategy:
	fail-fast: false
	matrix:
	websrv: ['apache2', 'nginx']
	dbhandler: ['wsgi', 'django']

	steps:
	- name: "checkout GIT"
	uses: actions/checkout@v4

	- name: "create folders"
	run: \|
	mkdir lego
	mkdir acme-sh
	mkdir certbot

	- name: "Get runner ip"
	run: \|
	echo RUNNER_IP=$(ip addr show eth0 \| grep -i "inet " \| cut -d ' ' -f 6 \| cut -d '/' -f 1) >> $GITHUB_ENV
	echo RUNNER_PATH=$(pwd \| sed 's_/_\\/_g') >> $GITHUB_ENV
	- run: echo "runner IP is ${{ env.RUNNER_IP }}"

	- name: "Prepare Environment"
	working-directory: examples/Docker/
	run: \|
	mkdir -p data/acme_ca
	sudo chmod -R 777 data/acme_ca
	docker network create acme
	sudo sh -c "echo '$EJBCA_IP ejbca' >> /etc/hosts"
	env:
	EJBCA_IP: ${{ env.RUNNER_IP }}

	- name: "Instanciate ejbca server"
	run: \|
	docker run -id --rm -p 80:8080 -p 443:8443 -e TLS_SETUP_ENABLED=true -v $(pwd)/examples/ejbca:/tmp/data -v $(pwd)/examples/Docker/data:/tmp/store --name "ejbca" -h ejbca keyfactor/ejbca-ce

	- name: "Sleep for 180s"
	uses: juliangruber/[email protected]
	with:
	time: 180s

	- name: "Get randmonly generated Superadmin password for ejbca instance"
	run: \|
	echo SAEC=$(docker logs ejbca \| grep /opt/keyfactor/bin/start.sh \| grep Password: \| awk -F'Password: ' '{print $2}' \| awk -F ' ' '{print $1}') >> $GITHUB_ENV

	- run: echo "Randmonly generated Superadmin password is ${{ env.SAEC }}"
	- run: echo ${{ env.SAEC }} > examples/Docker/data/passphrase.txt

	- name: "Configure ejbca"
	run: \|
	docker exec -i ejbca bin/ejbca.sh ca getcacert --caname ManagementCA -f /tmp/store/acme_ca/ca_bundle.pem
	docker exec -i ejbca bin/ejbca.sh config protocols enable --name "REST Certificate Management"
	docker exec -i ejbca bin/ejbca.sh config protocols enable --name "REST Certificate Management V2"
	docker exec -i ejbca bin/ejbca.sh ca init acmeca "CN=acmeca" soft foo123 4096 RSA -v 365 --policy 2.5.29.32.0 -s SHA256WithRSA

	- name: "Get CAID"
	run: \|
	echo CAID=$(docker logs ejbca \| grep "msg=CA with id" \| grep "and name acmeca added" \| awk -F'with id ' '{print $2}' \| awk -F' and name' '{print $1}') >> $GITHUB_ENV

	- run: echo "CAID of acmeca is ${{ env.CAID }}"

	- name: "Create subca"
	run: \|
	docker exec -i ejbca bin/ejbca.sh ca init acmesubca "CN=acmesubca" soft foo123 4096 RSA -v 365 --policy 2.5.29.32.0 -s SHA256WithRSA --signedby $CAID
	docker exec -i ejbca bin/ejbca.sh ca importprofiles -d /tmp/data/
	env:
	CAID: ${{ env.CAID }}

	- name: "Sleep for 10s"
	uses: juliangruber/[email protected]
	with:
	time: 10s

	- name: "Fetch superadmin certificate and key"
	working-directory: examples/Docker/
	run: \|
	docker exec -i ejbca bin/ejbca.sh ra setendentitystatus superadmin 10
	docker exec -i ejbca bin/ejbca.sh ra setclearpwd superadmin $SAEC
	docker exec -i ejbca bin/ejbca.sh batch
	docker cp ejbca:/opt/keyfactor/p12/superadmin.p12 data/
	env:
	SAEC: ${{ env.SAEC }}

	- name: "Test superadmin certificate and key"
	working-directory: examples/Docker/
	run: \|
	curl https://127.0.0.1/ejbca/ejbca-rest-api/v1/certificate/status --cert-type P12 --cert data/superadmin.p12:$SAEC --insecure
	curl https://ejbca/ejbca/ejbca-rest-api/v1/certificate/status --cert-type P12 --cert data/superadmin.p12:$SAEC --cacert data/acme_ca/ca_bundle.pem
	env:
	SAEC: ${{ env.SAEC }}

