Adding useful OCSP debug messages #89
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: OCSP Tests | |
| on: [push, pull_request] | |
| jobs: | |
| init: | |
| name: Initialization | |
| uses: ./.github/workflows/init.yml | |
| secrets: inherit | |
| build: | |
| name: Waiting for build | |
| needs: init | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Wait for build | |
| uses: lewagon/[email protected] | |
| with: | |
| ref: ${{ github.ref }} | |
| check-name: 'Building PKI' | |
| repo-token: ${{ secrets.GITHUB_TOKEN }} | |
| wait-interval: 30 | |
| if: github.event_name == 'push' | |
| - name: Wait for build | |
| uses: lewagon/[email protected] | |
| with: | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| check-name: 'Building PKI' | |
| repo-token: ${{ secrets.GITHUB_TOKEN }} | |
| wait-interval: 30 | |
| if: github.event_name == 'pull_request' | |
| # docs/installation/ocsp/Installing_OCSP.md | |
| ocsp-test: | |
| name: Testing OCSP | |
| needs: [init, build] | |
| runs-on: ubuntu-latest | |
| env: | |
| PKIDIR: /tmp/workdir/pki | |
| steps: | |
| - name: Clone repository | |
| uses: actions/checkout@v3 | |
| - name: Retrieve pki-runner image | |
| uses: actions/cache@v3 | |
| with: | |
| key: pki-runner-${{ github.sha }} | |
| path: pki-runner.tar | |
| - name: Load runner image | |
| run: docker load --input pki-runner.tar | |
| - name: Run container | |
| run: | | |
| IMAGE=pki-runner \ | |
| NAME=pki \ | |
| HOSTNAME=pki.example.com \ | |
| tests/bin/runner-init.sh | |
| - name: Install dependencies | |
| run: docker exec pki dnf install -y 389-ds-base | |
| - name: Install DS | |
| run: docker exec pki ${PKIDIR}/tests/bin/ds-create.sh | |
| - name: Install CA | |
| run: docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/ca.cfg -s CA -v | |
| - name: Install OCSP | |
| run: docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/ocsp.cfg -s OCSP -v | |
| - name: Run PKI healthcheck | |
| run: docker exec pki pki-healthcheck --failures-only | |
| - name: Verify OCSP admin | |
| run: | | |
| docker exec pki pki-server cert-export ca_signing --cert-file ca_signing.crt | |
| docker exec pki pki client-cert-import ca_signing --ca-cert ca_signing.crt | |
| docker exec pki pki client-cert-import \ | |
| --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \ | |
| --pkcs12-password-file /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf | |
| docker exec pki pki -n caadmin ocsp-user-show ocspadmin | |
| - name: Gather artifacts | |
| if: always() | |
| run: | | |
| tests/bin/ds-artifacts-save.sh pki | |
| tests/bin/pki-artifacts-save.sh pki | |
| - name: Remove OCSP | |
| run: docker exec pki pkidestroy -i pki-tomcat -s OCSP -v | |
| - name: Remove CA | |
| run: docker exec pki pkidestroy -i pki-tomcat -s CA -v | |
| - name: Remove DS | |
| run: docker exec pki ${PKIDIR}/tests/bin/ds-remove.sh | |
| - name: Upload artifacts | |
| if: always() | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: ocsp | |
| path: | | |
| /tmp/artifacts/pki | |
| ocsp-separate-test: | |
| name: Testing OCSP on separate instance | |
| needs: [init, build] | |
| runs-on: ubuntu-latest | |
| env: | |
| PKIDIR: /tmp/workdir/pki | |
| steps: | |
| - name: Clone repository | |
| uses: actions/checkout@v3 | |
| - name: Retrieve pki-runner image | |
| uses: actions/cache@v3 | |
| with: | |
