Skip to content
CA handler Tests - Insta ASA

[fix] openssl handler #453

Sign in to view logs

[fix] openssl handler

[fix] openssl handler #453

Workflow file for this run

.github/workflows/ca_handler_tests_asa.yml at ecdc537
name: CA handler Tests - Insta ASA
on:
push:
pull_request:
branches: [ devel ]
schedule:
# * is a special character in YAML so you have to quote this string
- cron: '0 2 * * 6'
jobs:
asa_handler_tests:
name: "asa_handler_tests"
runs-on: ubuntu-latest
strategy:
max-parallel: 1
fail-fast: false
matrix:
websrv: ['apache2', 'nginx']
dbhandler: ['wsgi', 'django']
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "create folders"
run: |
mkdir lego
mkdir acme-sh
mkdir certbot
- name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})"
working-directory: examples/Docker/
run: |
sudo apt-get install -y docker-compose
sudo mkdir -p data
sed -i "s/wsgi/$DB_HANDLER/g" .env
sed -i "s/apache2/$WEB_SRV/g" .env
cat .env
docker network create acme
docker-compose up -d
docker-compose logs
env:
WEB_SRV: ${{ matrix.websrv }}
DB_HANDLER: ${{ matrix.dbhandler }}
- name: "Profile ${{ secrets.ASA_PROFILE1 }} - Setup a2c with asa_ca_handler with profile ${{ secrets.ASA_PROFILE1 }}"
run: |
sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem
sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem
sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem
sudo cp .github/django_settings.py examples/Docker/data/settings.py
sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
sudo chmod 777 examples/Docker/data/acme_srv.cfg
sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_host: $ASA_API_HOST" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_user: $ASA_API_USER" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_password: $ASA_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_key: $ASA_API_KEY" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_name: $ASA_CA_NAME" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
sudo echo "profile_name: $ASA_PROFILE1" >> examples/Docker/data/acme_srv.cfg
sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" examples/Docker/data/acme_srv.cfg
cd examples/Docker/
docker-compose restart
docker-compose logs
env:
ASA_API_HOST: ${{ secrets.ASA_API_HOST }}
ASA_API_USER: ${{ secrets.ASA_API_USER }}
ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }}
ASA_API_KEY: ${{ secrets.ASA_API_KEY }}
ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }}
ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }}
ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }}
- name: "Profile ${{ secrets.ASA_PROFILE1 }} - Sleep for 10s"
uses: juliangruber/[email protected]
with:
time: 10s
- name: "Profile ${{ secrets.ASA_PROFILE1 }} - Test http://acme-srv/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
- name: "Profile ${{ secrets.ASA_PROFILE1 }} - Test if https://acme-srv/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
- name: "Profile ${{ secrets.ASA_PROFILE1 }} - Enroll acme.sh"
run: |
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail '[email protected]' -d acme-sh.acme --alpn --standalone --keylength 2048 --debug 3 --output-insecure
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature"
# openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
- name: "Profile ${{ secrets.ASA_PROFILE1 }} - Revoke via acme.sh"
run: |
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
- name: "Profile ${{ secrets.ASA_PROFILE1 }} - Register certbot"
run: |
docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv --no-eff-email
- name: "Profile ${{ secrets.ASA_PROFILE1 }} - Enroll HTTP-01 single domain certbot"
run: |
docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot --key-type rsa --rsa-key-size 2048
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
sudo openssl x509 -in certbot/live/certbot/cert.pem -ext keyUsage -noout | grep "Digital Signature"
# sudo openssl x509 -in certbot/live/certbot/cert.pem -text -noout
- name: "Profile ${{ secrets.ASA_PROFILE1 }} - Revoke HTTP-01 single domain certbot"
run: |
docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot
- name: "Profile ${{ secrets.ASA_PROFILE1 }} - Enroll lego"
run: |
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --key-type rsa2048 --http run
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Digital Signature"
# sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
- name: "Profile ${{ secrets.ASA_PROFILE1 }} - revoke HTTP-01 single domain lego"
run: |
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme revoke
- name: "Profile ${{ secrets.ASA_PROFILE2 }} - Reconfiguration of a2c with a new profile"
run: |
sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
sudo touch examples/Docker/data/acme_srv.cfg
sudo chmod 777 examples/Docker/data/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_host: $ASA_API_HOST" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_user: $ASA_API_USER" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_password: $ASA_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_key: $ASA_API_KEY" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_name: $ASA_CA_NAME" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
sudo echo "profile_name: $ASA_PROFILE2" >> examples/Docker/data/acme_srv.cfg
sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" examples/Docker/data/acme_srv.cfg
cd examples/Docker/
docker-compose restart
docker-compose logs
env:
ASA_API_HOST: ${{ secrets.ASA_API_HOST }}
ASA_API_USER: ${{ secrets.ASA_API_USER }}
ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }}
ASA_API_KEY: ${{ secrets.ASA_API_KEY }}
ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }}
ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }}
ASA_PROFILE2: ${{ secrets.ASA_PROFILE2 }}
- name: "Profile ${{ secrets.ASA_PROFILE2 }} - create letsencrypt and lego folder"
run: |
sudo rm -rf certbot/*
sudo rm -rf lego/*
sudo rm -rf acme-sh/*
- name: "Profile ${{ secrets.ASA_PROFILE2 }} - Enroll acme.sh"
run: |
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail '[email protected]' -d acme-sh.acme --alpn --standalone --keylength 2048 --debug 3 --output-insecure
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment"
# openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
- name: "Profile ${{ secrets.ASA_PROFILE2 }} - Revoke via acme.sh"
run: |
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
- name: "Profile ${{ secrets.ASA_PROFILE2 }} - Register certbot"
run: |
docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv --no-eff-email
- name: "Profile ${{ secrets.ASA_PROFILE2 }} - Enroll HTTP-01 single domain certbot"
run: |
docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot --force-renewal --key-type rsa --rsa-key-size 2048
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