	- name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})"
	working-directory: examples/Docker/
	run: \|
	sudo apt-get install -y docker-compose
	sudo mkdir -p data
	sed -i "s/wsgi/$DB_HANDLER/g" .env
	sed -i "s/apache2/$WEB_SRV/g" .env
	cat .env
	docker-compose up -d
	docker-compose logs
	env:
	WEB_SRV: ${{ matrix.websrv }}
	DB_HANDLER: ${{ matrix.dbhandler }}

	- name: "Default - setup a2c with ejbca_ca_handler"
	run: \|
	sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem
	sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem
	sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem
	sudo cp .github/django_settings.py examples/Docker/data/settings.py
	sudo touch examples/Docker/data/acme_srv.cfg
	sudo chmod 777 examples/Docker/data/acme_srv.cfg
	sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
	sudo echo "handler_file: examples/ca_handler/ejbca_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
	sudo echo "api_host: https://ejbca" >> examples/Docker/data/acme_srv.cfg
	sudo echo "cert_file: volume/superadmin.p12" >> examples/Docker/data/acme_srv.cfg
	sudo echo "cert_passphrase: $SAEC" >> examples/Docker/data/acme_srv.cfg
	sudo echo "ca_bundle: volume/acme_ca/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg
	sudo echo "ca_name: acmesubca" >> examples/Docker/data/acme_srv.cfg
	sudo echo "cert_profile_name: acmeca1" >> examples/Docker/data/acme_srv.cfg
	sudo echo "ee_profile_name: acmeca" >> examples/Docker/data/acme_srv.cfg
	sudo echo "username: acme_srv" >> examples/Docker/data/acme_srv.cfg
	sudo echo "enrollment_code: acme_srv" >> examples/Docker/data/acme_srv.cfg
	cd examples/Docker/
	docker-compose restart
	docker-compose logs
	env:
	SAEC: ${{ env.SAEC }}

	- name: "Sleep for 10s"
	uses: juliangruber/[email protected]
	with:
	time: 10s

	- name: "Default - Test http://acme-srv/directory is accessible"
	run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory

	- name: "Default - Test if https://acme-srv/directory is accessible"
	run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory

	- name: "Default - enroll via acme.sh"
	run: \|
	docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail '[email protected]' -d acme-sh.acme --standalone --debug 3 --output-insecure --force
	awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
	openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer

	- name: "Default - revoke via acme.sh"
	run: \|
	docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure

	- name: "Default - register certbot"
	run: \|
	docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv --no-eff-email

	- name: "Default - enroll HTTP-01 single domain certbot"
	run: \|
	docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
	sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem

	- name: "Default - revoke HTTP-01 single domain certbot"
	run: \|
	docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot

	- name: "enroll lego"
	run: \|
	docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --http run
	sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt

	- name: "Default - revoke HTTP-01 single domain lego"
	run: \|
	docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme revoke

	- name: "EAB without headerinfo - setup a2c with ejbca_ca_handler"
	run: \|
	sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem
	sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem
	sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem
	sudo cp .github/django_settings.py examples/Docker/data/settings.py
	sudo touch examples/Docker/data/acme_srv.cfg
	sudo chmod 777 examples/Docker/data/acme_srv.cfg
	sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
	sudo echo "handler_file: examples/ca_handler/ejbca_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
	sudo echo "api_host: https://ejbca" >> examples/Docker/data/acme_srv.cfg
	sudo echo "cert_file: volume/superadmin.p12" >> examples/Docker/data/acme_srv.cfg
	sudo echo "cert_passphrase: $SAEC" >> examples/Docker/data/acme_srv.cfg
	sudo echo "ca_bundle: volume/acme_ca/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg
	sudo echo "ca_name: acmesubca" >> examples/Docker/data/acme_srv.cfg
	sudo echo "cert_profile_name: acmeca1" >> examples/Docker/data/acme_srv.cfg
	sudo echo "ee_profile_name: acmeca" >> examples/Docker/data/acme_srv.cfg
	sudo echo "username: acme_srv" >> examples/Docker/data/acme_srv.cfg
	sudo echo "enrollment_code: acme_srv" >> examples/Docker/data/acme_srv.cfg
	sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg

	sudo echo -e "\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg
	sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg
	sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg

	sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json
	sudo chmod 777 examples/eab_handler/kid_profiles.json
	sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"cert_profile_name\"\: \[\"acmeca2\", \"acmeca1\"\]/g" examples/Docker/data/kid_profiles.json
	sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"cert_profile_name\"\: \"acmeca2\"/g" examples/Docker/data/kid_profiles.json
	sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"acmeca\"/" examples/Docker/data/kid_profiles.json
	sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown\": \"unknown\"/g" examples/Docker/data/kid_profiles.json
	sudo sed -i "s/example.net/acme/g" examples/Docker/data/kid_profiles.json
	sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json
	sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json
	cd examples/Docker/
	docker-compose restart
	docker-compose logs
	env:
	SAEC: ${{ env.SAEC }}

	- name: "Sleep for 10s"
	uses: juliangruber/[email protected]
	with:
	time: 10s

	- name: "EAB without headerinfo - Test http://acme-srv/directory is accessible"
	run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory

	- name: "EAB without headerinfo - Test if https://acme-srv/directory is accessible"
	run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory

	- name: "EAB without headerinfo - 01a - enrollment without header-info field (first value in list)"
	run: \|
	sudo rm -rf lego/*
	docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run
	sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
	sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout \| grep -i acmesubca
	sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout \| grep "TLS Web Client"

	- name: "EAB without headerinfo - 01b - enrollment with header-info field included in list (silent ignore)"
	run: \|
	sudo rm -rf lego/*
	sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --user-agent cert_profile_name=acmeca1 -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run
	sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
	sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout \| grep -i acmesubca
	sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout \| grep "TLS Web Client"

	- name: "EAB without headerinfo - 01c - with header-info field containing value not included in list (silent ignore)"
	run: \|
	sudo rm -rf lego/*
	sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --user-agent cert_profile_name=acmeca3 -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run
	sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
	sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout \| grep -i acmesubca
	sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout \| grep "TLS Web Client"

	- name: "EAB without headerinfo - 02 - profilinging ca and cert_profile"
	run: \|
	sudo rm -rf lego/*
	docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --http run
	sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
	sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout \| grep -i acmeca
	sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout \| grep "TLS Web Client"

	- name: "EAB without headerinfo - 03 - domainlist validation fails (to fail)"
	id: legofail01
	continue-on-error: true
	run: \|
	sudo rm -rf lego/*
	docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --http run

	- name: EAB without headerinfo - 03 - check result "
	if: steps.legofail01.outcome != 'failure'
	run: \|
	echo "legofail outcome is ${{steps.legofail01.outcome }}"
	exit 1

	- name: "EAB without headerinfo - 04 - Settings from acme_srv.cfg"
	run: \|
	sudo rm -rf lego/*
	docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --http run
	sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
	sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout \| grep -i acmesubca
	sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout \| grep "TLS Web Server"

	- name: "EAB with headerinfo - setup a2c with ejbca_ca_handler"
	run: \|
	sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem
	sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem
	sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem
	sudo cp .github/django_settings.py examples/Docker/data/settings.py
	sudo touch examples/Docker/data/acme_srv.cfg
	sudo chmod 777 examples/Docker/data/acme_srv.cfg
	sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
	sudo echo "handler_file: examples/ca_handler/ejbca_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
	sudo echo "api_host: https://ejbca" >> examples/Docker/data/acme_srv.cfg
	sudo echo "cert_file: volume/superadmin.p12" >> examples/Docker/data/acme_srv.cfg
	sudo echo "cert_passphrase: $SAEC" >> examples/Docker/data/acme_srv.cfg
	sudo echo "ca_bundle: volume/acme_ca/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg
	sudo echo "ca_name: acmesubca" >> examples/Docker/data/acme_srv.cfg
	sudo echo "cert_profile_name: acmeca1" >> examples/Docker/data/acme_srv.cfg
	sudo echo "ee_profile_name: acmeca" >> examples/Docker/data/acme_srv.cfg
	sudo echo "username: acme_srv" >> examples/Docker/data/acme_srv.cfg
	sudo echo "enrollment_code: acme_srv" >> examples/Docker/data/acme_srv.cfg
	sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg
	sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg

	sudo echo -e "\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg
	sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg
	sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg

	sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json
	sudo chmod 777 examples/eab_handler/kid_profiles.json
	sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"cert_profile_name\"\: \[\"acmeca2\", \"acmeca1\"\]/g" examples/Docker/data/kid_profiles.json
	sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"cert_profile_name\"\: \"acmeca2\"/g" examples/Docker/data/kid_profiles.json
	sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"acmeca\"/" examples/Docker/data/kid_profiles.json
	sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown\": \"unknown\"/g" examples/Docker/data/kid_profiles.json
	sudo sed -i "s/example.net/acme/g" examples/Docker/data/kid_profiles.json
	sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json
	sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json
	cd examples/Docker/
	docker-compose restart
	docker-compose logs
	env:
	SAEC: ${{ env.SAEC }}