| key: pki-runner-${{ github.sha }} | |
| path: pki-runner.tar | |
| - name: Load runner image | |
| run: docker load --input pki-runner.tar | |
| - name: Create network | |
| run: docker network create example | |
| - name: Setup CA container | |
| run: | | |
| IMAGE=pki-runner \ | |
| NAME=ca \ | |
| HOSTNAME=ca.example.com \ | |
| tests/bin/runner-init.sh | |
| - name: Connect CA container to network | |
| run: docker network connect example ca --alias ca.example.com | |
| - name: Install dependencies in CA container | |
| run: docker exec ca dnf install -y 389-ds-base | |
| - name: Install DS in CA container | |
| run: docker exec ca ${PKIDIR}/tests/bin/ds-create.sh | |
| - name: Install CA in CA container | |
| run: docker exec ca pkispawn -f /usr/share/pki/server/examples/installation/ca.cfg -s CA -v | |
| - name: Install banner in CA container | |
| run: docker exec ca cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat | |
| - name: Setup OCSP container | |
| run: | | |
| IMAGE=pki-runner \ | |
| NAME=ocsp \ | |
| HOSTNAME=ocsp.example.com \ | |
| tests/bin/runner-init.sh | |
| - name: Connect OCSP container to network | |
| run: docker network connect example ocsp --alias ocsp.example.com | |
| - name: Install dependencies in OCSP container | |
| run: docker exec ocsp dnf install -y 389-ds-base | |
| - name: Install DS in OCSP container | |
| run: docker exec ocsp ${PKIDIR}/tests/bin/ds-create.sh | |
| - name: Install OCSP in OCSP container | |
| run: | | |
| docker exec ca pki-server cert-export ca_signing --cert-file ${PKIDIR}/ca_signing.crt | |
| docker exec ca cp /root/.dogtag/pki-tomcat/ca_admin.cert ${PKIDIR}/ca_admin.cert | |
| docker exec ocsp cp ${PKIDIR}/ca_signing.crt . | |
| docker exec ocsp cp ${PKIDIR}/ca_admin.cert . | |
| docker exec ocsp pkispawn -f /usr/share/pki/server/examples/installation/ocsp-separate.cfg -s OCSP -v | |
| - name: Install banner in OCSP container | |
| run: docker exec ocsp cp /usr/share/pki/server/examples/banner/banner.txt /etc/pki/pki-tomcat | |
| - name: Run PKI healthcheck | |
| run: docker exec ocsp pki-healthcheck --debug | |
| - name: Verify OCSP admin | |
| run: | | |
| docker exec ca cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 ${PKIDIR}/ca_admin_cert.p12 | |
| docker exec ca cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ${PKIDIR}/pkcs12_password.conf | |
| docker exec ocsp pki client-cert-import ca_signing --ca-cert ca_signing.crt | |
| docker exec ocsp pki client-cert-import \ | |
| --pkcs12 ${PKIDIR}/ca_admin_cert.p12 \ | |
| --pkcs12-password-file ${PKIDIR}/pkcs12_password.conf | |
| docker exec ocsp pki -n caadmin --ignore-banner ocsp-user-show ocspadmin | |
| - name: Gather artifacts from CA container | |
| if: always() | |
| run: | | |
| tests/bin/ds-artifacts-save.sh ca | |
| tests/bin/pki-artifacts-save.sh ca | |
| - name: Gather artifacts from OCSP container | |
| if: always() | |
| run: | | |
| tests/bin/ds-artifacts-save.sh ocsp | |
| tests/bin/pki-artifacts-save.sh ocsp | |
| - name: Remove OCSP from OCSP container | |
| run: docker exec ocsp pkidestroy -i pki-tomcat -s OCSP -v | |
| - name: Remove DS from OCSP container | |
| run: docker exec ocsp ${PKIDIR}/tests/bin/ds-remove.sh | |
| - name: Disconnect OCSP container from network | |
| run: docker network disconnect example ocsp | |
| - name: Remove CA from CA container | |
