CA handler tests - OpenXPKI handler #671

Workflow file for this run

.github/workflows/ca_handler_tests_openxpki.yml at b111fb8

	name: CA handler tests - OpenXPKI handler

	on:
	push:
	pull_request:
	branches: [ devel ]
	schedule:
	# * is a special character in YAML so you have to quote the string
	- cron: '0 2 * * 6'

	jobs:
	ejb_ca_tests:
	name: "openxpki_hander_handler_tests docker image"
	runs-on: ubuntu-latest
	strategy:
	fail-fast: false
	matrix:
	websrv: ['apache2', 'nginx']
	dbhandler: ['wsgi', 'django']
	steps:
	- name: "checkout GIT"
	uses: actions/checkout@v4

	- name: "[ PREPARE ] get runner ip"
	run: \|
	echo RUNNER_IP=$(ip addr show eth0 \| grep -i "inet " \| cut -d ' ' -f 6 \| cut -d '/' -f 1) >> $GITHUB_ENV
	echo RUNNER_PATH=$(pwd \| sed 's_/_\\/_g') >> $GITHUB_ENV
	- run: echo "runner IP is ${{ env.RUNNER_IP }}"

	- name: "Prepare Environment"
	working-directory: examples/Docker/
	run: \|
	mkdir -p data/openxpki
	sudo chmod -R 777 data
	docker network create acme
	sudo sh -c "echo '$OPENXPKI_IP openxpki' >> /etc/hosts"
	sudo cat /etc/hosts
	env:
	OPENXPKI_IP: ${{ env.RUNNER_IP }}

	- name: "[ PREPARE ] create acme-sh, letsencrypt and lego folders"
	run: \|
	mkdir -p /tmp/openxpki
	mkdir certbot
	mkdir lego
	mkdir acme-sh

	- name: "Instanciate OpenXPKI server"
	working-directory: /tmp/openxpki
	run: \|
	sudo apt-get install -y docker-compose
	git clone https://github.com/openxpki/openxpki-docker.git
	cd openxpki-docker/
	git clone https://github.com/openxpki/openxpki-config.git --single-branch --branch=community
	cd openxpki-config/
	# git checkout a86981e2929e68f3fe3530a83bdb7a4436dfd604
	cd ..
	sed -i "s/value: 0/value: 1/g" openxpki-config/config.d/realm/democa/est/default.yaml
	sed -i "s/cert_profile: tls_server/cert_profile: tls_client/g" openxpki-config/config.d/realm/democa/est/default.yaml
	sed -i "s/approval_points: 1/approval_points: 0/g" openxpki-config/config.d/realm/democa/rpc/enroll.yaml
	sed -i "s/export_certificate: chain/export_certificate: fullchain/g" openxpki-config/config.d/realm/democa/rpc/enroll.yaml
	sed -i "s/dn: CN=\[\% CN.0 \%\],DC=Test Deployment,DC=OpenXPKI,DC=org/dn: CN=\[\% SAN_DNS.0 \%\]/g" openxpki-config/config.d/realm.tpl/profile/tls_server.yaml
	cp contrib/wait_on_init.yaml openxpki-config/config.d/system/local.yam
	docker-compose up &

	- name: "Sleep for 60s"
	uses: juliangruber/[email protected]
	with:
	time: 60s

	- name: "Fix 1st time start issues with OpenXPKI server"
	working-directory: /tmp/openxpki/openxpki-docker
	run: \|
	docker ps
	docker stop openxpki-docker_openxpki-server_1
	docker start openxpki-docker_openxpki-server_1

	- name: "Sleep for 10s"
	uses: juliangruber/[email protected]
	with:
	time: 10s

	- name: "Configure OpenXPKI server"
	working-directory: /tmp/openxpki
	run: \|
	docker ps
	docker exec -id openxpki-docker_openxpki-server_1 /bin/bash /etc/openxpki/contrib/sampleconfig.sh
	docker exec -id openxpki-docker_openxpki-client_1 apt-get install -y libjson-pp-perl

