New acme_* integration test using ACME test docker container (#41626)

* Using ACME test container for acme_account integration test. * Removing dependency on setup_openssl. Waiting for controller and Pebble. * More tinkering. * Reducing number of tries. * One more try. * Another try. * Added acme_certificate tests. * Removed double key. * Added tests for acme_certificate_revoke. * Making task names more meaningful (during certificate generation). * Using newer test container which integrates letsencrypt/pebble#137. Adding test for revoking certificate by its private key. * Using new version of Pebble which limits the random auth delay. * Simplifying certificates for revocation tests. * Reworking acme_certificate tests (there are now more, but they are faster). * Test whether account_key_content works. * Preparing TLS-ALPN-01 support. * Using official Ansible image of testing container on quay.io. * Bumping version. * Bumping version of test container to 1.1.0. * Adjusting to new CI group names. * Pass ACME simulator IP as playbook variable. * Let test plugin wait for controller and CA endpoints to become active. * Refactor common setup parts of tests to setup_acme. * _ -> dummy * Moving common obtain-cert.yml to setup_acme.
2025-10-22 20:13:59 -07:00 · 2018-07-30 20:10:17 +02:00 · 2018-07-30 20:10:17 +02:00 · d4c16f51be
commit d4c16f51be
parent c809500c79
17 changed files with 863 additions and 48 deletions
--- a/test/integration/targets/acme_account/aliases
+++ b/test/integration/targets/acme_account/aliases
@ -1,3 +1,2 @@
-shippable/posix/group1
-destructive
-disabled
+shippable/cloud/group1
+cloud/acme
--- a/test/integration/targets/acme_account/meta/main.yml
+++ b/test/integration/targets/acme_account/meta/main.yml
@ -1,2 +1,2 @@
 dependencies:
-  - setup_openssl
+  - setup_acme
--- a/test/integration/targets/acme_account/tasks/main.yml
+++ b/test/integration/targets/acme_account/tasks/main.yml
@ -1,7 +1,5 @@
 ---
 - block:
-  - debug: var=openssl_version.stdout
-
  - name: Generate account key
    command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/accountkey.pem

@ -12,7 +10,8 @@
    acme_account:
      account_key_src: "{{ output_dir }}/accountkey.pem"
      acme_version: 2
-      acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
+      acme_directory: https://{{ acme_host }}:14000/dir
+      validate_certs: no
      state: present
      allow_creation: no
    ignore_errors: yes
@ -22,7 +21,8 @@
    acme_account:
      account_key_src: "{{ output_dir }}/accountkey.pem"
      acme_version: 2
-      acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
+      acme_directory: https://{{ acme_host }}:14000/dir
+      validate_certs: no
      state: present
      allow_creation: yes
      terms_agreed: yes
@ -32,9 +32,10 @@

  - name: Change email address
    acme_account:
-      account_key_src: "{{ output_dir }}/accountkey.pem"
+      account_key_content: "{{ lookup('file', output_dir ~ '/accountkey.pem') }}"
      acme_version: 2
-      acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
+      acme_directory: https://{{ acme_host }}:14000/dir
+      validate_certs: no
      state: present
      # allow_creation: no
      contact:
@ -45,7 +46,8 @@
    acme_account:
      account_key_src: "{{ output_dir }}/accountkey.pem"
      acme_version: 2
-      acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
+      acme_directory: https://{{ acme_host }}:14000/dir
+      validate_certs: no
      state: present
      # allow_creation: no
      contact:
@ -58,52 +60,91 @@
  - name: Parse account key (to ease debugging some test failures)
    command: openssl ec -in {{ output_dir }}/accountkey2.pem -noout -text