| run: docker exec ca pkidestroy -i pki-tomcat -s CA -v | |
| - name: Remove DS from CA container | |
| run: docker exec ca ${PKIDIR}/tests/bin/ds-remove.sh | |
| - name: Disconnect CA container from network | |
| run: docker network disconnect example ca | |
| - name: Remove network | |
| run: docker network rm example | |
| - name: Upload artifacts from CA container | |
| if: always() | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: ocsp-separate-ca | |
| path: | | |
| /tmp/artifacts/ca | |
| - name: Upload artifacts from OCSP container | |
| if: always() | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: ocsp-separate-ocsp | |
| path: | | |
| /tmp/artifacts/ocsp | |
| # docs/installation/ocsp/Installing_OCSP_with_External_Certificates.md | |
| ocsp-external-certs-test: | |
| name: Testing OCSP with external certificates | |
| needs: [init, build] | |
| runs-on: ubuntu-latest | |
| env: | |
| PKIDIR: /tmp/workdir/pki | |
| steps: | |
| - name: Clone repository | |
| uses: actions/checkout@v3 | |
| - name: Retrieve pki-runner image | |
| uses: actions/cache@v3 | |
| with: | |
| key: pki-runner-${{ github.sha }} | |
| path: pki-runner.tar | |
| - name: Load runner image | |
| run: docker load --input pki-runner.tar | |
| - name: Create network | |
| run: docker network create example | |
| - name: Setup CA container | |
| run: | | |
| IMAGE=pki-runner \ | |
| NAME=ca \ | |
| HOSTNAME=ca.example.com \ | |
| tests/bin/runner-init.sh | |
| - name: Connect CA container to network | |
| run: docker network connect example ca --alias ca.example.com | |
| - name: Install dependencies in CA container | |
| run: docker exec ca dnf install -y 389-ds-base | |
| - name: Install DS in CA container | |
| run: docker exec ca ${PKIDIR}/tests/bin/ds-create.sh | |
| - name: Install CA in CA container | |
| run: docker exec ca pkispawn -f /usr/share/pki/server/examples/installation/ca.cfg -s CA -v | |
| - name: Initialize CA admin in CA container | |
| run: | | |
| docker exec ca pki-server cert-export ca_signing --cert-file ${PKIDIR}/ca_signing.crt | |
| docker exec ca pki client-cert-import ca_signing --ca-cert ${PKIDIR}/ca_signing.crt | |
| docker exec ca pki client-cert-import \ | |
| --pkcs12 /root/.dogtag/pki-tomcat/ca_admin_cert.p12 \ | |
| --pkcs12-password-file /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf | |
| - name: Setup OCSP container | |
| run: | | |
| IMAGE=pki-runner \ | |
| NAME=ocsp \ | |
| HOSTNAME=ocsp.example.com \ | |
| tests/bin/runner-init.sh | |
| - name: Connect OCSP container to network | |
| run: docker network connect example ocsp --alias ocsp.example.com | |
| - name: Install dependencies in OCSP container | |
| run: docker exec ocsp dnf install -y 389-ds-base | |
| - name: Install DS in OCSP container | |
| run: docker exec ocsp ${PKIDIR}/tests/bin/ds-create.sh | |
| - name: Install OCSP in OCSP container (step 1) | |
| run: | | |
| docker exec ocsp cp ${PKIDIR}/ca_signing.crt . | |
| docker exec ocsp pkispawn -f /usr/share/pki/server/examples/installation/ocsp-external-certs-step1.cfg -s OCSP -v | |
| - name: Issue OCSP signing cert | |
| run: | | |
| docker exec ocsp cp ocsp_signing.csr ${PKIDIR}/ocsp_signing.csr | |
| docker exec ca bash -c "pki ca-cert-request-submit --profile caOCSPCert --csr-file ${PKIDIR}/ocsp_signing.csr | sed -n 's/Request ID: *\(.*\)/\1/p' > ${PKIDIR}/ocsp_signing.reqid" | |