	- name: "Sleep for 10s"
	uses: juliangruber/[email protected]
	with:
	time: 10s

	- name: "EAB with headerinfo - Test http://acme-srv/directory is accessible"
	run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory

	- name: "EAB wit headerinfo - Test if https://acme-srv/directory is accessible"
	run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory

	- name: "EAB with headerinfo - 01a - enrollment without header-info field (first value in list)"
	run: \|
	sudo rm -rf lego/*
	docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run
	sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
	sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout \| grep -i acmesubca
	sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout \| grep "TLS Web Client"

	- name: "EAB with headerinfo - 01b - enrollment with header-info field (pick value from list)"
	run: \|
	sudo rm -rf lego/*
	sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --user-agent cert_profile_name=acmeca1 -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run
	sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
	sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout \| grep -i acmesubca
	sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout \| grep "TLS Web Server"

	- name: "EAB with headerinfo - 01c - enrollment with header-info field containing value not included in list (to fail)"
	id: legofail02
	continue-on-error: true
	run: \|
	sudo rm -rf lego/*
	sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --user-agent cert_profile_name=acmeca3 -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run

	- name: EAB with headerinfo 01c - check result "
	if: steps.legofail02.outcome != 'failure'
	run: \|
	echo "legofail outcome is ${{steps.legofail02.outcome }}"
	exit 1

	- name: "EAB with headerinfo - 01d - enrollment with header-info field cotaining an invalid parameter (silent overwrite)"
	run: \|
	sudo rm -rf lego/*
	sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --user-agent ca_name=foo -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run
	sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
	sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout \| grep -i acmesubca
	sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout \| grep "TLS Web Client"

	- name: "EAB with headerinfo - 01e - enrollment with header-info field containing parameter not in json (silent overwrite)"
	run: \|
	sudo rm -rf lego/*
	sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --user-agent cert_profile_name=acmeca2 -d lego.acme --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --http run
	sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
	sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout \| grep -i acmeca
	sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout \| grep "TLS Web Client"

	- name: "EAB with headerinfo - 02 - profilinging ca and cert_profile"
	run: \|
	sudo rm -rf lego/*
	docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --http run
	sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
	sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout \| grep -i acmeca
	sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout \| grep "TLS Web Client"

	- name: "EAB with headerinfo - 03 - domainlist validation fails (to fail)"
	id: legofail03
	continue-on-error: true
	run: \|
	sudo rm -rf lego/*
	docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --http run

	- name: EAB with headerinfo - 03 - check result "
	if: steps.legofail03.outcome != 'failure'
	run: \|
	echo "legofail outcome is ${{steps.legofail03.outcome }}"
	exit 1

	- name: "EAB with headerinfo - 04 - Settings from acme_srv.cfg"
	run: \|
	sudo rm -rf lego/*
	docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --http run
	sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
	sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout \| grep -i acmesubca
	sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout \| grep "TLS Web Server"

	- name: "[ * ] collecting test logs"
	if: ${{ failure() }}
	run: \|
	mkdir -p ${{ github.workspace }}/artifact/upload
	sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
	sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
	sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/
	sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
	docker logs ejbca > ${{ github.workspace }}/artifact/ejbca.log
	cd examples/Docker
	docker-compose logs > ${{ github.workspace }}/artifact/a2c.log
	sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz ejbca.log a2c.log data acme-sh certbot lego

	- name: "[ * ] uploading artificates"
	uses: actions/upload-artifact@v4
	if: ${{ failure() }}
	with:
	name: ejbca-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz.tar.gz
	path: ${{ github.workspace }}/artifact/upload/

	ejbca_ca_handler_tests_rpm:
	name: " ejbca_ca_handler_tests_rpm"
	runs-on: ubuntu-latest
	strategy:
	fail-fast: false
	matrix:
	rhversion: [8, 9]
	steps:

	- name: "checkout GIT"
	uses: actions/checkout@v4

	- name: "[ PREPARE ] get runner ip"
	run: \|
	echo RUNNER_IP=$(ip addr show eth0 \| grep -i "inet " \| cut -d ' ' -f 6 \| cut -d '/' -f 1) >> $GITHUB_ENV
	echo RUNNER_PATH=$(pwd \| sed 's_/_\\/_g') >> $GITHUB_ENV
	- run: echo "runner IP is ${{ env.RUNNER_IP }}"

	- name: "Prepare Environment"
	run: \|
	mkdir -p data/acme_ca
	sudo chmod -R 777 data
	docker network create acme
	sudo sh -c "echo '$EJBCA_IP ejbca' >> /etc/hosts"
	env:
	EJBCA_IP: ${{ env.RUNNER_IP }}

	- name: "[ PREPARE ] create acme-sh, letsencrypt and lego folders"
	run: \|
	mkdir certbot
	mkdir lego
	mkdir acme-sh

	- name: "Instanciate ejbca server"
	run: \|
	docker run -id --rm -p 80:8080 -p 443:8443 -e TLS_SETUP_ENABLED=true -v $(pwd)/examples/ejbca:/tmp/data -v $(pwd)/data:/tmp/store --name "ejbca" -h ejbca keyfactor/ejbca-ce

	- name: "Sleep for 180s"
	uses: juliangruber/[email protected]
	with:
	time: 180s

	- name: "Get randmonly generated Superadmin password for ejbca instance"
	run: \|
	echo SAEC=$(docker logs ejbca \| grep /opt/keyfactor/bin/start.sh \| grep Password: \| awk -F'Password: ' '{print $2}' \| awk -F ' ' '{print $1}') >> $GITHUB_ENV

	- run: echo "Randmonly generated Superadmin password is ${{ env.SAEC }}"
	- run: echo ${{ env.SAEC }} > data/passphrase.txt

	- name: "Configure ejbca"
	run: \|
	docker exec -i ejbca bin/ejbca.sh ca getcacert --caname ManagementCA -f /tmp/store/acme_ca/ca_bundle.pem
	docker exec -i ejbca bin/ejbca.sh config protocols enable --name "REST Certificate Management"
	docker exec -i ejbca bin/ejbca.sh config protocols enable --name "REST Certificate Management V2"
	docker exec -i ejbca bin/ejbca.sh ca init acmeca "CN=acmeca" soft foo123 4096 RSA -v 365 --policy 2.5.29.32.0 -s SHA256WithRSA

	- name: "Get CAID"
	run: \|
	echo CAID=$(docker logs ejbca \| grep "msg=CA with id" \| grep "and name acmeca added" \| awk -F'with id ' '{print $2}' \| awk -F' and name' '{print $1}') >> $GITHUB_ENV

	- run: echo "CAID of acmeca is ${{ env.CAID }}"

	- name: "Create subca"
	run: \|
	docker exec -i ejbca bin/ejbca.sh ca init acmesubca "CN=acmesubca" soft foo123 4096 RSA -v 365 --policy 2.5.29.32.0 -s SHA256WithRSA --signedby $CAID
	docker exec -i ejbca bin/ejbca.sh ca importprofiles -d /tmp/data/

	env:
	CAID: ${{ env.CAID }}

	- name: "Sleep for 10s"
	uses: juliangruber/[email protected]
	with:
	time: 10s

	- name: "Fetch superadmin certificate and key"
	run: \|
	docker exec -i ejbca bin/ejbca.sh ra setendentitystatus superadmin 10
	docker exec -i ejbca bin/ejbca.sh ra setclearpwd superadmin $SAEC
	docker exec -i ejbca bin/ejbca.sh batch
	docker cp ejbca:/opt/keyfactor/p12/superadmin.p12 data/acme_ca/
	env:
	SAEC: ${{ env.SAEC }}

	- name: "Test superadmin certificate and key"
	run: \|
	curl https://127.0.0.1/ejbca/ejbca-rest-api/v1/certificate/status --cert-type P12 --cert data/acme_ca/superadmin.p12:$SAEC --insecure
	curl https://ejbca/ejbca/ejbca-rest-api/v1/certificate/status --cert-type P12 --cert data/acme_ca/superadmin.p12:$SAEC --cacert data/acme_ca/ca_bundle.pem
	env:
	SAEC: ${{ env.SAEC }}