-  - name: Change account key
-    acme_account:
-      account_key_src: "{{ output_dir }}/accountkey.pem"
-      acme_version: 2
-      acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
-      new_account_key_src: "{{ output_dir }}/accountkey2.pem"
-      state: changed_key
-      contact:
-      - mailto:example@example.com
-    register: account_change_key
+# Note that pebble has no change key endpoint implemented yet!
+# When it has (and the container was updated), uncomment the
+# uncomment the following tests, and delete the ones below the
+# out-commented ones.
+
+#  - name: Change account key
+#    acme_account:
+#      account_key_src: "{{ output_dir }}/accountkey.pem"
+#      acme_version: 2
+#      acme_directory: https://{{ acme_host }}:14000/dir
+#      validate_certs: no
+#      new_account_key_src: "{{ output_dir }}/accountkey2.pem"
+#      state: changed_key
+#      contact:
+#      - mailto:example@example.com
+#    register: account_change_key
+
+#  - name: Deactivate account
+#    acme_account:
+#      account_key_src: "{{ output_dir }}/accountkey2.pem"
+#      acme_version: 2
+#      acme_directory: https://{{ acme_host }}:14000/dir
+#      validate_certs: no
+#      state: absent
+#    register: account_deactivate
+
+#  - name: Deactivate account (idempotent)
+#    acme_account:
+#      account_key_src: "{{ output_dir }}/accountkey2.pem"
+#      acme_version: 2
+#      acme_directory: https://{{ acme_host }}:14000/dir
+#      validate_certs: no
+#      state: absent
+#    register: account_deactivate_idempotent
+
+#  - name: Do not try to create account II
+#    acme_account:
+#      account_key_src: "{{ output_dir }}/accountkey2.pem"
+#      acme_version: 2
+#      acme_directory: https://{{ acme_host }}:14000/dir
+#      validate_certs: no
+#      state: present
+#      allow_creation: no
+#    ignore_errors: yes
+#    register: account_not_created_2
+
+#  - name: Do not try to create account III
+#    acme_account:
+#      account_key_src: "{{ output_dir }}/accountkey.pem"
+#      acme_version: 2
+#      acme_directory: https://{{ acme_host }}:14000/dir
+#      validate_certs: no
+#      state: present
+#      allow_creation: no
+#    ignore_errors: yes
+#    register: account_not_created_3

  - name: Deactivate account
    acme_account:
-      account_key_src: "{{ output_dir }}/accountkey2.pem"
+      account_key_src: "{{ output_dir }}/accountkey.pem"
      acme_version: 2
-      acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
+      acme_directory: https://{{ acme_host }}:14000/dir
+      validate_certs: no
      state: absent
    register: account_deactivate

  - name: Deactivate account (idempotent)
    acme_account:
-      account_key_src: "{{ output_dir }}/accountkey2.pem"
+      account_key_src: "{{ output_dir }}/accountkey.pem"
      acme_version: 2
-      acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
+      acme_directory: https://{{ acme_host }}:14000/dir
+      validate_certs: no
      state: absent
    register: account_deactivate_idempotent

  - name: Do not try to create account II
    acme_account:
-      account_key_src: "{{ output_dir }}/accountkey2.pem"
+      account_key_src: "{{ output_dir }}/accountkey.pem"
      acme_version: 2
-      acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
+      acme_directory: https://{{ acme_host }}:14000/dir
+      validate_certs: no
      state: present
      allow_creation: no
    ignore_errors: yes
    register: account_not_created_2

-  - name: Do not try to create account III
-    acme_account:
-      account_key_src: "{{ output_dir }}/accountkey.pem"
-      acme_version: 2
-      acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
-      state: present
-      allow_creation: no
-    ignore_errors: yes
-    register: account_not_created_3
-
  # Old 0.9.8 versions have insufficient CLI support for signing with EC keys
  when: openssl_version.stdout is version('1.0.0', '>=')
--- a/test/integration/targets/acme_account/tests/validate.yml
+++ b/test/integration/targets/acme_account/tests/validate.yml
@ -22,11 +22,38 @@
      - account_modified_idempotent is not changed
      - account_modified_idempotent.account_uri is not none

- name: Validate that the account key was changed
-  assert:
-    that:
-      - account_change_key is changed
-      - account_change_key.account_uri is not none
+# Note that pebble has no change key endpoint implemented yet!
+# When it has (and the container was updated), uncomment the
+# following validations, and delete the ones below the
+# out-commented ones:
+
+#- name: Validate that the account key was changed
+#  assert:
+#    that:
+#      - account_change_key is changed
+#      - account_change_key.account_uri is not none
+#
+#- name: Validate that the account was deactivated
+#  assert:
+#    that:
+#      - account_deactivate is changed
+#      - account_deactivate.account_uri is not none
+#
+#- name: Validate that the account was really deactivated (idempotency)
+#  assert:
+#    that:
+#      - account_deactivate_idempotent is not changed
+#      - account_deactivate_idempotent.account_uri is not none
+#
+#- name: Validate that the account is gone (new account key)
+#  assert:
+#    that:
+#      - account_not_created_2 is failed
+#
+#- name: Validate that the account is gone (old account key)
+#  assert:
+#    that:
+#      - account_not_created_3 is failed

 - name: Validate that the account was deactivated
  assert:
@ -40,12 +67,7 @@
      - account_deactivate_idempotent is not changed
      - account_deactivate_idempotent.account_uri is not none

- name: Validate that the account is gone (new account key)
+- name: Validate that the account is gone
  assert:
    that:
      - account_not_created_2 is failed
-
- name: Validate that the account is gone (old account key)
-  assert:
-    that:
-      - account_not_created_3 is failed