New acme_* integration test using ACME test docker container (#41626)

* Using ACME test container for acme_account integration test. * Removing dependency on setup_openssl. Waiting for controller and Pebble. * More tinkering. * Reducing number of tries. * One more try. * Another try. * Added acme_certificate tests. * Removed double key. * Added tests for acme_certificate_revoke. * Making task names more meaningful (during certificate generation). * Using newer test container which integrates letsencrypt/pebble#137. Adding test for revoking certificate by its private key. * Using new version of Pebble which limits the random auth delay. * Simplifying certificates for revocation tests. * Reworking acme_certificate tests (there are now more, but they are faster). * Test whether account_key_content works. * Preparing TLS-ALPN-01 support. * Using official Ansible image of testing container on quay.io. * Bumping version. * Bumping version of test container to 1.1.0. * Adjusting to new CI group names. * Pass ACME simulator IP as playbook variable. * Let test plugin wait for controller and CA endpoints to become active. * Refactor common setup parts of tests to setup_acme. * _ -> dummy * Moving common obtain-cert.yml to setup_acme.
2026-05-08 06:12:51 +00:00 · 2018-07-30 20:10:17 +02:00
parent c809500c79
commit d4c16f51be
17 changed files with 863 additions and 48 deletions
--- a/test/integration/targets/setup_acme/tasks/main.yml
+++ b/test/integration/targets/setup_acme/tasks/main.yml
@@ -0,0 +1,10 @@
+---
+- name: register openssl version
+  shell: "openssl version | cut -d' ' -f2"
+  register: openssl_version
+
+- name: register cryptography version
+  command: python -c 'import cryptography; print(cryptography.__version__)'
+  register: cryptography_version
+
+- debug: msg="ACME test container IP is {{ acme_host }}; OpenSSL version is {{ openssl_version.stdout }}; cryptography version is {{ cryptography_version.stdout }}"
--- a/test/integration/targets/setup_acme/tasks/obtain-cert.yml
+++ b/test/integration/targets/setup_acme/tasks/obtain-cert.yml
@@ -0,0 +1,153 @@
+---
+## PRIVATE KEY ################################################################################
+- name: ({{ certgen_title }}) Create cert private key (RSA)
+  command: "openssl genrsa -out {{ output_dir }}/{{ certificate_name }}.key {{ rsa_bits if key_type == 'rsa' else 2048 }}"
+  when: "key_type == 'rsa'"
+- name: ({{ certgen_title }}) Create cert private key (ECC 256)
+  command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/{{ certificate_name }}.key
+  when: "key_type == 'ec256'"
+- name: ({{ certgen_title }}) Create cert private key (ECC 384)
+  command: openssl ecparam -name secp384r1 -genkey -out {{ output_dir }}/{{ certificate_name }}.key
+  when: "key_type == 'ec384'"
+- name: ({{ certgen_title }}) Create cert private key (ECC 512)
+  command: openssl ecparam -name secp521r1 -genkey -out {{ output_dir }}/{{ certificate_name }}.key
+  when: "key_type == 'ec521'"
+## CSR ########################################################################################
+- name: ({{ certgen_title }}) Create cert CSR
+  openssl_csr:
+    path: "{{ output_dir }}/{{ certificate_name }}.csr"
+    privatekey_path: "{{ output_dir }}/{{ certificate_name }}.key"
+    subject_alt_name: "{{ subject_alt_name }}"
+    subject_alt_name_critical: "{{ subject_alt_name_critical }}"
+## ACME STEP 1 ################################################################################
+- name: ({{ certgen_title }}) Obtain cert, step 1
+  acme_certificate:
+    acme_version: 2
+    acme_directory: https://{{ acme_host }}:14000/dir
+    validate_certs: no
+    account_key: "{{ output_dir }}/{{ account_key }}.pem"
+    modify_account: "{{ modify_account }}"
+    csr: "{{ output_dir }}/{{ certificate_name }}.csr"
+    dest: "{{ output_dir }}/{{ certificate_name }}.pem"
+    fullchain_dest: "{{ output_dir }}/{{ certificate_name }}-fullchain.pem"
+    chain_dest: "{{ output_dir }}/{{ certificate_name }}-chain.pem"
+    challenge: "{{ challenge }}"
+    deactivate_authzs: "{{ deactivate_authzs }}"
+    force: "{{ force }}"
+    remaining_days: "{{ remaining_days }}"
+    terms_agreed: "{{ terms_agreed }}"
+    account_email: "{{ account_email }}"
+  register: challenge_data
+  when: account_key_content is not defined
+- name: ({{ certgen_title }}) Obtain cert, step 1 (using account key data)
+  acme_certificate:
+    acme_version: 2
+    acme_directory: https://{{ acme_host }}:14000/dir
+    validate_certs: no
+    account_key_content: "{{ account_key_content }}"
+    modify_account: "{{ modify_account }}"
+    csr: "{{ output_dir }}/{{ certificate_name }}.csr"
+    dest: "{{ output_dir }}/{{ certificate_name }}.pem"
+    fullchain_dest: "{{ output_dir }}/{{ certificate_name }}-fullchain.pem"