	- name: "Sleep for 45s"
	uses: juliangruber/[email protected]
	with:
	time: 45s

	- name: "Enroll keys for Client-authentication via scep"
	working-directory: examples/Docker/
	run: \|
	sudo openssl genrsa -out data/openxpki/client_key.pem 2048
	sudo openssl req -new -key data/openxpki/client_key.pem -subj '/CN=a2c:pkiclient,O=acme' -outform der \| base64 > /tmp/request.pem
	curl -v -H "Content-Type: application/pkcs10" --data @/tmp/request.pem https://$OPENXPKI_IP:8443/.well-known/est/simpleenroll --insecure \| base64 -d > /tmp/cert.p7b
	sudo openssl pkcs7 -print_certs -in /tmp/cert.p7b -inform der -out data/openxpki/client_crt.pem
	sudo openssl pkcs12 -export -out data/openxpki/client_crt.p12 -inkey data/openxpki/client_key.pem -in data/openxpki/client_crt.pem -passout pass:Test1234
	sudo openssl rsa -noout -modulus -in data/openxpki/client_key.pem \| openssl md5
	sudo openssl x509 -noout -modulus -in data/openxpki/client_crt.pem \| openssl md5
	sudo chmod a+r data/openxpki/client_key.pem
	sudo chmod a+r data/openxpki/client_crt.pem
	sudo chmod a+r data/openxpki/client_crt.p12
	curl https://$OPENXPKI_IP:8443/.well-known/est/cacerts --insecure \| base64 -d > /tmp/cacert.p7b
	sudo openssl pkcs7 -print_certs -in /tmp/cacert.p7b -inform der -out data/openxpki/ca_bundle.pem
	sudo chmod a+rw data/openxpki/ca_bundle.pem
	sudo openssl s_client -connect $OPENXPKI_IP:8443 2>/dev/null </dev/null \| sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> data/openxpki/ca_bundle.pem

	env:
	OPENXPKI_IP: ${{ env.RUNNER_IP }}

	- name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})"
	working-directory: examples/Docker/
	run: \|
	sudo apt-get install -y docker-compose
	sudo mkdir -p data
	sed -i "s/wsgi/$DB_HANDLER/g" .env
	sed -i "s/apache2/$WEB_SRV/g" .env
	cat .env
	docker-compose up -d
	docker-compose logs
	env:
	WEB_SRV: ${{ matrix.websrv }}
	DB_HANDLER: ${{ matrix.dbhandler }}

	- name: "Setup a2c with est_ca_handler"
	run: \|
	sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem
	sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem
	sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem
	sudo cp .github/django_settings.py examples/Docker/data/settings.py
	sudo touch examples/Docker/data/acme_srv.cfg
	sudo chmod 777 examples/Docker/data/acme_srv.cfg
	sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
	sudo echo "handler_file: examples/ca_handler/est_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
	sudo echo "est_host: https://openxpki:8443" >> examples/Docker/data/acme_srv.cfg
	# sudo echo "est_host: https://$OPENXPKI_IP:8443" >> examples/Docker/data/acme_srv.cfg
	sudo echo "est_client_cert: volume/openxpki/client_crt.pem" >> examples/Docker/data/acme_srv.cfg
	sudo echo "est_client_key: volume/openxpki/client_key.pem" >> examples/Docker/data/acme_srv.cfg
	sudo echo "ca_bundle: volume/openxpki/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg
	cd examples/Docker/
	docker-compose restart
	docker-compose logs
	env:
	OPENXPKI_IP: ${{ env.RUNNER_IP }}

	- name: "Sleep for 10s"
	uses: juliangruber/[email protected]
	with:
	time: 10s

	- name: "Test http://acme-srv/directory is accessible"
	run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory

	- name: "Test if https://acme-srv/directory is accessible"
	run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory

	- name: "Enroll via acme.sh"
	run: \|
	docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail '[email protected]' -d acme-sh.acme --standalone --debug 3 --output-insecure --force
	awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
	openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer

	- name: "Enroll lego"
	run: \|
	docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --http run
	sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt

	- name: "Delete acme-sh, letsencypt and lego folders"
	run: \|
	sudo rm -rf lego/*
	sudo rm -rf acme-sh/*
	sudo rm -rf certbot/*

	- name: "Setup a2c with est_ca_handler using pksc12"
	run: \|
	sudo touch examples/Docker/data/acme_srv.cfg
	sudo chmod 777 examples/Docker/data/acme_srv.cfg
	sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
	sudo echo "handler_file: examples/ca_handler/est_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
	sudo echo "est_host: https://openxpki:8443" >> examples/Docker/data/acme_srv.cfg
	# sudo echo "est_host: https://$OPENXPKI_IP:8443" >> examples/Docker/data/acme_srv.cfg
	sudo echo "est_client_cert: volume/openxpki/client_crt.p12" >> examples/Docker/data/acme_srv.cfg
	sudo echo "cert_passphrase: Test1234" >> examples/Docker/data/acme_srv.cfg
	sudo echo "ca_bundle: volume/openxpki/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg
	cd examples/Docker/
	docker-compose restart
	docker-compose logs
	env:
	OPENXPKI_IP: ${{ env.RUNNER_IP }}