sudo openssl x509 -in certbot/live/certbot/cert.pem -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment"
- name: "Profile ${{ secrets.ASA_PROFILE2 }} - Revoke HTTP-01 single domain certbot"
run: |
docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot
- name: "Profile ${{ secrets.ASA_PROFILE2 }} - Enroll lego"
run: |
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --key-type rsa2048 --http run
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment"
# sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
- name: "Profile ${{ secrets.ASA_PROFILE2 }} - Revoke HTTP-01 single domain lego"
run: |
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme revoke
- name: "Header-info - Setup asa_ca_handler with header-info"
run: |
sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem
sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem
sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem
sudo cp .github/django_settings.py examples/Docker/data/settings.py
sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
sudo chmod 777 examples/Docker/data/acme_srv.cfg
sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_host: $ASA_API_HOST" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_user: $ASA_API_USER" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_password: $ASA_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_key: $ASA_API_KEY" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_name: $ASA_CA_NAME" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
sudo echo "profile_name: $ASA_PROFILE1" >> examples/Docker/data/acme_srv.cfg
sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" examples/Docker/data/acme_srv.cfg
sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg
cd examples/Docker/
docker-compose restart
docker-compose logs
env:
ASA_API_HOST: ${{ secrets.ASA_API_HOST }}
ASA_API_USER: ${{ secrets.ASA_API_USER }}
ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }}
ASA_API_KEY: ${{ secrets.ASA_API_KEY }}
ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }}
ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }}
ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }}
- name: "Sleep for 10s"
uses: juliangruber/[email protected]
with:
time: 10s
- name: "Header-info - Test http://acme-srv/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
- name: "Header-info - Test if https://acme-srv/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
- name: "Header-info - 01 - Enroll acme.sh with profile_name ${{ secrets.ASA_PROFILE1 }}"
run: |
sudo rm -rf acme-sh/*
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail '[email protected]' --useragent profile_name=${{ secrets.ASA_PROFILE1 }} -d acme-sh.acme --alpn --standalone --keylength 2048 --debug 3 --output-insecure
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -texte -noout
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature"
- name: "Header-info - 01 - Enroll lego with profile_id ${{ secrets.ASA_PROFILE1 }}"
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --user-agent profile_name=${{ secrets.ASA_PROFILE1 }} -d lego.acme --key-type rsa2048 --http run
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Digital Signature"
- name: "Header-info - 02 - Enroll acme.sh with profile_name ${{ secrets.ASA_PROFILE2 }}"
run: |
sudo rm -rf acme-sh/*
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail '[email protected]' --useragent profile_name=${{ secrets.ASA_PROFILE2 }} -d acme-sh.acme --alpn --standalone --keylength 2048 --debug 3 --output-insecure
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -texte -noout
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment"
- name: "Header-info - 02 - Enroll lego with profile_id ${{ secrets.ASA_PROFILE2 }}"
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --user-agent profile_name=${{ secrets.ASA_PROFILE2 }} -d lego.acme --key-type rsa2048 --http run
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
# sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment"
- name: "EAB without headerinfo - Setup asa_ca_handler"
run: |
sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem
sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem
sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem
sudo cp .github/django_settings.py examples/Docker/data/settings.py
sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
sudo chmod 777 examples/Docker/data/acme_srv.cfg
sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_host: $ASA_API_HOST" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_user: $ASA_API_USER" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_password: $ASA_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_key: $ASA_API_KEY" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_name: $ASA_CA_NAME" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
sudo echo "profile_name: $ASA_PROFILE1" >> examples/Docker/data/acme_srv.cfg
sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg
sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" examples/Docker/data/acme_srv.cfg
sudo echo -e "\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg
sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg
sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json
sudo chmod 777 examples/eab_handler/kid_profiles.json
sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"profile_name\"\: \[\"$ASA_PROFILE2\", \"$ASA_PROFILE1\"\]/g" examples/Docker/data/kid_profiles.json
sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"profile_name\"\: \"$ASA_PROFILE3\"/g" examples/Docker/data/kid_profiles.json
sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"$ASA_CA_NAME2\"/" examples/Docker/data/kid_profiles.json
sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json
sudo sed -i "s/example.net/acme/g" examples/Docker/data/kid_profiles.json
sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json
sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json
cd examples/Docker/
docker-compose restart
docker-compose logs
env:
ASA_API_HOST: ${{ secrets.ASA_API_HOST }}
ASA_API_USER: ${{ secrets.ASA_API_USER }}
ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }}
ASA_API_KEY: ${{ secrets.ASA_API_KEY }}
ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }}
ASA_CA_NAME2: ${{ secrets.ASA_CA_NAME2 }}
ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }}
ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }}
ASA_PROFILE2: ${{ secrets.ASA_PROFILE2 }}
ASA_PROFILE3: ${{ secrets.ASA_PROFILE3 }}
- name: "EAB without headerinfo - Sleep for 10s"
uses: juliangruber/[email protected]
with:
time: 10s
- name: "EAB without headerinfo - Test http://acme-srv/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
- name: "EAB without headerinfo - Test if https://acme-srv/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