| docker exec ca bash -c "pki -n caadmin ca-cert-request-approve `cat ocsp_signing.reqid` --force | sed -n 's/Certificate ID: *\(.*\)/\1/p' > ${PKIDIR}/ocsp_signing.certid" | |
| docker exec ca bash -c "pki ca-cert-export `cat ocsp_signing.certid` --output-file ${PKIDIR}/ocsp_signing.crt" | |
| docker exec ocsp cp ${PKIDIR}/ocsp_signing.crt ocsp_signing.crt | |
| - name: Issue subsystem cert | |
| run: | | |
| docker exec ocsp cp subsystem.csr ${PKIDIR}/subsystem.csr | |
| docker exec ca bash -c "pki ca-cert-request-submit --profile caSubsystemCert --csr-file ${PKIDIR}/subsystem.csr | sed -n 's/Request ID: *\(.*\)/\1/p' > ${PKIDIR}/subsystem.reqid" | |
| docker exec ca bash -c "pki -n caadmin ca-cert-request-approve `cat subsystem.reqid` --force | sed -n 's/Certificate ID: *\(.*\)/\1/p' > ${PKIDIR}/subsystem.certid" | |
| docker exec ca bash -c "pki ca-cert-export `cat subsystem.certid` --output-file ${PKIDIR}/subsystem.crt" | |
| docker exec ocsp cp ${PKIDIR}/subsystem.crt subsystem.crt | |
| - name: Issue SSL server cert | |
| run: | | |
| docker exec ocsp cp sslserver.csr ${PKIDIR}/sslserver.csr | |
| docker exec ca bash -c "pki ca-cert-request-submit --profile caServerCert --csr-file ${PKIDIR}/sslserver.csr | sed -n 's/Request ID: *\(.*\)/\1/p' > ${PKIDIR}/sslserver.reqid" | |
| docker exec ca bash -c "pki -n caadmin ca-cert-request-approve `cat sslserver.reqid` --force | sed -n 's/Certificate ID: *\(.*\)/\1/p' > ${PKIDIR}/sslserver.certid" | |
| docker exec ca bash -c "pki ca-cert-export `cat sslserver.certid` --output-file ${PKIDIR}/sslserver.crt" | |
| docker exec ocsp cp ${PKIDIR}/sslserver.crt sslserver.crt | |
| - name: Issue OCSP audit signing cert | |
| run: | | |
| docker exec ocsp cp ocsp_audit_signing.csr ${PKIDIR}/ocsp_audit_signing.csr | |
| docker exec ca bash -c "pki ca-cert-request-submit --profile caAuditSigningCert --csr-file ${PKIDIR}/ocsp_audit_signing.csr | sed -n 's/Request ID: *\(.*\)/\1/p' > ${PKIDIR}/ocsp_audit_signing.reqid" | |
| docker exec ca bash -c "pki -n caadmin ca-cert-request-approve `cat ocsp_audit_signing.reqid` --force | sed -n 's/Certificate ID: *\(.*\)/\1/p' > ${PKIDIR}/ocsp_audit_signing.certid" | |
| docker exec ca bash -c "pki ca-cert-export `cat ocsp_audit_signing.certid` --output-file ${PKIDIR}/ocsp_audit_signing.crt" | |
| docker exec ocsp cp ${PKIDIR}/ocsp_audit_signing.crt ocsp_audit_signing.crt | |
| - name: Issue OCSP admin cert | |
| run: | | |
| docker exec ocsp cp ocsp_admin.csr ${PKIDIR}/ocsp_admin.csr | |
| docker exec ca bash -c "pki ca-cert-request-submit --profile caUserCert --csr-file ${PKIDIR}/ocsp_admin.csr --subject uid=ocspadmin | sed -n 's/Request ID: *\(.*\)/\1/p' > ${PKIDIR}/ocsp_admin.reqid" | |
| docker exec ca bash -c "pki -n caadmin ca-cert-request-approve `cat ocsp_admin.reqid` --force | sed -n 's/Certificate ID: *\(.*\)/\1/p' > ${PKIDIR}/ocsp_admin.certid" | |
| docker exec ca bash -c "pki ca-cert-export `cat ocsp_admin.certid` --output-file ${PKIDIR}/ocsp_admin.crt" | |
| docker exec ocsp cp ${PKIDIR}/ocsp_admin.crt ocsp_admin.crt | |
| - name: Install OCSP in OCSP container (step 2) | |
| run: | | |
| docker exec ocsp pkispawn -f /usr/share/pki/server/examples/installation/ocsp-external-certs-step2.cfg -s OCSP -v | |
| - name: Run PKI healthcheck | |
| run: docker exec ocsp pki-healthcheck --failures-only | |