	- name: Retrieve Version from version.py
	run: \|
	echo TAG_NAME=$(cat acme_srv/version.py \| grep -i __version__ \| head -n 1 \| sed 's/__version__ = //g' \| sed s/\'//g) >> $GITHUB_ENV
	- run: echo "Latest tag is ${{ env.TAG_NAME }}"

	- name: update version number in spec file
	run: \|
	# sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec
	sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec
	cat examples/install_scripts/rpm/acme2certifier.spec

	- name: build RPM package
	id: rpm
	uses: grindsa/rpmbuild@alma9
	with:
	spec_file: "examples/install_scripts/rpm/acme2certifier.spec"

	- run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}"

	- name: "setup environment for alma installation"
	run: \|
	sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data
	sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data

	- name: "Retrieve rpms from SBOM repo"
	run: \|
	git clone https://$GH_SBOM_USER:[email protected]/$GH_SBOM_USER/sbom /tmp/sbom
	cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data
	env:
	GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
	GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}

	- name: "Default - setup a2c with ejbca_ca_handler"
	run: \|
	sudo touch data/acme_srv.cfg
	sudo chmod 777 data/acme_srv.cfg
	sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
	sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/ejbca_ca_handler.py" >> data/acme_srv.cfg
	sudo echo "api_host: https://ejbca" >> data/acme_srv.cfg
	sudo echo "cert_file: /opt/acme2certifier/volume/acme_ca/superadmin.p12" >> data/acme_srv.cfg
	sudo echo "cert_passphrase: $SAEC" >> data/acme_srv.cfg
	sudo echo "ca_bundle: /opt/acme2certifier/volume/acme_ca/ca_bundle.pem" >> data/acme_srv.cfg
	sudo echo "ca_name: acmesubca" >> data/acme_srv.cfg
	sudo echo "cert_profile_name: acmeca1" >> data/acme_srv.cfg
	sudo echo "ee_profile_name: acmeca" >> data/acme_srv.cfg
	sudo echo "username: acme_srv" >> data/acme_srv.cfg
	sudo echo "enrollment_code: acme_srv" >> data/acme_srv.cfg
	env:
	SAEC: ${{ env.SAEC }}

	- name: "Prepare Almalinux instance"
	run: \|
	sudo cp examples/Docker/almalinux-systemd/Dockerfile data
	sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile
	cat data/Dockerfile \| docker build -t almalinux-systemd -f - . --no-cache
	docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd

	- name: "Execute install scipt"
	run: \|
	docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh

	- name: "Default - Test http://acme-srv/directory is accessible"
	run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory

	- name: "Default - enroll via acme.sh"
	run: \|
	docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail '[email protected]' -d acme-sh.acme --standalone --debug 3 --output-insecure --force
	awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
	openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer

	- name: "Default - revoke via acme.sh"
	run: \|
	docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure

	- name: "Default - register certbot"
	run: \|
	docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv --no-eff-email

	- name: "Default - enroll HTTP-01 single domain certbot"
	run: \|
	docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
	sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem

	- name: "Default - revoke HTTP-01 single domain certbot"
	run: \|
	docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot

	- name: "Default - enroll lego"
	run: \|
	docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --http run
	sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt

	- name: "Default - revoke HTTP-01 single domain lego"
	run: \|
	docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme revoke

	- name: "EAB without headerinfo - setup a2c with ejbca_ca_handler"
	run: \|
	sudo touch data/acme_srv.cfg
	sudo chmod 777 data/acme_srv.cfg
	sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
	sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/ejbca_ca_handler.py" >> data/acme_srv.cfg
	sudo echo "api_host: https://ejbca" >> data/acme_srv.cfg
	sudo echo "cert_file: /opt/acme2certifier/volume/acme_ca/superadmin.p12" >> data/acme_srv.cfg
	sudo echo "cert_passphrase: $SAEC" >> data/acme_srv.cfg
	sudo echo "ca_bundle: /opt/acme2certifier/volume/acme_ca/ca_bundle.pem" >> data/acme_srv.cfg
	sudo echo "ca_name: acmesubca" >> data/acme_srv.cfg
	sudo echo "cert_profile_name: acmeca1" >> data/acme_srv.cfg
	sudo echo "ee_profile_name: acmeca" >> data/acme_srv.cfg
	sudo echo "username: acme_srv" >> data/acme_srv.cfg
	sudo echo "enrollment_code: acme_srv" >> data/acme_srv.cfg
	sudo echo "eab_profiling: True" >> data/acme_srv.cfg

	sudo echo -e "\n[EABhandler]" >> data/acme_srv.cfg
	sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg
	sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg

	sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json
	sudo chmod 777 data/acme_ca/kid_profiles.json
	sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"cert_profile_name\"\: \[\"acmeca2\", \"acmeca1\"\]/g" data/acme_ca/kid_profiles.json
	sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"cert_profile_name\"\: \"acmeca2\"/g" data/acme_ca/kid_profiles.json
	sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"acmeca\"/" data/acme_ca/kid_profiles.json
	sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown\": \"unknown\"/g" data/acme_ca/kid_profiles.json
	sudo sed -i "s/example.net/acme/g" data/acme_ca/kid_profiles.json
	sudo sed -i '18,19d' data/acme_ca/kid_profiles.json
	sudo sed -i '8,9d' data/acme_ca/kid_profiles.json
	env:
	SAEC: ${{ env.SAEC }}

	- name: "EAB without headerinfo - Reconfigure a2c "
	run: \|
	docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart

	- name: "EAB without headerinfo - Sleep for 10s"
	uses: juliangruber/[email protected]
	with:
	time: 10s

	- name: "EAB without headerinfo - Test http://acme-srv/directory is accessible"
	run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory

	- name: "EAB without headerinfo - 01a - enrollment without header-info field (first value in list)"
	run: \|
	sudo rm -rf lego/*
	docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run
	sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
	sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout \| grep -i acmesubca
	sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout \| grep "TLS Web Client"

	- name: "EAB without headerinfo - 01b - enrollment with header-info field included in list (silent ignore)"
	run: \|
	sudo rm -rf lego/*
	sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --user-agent cert_profile_name=acmeca1 -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run
	sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
	sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout \| grep -i acmesubca
	sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout \| grep "TLS Web Client"

	- name: "EAB without headerinfo - 01c - with header-info field containing value not included in list (silent ignore)"
	run: \|
	sudo rm -rf lego/*
	sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --user-agent cert_profile_name=acmeca3 -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run
	sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
	sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout \| grep -i acmesubca
	sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout \| grep "TLS Web Client"

	- name: "EAB without headerinfo - 02 - profilinging ca and cert_profile"
	run: \|
	sudo rm -rf lego/*
	docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --http run
	sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
	sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout \| grep -i acmeca
	sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout \| grep "TLS Web Client"

	- name: "EAB without headerinfo - 03 - domainlist validation fails (to fail)"
	id: legofail01
	continue-on-error: true
	run: \|
	sudo rm -rf lego/*
	docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --http run

	- name: EAB without headerinfo - 03 - check result "
	if: steps.legofail01.outcome != 'failure'
	run: \|
	echo "legofail outcome is ${{steps.legofail01.outcome }}"
	exit 1

	- name: "EAB without headerinfo - 04 - Settings from acme_srv.cfg"
	run: \|
	sudo rm -rf lego/*
	docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --http run
	sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
	sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout \| grep -i acmesubca
	sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout \| grep "TLS Web Server"

	- name: "EAB with headerinfo - setup a2c with ejbca_ca_handler"
	run: \|
	sudo touch data/acme_srv.cfg
	sudo chmod 777 data/acme_srv.cfg
	sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
	sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/ejbca_ca_handler.py" >> data/acme_srv.cfg
	sudo echo "api_host: https://ejbca" >> data/acme_srv.cfg
	sudo echo "cert_file: /opt/acme2certifier/volume/acme_ca/superadmin.p12" >> data/acme_srv.cfg
	sudo echo "cert_passphrase: $SAEC" >> data/acme_srv.cfg
	sudo echo "ca_bundle: /opt/acme2certifier/volume/acme_ca/ca_bundle.pem" >> data/acme_srv.cfg
	sudo echo "ca_name: acmesubca" >> data/acme_srv.cfg
	sudo echo "cert_profile_name: acmeca1" >> data/acme_srv.cfg
	sudo echo "ee_profile_name: acmeca" >> data/acme_srv.cfg
	sudo echo "username: acme_srv" >> data/acme_srv.cfg
	sudo echo "enrollment_code: acme_srv" >> data/acme_srv.cfg
	sudo echo "eab_profiling: True" >> data/acme_srv.cfg
	sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg

	sudo echo -e "\n[EABhandler]" >> data/acme_srv.cfg
	sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg
	sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg

	sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json
	sudo chmod 777 data/acme_ca/kid_profiles.json
	sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"cert_profile_name\"\: \[\"acmeca2\", \"acmeca1\"\]/g" data/acme_ca/kid_profiles.json
	sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"cert_profile_name\"\: \"acmeca2\"/g" data/acme_ca/kid_profiles.json
	sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"acmeca\"/" data/acme_ca/kid_profiles.json
	sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown\": \"unknown\"/g" data/acme_ca/kid_profiles.json
	sudo sed -i "s/example.net/acme/g" data/acme_ca/kid_profiles.json
	sudo sed -i '18,19d' data/acme_ca/kid_profiles.json
	sudo sed -i '8,9d' data/acme_ca/kid_profiles.json
	env:
	SAEC: ${{ env.SAEC }}