- name: "EAB without headerinfo - 01 - Enroll acme.sh without profile_name"
run: |
sudo rm -rf acme-sh/*
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}"
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment"
- name: "EAB without headerinfo - 01 - Enroll lego without profile_name"
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -k rsa2048 -d lego.acme --http run
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}"
sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment"
- name: "EAB without headerinfo - 02 - Enroll acme with a profile_name taken from header_info NOT included in kid.json (to be ignored)"
run: |
sudo rm -rf acme-sh/*
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_name=unknown -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}"
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment"
- name: "EAB without headerinfo - 02 - Enroll lego with a profile_name taken from header_info NOT included in kid.json (to be ignored)"
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_name=unknown -k rsa2048 -d lego.acme --http run
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}"
sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment"
- name: "EAB without headerinfo - 03 - Enroll acme with a profile_name/ca_name taken from kid.json"
run: |
sudo rm -rf acme-sh/*
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_01 --eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME2 }}"
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Digital Signature"
- name: "EAB without headerinfo - 03 - Enroll lego with a profile_name/ca_name taken from kid.json"
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -k rsa2048 -d lego.acme --http run
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME2 }}"
sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep -i "Digital Signature"
- name: "EAB with headerinfo - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)"
id: acmefail02
continue-on-error: true
run: |
sudo rm -rf acme-sh/*
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
- name: "EAB with headerinfo - 04 - check result "
if: steps.acmefail02.outcome != 'failure'
run: |
echo "acmefail outcome is ${{steps.acmefail02.outcome }}"
exit 1
- name: "EAB with headerinfo - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)"
id: legofail02
continue-on-error: true
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -k rsa2048 -d lego.acme --http run
- name: "EAB with headerinfo - 04a - check result "
if: steps.legofail02.outcome != 'failure'
run: |
echo "legofail outcome is ${{steps.legofail02.outcome }}"
exit 1
- name: "EAB with headerinfo - 05 - Enroll acme with default values from acme.cfg"
run: |
sudo rm -rf acme-sh/*
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}"
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature"
- name: "EAB with headerinfo - 05 - Enroll lego with default values from acme.cfg"
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -k rsa2048 -d lego.acme --http run
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}"
sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature"
- name: "EAB with headerinfo - Setup asa_ca_handler"
run: |
sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem
sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem
sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem
sudo cp .github/django_settings.py examples/Docker/data/settings.py
sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
sudo chmod 777 examples/Docker/data/acme_srv.cfg
sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_host: $ASA_API_HOST" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_user: $ASA_API_USER" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_password: $ASA_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_key: $ASA_API_KEY" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_name: $ASA_CA_NAME" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
sudo echo "profile_name: $ASA_PROFILE1" >> examples/Docker/data/acme_srv.cfg
sudo echo "eab_profiling: True" >> examples/Docker/data/acme_srv.cfg
sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" examples/Docker/data/acme_srv.cfg
sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg
sudo echo -e "\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg
sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "key_file: volume/kid_profiles.json" >> examples/Docker/data/acme_srv.cfg
sudo cp examples/eab_handler/kid_profiles.json examples/Docker/data/kid_profiles.json
sudo chmod 777 examples/eab_handler/kid_profiles.json
sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"profile_name\"\: \[\"$ASA_PROFILE2\", \"$ASA_PROFILE1\"\]/g" examples/Docker/data/kid_profiles.json
sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"profile_name\"\: \"$ASA_PROFILE3\"/g" examples/Docker/data/kid_profiles.json
sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"$ASA_CA_NAME2\"/" examples/Docker/data/kid_profiles.json
sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" examples/Docker/data/kid_profiles.json
sudo sed -i "s/example.net/acme/g" examples/Docker/data/kid_profiles.json
sudo sed -i '18,19d' examples/Docker/data/kid_profiles.json
sudo sed -i '8,9d' examples/Docker/data/kid_profiles.json
cd examples/Docker/
docker-compose restart
docker-compose logs
env:
ASA_API_HOST: ${{ secrets.ASA_API_HOST }}
ASA_API_USER: ${{ secrets.ASA_API_USER }}
ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }}
ASA_API_KEY: ${{ secrets.ASA_API_KEY }}
ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }}
ASA_CA_NAME2: ${{ secrets.ASA_CA_NAME2 }}
ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }}
ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }}
ASA_PROFILE2: ${{ secrets.ASA_PROFILE2 }}
ASA_PROFILE3: ${{ secrets.ASA_PROFILE3 }}
- name: "EAB with headerinfo - Sleep for 10s"
uses: juliangruber/[email protected]
with:
time: 10s
- name: "EAB with headerinfo - Test http://acme-srv/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
- name: "EAB with headerinfo - Test if https://acme-srv/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory
- name: "EAB with headerinfo - 01 - Enroll acme.sh without profile_name"
run: |
sudo rm -rf acme-sh/*
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}"
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment"
- name: "EAB with headerinfo - 01 - Enroll lego without profile_name"
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -k rsa2048 -d lego.acme --http run
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}"
sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment"
- name: "EAB with headerinfo - 02a - Enroll acme with a profile_name taken from header_info NOT included in kid.json (to fail)"
id: acmefail01
continue-on-error: true
run: |
sudo rm -rf acme-sh/*