| - name: Verify OCSP admin | |
| run: | | |
| docker exec ocsp pki client-cert-import ca_signing --ca-cert ca_signing.crt | |
| docker exec ocsp pki client-cert-import \ | |
| --pkcs12 /root/.dogtag/pki-tomcat/ocsp_admin_cert.p12 \ | |
| --pkcs12-password-file /root/.dogtag/pki-tomcat/ocsp/pkcs12_password.conf | |
| docker exec ocsp pki -n ocspadmin ocsp-user-show ocspadmin | |
| - name: Gather artifacts from CA container | |
| if: always() | |
| run: | | |
| tests/bin/ds-artifacts-save.sh ca | |
| tests/bin/pki-artifacts-save.sh ca | |
| - name: Gather artifacts from OCSP container | |
| if: always() | |
| run: | | |
| tests/bin/ds-artifacts-save.sh ocsp | |
| tests/bin/pki-artifacts-save.sh ocsp | |
| - name: Remove OCSP from OCSP container | |
| run: docker exec ocsp pkidestroy -i pki-tomcat -s OCSP -v | |
| - name: Remove DS from OCSP container | |
| run: docker exec ocsp ${PKIDIR}/tests/bin/ds-remove.sh | |
| - name: Disconnect OCSP container from network | |
| run: docker network disconnect example ocsp | |
| - name: Remove CA from CA container | |
| run: docker exec ca pkidestroy -i pki-tomcat -s CA -v | |
| - name: Remove DS from CA container | |
| run: docker exec ca ${PKIDIR}/tests/bin/ds-remove.sh | |
| - name: Disconnect CA container from network | |
| run: docker network disconnect example ca | |
| - name: Remove network | |
| run: docker network rm example | |
| - name: Upload artifacts from CA container | |
| if: always() | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: ocsp-external-certs-ca | |
| path: | | |
| /tmp/artifacts/ca | |
| - name: Upload artifacts from OCSP container | |
| if: always() | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: ocsp-external-certs-ocsp | |
| path: | | |
| /tmp/artifacts/ocsp | |
| # docs/installation/ocsp/Installing_OCSP_Clone.md | |
| ocsp-clone-test: | |
| name: Testing OCSP clone | |
| needs: [init, build] | |
| runs-on: ubuntu-latest | |
| env: | |
| PKIDIR: /tmp/workdir/pki | |
| steps: | |
| - name: Clone repository | |
| uses: actions/checkout@v3 | |
| - name: Retrieve pki-runner image | |
| uses: actions/cache@v3 | |
| with: | |
| key: pki-runner-${{ github.sha }} | |
| path: pki-runner.tar | |
| - name: Load runner image | |
| run: docker load --input pki-runner.tar | |
| - name: Create network | |
| run: docker network create example | |
| - name: Run primary container | |
| run: | | |
| IMAGE=pki-runner \ | |
| NAME=primary \ | |
| HOSTNAME=primary.example.com \ | |
| tests/bin/runner-init.sh | |
| - name: Connect primary container to network | |
| run: docker network connect example primary --alias primary.example.com | |
| - name: Install dependencies in primary container | |
| run: docker exec primary dnf install -y 389-ds-base | |
| - name: Install DS in primary container | |
| run: docker exec primary ${PKIDIR}/tests/bin/ds-create.sh | |
| - name: Install primary CA in primary container | |
| run: docker exec primary pkispawn -f /usr/share/pki/server/examples/installation/ca.cfg -s CA -v | |
| - name: Install primary OCSP in primary container | |
| run: docker exec primary pkispawn -f /usr/share/pki/server/examples/installation/ocsp.cfg -s OCSP -v | |
| - name: Setup secondary container | |
| run: | | |
| IMAGE=pki-runner \ | |
| NAME=secondary \ | |
| HOSTNAME=secondary.example.com \ | |
| tests/bin/runner-init.sh | |