	- name: "Sleep for 10s"
	uses: juliangruber/[email protected]
	with:
	time: 10s

	- name: "Test http://acme-srv/directory is accessible"
	run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory

	- name: "Test if https://acme-srv/directory is accessible"
	run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory

	- name: "Enroll via acme.sh"
	run: \|
	docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail '[email protected]' -d acme-sh.acme --standalone --debug 3 --output-insecure --force
	awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
	openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer

	- name: "Enroll lego"
	run: \|
	docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --http run
	sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt

	- name: "Delete acme-sh, letsencypt and lego folders"
	run: \|
	sudo rm -rf lego/*
	sudo rm -rf acme-sh/*
	sudo rm -rf certbot/*

	- name: "Setup a2c with openxpki_ca_handler"
	run: \|
	sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
	sudo echo "handler_file: examples/ca_handler/openxpki_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
	sudo echo "host: https://openxpki:8443" >> examples/Docker/data/acme_srv.cfg
	# sudo echo "host: https://$OPENXPKI_IP:8443" >> examples/Docker/data/acme_srv.cfg
	sudo echo "client_cert: volume/openxpki/client_crt.pem" >> examples/Docker/data/acme_srv.cfg
	sudo echo "client_key: volume/openxpki/client_key.pem" >> examples/Docker/data/acme_srv.cfg
	sudo echo "ca_bundle: volume/openxpki/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg
	sudo echo "cert_profile_name: tls-server" >> examples/Docker/data/acme_srv.cfg
	sudo echo "endpoint_name: enroll" >> examples/Docker/data/acme_srv.cfg
	sudo echo "polling_timeout: 60" >> examples/Docker/data/acme_srv.cfg
	cd examples/Docker/
	docker-compose restart
	docker-compose logs
	env:
	OPENXPKI_IP: ${{ env.RUNNER_IP }}

	- name: "Sleep for 10s"
	uses: juliangruber/[email protected]
	with:
	time: 10s

	- name: "Test http://acme-srv/directory is accessible"
	run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory

	- name: "Test if https://acme-srv/directory is accessible"
	run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory

	- name: "Enroll via acme.sh"
	run: \|
	docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail '[email protected]' -d acme-sh.acme --standalone --debug 3 --output-insecure --force
	awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
	openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer

	- name: "Revoke via acme.sh"
	run: \|
	docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure

	- name: "Register certbot"
	run: \|
	docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv --no-eff-email

	- name: "Enroll certbot"
	run: \|
	docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
	sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem

	- name: "Revoke certbot"
	run: \|
	docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot

	- name: "Enroll lego"
	run: \|
	docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --http run
	sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt

	- name: "Revoke HTTP-01 single domain lego"
	run: \|
	docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme revoke

	- name: "Delete acme-sh, letsencypt and lego folders"
	run: \|
	sudo rm -rf certbot/*
	sudo rm -rf lego/*
	sudo rm -rf acme-sh/*

	- name: "Reconfigure a2c (pkcs12 support)"
	run: \|
	sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > examples/Docker/data/acme_srv.cfg
	sudo echo "handler_file: examples/ca_handler/openxpki_ca_handler.py" >> examples/Docker/data/acme_srv.cfg
	sudo echo "host: https://openxpki:8443" >> examples/Docker/data/acme_srv.cfg
	# sudo echo "host: https://$OPENXPKI_IP:8443" >> examples/Docker/data/acme_srv.cfg
	sudo echo "client_cert: volume/openxpki/client_crt.p12" >> examples/Docker/data/acme_srv.cfg
	sudo echo "cert_passphrase: Test1234" >> examples/Docker/data/acme_srv.cfg
	sudo echo "ca_bundle: volume/openxpki/ca_bundle.pem" >> examples/Docker/data/acme_srv.cfg
	sudo echo "cert_profile_name: tls-server" >> examples/Docker/data/acme_srv.cfg
	sudo echo "endpoint_name: enroll" >> examples/Docker/data/acme_srv.cfg
	sudo echo "polling_timeout: 60" >> examples/Docker/data/acme_srv.cfg
	cd examples/Docker/
	docker-compose restart
	docker-compose logs
	env:
	OPENXPKI_IP: ${{ env.RUNNER_IP }}