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_name=unknown -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
- name: "EAB with headerinfo - 02a - check result "
if: steps.acmefail01.outcome != 'failure'
run: |
echo "acmefail outcome is ${{steps.acmefail01.outcome }}"
exit 1
- name: "EAB with headerinfo - 02b - Enroll acme with a profile_name taken from header_info included in kid.json"
run: |
sudo rm -rf acme-sh/*
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_name=ACME -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}"
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature"
- name: "EAB with headerinfo - 02a - Enroll lego with a profile_name taken from header_info NOT included in kid.json (to fail)"
id: legofail01
continue-on-error: true
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_name=unknown -k rsa2048 -d lego.acme --http run
- name: "EAB with headerinfo - 02a - check result "
if: steps.legofail01.outcome != 'failure'
run: |
echo "legofail outcome is ${{steps.legofail01.outcome }}"
exit 1
- name: "EAB with headerinfo - 02b - Enroll lego with a profile_name taken from header_info included in kid.json"
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_name=ACME -k rsa2048 -d lego.acme --http run
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}"
sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Digital Signature"
- name: "EAB with headerinfo - 03 - Enroll acme with a profile_name/ca_name taken from kid.json"
run: |
sudo rm -rf acme-sh/*
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_01 --eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME2 }}"
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Digital Signature"
- name: "EAB with headerinfo - 03 - Enroll lego with a profile_name/ca_name taken from kid.json"
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -k rsa2048 -d lego.acme --http run
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME2 }}"
sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep -i "Digital Signature"
- name: "EAB with headerinfo - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)"
id: acmefail021
continue-on-error: true
run: |
sudo rm -rf acme-sh/*
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
- name: "EAB with headerinfo - 04 - check result "
if: steps.acmefail021.outcome != 'failure'
run: |
echo "acmefail outcome is ${{steps.acmefail021.outcome }}"
exit 1
- name: "EAB with headerinfo - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)"
id: legofail021
continue-on-error: true
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -k rsa2048 -d lego.acme --http run
- name: "EAB with headerinfo - 04a - check result "
if: steps.legofail021.outcome != 'failure'
run: |
echo "legofail outcome is ${{steps.legofail021.outcome }}"
exit 1
- name: "EAB with headerinfo - 05 - Enroll acme with default values from acme.cfg"
run: |
sudo rm -rf acme-sh/*
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}"
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature"
- name: "EAB with headerinfo - 05 - Enroll lego with default values from acme.cfg"
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -k rsa2048 -d lego.acme --http run
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}"
sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature"
- name: "EAB with headerinfo - 06 - Enroll acme with not allowed headerinfo-field (should fail)"
id: acmefail03
continue-on-error: true
run: |
sudo rm -rf acme-sh/*
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_id=101 -d acme-sh.acme --keylength 2048 --standalone --debug 3 --output-insecure
- name: "EAB with headerinfo - 06 - check result "
if: steps.acmefail03.outcome != 'failure'
run: |
echo "acmefail outcome is ${{steps.acmefail03.outcome }}"
exit 1
- name: "EAB with headerinfo - 06 - Enroll lego with not allowed headerinfo-field (should fail)"
id: legofail03
continue-on-error: true
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --user-agent profile_id=101 -k rsa2048 -d lego.acme --http run
- name: "EAB with headerinfo - 06 - check result "
if: steps.legofail03.outcome != 'failure'
run: |
echo "legofail outcome is ${{steps.legofail03.outcome }}"
exit 1
- name: "[ * ] collecting test logs"
if: ${{ failure() }}
run: |
mkdir -p ${{ github.workspace }}/artifact/upload
sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/
sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
cd examples/Docker
docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego
- name: "[ * ] uploading artificates"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: asa-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
path: ${{ github.workspace }}/artifact/upload/
asa_handler_tests_rpm:
name: "asa_handler_tests_rpm"
runs-on: ubuntu-latest
strategy:
max-parallel: 1
fail-fast: false
matrix:
rhversion: [8, 9]
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: Retrieve Version from version.py
run: |
echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV
- run: echo "Latest tag is ${{ env.TAG_NAME }}"
- name: update version number in spec file
run: |
# sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec
sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec
cat examples/install_scripts/rpm/acme2certifier.spec
- name: build RPM package
id: rpm
uses: grindsa/rpmbuild@alma9
with:
spec_file: "examples/install_scripts/rpm/acme2certifier.spec"
- run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}"
- name: "[ PREPARE ] setup environment for alma installation"
run: |
docker network create acme
sudo mkdir -p data
sudo chmod -R 777 data
sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data
sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data
- name: "[ PREPARE ] create letsencrypt and lego folder"
run: |
mkdir certbot
mkdir lego
mkdir acme-sh
- name: "Retrieve rpms from SBOM repo"
run: |
git clone https://$GH_SBOM_USER:[email protected]/$GH_SBOM_USER/sbom /tmp/sbom
cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data
env:
GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}
- name: "Profile ${{ secrets.ASA_PROFILE1 }} - Setup a2c with asa_ca_handler with profile ${{ secrets.ASA_PROFILE1 }}"
run: |
mkdir -p data/acme_ca
sudo cp test/ca/certsrv_ca_certs.pem data/acme_ca/ca_certs.pem
sudo touch data/acme_srv.cfg
sudo chmod 777 data/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> data/acme_srv.cfg
sudo echo "api_host: $ASA_API_HOST" >> data/acme_srv.cfg
sudo echo "api_user: $ASA_API_USER" >> data/acme_srv.cfg
sudo echo "api_password: $ASA_API_PASSWORD" >> data/acme_srv.cfg
sudo echo "api_key: $ASA_API_KEY" >> data/acme_srv.cfg
sudo echo "ca_name: $ASA_CA_NAME" >> data/acme_srv.cfg
sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> data/acme_srv.cfg
sudo echo "profile_name: $ASA_PROFILE1" >> data/acme_srv.cfg
sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" data/acme_srv.cfg
env:
ASA_API_HOST: ${{ secrets.ASA_API_HOST }}
ASA_API_USER: ${{ secrets.ASA_API_USER }}
ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }}
ASA_API_KEY: ${{ secrets.ASA_API_KEY }}
ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }}
ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }}
ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }}
- name: "Profile ${{ secrets.ASA_PROFILE1 }} - Almalinux instance"
run: |
sudo cp examples/Docker/almalinux-systemd/Dockerfile data
sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile
cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache
docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd
- name: "Profile ${{ secrets.ASA_PROFILE1 }} - Execute install scipt"
run: |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh
- name: "Profile ${{ secrets.ASA_PROFILE1 }} - Test http://acme-srv/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
- name: "Profile ${{ secrets.ASA_PROFILE1 }} - Enroll acme.sh"
run: |
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail '[email protected]' -d acme-sh.acme --alpn --standalone --keylength 2048 --debug 3 --output-insecure
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature"
# openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
- name: "Profile ${{ secrets.ASA_PROFILE1 }} - Revoke via acme.sh"
run: |
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
- name: "Profile ${{ secrets.ASA_PROFILE1 }} - Register certbot"
run: |
docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv --no-eff-email
- name: "Profile ${{ secrets.ASA_PROFILE1 }} - Enroll HTTP-01 single domain certbot"
run: |
docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot --key-type rsa --rsa-key-size 2048
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
sudo openssl x509 -in certbot/live/certbot/cert.pem -ext keyUsage -noout | grep "Digital Signature"
# sudo openssl x509 -in certbot/live/certbot/cert.pem -text -noout
- name: "Profile ${{ secrets.ASA_PROFILE1 }} - Revoke HTTP-01 single domain certbot"
run: |
docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot
- name: "Profile ${{ secrets.ASA_PROFILE1 }} - Enroll lego"
run: |
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --key-type rsa2048 --http run
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Digital Signature"
# sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
- name: "Profile ${{ secrets.ASA_PROFILE1 }} - Revoke HTTP-01 single domain lego"
run: |
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme revoke
- name: "Profile ${{ secrets.ASA_PROFILE2 }} - Setup a2c with asa_ca_handler with profile ${{ secrets.ASA_PROFILE1 }}"
run: |
sudo touch data/acme_srv.cfg
sudo chmod 777 data/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> data/acme_srv.cfg
sudo echo "api_host: $ASA_API_HOST" >> data/acme_srv.cfg
sudo echo "api_user: $ASA_API_USER" >> data/acme_srv.cfg
sudo echo "api_password: $ASA_API_PASSWORD" >> data/acme_srv.cfg
sudo echo "api_key: $ASA_API_KEY" >> data/acme_srv.cfg
sudo echo "ca_name: $ASA_CA_NAME" >> data/acme_srv.cfg
sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> data/acme_srv.cfg
sudo echo "profile_name: $ASA_PROFILE2" >> data/acme_srv.cfg
sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" data/acme_srv.cfg
env:
ASA_API_HOST: ${{ secrets.ASA_API_HOST }}
ASA_API_USER: ${{ secrets.ASA_API_USER }}
ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }}
ASA_API_KEY: ${{ secrets.ASA_API_KEY }}
ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }}
ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }}
ASA_PROFILE2: ${{ secrets.ASA_PROFILE2 }}
- name: "Profile ${{ secrets.ASA_PROFILE2 }} - reconfigure a2c "
run: |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
- name: "Profile ${{ secrets.ASA_PROFILE2 }} - create letsencrypt and lego folder"
run: |
sudo rm -rf certbot/*
sudo rm -rf lego/*
sudo rm -rf acme-sh/*
- name: "Profile ${{ secrets.ASA_PROFILE2 }} - acme.sh"
run: |
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail '[email protected]' -d acme-sh.acme --alpn --standalone --keylength 2048 --debug 3 --output-insecure
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment"
# openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
- name: "Profile ${{ secrets.ASA_PROFILE2 }} - revoke via acme.sh"
run: |
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure
- name: "Profile ${{ secrets.ASA_PROFILE2 }} - register certbot"
run: |
docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv --no-eff-email
- name: "Profile ${{ secrets.ASA_PROFILE2 }} - Enroll HTTP-01 single domain certbot"
run: |
docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot --force-renewal --key-type rsa --rsa-key-size 2048
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem
sudo openssl x509 -in certbot/live/certbot/cert.pem -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment"
# sudo openssl x509 -in certbot/live/certbot/cert.pem -text -noout
- name: "Profile ${{ secrets.ASA_PROFILE2 }} - Revoke HTTP-01 single domain certbot"
run: |
docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot
- name: "Profile ${{ secrets.ASA_PROFILE2 }} - Enroll lego"
run: |
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --key-type rsa2048 --http run
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment"
# sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
- name: "Profile ${{ secrets.ASA_PROFILE2 }} - revoke HTTP-01 single domain lego"
run: |
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme revoke
- name: "Header-info - Setup asa_ca_handler with header-info"
run: |
sudo touch data/acme_srv.cfg
sudo chmod 777 data/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> data/acme_srv.cfg
sudo echo "api_host: $ASA_API_HOST" >> data/acme_srv.cfg
sudo echo "api_user: $ASA_API_USER" >> data/acme_srv.cfg
sudo echo "api_password: $ASA_API_PASSWORD" >> data/acme_srv.cfg
sudo echo "api_key: $ASA_API_KEY" >> data/acme_srv.cfg
sudo echo "ca_name: $ASA_CA_NAME" >> data/acme_srv.cfg
sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> data/acme_srv.cfg
sudo echo "profile_name: $ASA_PROFILE1" >> data/acme_srv.cfg
sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" data/acme_srv.cfg
sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg
env:
ASA_API_HOST: ${{ secrets.ASA_API_HOST }}
ASA_API_USER: ${{ secrets.ASA_API_USER }}
ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }}
ASA_API_KEY: ${{ secrets.ASA_API_KEY }}
ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }}
ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }}
ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }}
- name: "Profile ${{ secrets.ASA_PROFILE2 }} - reconfigure a2c "
run: |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