| - name: Connect secondary container to network | |
| run: docker network connect example secondary --alias secondary.example.com | |
| - name: Install dependencies in secondary container | |
| run: docker exec secondary dnf install -y 389-ds-base | |
| - name: Install DS in secondary container | |
| run: docker exec secondary ${PKIDIR}/tests/bin/ds-create.sh | |
| - name: Install CA in secondary container | |
| run: | | |
| docker exec primary pki-server cert-export ca_signing --cert-file ${PKIDIR}/ca_signing.crt | |
| docker exec primary pki-server ca-clone-prepare --pkcs12-file ${PKIDIR}/ca-certs.p12 --pkcs12-password Secret.123 | |
| docker exec secondary cp ${PKIDIR}/ca_signing.crt . | |
| docker exec secondary cp ${PKIDIR}/ca-certs.p12 . | |
| docker exec secondary pkispawn -f /usr/share/pki/server/examples/installation/ca-clone.cfg -s CA -v | |
| - name: Install OCSP in secondary container | |
| run: | | |
| docker exec primary pki-server ocsp-clone-prepare --pkcs12-file ${PKIDIR}/ocsp-certs.p12 --pkcs12-password Secret.123 | |
| docker exec secondary cp ${PKIDIR}/ocsp-certs.p12 . | |
| docker exec secondary pkispawn -f /usr/share/pki/server/examples/installation/ocsp-clone.cfg -s OCSP -v | |
| - name: Verify OCSP admin in secondary container | |
| run: | | |
| docker exec primary cp /root/.dogtag/pki-tomcat/ca_admin_cert.p12 ${PKIDIR}/ca_admin_cert.p12 | |
| docker exec primary cp /root/.dogtag/pki-tomcat/ca/pkcs12_password.conf ${PKIDIR}/pkcs12_password.conf | |
| docker exec secondary pki client-cert-import ca_signing --ca-cert ca_signing.crt | |
| docker exec secondary pki client-cert-import \ | |
| --pkcs12 ${PKIDIR}/ca_admin_cert.p12 \ | |
| --pkcs12-password-file ${PKIDIR}/pkcs12_password.conf | |
| docker exec secondary pki -n caadmin ocsp-user-show ocspadmin | |
| - name: Setup tertiary container | |
| run: | | |
| IMAGE=pki-runner \ | |
| NAME=tertiary \ | |
| HOSTNAME=tertiary.example.com \ | |
| tests/bin/runner-init.sh | |
| - name: Connect tertiary container to network | |
| run: docker network connect example tertiary --alias tertiary.example.com | |
| - name: Install dependencies in tertiary container | |
| run: docker exec tertiary dnf install -y 389-ds-base | |
| - name: Install DS in tertiary container | |
| run: docker exec tertiary ${PKIDIR}/tests/bin/ds-create.sh | |
| - name: Install CA in tertiary container | |
| run: | | |
| docker exec secondary pki-server cert-export ca_signing --cert-file ${PKIDIR}/ca_signing.crt | |
| docker exec secondary pki-server ca-clone-prepare --pkcs12-file ${PKIDIR}/ca-certs.p12 --pkcs12-password Secret.123 | |
| docker exec tertiary cp ${PKIDIR}/ca_signing.crt . | |
| docker exec tertiary cp ${PKIDIR}/ca-certs.p12 . | |
| docker exec tertiary pkispawn -f /usr/share/pki/server/examples/installation/ca-clone-of-clone.cfg -s CA -v | |
| - name: Install OCSP in tertiary container | |
| run: | | |
| docker exec secondary pki-server ocsp-clone-prepare --pkcs12-file ${PKIDIR}/ocsp-certs.p12 --pkcs12-password Secret.123 | |
| docker exec tertiary cp ${PKIDIR}/ocsp-certs.p12 . | |
| docker exec tertiary pkispawn -f /usr/share/pki/server/examples/installation/ocsp-clone-of-clone.cfg -s OCSP -v | |
| - name: Verify OCSP admin in tertiary container | |
| run: | | |
| docker exec tertiary pki client-cert-import ca_signing --ca-cert ca_signing.crt | |
| docker exec tertiary pki client-cert-import \ | |