	- name: "Sleep for 10s"
	uses: juliangruber/[email protected]
	with:
	time: 10s

	- name: "Test http://acme-srv/directory is accessible"
	run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory

	- name: "Test if https://acme-srv/directory is accessible"
	run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory

	- name: "Enroll via acme.sh"
	run: \|
	docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail '[email protected]' -d acme-sh.acme --standalone --debug 3 --output-insecure --force
	awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
	openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer

	- name: "Revoke via acme.sh"
	run: \|
	docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure

	- name: "Register certbot"
	run: \|
	docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv --no-eff-email

	- name: "Enroll HTTP-01 single domain certbot"
	run: \|
	docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
	sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem

	- name: "Enroll lego"
	run: \|
	docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --http run
	sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt

	- name: "Revoke HTTP-01 single domain lego"
	run: \|
	docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme revoke

	- name: "[ * ] collecting test logs"
	if: ${{ failure() }}
	run: \|
	mkdir -p ${{ github.workspace }}/artifact/upload
	sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
	sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
	sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/
	sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
	docker logs openxpki-docker_openxpki-server_1 > ${{ github.workspace }}/artifact/openxpki.log
	cd examples/Docker
	docker-compose logs > ${{ github.workspace }}/artifact/a2c.log
	sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz openxpki.log a2c.log data acme-sh certbot lego

	- name: "[ * ] uploading artificates"
	uses: actions/upload-artifact@v4
	if: ${{ failure() }}
	with:
	name: openxpki-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz.tar.gz
	path: ${{ github.workspace }}/artifact/upload/

	openxpki_ca_handler_tests_rpm:
	name: " openxpki_ca_handler_tests_rpm"
	runs-on: ubuntu-latest
	strategy:
	fail-fast: false
	matrix:
	rhversion: [8, 9]
	steps:

	- name: "checkout GIT"
	uses: actions/checkout@v4

	- name: "[ PREPARE ] get runner ip"
	run: \|
	echo RUNNER_IP=$(ip addr show eth0 \| grep -i "inet " \| cut -d ' ' -f 6 \| cut -d '/' -f 1) >> $GITHUB_ENV
	echo RUNNER_PATH=$(pwd \| sed 's_/_\\/_g') >> $GITHUB_ENV
	- run: echo "runner IP is ${{ env.RUNNER_IP }}"

	- name: "Prepare Environment"
	run: \|
	mkdir -p data/acme_ca
	sudo chmod -R 777 data
	docker network create acme
	sudo sh -c "echo '$OPENXPKI_IP openxpki' >> /etc/hosts"
	env:
	OPENXPKI_IP: ${{ env.RUNNER_IP }}

	- name: "[ PREPARE ] create acme-sh, letsencrypt and lego folders"
	run: \|
	mkdir -p /tmp/openxpki
	mkdir certbot
	mkdir lego
	mkdir acme-sh

	- name: "Instanciate OpenXPKI server"
	working-directory: /tmp/openxpki
	run: \|
	sudo apt-get install -y docker-compose
	git clone https://github.com/openxpki/openxpki-docker.git
	cd openxpki-docker/
	git clone https://github.com/openxpki/openxpki-config.git --single-branch --branch=community
	cd openxpki-config/
	# git checkout a86981e2929e68f3fe3530a83bdb7a4436dfd604
	cd ..
	sed -i "s/value: 0/value: 1/g" openxpki-config/config.d/realm/democa/est/default.yaml
	sed -i "s/cert_profile: tls_server/cert_profile: tls_client/g" openxpki-config/config.d/realm/democa/est/default.yaml
	sed -i "s/approval_points: 1/approval_points: 0/g" openxpki-config/config.d/realm/democa/rpc/enroll.yaml
	sed -i "s/export_certificate: chain/export_certificate: fullchain/g" openxpki-config/config.d/realm/democa/rpc/enroll.yaml
	sed -i "s/dn: CN=\[\% CN.0 \%\],DC=Test Deployment,DC=OpenXPKI,DC=org/dn: CN=\[\% SAN_DNS.0 \%\]/g" openxpki-config/config.d/realm.tpl/profile/tls_server.yaml
	cp contrib/wait_on_init.yaml openxpki-config/config.d/system/local.yam
	docker-compose up &