+    chain_dest: "{{ output_dir }}/{{ certificate_name }}-chain.pem"
+    challenge: "{{ challenge }}"
+    deactivate_authzs: "{{ deactivate_authzs }}"
+    force: "{{ force }}"
+    remaining_days: "{{ remaining_days }}"
+    terms_agreed: "{{ terms_agreed }}"
+    account_email: "{{ account_email }}"
+  register: challenge_data_content
+  when: account_key_content is defined
+- name: ({{ certgen_title }}) Copy challenge data (when using account key data)
+  set_fact:
+    challenge_data: "{{ challenge_data_content }}"
+  when: account_key_content is defined
+- name: ({{ certgen_title }}) Print challenge data
+  debug:
+    var: challenge_data
+- name: ({{ certgen_title }}) Create HTTP challenges
+  uri:
+    url: "http://{{ acme_host }}:5000/http/{{ item.key }}/{{ item.value['http-01'].resource[('.well-known/acme-challenge/'|length):] }}"
+    method: PUT
+    body_format: raw
+    body: "{{ item.value['http-01'].resource_value }}"
+    headers:
+      content-type: "application/octet-stream"
+  with_dict: "{{ challenge_data.challenge_data }}"
+  when: "challenge_data is changed and challenge == 'http-01'"
+- name: ({{ certgen_title }}) Create DNS challenges
+  uri:
+    url: "http://{{ acme_host }}:5000/dns/{{ item.key }}"
+    method: PUT
+    body_format: json
+    body: "{{ item.value }}"
+  with_dict: "{{ challenge_data.challenge_data_dns }}"
+  when: "challenge_data is changed and challenge == 'dns-01'"
+- name: ({{ certgen_title }}) Create TLS ALPN challenges
+  uri:
+    url: "http://{{ acme_host }}:5000/tls-alpn/{{ item.value['tls-alpn-01'].resource }}"
+    method: PUT
+    body_format: raw
+    body: "{{ item.value['tls-alpn-01'].resource_value | b64encode }}"
+    headers:
+      content-type: "application/octet-stream"
+  with_dict: "{{ challenge_data.challenge_data }}"
+  when: "challenge_data is changed and challenge == 'tls-alpn-01'"
+## ACME STEP 2 ################################################################################
+- name: ({{ certgen_title }}) Obtain cert, step 2
+  acme_certificate:
+    acme_version: 2
+    acme_directory: https://{{ acme_host }}:14000/dir
+    validate_certs: no
+    account_key: "{{ output_dir }}/{{ account_key }}.pem"
+    modify_account: "{{ modify_account }}"
+    csr: "{{ output_dir }}/{{ certificate_name }}.csr"
+    dest: "{{ output_dir }}/{{ certificate_name }}.pem"
+    fullchain_dest: "{{ output_dir }}/{{ certificate_name }}-fullchain.pem"
+    chain_dest: "{{ output_dir }}/{{ certificate_name }}-chain.pem"
+    challenge: "{{ challenge }}"
+    deactivate_authzs: "{{ deactivate_authzs }}"
+    force: "{{ force }}"
+    remaining_days: "{{ remaining_days }}"
+    terms_agreed: "{{ terms_agreed }}"
+    account_email: "{{ account_email }}"
+    data: "{{ challenge_data }}"
+  when: challenge_data is changed and account_key_content is not defined
+- name: ({{ certgen_title }}) Obtain cert, step 2 (using account key data)
+  acme_certificate:
+    acme_version: 2
+    acme_directory: https://{{ acme_host }}:14000/dir
+    validate_certs: no
+    account_key_content: "{{ account_key_content }}"
+    modify_account: "{{ modify_account }}"
+    csr: "{{ output_dir }}/{{ certificate_name }}.csr"
+    dest: "{{ output_dir }}/{{ certificate_name }}.pem"
+    fullchain_dest: "{{ output_dir }}/{{ certificate_name }}-fullchain.pem"
+    chain_dest: "{{ output_dir }}/{{ certificate_name }}-chain.pem"
+    challenge: "{{ challenge }}"
+    deactivate_authzs: "{{ deactivate_authzs }}"
+    force: "{{ force }}"
+    remaining_days: "{{ remaining_days }}"
+    terms_agreed: "{{ terms_agreed }}"
+    account_email: "{{ account_email }}"
+    data: "{{ challenge_data }}"
+  when: challenge_data is changed and account_key_content is defined
+- name: ({{ certgen_title }}) Deleting HTTP challenges
+  uri:
+    url: "http://{{ acme_host }}:5000/http/{{ item.key }}/{{ item.value['http-01'].resource[('.well-known/acme-challenge/'|length):] }}"
+    method: DELETE
+  with_dict: "{{ challenge_data.challenge_data }}"
+  when: "challenge_data is changed and challenge == 'http-01'"
+- name: ({{ certgen_title }}) Deleting DNS challenges
+  uri:
+    url: "http://{{ acme_host }}:5000/dns/{{ item.key }}"
+    method: DELETE
+  with_dict: "{{ challenge_data.challenge_data_dns }}"
+  when: "challenge_data is changed and challenge == 'dns-01'"
+- name: ({{ certgen_title }}) Deleting TLS ALPN challenges
+  uri:
+    url: "http://{{ acme_host }}:5000/tls-alpn/{{ item.value['tls-alpn-01'].resource }}"
+    method: DELETE
+  with_dict: "{{ challenge_data.challenge_data }}"
+  when: "challenge_data is changed and challenge == 'tls-alpn-01'"
+###############################################################################################