- name: "Header-info - 01 - Enroll acme.sh with profile_name ${{ secrets.ASA_PROFILE1 }}"
run: |
sudo rm -rf acme-sh/*
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail '[email protected]' --useragent profile_name=${{ secrets.ASA_PROFILE1 }} -d acme-sh.acme --alpn --standalone --keylength 2048 --debug 3 --output-insecure
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -texte -noout
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature"
- name: "Header-info - 01 - Enroll lego with profile_id ${{ secrets.ASA_PROFILE1 }}"
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --user-agent profile_name=${{ secrets.ASA_PROFILE1 }} -d lego.acme --key-type rsa2048 --http run
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Digital Signature"
- name: "Header-info - 02 - Enroll acme.sh with profile_name ${{ secrets.ASA_PROFILE2 }}"
run: |
sudo rm -rf acme-sh/*
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail '[email protected]' --useragent profile_name=${{ secrets.ASA_PROFILE2 }} -d acme-sh.acme --alpn --standalone --keylength 2048 --debug 3 --output-insecure
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -texte -noout
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment"
- name: "Header-info - 02 - Enroll lego with profile_id ${{ secrets.ASA_PROFILE2 }}"
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --user-agent profile_name=${{ secrets.ASA_PROFILE2 }} -d lego.acme --key-type rsa2048 --http run
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
# sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment"
- name: "EAB without headerinfo - Setup asa_ca_handler"
run: |
sudo touch data/acme_srv.cfg
sudo chmod 777 data/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> data/acme_srv.cfg
sudo echo "api_host: $ASA_API_HOST" >> data/acme_srv.cfg
sudo echo "api_user: $ASA_API_USER" >> data/acme_srv.cfg
sudo echo "api_password: $ASA_API_PASSWORD" >> data/acme_srv.cfg
sudo echo "api_key: $ASA_API_KEY" >> data/acme_srv.cfg
sudo echo "ca_name: $ASA_CA_NAME" >> data/acme_srv.cfg
sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> data/acme_srv.cfg
sudo echo "profile_name: $ASA_PROFILE1" >> data/acme_srv.cfg
sudo echo "eab_profiling: True" >> data/acme_srv.cfg
sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" data/acme_srv.cfg
sudo echo -e "\n\n[EABhandler]" >> data/acme_srv.cfg
sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg
sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg
sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json
sudo chmod 777 data/acme_ca/kid_profiles.json
sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"profile_name\"\: \[\"$ASA_PROFILE2\", \"$ASA_PROFILE1\"\]/g" data/acme_ca/kid_profiles.json
sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"profile_name\"\: \"$ASA_PROFILE3\"/g" data/acme_ca/kid_profiles.json
sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"$ASA_CA_NAME2\"/" data/acme_ca/kid_profiles.json
sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json
sudo sed -i "s/example.net/acme/g" data/acme_ca/kid_profiles.json
sudo sed -i '18,19d' data/acme_ca/kid_profiles.json
sudo sed -i '8,9d' data/acme_ca/kid_profiles.json
env:
ASA_API_HOST: ${{ secrets.ASA_API_HOST }}
ASA_API_USER: ${{ secrets.ASA_API_USER }}
ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }}
ASA_API_KEY: ${{ secrets.ASA_API_KEY }}
ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }}
ASA_CA_NAME2: ${{ secrets.ASA_CA_NAME2 }}
ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }}
ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }}
ASA_PROFILE2: ${{ secrets.ASA_PROFILE2 }}
ASA_PROFILE3: ${{ secrets.ASA_PROFILE3 }}
- name: "EAB without headerinfo - Reconfigure a2c "
run: |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
- name: "EAB without headerinfo - Sleep for 10s"
uses: juliangruber/[email protected]
with:
time: 10s
- name: "EAB without headerinfo - 01 - Enroll acme.sh without profile_name"
run: |
sudo rm -rf acme-sh/*
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}"
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment"
- name: "EAB without headerinfo - 01 - Enroll lego without profile_name"
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -k rsa2048 -d lego.acme --http run
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}"
sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment"
- name: "EAB without headerinfo - 02 - Enroll acme with a profile_name taken from header_info NOT included in kid.json (to be ignored)"
run: |
sudo rm -rf acme-sh/*
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_name=unknown -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}"
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment"
- name: "EAB without headerinfo - 02 - Enroll lego with a profile_name taken from header_info NOT included in kid.json (to be ignored)"
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_name=unknown -k rsa2048 -d lego.acme --http run
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}"
sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment"
- name: "EAB without headerinfo - 03 - Enroll acme with a profile_name/ca_name taken from kid.json"
run: |
sudo rm -rf acme-sh/*
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_01 --eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME2 }}"
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Digital Signature"
- name: "EAB without headerinfo - 03 - Enroll lego with a profile_name/ca_name taken from kid.json"
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -k rsa2048 -d lego.acme --http run
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME2 }}"
sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep -i "Digital Signature"
- name: "EAB with headerinfo - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)"
id: acmefail02
continue-on-error: true
run: |
sudo rm -rf acme-sh/*
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
- name: "EAB with headerinfo - 04 - check result "
if: steps.acmefail02.outcome != 'failure'
run: |
echo "acmefail outcome is ${{steps.acmefail02.outcome }}"
exit 1
- name: "EAB with headerinfo - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)"
id: legofail02
continue-on-error: true
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -k rsa2048 -d lego.acme --http run
- name: "EAB with headerinfo - 04a - check result "
if: steps.legofail02.outcome != 'failure'
run: |
echo "legofail outcome is ${{steps.legofail02.outcome }}"
exit 1
- name: "EAB with headerinfo - 05 - Enroll acme with default values from acme.cfg"
run: |
sudo rm -rf acme-sh/*
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}"
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature"
- name: "EAB with headerinfo - 05 - Enroll lego with default values from acme.cfg"