	- name: "Sleep for 60s"
	uses: juliangruber/[email protected]
	with:
	time: 60s

	- name: "Fix 1st time start issues with OpenXPKI server"
	working-directory: /tmp/openxpki/openxpki-docker
	run: \|
	docker ps
	docker stop openxpki-docker_openxpki-server_1
	docker start openxpki-docker_openxpki-server_1

	- name: "Sleep for 10s"
	uses: juliangruber/[email protected]
	with:
	time: 10s

	- name: "Configure OpenXPKI server"
	working-directory: /tmp/openxpki
	run: \|
	docker ps
	docker exec -id openxpki-docker_openxpki-server_1 /bin/bash /etc/openxpki/contrib/sampleconfig.sh
	docker exec -id openxpki-docker_openxpki-client_1 apt-get install -y libjson-pp-perl

	- name: "Sleep for 45s"
	uses: juliangruber/[email protected]
	with:
	time: 45s

	- name: "Enroll keys for Client-authentication via scep"
	run: \|
	sudo openssl genrsa -out data/acme_ca/client_key.pem 2048
	sudo openssl req -new -key data/acme_ca/client_key.pem -subj '/CN=a2c:pkiclient,O=acme' -outform der \| base64 > /tmp/request.pem
	curl -v -H "Content-Type: application/pkcs10" --data @/tmp/request.pem https://$OPENXPKI_IP:8443/.well-known/est/simpleenroll --insecure \| base64 -d > /tmp/cert.p7b
	sudo openssl pkcs7 -print_certs -in /tmp/cert.p7b -inform der -out data/acme_ca/client_crt.pem
	sudo openssl pkcs12 -export -out data/acme_ca/client_crt.p12 -inkey data/acme_ca/client_key.pem -in data/acme_ca/client_crt.pem -passout pass:Test1234
	sudo openssl rsa -noout -modulus -in data/acme_ca/client_key.pem \| openssl md5
	sudo openssl x509 -noout -modulus -in data/acme_ca/client_crt.pem \| openssl md5
	sudo chmod a+r data/acme_ca/client_key.pem
	sudo chmod a+r data/acme_ca/client_crt.pem
	sudo chmod a+r data/acme_ca/client_crt.p12
	curl https://$OPENXPKI_IP:8443/.well-known/est/cacerts --insecure \| base64 -d > /tmp/cacert.p7b
	sudo openssl pkcs7 -print_certs -in /tmp/cacert.p7b -inform der -out data/acme_ca/ca_bundle.pem
	sudo chmod a+rw data/acme_ca/ca_bundle.pem
	sudo openssl s_client -connect $OPENXPKI_IP:8443 2>/dev/null </dev/null \| sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >> data/acme_ca/ca_bundle.pem
	env:
	OPENXPKI_IP: ${{ env.RUNNER_IP }}

	- name: Retrieve Version from version.py
	run: \|
	echo TAG_NAME=$(cat acme_srv/version.py \| grep -i __version__ \| head -n 1 \| sed 's/__version__ = //g' \| sed s/\'//g) >> $GITHUB_ENV
	- run: echo "Latest tag is ${{ env.TAG_NAME }}"

	- name: update version number in spec file
	run: \|
	# sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec
	sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec
	cat examples/install_scripts/rpm/acme2certifier.spec

	- name: build RPM package
	id: rpm
	uses: grindsa/rpmbuild@alma9
	with:
	spec_file: "examples/install_scripts/rpm/acme2certifier.spec"

	- run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}"

	- name: "setup environment for alma installation"
	run: \|
	sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data
	sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data

	- name: "Retrieve rpms from SBOM repo"
	run: \|
	git clone https://$GH_SBOM_USER:[email protected]/$GH_SBOM_USER/sbom /tmp/sbom
	cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data
	env:
	GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
	GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}