| --pkcs12 ${PKIDIR}/ca_admin_cert.p12 \ | |
| --pkcs12-password-file ${PKIDIR}/pkcs12_password.conf | |
| docker exec tertiary pki -n caadmin ocsp-user-show ocspadmin | |
| - name: Gather artifacts from primary container | |
| if: always() | |
| run: | | |
| tests/bin/ds-artifacts-save.sh primary | |
| tests/bin/pki-artifacts-save.sh primary | |
| - name: Gather artifacts from secondary container | |
| if: always() | |
| run: | | |
| tests/bin/ds-artifacts-save.sh secondary | |
| tests/bin/pki-artifacts-save.sh secondary | |
| - name: Gather artifacts from tertiary container | |
| if: always() | |
| run: | | |
| tests/bin/ds-artifacts-save.sh tertiary | |
| tests/bin/pki-artifacts-save.sh tertiary | |
| - name: Remove OCSP from tertiary container | |
| run: docker exec tertiary pkidestroy -i pki-tomcat -s OCSP -v | |
| - name: Remove CA from tertiary container | |
| run: docker exec tertiary pkidestroy -i pki-tomcat -s CA -v | |
| - name: Remove DS from tertiary container | |
| run: docker exec tertiary ${PKIDIR}/tests/bin/ds-remove.sh | |
| - name: Disconnect tertiary container from network | |
| run: docker network disconnect example tertiary | |
| - name: Remove OCSP from secondary container | |
| run: docker exec secondary pkidestroy -i pki-tomcat -s OCSP -v | |
| - name: Remove CA from secondary container | |
| run: docker exec secondary pkidestroy -i pki-tomcat -s CA -v | |
| - name: Remove DS from secondary container | |
| run: docker exec secondary ${PKIDIR}/tests/bin/ds-remove.sh | |
| - name: Disconnect secondary container from network | |
| run: docker network disconnect example secondary | |
| - name: Remove OCSP from primary container | |
| run: docker exec primary pkidestroy -i pki-tomcat -s OCSP -v | |
| - name: Remove CA from primary container | |
| run: docker exec primary pkidestroy -i pki-tomcat -s CA -v | |
| - name: Remove DS from primary container | |
| run: docker exec primary ${PKIDIR}/tests/bin/ds-remove.sh | |
| - name: Disconnect primary container from network | |
| run: docker network disconnect example primary | |
| - name: Remove network | |
| run: docker network rm example | |
| - name: Upload artifacts from primary container | |
| if: always() | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: ocsp-clone-primary | |
| path: | | |
| /tmp/artifacts/primary | |
| - name: Upload artifacts from secondary container | |
| if: always() | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: ocsp-clone-secondary | |
| path: | | |
| /tmp/artifacts/secondary | |
| - name: Upload artifacts from tertiary container | |
| if: always() | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: ocsp-clone-tertiary | |
| path: | | |
| /tmp/artifacts/tertiary | |
| ocsp-standalone-test: | |
| name: Testing standalone OCSP | |
| needs: [init, build] | |
| runs-on: ubuntu-latest | |
| env: | |
| PKIDIR: /tmp/workdir/pki | |
| steps: | |
| - name: Clone repository | |
| uses: actions/checkout@v3 | |
| - name: Retrieve pki-runner image | |
| uses: actions/cache@v3 | |
| with: | |
| key: pki-runner-${{ github.sha }} | |
| path: pki-runner.tar | |
| - name: Load runner image | |
| run: docker load --input pki-runner.tar | |
| - name: Run container | |
| run: | | |
| IMAGE=pki-runner \ | |
| NAME=pki \ | |
| HOSTNAME=pki.example.com \ | |
| tests/bin/runner-init.sh | |