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -k rsa2048 -d lego.acme --http run
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}"
sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature"
- name: "EAB with headerinfo - Setup asa_ca_handler"
run: |
sudo touch data/acme_srv.cfg
sudo chmod 777 data/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> data/acme_srv.cfg
sudo echo "api_host: $ASA_API_HOST" >> data/acme_srv.cfg
sudo echo "api_user: $ASA_API_USER" >> data/acme_srv.cfg
sudo echo "api_password: $ASA_API_PASSWORD" >> data/acme_srv.cfg
sudo echo "api_key: $ASA_API_KEY" >> data/acme_srv.cfg
sudo echo "ca_name: $ASA_CA_NAME" >> data/acme_srv.cfg
sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> data/acme_srv.cfg
sudo echo "profile_name: $ASA_PROFILE1" >> data/acme_srv.cfg
sudo echo "eab_profiling: True" >> data/acme_srv.cfg
sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" data/acme_srv.cfg
sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" data/acme_srv.cfg
sudo echo -e "\n\n[EABhandler]" >> data/acme_srv.cfg
sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/kid_profile_handler.py" >> data/acme_srv.cfg
sudo echo "key_file: /opt/acme2certifier/volume/acme_ca/kid_profiles.json" >> data/acme_srv.cfg
sudo cp examples/eab_handler/kid_profiles.json data/acme_ca/kid_profiles.json
sudo chmod 777 data/acme_ca/kid_profiles.json
sudo sed -i "s/\"profile_id\"\: \[\"profile_1\", \"profile_2\", \"profile_3\"\]/\"profile_name\"\: \[\"$ASA_PROFILE2\", \"$ASA_PROFILE1\"\]/g" data/acme_ca/kid_profiles.json
sudo sed -i "s/\"profile_id\"\: \"profile_2\"/\"profile_name\"\: \"$ASA_PROFILE3\"/g" data/acme_ca/kid_profiles.json
sudo sed -i "s/\"ca_name\": \"example_ca_2\",/\"ca_name\": \"$ASA_CA_NAME2\"/" data/acme_ca/kid_profiles.json
sudo sed -i "s/\"ca_name\": \"example_ca\",/\"unknown_key\": \"unknown_value\"/g" data/acme_ca/kid_profiles.json
sudo sed -i "s/example.net/acme/g" data/acme_ca/kid_profiles.json
sudo sed -i '18,19d' data/acme_ca/kid_profiles.json
sudo sed -i '8,9d' data/acme_ca/kid_profiles.json
env:
ASA_API_HOST: ${{ secrets.ASA_API_HOST }}
ASA_API_USER: ${{ secrets.ASA_API_USER }}
ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }}
ASA_API_KEY: ${{ secrets.ASA_API_KEY }}
ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }}
ASA_CA_NAME2: ${{ secrets.ASA_CA_NAME2 }}
ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }}
ASA_PROFILE1: ${{ secrets.ASA_PROFILE1 }}
ASA_PROFILE2: ${{ secrets.ASA_PROFILE2 }}
ASA_PROFILE3: ${{ secrets.ASA_PROFILE3 }}
- name: "EAB without headerinfo - Reconfigure a2c "
run: |
docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart
- name: "EAB without headerinfo - Sleep for 10s"
uses: juliangruber/[email protected]
with:
time: 10s
- name: "EAB with headerinfo - 01 - Enroll acme.sh without profile_name"
run: |
sudo rm -rf acme-sh/*
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}"
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment"
- name: "EAB with headerinfo - 01 - Enroll lego without profile_name"
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw -k rsa2048 -d lego.acme --http run
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}"
sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep -i "Key Encipherment, Data Encipherment"
- name: "EAB with headerinfo - 02a - Enroll acme with a profile_name taken from header_info NOT included in kid.json (to fail)"
id: acmefail01
continue-on-error: true
run: |
sudo rm -rf acme-sh/*
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_name=unknown -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
- name: "EAB with headerinfo - 02a - check result "
if: steps.acmefail01.outcome != 'failure'
run: |
echo "acmefail outcome is ${{steps.acmefail01.outcome }}"
exit 1
- name: "EAB with headerinfo - 02b - Enroll acme with a profile_name taken from header_info included in kid.json"
run: |
sudo rm -rf acme-sh/*
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_00 --eab-hmac-key V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --debug 3
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_name=ACME -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}"
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature"
- name: "EAB with headerinfo - 02a - Enroll lego with a profile_name taken from header_info NOT included in kid.json (to fail)"
id: legofail01
continue-on-error: true
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_name=unknown -k rsa2048 -d lego.acme --http run
- name: "EAB with headerinfo - 02a - check result "
if: steps.legofail01.outcome != 'failure'
run: |
echo "legofail outcome is ${{steps.legofail01.outcome }}"
exit 1
- name: "EAB with headerinfo - 02b - Enroll lego with a profile_name taken from header_info included in kid.json"
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_00 --hmac V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw --user-agent profile_name=ACME -k rsa2048 -d lego.acme --http run
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}"
sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Digital Signature"
- name: "EAB with headerinfo - 03 - Enroll acme with a profile_name/ca_name taken from kid.json"
run: |
sudo rm -rf acme-sh/*
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_01 --eab-hmac-key YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg --debug 3
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME2 }}"
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep -i "Digital Signature"
- name: "EAB with headerinfo - 03 - Enroll lego with a profile_name/ca_name taken from kid.json"
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_01 --hmac YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg -k rsa2048 -d lego.acme --http run
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME2 }}"
sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep -i "Digital Signature"
- name: "EAB with headerinfo - 04 - Enroll acme with a not allowed fqdn in kid.json (to fail)"
id: acmefail021
continue-on-error: true
run: |
sudo rm -rf acme-sh/*
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
- name: "EAB with headerinfo - 04 - check result "
if: steps.acmefail021.outcome != 'failure'
run: |
echo "acmefail outcome is ${{steps.acmefail021.outcome }}"
exit 1
- name: "EAB with headerinfo - 04 - Enroll lego with a not allowed fqdn in kid.json (to fail)"
id: legofail021
continue-on-error: true
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -k rsa2048 -d lego.acme --http run
- name: "EAB with headerinfo - 04a - check result "
if: steps.legofail021.outcome != 'failure'
run: |
echo "legofail outcome is ${{steps.legofail021.outcome }}"
exit 1
- name: "EAB with headerinfo - 05 - Enroll acme with default values from acme.cfg"
run: |
sudo rm -rf acme-sh/*