	- name: "Setup a2c with est_ca_handler"
	run: \|
	sudo touch data/acme_srv.cfg
	sudo chmod 777 data/acme_srv.cfg
	sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
	sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/est_ca_handler.py" >> data/acme_srv.cfg
	sudo echo "est_host: https://openxpki:8443" >> data/acme_srv.cfg
	# sudo echo "est_host: https://$OPENXPKI_IP:8443" >> data/acme_srv.cfg
	sudo echo "est_client_cert: /opt/acme2certifier/volume/acme_ca/client_crt.pem" >> data/acme_srv.cfg
	sudo echo "est_client_key: /opt/acme2certifier/volume/acme_ca/client_key.pem" >> data/acme_srv.cfg
	sudo echo "ca_bundle: /opt/acme2certifier/volume/acme_ca/ca_bundle.pem" >> data/acme_srv.cfg
	env:
	OPENXPKI_IP: ${{ env.RUNNER_IP }}

	- name: "Prepare Almalinux instance"
	run: \|
	sudo cp examples/Docker/almalinux-systemd/Dockerfile data
	sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile
	cat data/Dockerfile \| docker build -t almalinux-systemd -f - . --no-cache
	docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd

	- name: "Execute install scipt"
	run: \|
	docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh

	- name: "Test http://acme-srv/directory is accessible"
	run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory

	- name: "Enroll via acme.sh"
	run: \|
	docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail '[email protected]' -d acme-sh.acme --standalone --debug 3 --output-insecure --force
	awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
	openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer

	- name: "Enroll lego"
	run: \|
	docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --http run
	sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt

	- name: "Delete acme-sh, letsencypt and lego folders"
	run: \|
	sudo rm -rf certbot/*
	sudo rm -rf lego/*
	sudo rm -rf acme-sh/*

	- name: "setup a2c with est_ca_handler (pkcs12)"
	run: \|
	sudo touch data/acme_srv.cfg
	sudo chmod 777 data/acme_srv.cfg
	sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
	sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/est_ca_handler.py" >> data/acme_srv.cfg
	sudo echo "est_host: https://openxpki:8443" >> data/acme_srv.cfg
	sudo echo "est_client_cert: /opt/acme2certifier/volume/acme_ca/client_crt.p12" >> data/acme_srv.cfg
	sudo echo "cert_passphrase: Test1234" >> data/acme_srv.cfg
	sudo echo "ca_bundle: /opt/acme2certifier/volume/acme_ca/ca_bundle.pem" >> data/acme_srv.cfg
	env:
	OPENXPKI_IP: ${{ env.RUNNER_IP }}

	- name: "[ PREPARE ] reconfigure a2c "
	run: \|
	docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart

	- name: "[ RUN ] Execute install scipt"
	run: \|
	docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh

	- name: "Test http://acme-srv/directory is accessible"
	run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory

	- name: "Enroll via acme.sh"
	run: \|
	docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail '[email protected]' -d acme-sh.acme --standalone --debug 3 --output-insecure --force
	awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
	openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer

	- name: "Enroll lego"
	run: \|
	docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --http run
	sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt

	- name: "Delete acme-sh, letsencypt and lego folders"
	run: \|
	sudo rm -rf certbot/*
	sudo rm -rf lego/*
	sudo rm -rf acme-sh/*

	- name: "Setup a2c with openxpki_ca_handler"
	run: \|
	sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
	sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/openxpki_ca_handler.py" >> data/acme_srv.cfg
	sudo echo "host: https://openxpki:8443" >> data/acme_srv.cfg
	# sudo echo "host: https://$OPENXPKI_IP:8443" >> data/acme_srv.cfg
	sudo echo "client_cert: /opt/acme2certifier/volume/acme_ca/client_crt.pem" >> data/acme_srv.cfg
	sudo echo "client_key: /opt/acme2certifier/volume/acme_ca/client_key.pem" >> data/acme_srv.cfg
	sudo echo "ca_bundle: /opt/acme2certifier/volume/acme_ca/ca_bundle.pem" >> data/acme_srv.cfg
	sudo echo "cert_profile_name: tls-server" >> data/acme_srv.cfg
	sudo echo "endpoint_name: enroll" >> data/acme_srv.cfg
	sudo echo "polling_timeout: 60" >> data/acme_srv.cfg
	env:
	OPENXPKI_IP: ${{ env.RUNNER_IP }}

	- name: "Reconfigure a2c "
	run: \|
	docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart

	- name: "Test http://acme-srv/directory is accessible again"
	run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory

	- name: "Enroll via acme.sh"
	run: \|
	docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail '[email protected]' -d acme-sh.acme --standalone --debug 3 --output-insecure --force
	awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
	openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer

	- name: "Revoke via acme.sh"
	run: \|
	docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure

	- name: "Register certbot"
	run: \|
	docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv --no-eff-email

	- name: "Enroll HTTP-01 single domain certbot"
	run: \|
	docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
	sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem

	- name: "Revoke HTTP-01 single domain certbot"
	run: \|
	docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv -d certbot.acme --cert-name certbot

	- name: "Enroll lego"
	run: \|
	docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --http run
	sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt

	- name: "Revoke HTTP-01 single domain lego"
	run: \|
	docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme revoke

	- name: "[ PREPARE ] delete acme-sh, letsencypt and lego folders"
	run: \|
	sudo rm -rf certbot/*
	sudo rm -rf lego/*
	sudo rm -rf acme-sh/*

	- name: "reconfigure a2c (pkcs12 support)"
	run: \|
	sudo head -n -8 .github/openssl_ca_handler.py_acme_srv_default_handler.cfg > data/acme_srv.cfg
	sudo echo "handler_file: /opt/acme2certifier/examples/ca_handler/openxpki_ca_handler.py" >> data/acme_srv.cfg
	sudo echo "host: https://openxpki:8443" >> data/acme_srv.cfg
	# sudo echo "host: https://$OPENXPKI_IP:8443" >> data/acme_srv.cfg
	sudo echo "client_cert: /opt/acme2certifier/volume/acme_ca/client_crt.p12" >> data/acme_srv.cfg
	sudo echo "cert_passphrase: Test1234" >> data/acme_srv.cfg
	sudo echo "ca_bundle: /opt/acme2certifier/volume/acme_ca/ca_bundle.pem" >> data/acme_srv.cfg
	sudo echo "cert_profile_name: tls-server" >> data/acme_srv.cfg
	sudo echo "endpoint_name: enroll" >> data/acme_srv.cfg
	sudo echo "polling_timeout: 60" >> data/acme_srv.cfg
	env:
	OPENXPKI_IP: ${{ env.RUNNER_IP }}

	- name: "Reconfigure a2c "
	run: \|
	docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh restart

	- name: "Test http://acme-srv/directory is accessible again"
	run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory

	- name: "Enroll via acme.sh"
	run: \|
	docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --issue --server http://acme-srv --accountemail '[email protected]' -d acme-sh.acme --standalone --debug 3 --output-insecure --force
	awk 'BEGIN {c=0;} /BEGIN CERT/{c++} { print > "cert-" c ".pem"}' < acme-sh/acme-sh.acme_ecc/ca.cer
	openssl verify -CAfile cert-2.pem -untrusted cert-1.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer

	- name: "revoke via acme.sh"
	run: \|
	docker run --rm -i -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest --revoke --server http://acme-srv -d acme-sh.acme --standalone --debug 3 --output-insecure

	- name: "Register certbot"
	run: \|
	docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv --no-eff-email

	- name: "Enroll HTTP-01 single domain certbot"
	run: \|
	docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
	sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem certbot/live/certbot/cert.pem

	- name: "Enroll lego"
	run: \|
	docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --http run
	sudo openssl verify -CAfile cert-2.pem -untrusted cert-1.pem lego/certificates/lego.acme.crt

	- name: "Revoke HTTP-01 single domain lego"
	run: \|
	docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme revoke

	- name: "[ * ] collecting test logs"
	if: ${{ failure() }}
	run: \|
	mkdir -p ${{ github.workspace }}/artifact/upload
	docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
	docker logs openxpki-docker_openxpki-server_1 > ${{ github.workspace }}/artifact/openxpki_server.log
	docker logs openxpki-docker_openxpki-client_1 > ${{ github.workspace }}/artifact/openxpki_client.log
	sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
	sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
	sudo rm ${{ github.workspace }}/artifact/data/*.rpm
	docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
	docker exec acme-srv rpm -qa > ${{ github.workspace }}/artifact/data/packages.txt
	docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
	docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
	sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data openxpki_server.log openxpki_client.log acme-srv.log acme-sh

	- name: "[ * ] uploading artificates"
	uses: actions/upload-artifact@v4
	if: ${{ failure() }}
	with:
	name: openxpki_rpm-rh${{ matrix.rhversion }}.tar.gz
	path: ${{ github.workspace }}/artifact/upload/

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CA handler tests - OpenXPKI handler #671

Workflow file

CA handler tests - OpenXPKI handler #671

Jobs

Run details

Workflow file for this run