| - name: Install dependencies | |
| run: docker exec pki dnf install -y 389-ds-base | |
| - name: Install DS | |
| run: docker exec pki ${PKIDIR}/tests/bin/ds-create.sh | |
| - name: Create CA signing cert | |
| run: | | |
| docker exec pki pki -d nssdb nss-cert-request \ | |
| --subject "CN=CA Signing Certificate" \ | |
| --ext /usr/share/pki/server/certs/ca_signing.conf \ | |
| --csr ca_signing.csr | |
| docker exec pki pki -d nssdb nss-cert-issue \ | |
| --csr ca_signing.csr \ | |
| --ext /usr/share/pki/server/certs/ca_signing.conf \ | |
| --serial 1 \ | |
| --cert ca_signing.crt | |
| docker exec pki pki -d nssdb nss-cert-import \ | |
| --cert ca_signing.crt \ | |
| --trust CT,C,C \ | |
| ca_signing | |
| - name: Install OCSP (step 1) | |
| run: | | |
| docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/ocsp-standalone-step1.cfg -s OCSP -v | |
| - name: Issue OCSP signing cert | |
| run: | | |
| docker exec pki pki -d nssdb nss-cert-issue \ | |
| --issuer ca_signing \ | |
| --csr ocsp_signing.csr \ | |
| --ext /usr/share/pki/server/certs/ocsp_signing.conf \ | |
| --serial 2 \ | |
| --cert ocsp_signing.crt | |
| - name: Issue subsystem cert | |
| run: | | |
| docker exec pki pki -d nssdb nss-cert-issue \ | |
| --issuer ca_signing \ | |
| --csr subsystem.csr \ | |
| --ext /usr/share/pki/server/certs/subsystem.conf \ | |
| --serial 3 \ | |
| --cert subsystem.crt | |
| - name: Issue SSL server cert | |
| run: | | |
| docker exec pki pki -d nssdb nss-cert-issue \ | |
| --issuer ca_signing \ | |
| --csr sslserver.csr \ | |
| --ext /usr/share/pki/server/certs/sslserver.conf \ | |
| --serial 4 \ | |
| --cert sslserver.crt | |
| - name: Issue OCSP audit signing cert | |
| run: | | |
| docker exec pki pki -d nssdb nss-cert-issue \ | |
| --issuer ca_signing \ | |
| --csr ocsp_audit_signing.csr \ | |
| --ext /usr/share/pki/server/certs/audit_signing.conf \ | |
| --serial 5 \ | |
| --cert ocsp_audit_signing.crt | |
| - name: Issue OCSP admin cert | |
| run: | | |
| docker exec pki pki -d nssdb nss-cert-issue \ | |
| --issuer ca_signing \ | |
| --csr ocsp_admin.csr \ | |
| --ext /usr/share/pki/server/certs/admin.conf \ | |
| --serial 6 \ | |
| --cert ocsp_admin.crt | |
| - name: Install OCSP (step 2) | |
| run: | | |
| docker exec pki pkispawn -f /usr/share/pki/server/examples/installation/ocsp-standalone-step2.cfg -s OCSP -v | |
| # TODO: Fix DogtagOCSPConnectivityCheck to work without CA | |
| # - name: Run PKI healthcheck | |
| # run: docker exec pki pki-healthcheck --failures-only | |
| - name: Verify admin user | |
| run: | | |
| docker exec pki pki client-cert-import ca_signing --ca-cert ca_signing.crt | |
| docker exec pki pki client-cert-import \ | |
| --pkcs12 /root/.dogtag/pki-tomcat/ocsp_admin_cert.p12 \ | |
| --pkcs12-password-file /root/.dogtag/pki-tomcat/ocsp/pkcs12_password.conf | |
| docker exec pki pki -n ocspadmin ocsp-user-show ocspadmin | |
| - name: Gather artifacts | |
| if: always() | |
| run: | | |
| tests/bin/ds-artifacts-save.sh pki | |
| tests/bin/pki-artifacts-save.sh pki | |
| - name: Remove OCSP | |
| run: docker exec pki pkidestroy -i pki-tomcat -s OCSP -v | |
| - name: Remove DS | |
| run: docker exec pki ${PKIDIR}/tests/bin/ds-remove.sh | |
| - name: Upload artifacts | |
| if: always() | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: ocsp-standalone | |
| path: | | |
| /tmp/artifacts/pki |