ansible-collections/community.general
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2025-06-28 03:00:23 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

acme_*: new test container, tests for IP certificates (#57530)

Browse source 
* Bump container version.

* Use new URLs.

* Add IP certificate tests.

* Disable IPv6 IP from IP certificate.

Background: in CI, the ACME test container apparently has no IPv6 support.
Without IPv6 support, Pebble can't connect to validate, and thus validation
fails.
This commit is contained in:
Felix Fontein 2019-06-08 14:02:44 +02:00 committed by GitHub
parent 9d67f476e6
commit c50a75a41e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 57 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

54
test/integration/targets/acme_certificate/tasks/impl.yml
View file

@ -193,6 +193,46 @@
remaining_days: 10 remaining_days: 10
terms_agreed: yes terms_agreed: yes
account_email: "example@example.org" account_email: "example@example.org"
- name: Obtain cert 7
include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 7
certificate_name: cert-7
key_type: rsa
rsa_bits: 2048
subject_alt_name:
- "IP:127.0.0.1"
# - "IP:::1"
subject_alt_name_critical: no
account_key: account-ec256
challenge: http-01
modify_account: yes
deactivate_authzs: no
force: no
remaining_days: 10
terms_agreed: yes
account_email: "example@example.org"
- name: Obtain cert 8
include_tasks: obtain-cert.yml
vars:
certgen_title: Certificate 8
certificate_name: cert-8
key_type: rsa
rsa_bits: 2048
subject_alt_name:
- "IP:127.0.0.1"
# IPv4 only since our test validation server doesn't work
# with IPv6 (thanks to Python's socketserver).
subject_alt_name_critical: no
account_key: account-ec256
challenge: tls-alpn-01
challenge_alpn_tls: acme_challenge_cert_helper
modify_account: yes
deactivate_authzs: no
force: no
remaining_days: 10
terms_agreed: yes
account_email: "example@example.org"
## DISSECT CERTIFICATES ####################################################################### ## DISSECT CERTIFICATES #######################################################################
# Make sure certificates are valid. Root certificate for Pebble equals the chain certificate. # Make sure certificates are valid. Root certificate for Pebble equals the chain certificate.
- name: Verifying cert 1 - name: Verifying cert 1
@ -219,6 +259,14 @@
command: openssl verify -CAfile "{{ output_dir }}/cert-6-root.pem" -untrusted "{{ output_dir }}/cert-6-chain.pem" "{{ output_dir }}/cert-6.pem" command: openssl verify -CAfile "{{ output_dir }}/cert-6-root.pem" -untrusted "{{ output_dir }}/cert-6-chain.pem" "{{ output_dir }}/cert-6.pem"
ignore_errors: yes ignore_errors: yes
register: cert_6_valid register: cert_6_valid
- name: Verifying cert 7
command: openssl verify -CAfile "{{ output_dir }}/cert-7-root.pem" -untrusted "{{ output_dir }}/cert-7-chain.pem" "{{ output_dir }}/cert-7.pem"
ignore_errors: yes
register: cert_7_valid
- name: Verifying cert 8
command: openssl verify -CAfile "{{ output_dir }}/cert-8-root.pem" -untrusted "{{ output_dir }}/cert-8-chain.pem" "{{ output_dir }}/cert-8.pem"
ignore_errors: yes
register: cert_8_valid
# Dump certificate info # Dump certificate info
- name: Dumping cert 1 - name: Dumping cert 1
command: openssl x509 -in "{{ output_dir }}/cert-1.pem" -noout -text command: openssl x509 -in "{{ output_dir }}/cert-1.pem" -noout -text
@ -238,3 +286,9 @@
- name: Dumping cert 6 - name: Dumping cert 6
command: openssl x509 -in "{{ output_dir }}/cert-6.pem" -noout -text command: openssl x509 -in "{{ output_dir }}/cert-6.pem" -noout -text
register: cert_6_text register: cert_6_text
- name: Dumping cert 7
command: openssl x509 -in "{{ output_dir }}/cert-7.pem" -noout -text
register: cert_7_text
- name: Dumping cert 8
command: openssl x509 -in "{{ output_dir }}/cert-8.pem" -noout -text
register: cert_8_text

4
test/integration/targets/setup_acme/tasks/obtain-cert.yml
View file

@ -95,7 +95,7 @@
when: "challenge_data is changed and challenge == 'tls-alpn-01' and (challenge_alpn_tls is defined and challenge_alpn_tls == 'acme_challenge_cert_helper')" when: "challenge_data is changed and challenge == 'tls-alpn-01' and (challenge_alpn_tls is defined and challenge_alpn_tls == 'acme_challenge_cert_helper')"
- name: ({{ certgen_title }}) Set TLS ALPN challenges (acm_challenge_cert_helper) - name: ({{ certgen_title }}) Set TLS ALPN challenges (acm_challenge_cert_helper)
uri: uri:
url: "http://{{ acme_host }}:5000/tls-alpn/{{ item.domain }}/certificate-and-key" url: "http://{{ acme_host }}:5000/tls-alpn/{{ item.domain }}/{{ item.identifier }}/certificate-and-key"
method: PUT method: PUT
body_format: raw body_format: raw
body: "{{ item.challenge_certificate }}\n{{ lookup('file', output_dir ~ '/' ~ certificate_name ~ '.key') }}" body: "{{ item.challenge_certificate }}\n{{ lookup('file', output_dir ~ '/' ~ certificate_name ~ '.key') }}"
@ -105,7 +105,7 @@
when: "challenge_data is changed and challenge == 'tls-alpn-01' and (challenge_alpn_tls is defined and challenge_alpn_tls == 'acme_challenge_cert_helper')" when: "challenge_data is changed and challenge == 'tls-alpn-01' and (challenge_alpn_tls is defined and challenge_alpn_tls == 'acme_challenge_cert_helper')"
- name: ({{ certgen_title }}) Create TLS ALPN challenges (der-value-b64) - name: ({{ certgen_title }}) Create TLS ALPN challenges (der-value-b64)
uri: uri:
url: "http://{{ acme_host }}:5000/tls-alpn/{{ item.value['tls-alpn-01'].resource }}/der-value-b64" url: "http://{{ acme_host }}:5000/tls-alpn/{{ item.value['tls-alpn-01'].resource }}/{{ item.value['tls-alpn-01'].resource_original }}/der-value-b64"
method: PUT method: PUT
body_format: raw body_format: raw
body: "{{ item.value['tls-alpn-01'].resource_value }}" body: "{{ item.value['tls-alpn-01'].resource_value }}"

2
test/runner/lib/cloud/acme.py
View file

@ -44,7 +44,7 @@ class ACMEProvider(CloudProvider):
if os.environ.get('ANSIBLE_ACME_CONTAINER'): if os.environ.get('ANSIBLE_ACME_CONTAINER'):
self.image = os.environ.get('ANSIBLE_ACME_CONTAINER') self.image = os.environ.get('ANSIBLE_ACME_CONTAINER')
else: else:
self.image = 'quay.io/ansible/acme-test-container:1.4.2' self.image = 'quay.io/ansible/acme-test-container:1.5.0'
self.container_name = '' self.container_name = ''
def _wait_for_service(self, protocol, acme_host, port, local_part, name): def _wait_for_service(self, protocol, acme_host, port, local_part, name):