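# End-to-end tests of External Account Binding (EAB) against acme2certifier,
# driven with three ACME clients (certbot, acme.sh, lego).
#
# Every job follows the same pattern per client:
#   "[ FAIL ]"  - registration WITHOUT EAB credentials, expected to be rejected
#                (continue-on-error keeps the job alive so the outcome can be
#                inspected);
#   "[ CHECK ]" - fails the job if that step did NOT fail, i.e. if the server
#                accepted an account without EAB;
#   "[ REGISTER ] / [ ENROLL ]" - the positive path with the test kid/HMAC.
#
# The kid/HMAC pair used below is the test fixture shipped in
# examples/eab_handler/key_file.json (referenced from the generated
# acme_srv.cfg); it is not a production credential.
name: EAB Tests

# `on` is a YAML 1.1 boolean for generic parsers; GitHub's loader treats it as
# the trigger key, so keep it as written (yamllint: disable rule:truthy).
on:
  push:
  pull_request:
    branches: [devel]
  schedule:
    # * is a special character in YAML so you have to quote this string
    - cron: '0 2 * * 6'

jobs:
  # --------------------------------------------------------------------------
  # docker-compose based deployment (apache2 / nginx x wsgi / django)
  # --------------------------------------------------------------------------
  eab_apache2_wsgi:
    name: "eab_apache2_wsgi"
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        websrv: ['apache2', 'nginx']
        dbhandler: ['wsgi', 'django']
    steps:
      # Actions are pinned by tag; pinning to a commit SHA would make the
      # supply chain immutable but is a repo-wide decision, not changed here.
      - name: "checkout GIT"
        uses: actions/checkout@v4

      # Matrix values reach the shell through `env` rather than through
      # ${{ }} interpolation inside the script, which avoids shell injection
      # of expression output.
      - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})"
        working-directory: examples/Docker/
        run: |
          sudo apt-get install -y docker-compose
          sudo mkdir -p data
          sed -i "s/wsgi/$DB_HANDLER/g" .env
          sed -i "s/apache2/$WEB_SRV/g" .env
          cat .env
          docker network create acme
          docker-compose up -d
          docker-compose logs
        env:
          WEB_SRV: ${{ matrix.websrv }}
          DB_HANDLER: ${{ matrix.dbhandler }}

      # Install the test CA material and enable the json EAB handler.
      # The `>>` redirections run as the runner user (sudo only applies to
      # echo); they succeed because of the chmod 777 just above. 777 is
      # acceptable for a throw-away CI volume only.
      - name: "[ PREPARE ] setup openssl ca_handler"
        run: |
          sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem
          sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem
          sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem
          sudo cp .github/django_settings.py examples/Docker/data/settings.py
          sudo mkdir -p examples/Docker/data/acme_ca/certs
          sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/
          sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg examples/Docker/data/acme_srv.cfg
          sudo chmod 777 examples/Docker/data/acme_srv.cfg
          sudo echo -e "\n\n[EABhandler]" >> examples/Docker/data/acme_srv.cfg
          sudo echo "eab_handler_file: /var/www/acme2certifier/examples/eab_handler/json_handler.py" >> examples/Docker/data/acme_srv.cfg
          sudo echo "key_file: examples/eab_handler/key_file.json" >> examples/Docker/data/acme_srv.cfg
          cd examples/Docker/
          docker-compose restart
          docker-compose logs

      # A plain sleep replaces the third-party sleep action (one less
      # external action in the supply chain; the rendered source masked its
      # version ref anyway).
      - name: "Sleep for 10s"
        run: sleep 10

      - name: "Test http://acme-srv/directory is accessible"
        run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory

      # --insecure is expected here: the server presents the test certificate
      # copied in above, which is not trusted by the curl image.
      - name: "Test if https://acme-srv/directory is accessible"
        run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory

      - name: "[ PREPARE ] create letsencrypt folder"
        run: |
          mkdir certbot

      # NOTE(review): the contact addresses in this file appear masked in the
      # rendered source ("[email protected]"); the literals are kept as-is.
      - name: "[ FAIL ] certbot without eab-credentials"
        id: certbotfail
        continue-on-error: true
        run: |
          docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv --no-eff-email

      # Vacuous-pass guard: the job fails if registration without EAB succeeded.
      - name: "[ CHECK ] certbot result "
        if: steps.certbotfail.outcome != 'failure'
        run: |
          echo "certbot outcome is ${{steps.certbotfail.outcome }}"
          exit 1

      - name: "[ REGISTER] certbot"
        run: |
          docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv --no-eff-email --eab-kid keyid_02 --eab-hmac-key=dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM

      # Enrollment is only considered successful if the issued certificate
      # chains to the test root CA.
      - name: "[ ENROLL ] HTTP-01 single domain certbot"
        run: |
          docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
          sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem

      - name: "[ PREPARE ] prepare acme.sh container"
        run: |
          docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon

      - name: "[ FAIL] acme.sh"
        id: acmeshfail
        continue-on-error: true
        run: |
          docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail '[email protected]' --debug 3

      - name: "[ CHECK ] acme.sh result "
        if: steps.acmeshfail.outcome != 'failure'
        run: |
          echo "acmeshfail outcome is ${{steps.acmeshfail.outcome }}"
          exit 1

      - name: "[ REGISTER] acme.sh"
        run: |
          docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail '[email protected]' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3

      - name: "[ ENROLL] acme.sh"
        run: |
          docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure
          openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer

      # `mkdir -p`: the step must only be able to fail on the ACME request
      # itself. A failing mkdir (directory already present) would also yield
      # outcome=failure and let the CHECK step pass without testing EAB.
      - name: "[ FAIL ] lego"
        id: legofail
        continue-on-error: true
        run: |
          mkdir -p lego
          docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --http run

      - name: "[ CHECK ] lego result "
        if: steps.legofail.outcome != 'failure'
        run: |
          echo "legofail outcome is ${{steps.legofail.outcome }}"
          exit 1

      - name: "[ ENROLL ] lego"
        run: |
          docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.acme --http run
          sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt

      # The artifact contains the server data directory, including the test
      # CA private key copied in above (test material only).
      - name: "[ * ] collecting test logs"
        if: ${{ failure() }}
        run: |
          mkdir -p ${{ github.workspace }}/artifact/upload
          sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
          cd examples/Docker
          docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
          sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data

      - name: "[ * ] uploading artificates"
        uses: actions/upload-artifact@v4
        if: ${{ failure() }}
        with:
          name: eab-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz
          path: ${{ github.workspace }}/artifact/upload/

  # --------------------------------------------------------------------------
  # RPM installation on AlmaLinux (wsgi)
  # --------------------------------------------------------------------------
  eab_wsgi_rpm:
    name: "eab_wsgi_rpm"
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        rhversion: [8, 9]
    steps:
      - name: "checkout GIT"
        uses: actions/checkout@v4

      # Extracts the value of __version__ from acme_srv/version.py into
      # $GITHUB_ENV as TAG_NAME.
      - name: Retrieve Version from version.py
        run: |
          echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV
      - run: echo "Latest tag is ${{ env.TAG_NAME }}"

      - name: update version number in spec file
        run: |
          # sudo sed -i "s/Source0:.*/Source0: %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec
          sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec
          cat examples/install_scripts/rpm/acme2certifier.spec

      - name: build RPM package
        id: rpm
        uses: grindsa/rpmbuild@alma9
        with:
          spec_file: "examples/install_scripts/rpm/acme2certifier.spec"
      - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}"

      - name: "[ PREPARE ] setup environment for alma installation"
        run: |
          docker network create acme
          sudo mkdir -p data
          sudo chmod -R 777 data
          sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data
          sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data

      - name: "[ PREPARE ] create letsencrypt and lego folder"
        run: |
          mkdir certbot
          mkdir lego

      # Dependency RPMs come from a private repo. The credentials are passed
      # via `env`, so they are masked in the log. Note that git keeps the
      # URL, token included, in /tmp/sbom/.git/config; nothing below copies
      # that directory into the artifact.
      # NOTE(review): the host part of the clone URL was masked in the
      # rendered source; reconstructed as github.com -- confirm.
      - name: "Retrieve rpms from SBOM repo"
        run: |
          git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom
          cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data
        env:
          GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
          GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}

      - name: "[ PREPARE ] prepare acme_srv.cfg with openssl_ca_handler"
        run: |
          sudo mkdir -p data/acme_ca/certs/
          sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/
          sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/acme_srv.cfg
          sudo chmod 777 data/acme_srv.cfg
          sudo echo -e "\n\n[EABhandler]" >> data/acme_srv.cfg
          sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/json_handler.py" >> data/acme_srv.cfg
          sudo echo "key_file: /opt/acme2certifier/examples/eab_handler/key_file.json" >> data/acme_srv.cfg

      # --privileged is presumably required to run systemd inside the
      # container; it is confined to this throw-away CI container.
      - name: "[ PREPARE ] Almalinux instance"
        run: |
          sudo cp examples/Docker/almalinux-systemd/Dockerfile data
          sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile
          cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache
          docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd

      - name: "[ RUN ] Execute install scipt"
        run: |
          docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh

      - name: "Test http://acme-srv/directory is accessible"
        run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory

      - name: "[ FAIL ] certbot without eab-credentials"
        id: certbotfail
        continue-on-error: true
        run: |
          docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv --no-eff-email

      - name: "[ CHECK ] certbot result "
        if: steps.certbotfail.outcome != 'failure'
        run: |
          echo "certbot outcome is ${{steps.certbotfail.outcome }}"
          exit 1

      - name: "[ REGISTER] certbot"
        run: |
          docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv --no-eff-email --eab-kid keyid_02 --eab-hmac-key=dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM

      - name: "[ ENROLL ] HTTP-01 single domain certbot"
        run: |
          docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
          sudo openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem

      - name: "[ PREPARE ] prepare acme.sh container"
        run: |
          docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon

      - name: "[ FAIL] acme.sh"
        id: acmeshfail
        continue-on-error: true
        run: |
          docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail '[email protected]' --debug 3

      - name: "[ CHECK ] acme.sh result "
        if: steps.acmeshfail.outcome != 'failure'
        run: |
          echo "acmeshfail outcome is ${{steps.acmeshfail.outcome }}"
          exit 1

      - name: "[ REGISTER] acme.sh"
        run: |
          docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail '[email protected]' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3

      - name: "[ ENROLL] acme.sh"
        run: |
          docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure
          openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer

      # `lego` already exists (created in the PREPARE step above). With the
      # runner's default `bash -e`, a plain `mkdir lego` fails first, the
      # step's outcome becomes "failure" for the wrong reason and the CHECK
      # step is skipped without ever testing that EAB is enforced.
      - name: "[ FAIL ] lego"
        id: legofail
        continue-on-error: true
        run: |
          mkdir -p lego
          docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --http run

      - name: "[ CHECK ] lego result "
        if: steps.legofail.outcome != 'failure'
        run: |
          echo "legofail outcome is ${{steps.legofail.outcome }}"
          exit 1

      - name: "[ ENROLL ] lego"
        run: |
          docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.acme --http run
          sudo openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt

      # The in-container tarball is written to the mounted data directory,
      # so it is picked up by the `cp -rp data/` below.
      - name: "[ * ] collecting test logs"
        if: ${{ failure() }}
        run: |
          mkdir -p ${{ github.workspace }}/artifact/upload
          docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
          sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
          sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
          sudo rm ${{ github.workspace }}/artifact/data/*.rpm
          docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
          docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
          docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
          sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh

      - name: "[ * ] uploading artificates"
        uses: actions/upload-artifact@v4
        if: ${{ failure() }}
        with:
          name: eab-rpm-rh${{ matrix.rhversion }}.tar.gz
          path: ${{ github.workspace }}/artifact/upload/

  # --------------------------------------------------------------------------
  # RPM installation on AlmaLinux (django)
  # --------------------------------------------------------------------------
  eab_django_rpm:
    name: "eab_django_rpm"
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        rhversion: [8, 9]
    steps:
      - name: "checkout GIT"
        uses: actions/checkout@v4

      - name: "[ PREPARE ] get runner ip"
        run: |
          echo RUNNER_IP=$(ip addr show eth0 | grep -i "inet " | cut -d ' ' -f 6 | cut -d '/' -f 1) >> $GITHUB_ENV
          echo RUNNER_PATH=$(pwd | sed 's_/_\\/_g') >> $GITHUB_ENV
      - run: echo "runner IP is ${{ env.RUNNER_IP }}"

      - name: Retrieve Version from version.py
        run: |
          echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV
      - run: echo "Latest tag is ${{ env.TAG_NAME }}"

      # The nginx config change is committed locally so that the RPM build
      # (which presumably archives the git tree) picks it up; the commit
      # never leaves the runner.
      - name: update version number in spec file and path in nginx ssl config
        run: |
          sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec
          sudo sed -i "s/\/var\/www\/acme2certifier\/volume/\/etc\/nginx/g" examples/nginx/nginx_acme_srv_ssl.conf
          git config --global user.email "[email protected]"
          git config --global user.name "rpm update"
          git add examples/nginx
          git commit -a -m "rpm update"

      - name: build RPM package
        id: rpm
        uses: grindsa/rpmbuild@alma9
        with:
          spec_file: "examples/install_scripts/rpm/acme2certifier.spec"
      - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}"

      - name: "[ PREPARE ] setup environment for alma installation"
        run: |
          docker network create acme
          sudo mkdir -p data/volume
          sudo mkdir -p data/acme2certifier
          sudo mkdir -p data/nginx
          sudo chmod -R 777 data
          sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data
          sudo cp examples/Docker/almalinux-systemd/django_tester.sh data
          sudo cp .github/acme2certifier_cert.pem data/nginx/acme2certifier_cert.pem
          sudo cp .github/acme2certifier_key.pem data/nginx/acme2certifier_key.pem
          sudo cp .github/django_settings.py data/acme2certifier/settings.py
          sudo sed -i "s/\/var\/www\//\/opt\//g" data/acme2certifier/settings.py
          sudo sed -i "s/USE_I18N = True/USE_I18N = False/g" data/acme2certifier/settings.py

      # Only `lego` is created here; the `certbot` directory is created by the
      # docker volume mount on first use (owned by root, hence the sudo cp in
      # the log collection step).
      - name: "[ PREPARE ] create lego folder"
        run: |
          mkdir lego

      # See the note on the same step in eab_wsgi_rpm: credentials via `env`,
      # token ends up in /tmp/sbom/.git/config, host reconstructed as
      # github.com (masked in the rendered source) -- confirm.
      - name: "Retrieve rpms from SBOM repo"
        run: |
          git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom
          cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm data
        env:
          GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
          GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}

      - name: "[ PREPARE ] prepare acme_srv.cfg with openssl_ca_handler"
        run: |
          sudo mkdir -p data/volume/acme_ca/certs
          sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/volume/acme_ca/
          sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/volume/acme_srv.cfg
          sudo chmod 777 data/volume/acme_srv.cfg
          sudo echo -e "\n\n[EABhandler]" >> data/volume/acme_srv.cfg
          sudo echo "eab_handler_file: /opt/acme2certifier/examples/eab_handler/json_handler.py" >> data/volume/acme_srv.cfg
          sudo echo "key_file: /opt/acme2certifier/examples/eab_handler/key_file.json" >> data/volume/acme_srv.cfg

      # Port 80 of the container is additionally published on the runner
      # (22280); every test below still talks to it over the `acme` network.
      - name: "[ PREPARE ] Almalinux instance"
        run: |
          sudo cp examples/Docker/almalinux-systemd/Dockerfile data
          sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile
          cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache
          docker run -d -id --privileged --network acme -p 22280:80 --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd

      - name: "[ RUN ] Execute install scipt"
        run: |
          docker exec acme-srv sh /tmp/acme2certifier/django_tester.sh

      - name: "Test http://acme-srv/directory is accessible"
        run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory

      - name: "Test if https://acme-srv/directory is accessible"
        run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory

      - name: "[ FAIL ] certbot without eab-credentials"
        id: certbotfail
        continue-on-error: true
        run: |
          docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv --no-eff-email

      - name: "[ CHECK ] certbot result "
        if: steps.certbotfail.outcome != 'failure'
        run: |
          echo "certbot outcome is ${{steps.certbotfail.outcome }}"
          exit 1

      - name: "[ REGISTER] certbot"
        run: |
          docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m '[email protected]' --server http://acme-srv --no-eff-email --eab-kid keyid_02 --eab-hmac-key=dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM

      - name: "[ ENROLL ] HTTP-01 single domain certbot"
        run: |
          docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
          sudo openssl verify -CAfile data/volume/acme_ca/root-ca-cert.pem -untrusted data/volume/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem

      - name: "[ PREPARE ] prepare acme.sh container"
        run: |
          docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon

      - name: "[ FAIL] acme.sh"
        id: acmeshfail
        continue-on-error: true
        run: |
          docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail '[email protected]' --debug 3

      - name: "[ CHECK ] acme.sh result "
        if: steps.acmeshfail.outcome != 'failure'
        run: |
          echo "acmeshfail outcome is ${{steps.acmeshfail.outcome }}"
          exit 1

      - name: "[ REGISTER] acme.sh"
        run: |
          docker exec -i acme-sh acme.sh --server http://acme-srv --register-account --accountemail '[email protected]' --eab-kid keyid_02 --eab-hmac-key dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM --debug 3

      - name: "[ ENROLL] acme.sh"
        run: |
          docker exec -i acme-sh acme.sh --server http://acme-srv --issue -d acme-sh.acme --standalone --debug 3 --output-insecure
          openssl verify -CAfile data/volume/acme_ca/root-ca-cert.pem -untrusted data/volume/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer

      # `mkdir -p`: `lego` was already created in the PREPARE step; a plain
      # `mkdir lego` would fail under `bash -e` before the ACME request and
      # make the CHECK step pass vacuously.
      - name: "[ FAIL ] lego"
        id: legofail
        continue-on-error: true
        run: |
          mkdir -p lego
          docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" -d lego.acme --http run

      - name: "[ CHECK ] lego result "
        if: steps.legofail.outcome != 'failure'
        run: |
          echo "legofail outcome is ${{steps.legofail.outcome }}"
          exit 1

      - name: "[ ENROLL ] lego"
        run: |
          docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "[email protected]" --eab --kid keyid_02 --hmac dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM -d lego.acme --http run
          sudo openssl verify -CAfile data/volume/acme_ca/root-ca-cert.pem -untrusted data/volume/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt

      # Fixes: the certbot directory is copied from `certbot/` (the original
      # copied `lego/` twice, so the certbot logs were never collected), and
      # the rpm cleanup runs once (a second `rm` on an already-empty glob
      # failed under `bash -e`, aborting the step before the tarball was
      # written).
      - name: "[ * ] collecting test logs"
        if: ${{ failure() }}
        run: |
          mkdir -p ${{ github.workspace }}/artifact/upload
          docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
          docker exec acme-srv tar cvfz /tmp/acme2certifier/nginx.tgz /etc/nginx
          sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
          sudo rm ${{ github.workspace }}/artifact/data/*.rpm
          sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
          sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/
          docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
          docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
          docker exec acme-srv rpm -qa > ${{ github.workspace }}/artifact/data/packages.txt
          docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
          sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log lego certbot

      - name: "[ * ] uploading artificates"
        uses: actions/upload-artifact@v4
        if: ${{ failure() }}
        with:
          name: eab_django_rpm-rh${{ matrix.rhversion }}.tar.gz
          path: ${{ github.workspace }}/artifact/upload/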