	- name: "EAB with headerinfo - Reconfigure a2c "
	run: \|
	docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart

	- name: "EAB with headerinfo - Sleep for 10s"
	uses: juliangruber/[email protected]
	with:
	time: 10s

	- name: "EAB with headerinfo - 01a - enrollment without header-info field (first value in list)"
	run: \|
	sudo rm -rf lego/*
	docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run
	sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
	sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout \| grep -i acmesubca
	sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout \| grep "TLS Web Client"

	- name: "EAB with headerinfo - 01b - enrollment with header-info field (pick value from list)"
	run: \|
	sudo rm -rf lego/*
	sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --user-agent cert_profile_name=acmeca1 -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run
	sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
	sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout \| grep -i acmesubca
	sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout \| grep "TLS Web Server"

	- name: "EAB with headerinfo - 01c - enrollment with header-info field containing value not included in list (to fail)"
	id: legofail02
	continue-on-error: true
	run: \|
	sudo rm -rf lego/*
	sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --user-agent cert_profile_name=acmeca3 -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run

	- name: EAB with headerinfo 01c - check result "
	if: steps.legofail02.outcome != 'failure'
	run: \|
	echo "legofail outcome is ${{steps.legofail02.outcome }}"
	exit 1

	- name: "EAB with headerinfo - 01d - enrollment with header-info field cotaining an invalid parameter (silent overwrite)"
	run: \|
	sudo rm -rf lego/*
	sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --user-agent ca_name=foo -d lego.acme --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --http run
	sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
	sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout \| grep -i acmesubca
	sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout \| grep "TLS Web Client"

	- name: "EAB with headerinfo - 01e - enrollment with header-info field containing parameter not in json (silent overwrite)"
	run: \|
	sudo rm -rf lego/*
	sudo docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --user-agent cert_profile_name=acmeca2 -d lego.acme --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --http run
	sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
	sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout \| grep -i acmeca
	sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout \| grep "TLS Web Client"

	- name: "EAB with headerinfo - 02 - profilinging ca and cert_profile"
	run: \|
	sudo rm -rf lego/*
	docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --http run
	sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
	sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout \| grep -i acmeca
	sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout \| grep "TLS Web Client"

	- name: "EAB with headerinfo - 03 - domainlist validation fails (to fail)"
	id: legofail03
	continue-on-error: true
	run: \|
	sudo rm -rf lego/*
	docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --http run

	- name: EAB with headerinfo - 03 - check result "
	if: steps.legofail03.outcome != 'failure'
	run: \|
	echo "legofail outcome is ${{steps.legofail03.outcome }}"
	exit 1

	- name: "EAB with headerinfo - 04 - Settings from acme_srv.cfg"
	run: \|
	sudo rm -rf lego/*
	docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --http run
	sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
	sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer -noout \| grep -i acmesubca
	sudo openssl x509 -in lego/certificates/lego.acme.crt -ext extendedKeyUsage -noout \| grep "TLS Web Server"

	- name: "[ * ] collecting test logs"
	if: ${{ failure() }}
	run: \|
	mkdir -p ${{ github.workspace }}/artifact/upload
	docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
	docker logs ejbca > ${{ github.workspace }}/artifact/ejbca.log
	sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
	sudo rm ${{ github.workspace }}/artifact/data/*.rpm
	sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
	docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
	docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
	docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
	sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data ejbca.log acme-srv.log acme-sh

	- name: "[ * ] uploading artificates"
	uses: actions/upload-artifact@v4
	if: ${{ failure() }}
	with:
	name: ejb_rpm-rh${{ matrix.rhversion }}.tar.gz
	path: ${{ github.workspace }}/artifact/upload/

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[fix] openssl handler #731

Workflow file

[fix] openssl handler #731

Jobs

Run details

Workflow file for this run