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_03 --eab-hmac-key YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr --debug 3
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv -d acme-sh.acme --standalone --keylength 2048 --debug 3 --output-insecure
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -text -noout
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}"
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature"
- name: "EAB with headerinfo - 05 - Enroll lego with default values from acme.cfg"
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_03 --hmac YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr -k rsa2048 -d lego.acme --http run
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
sudo openssl x509 -in lego/certificates/lego.acme.crt -issuer --noout | grep -i "${{ secrets.ASA_CA_NAME }}"
sudo openssl x509 -in lego/certificates/lego.acme.crt -text -ext keyUsage | grep "Digital Signature"
- name: "EAB with headerinfo - 06 - Enroll acme with not allowed headerinfo-field (should fail)"
id: acmefail03
continue-on-error: true
run: |
sudo rm -rf acme-sh/*
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --register-account --server http://acme-srv --accountemail '[email protected]' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3
docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --useragent profile_id=101 -d acme-sh.acme --keylength 2048 --standalone --debug 3 --output-insecure
- name: "EAB with headerinfo - 06 - check result "
if: steps.acmefail03.outcome != 'failure'
run: |
echo "acmefail outcome is ${{steps.acmefail03.outcome }}"
exit 1
- name: "EAB with headerinfo - 06 - Enroll lego with not allowed headerinfo-field (should fail)"
id: legofail03
continue-on-error: true
run: |
sudo rm -rf lego/*
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --user-agent profile_id=101 -k rsa2048 -d lego.acme --http run
- name: "EAB with headerinfo - 06 - check result "
if: steps.legofail03.outcome != 'failure'
run: |
echo "legofail outcome is ${{steps.legofail03.outcome }}"
exit 1
- name: "[ * ] collecting test logs"
if: ${{ failure() }}
run: |
mkdir -p ${{ github.workspace }}/artifact/upload
docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
sudo rm ${{ github.workspace }}/artifact/data/*.rpm
sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh
- name: "[ * ] uploading artificates"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: asa_handler_tests_rpm-rh${{ matrix.rhversion }}.tar.gz
path: ${{ github.workspace }}/artifact/upload/
asa_handler_headerinfo_tests:
name: "asa_handler_headerinfo_tests"
runs-on: ubuntu-latest
steps:
- name: "checkout GIT"
uses: actions/checkout@v4
- name: "[ PREPARE ] Build docker-compose (apache2_wsgi)"
working-directory: examples/Docker/
run: |
sudo mkdir -p data
docker network create acme
docker-compose up -d
docker-compose logs
- name: "[ PREPARE ] create lego folder"
run: |
mkdir lego
- name: "Test http://acme-srv/directory is accessible"
run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
- name: "[ PREPARE ] reconfiguration of a2c with a new profile"
run: |
sudo cp test/ca/certsrv_ca_certs.pem examples/Docker/data/ca_certs.pem
sudo touch examples/Docker/data/acme_srv.cfg
sudo chmod 777 examples/Docker/data/acme_srv.cfg
sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
sudo echo "handler_file: examples/ca_handler/asa_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_host: $ASA_API_HOST" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_user: $ASA_API_USER" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_password: $ASA_API_PASSWORD" >> examples/Docker/data/acme_srv.cfg
sudo echo "api_key: $ASA_API_KEY" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_name: $ASA_CA_NAME" >> examples/Docker/data/acme_srv.cfg
sudo echo "ca_bundle: $ASA_CA_BUNDLE" >> examples/Docker/data/acme_srv.cfg
sudo echo "profile_name: $ASA_POFILE1" >> examples/Docker/data/acme_srv.cfg
sudo sed -i "s/revocation_reason_check_disable: False/revocation_reason_check_disable: False\nenrollment_timeout:15/g" examples/Docker/data/acme_srv.cfg
sudo sed -i "s/tnauthlist_support: False/tnauthlist_support: False\nheader_info_list: [\"HTTP_USER_AGENT\"]/g" examples/Docker/data/acme_srv.cfg
cd examples/Docker/
docker-compose restart
docker-compose logs
env:
ASA_API_HOST: ${{ secrets.ASA_API_HOST }}
ASA_API_USER: ${{ secrets.ASA_API_USER }}
ASA_API_PASSWORD: ${{ secrets.ASA_API_PASSWORD }}
ASA_API_KEY: ${{ secrets.ASA_API_KEY }}
ASA_CA_NAME: ${{ secrets.ASA_CA_NAME }}
ASA_CA_BUNDLE: ${{ secrets.ASA_CA_BUNDLE }}
ASA_PROFILE1: ${{ secrets.ASA_POFILE1 }}
- name: "Test http://acme-srv/directory is accessible again"
run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory
- name: "[ PREPARE ] prepare acme.sh container"
run: |
sudo mkdir acme-sh
docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon
- name: "[ REGISTER] acme.sh"
run: |
docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail '[email protected]' --debug 3
- name: "[ ENROLL] acme.sh with profileID ACME"
run: |
docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --useragent profile_name=ACME --keylength 2048 --debug 3 --output-insecure
awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme/ca.cer
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Digital Signature"
- name: "[ ENROLL ] lego with profileID ACME"
run: |
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --user-agent profile_name=ACME -d lego.acme --key-type rsa2048 --http run
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Digital Signature"
- name: "[ ENROLL] acme.sh with profileID ACME_2"
run: |
docker exec -i acme-sh acme.sh --server http://acme-srv --renew --force -d acme-sh.acme --standalone --useragent profile_name=ACME_2 --keylength 2048 --debug 3 --output-insecure
openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme/acme-sh.acme.cer
openssl x509 -in acme-sh/acme-sh.acme/acme-sh.acme.cer -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment"
- name: "[ ENROLL ] lego with profileID ACME_2"
run: |
docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --user-agent profile_name=ACME_2 -d lego.acme --key-type rsa2048 --http run
sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt
sudo openssl x509 -in lego/certificates/lego.acme.crt -ext keyUsage -noout | grep "Key Encipherment, Data Encipherment"
- name: "[ * ] collecting test logs"
if: ${{ failure() }}
run: |
mkdir -p ${{ github.workspace }}/artifact/upload
sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
cd examples/Docker
docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data lego
- name: "[ * ] uploading artificates"
uses: actions/upload-artifact@v4
if: ${{ failure() }}
with:
name: asa_handler_headerinfo_tests.tar.gz
path: ${{ github.workspace }}/artifact/upload/