mirror of
https://github.com/ansible-collections/community.general.git
synced 2024-09-14 20:13:21 +02:00
c50a75a41e
* Bump container version. * Use new URLs. * Add IP certificate tests. * Disable IPv6 IP from IP certificate. Background: in CI, the ACME test container apparently has no IPv6 support. Without IPv6 support, Pebble can't connect to validate, and thus validation fails.
294 lines
9.8 KiB
YAML
294 lines
9.8 KiB
YAML
---
|
|
## SET UP ACCOUNT KEYS ########################################################################
|
|
- name: Create ECC256 account key
|
|
command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/account-ec256.pem
|
|
- name: Create ECC384 account key
|
|
command: openssl ecparam -name secp384r1 -genkey -out {{ output_dir }}/account-ec384.pem
|
|
- name: Create RSA-2048 account key
|
|
command: openssl genrsa -out {{ output_dir }}/account-rsa2048.pem 2048
|
|
## SET UP ACCOUNTS ############################################################################
|
|
- name: Make sure ECC256 account hasn't been created yet
|
|
acme_account:
|
|
select_crypto_backend: "{{ select_crypto_backend }}"
|
|
acme_version: 2
|
|
acme_directory: https://{{ acme_host }}:14000/dir
|
|
validate_certs: no
|
|
account_key_src: "{{ output_dir }}/account-ec256.pem"
|
|
state: absent
|
|
- name: Create ECC384 account
|
|
acme_account:
|
|
select_crypto_backend: "{{ select_crypto_backend }}"
|
|
acme_version: 2
|
|
acme_directory: https://{{ acme_host }}:14000/dir
|
|
validate_certs: no
|
|
account_key_content: "{{ lookup('file', output_dir ~ '/account-ec384.pem') }}"
|
|
state: present
|
|
allow_creation: yes
|
|
terms_agreed: yes
|
|
contact:
|
|
- mailto:example@example.org
|
|
- mailto:example@example.com
|
|
- name: Create RSA-2048 account
|
|
acme_account:
|
|
select_crypto_backend: "{{ select_crypto_backend }}"
|
|
acme_version: 2
|
|
acme_directory: https://{{ acme_host }}:14000/dir
|
|
validate_certs: no
|
|
account_key_src: "{{ output_dir }}/account-rsa2048.pem"
|
|
state: present
|
|
allow_creation: yes
|
|
terms_agreed: yes
|
|
contact: []
|
|
## OBTAIN CERTIFICATES ########################################################################
|
|
- name: Obtain cert 1
|
|
include_tasks: obtain-cert.yml
|
|
vars:
|
|
certgen_title: Certificate 1
|
|
certificate_name: cert-1
|
|
key_type: rsa
|
|
rsa_bits: 2048
|
|
subject_alt_name: "DNS:example.com"
|
|
subject_alt_name_critical: no
|
|
account_key: account-ec256
|
|
challenge: http-01
|
|
modify_account: yes
|
|
deactivate_authzs: no
|
|
force: no
|
|
remaining_days: 10
|
|
terms_agreed: yes
|
|
account_email: "example@example.org"
|
|
- name: Obtain cert 2
|
|
include_tasks: obtain-cert.yml
|
|
vars:
|
|
certgen_title: Certificate 2
|
|
certificate_name: cert-2
|
|
key_type: ec256
|
|
subject_alt_name: "DNS:*.example.com,DNS:example.com"
|
|
subject_alt_name_critical: yes
|
|
account_key: account-ec384
|
|
challenge: dns-01
|
|
modify_account: no
|
|
deactivate_authzs: yes
|
|
force: no
|
|
remaining_days: 10
|
|
terms_agreed: no
|
|
account_email: ""
|
|
- name: Obtain cert 3
|
|
include_tasks: obtain-cert.yml
|
|
vars:
|
|
certgen_title: Certificate 3
|
|
certificate_name: cert-3
|
|
key_type: ec384
|
|
subject_alt_name: "DNS:*.example.com,DNS:example.org,DNS:t1.example.com"
|
|
subject_alt_name_critical: no
|
|
account_key_content: "{{ lookup('file', output_dir ~ '/account-rsa2048.pem') }}"
|
|
challenge: dns-01
|
|
modify_account: no
|
|
deactivate_authzs: no
|
|
force: no
|
|
remaining_days: 10
|
|
terms_agreed: no
|
|
account_email: ""
|
|
- name: Obtain cert 4
|
|
include_tasks: obtain-cert.yml
|
|
vars:
|
|
certgen_title: Certificate 4
|
|
certificate_name: cert-4
|
|
key_type: rsa
|
|
rsa_bits: 2048
|
|
subject_alt_name: "DNS:example.com,DNS:t1.example.com,DNS:test.t2.example.com,DNS:example.org,DNS:test.example.org"
|
|
subject_alt_name_critical: no
|
|
account_key: account-rsa2048
|
|
challenge: http-01
|
|
modify_account: no
|
|
deactivate_authzs: yes
|
|
force: yes
|
|
remaining_days: 10
|
|
terms_agreed: no
|
|
account_email: ""
|
|
- name: Obtain cert 5
|
|
include_tasks: obtain-cert.yml
|
|
vars:
|
|
certgen_title: Certificate 5, Iteration 1/4
|
|
certificate_name: cert-5
|
|
key_type: ec521
|
|
subject_alt_name: "DNS:t2.example.com"
|
|
subject_alt_name_critical: no
|
|
account_key: account-ec384
|
|
challenge: http-01
|
|
modify_account: no
|
|
deactivate_authzs: yes
|
|
force: yes
|
|
remaining_days: 10
|
|
terms_agreed: no
|
|
account_email: ""
|
|
- name: Obtain cert 5 (should not, since already there and valid for more than 10 days)
|
|
include_tasks: obtain-cert.yml
|
|
vars:
|
|
certgen_title: Certificate 5, Iteration 2/4
|
|
certificate_name: cert-5
|
|
key_type: ec521
|
|
subject_alt_name: "DNS:t2.example.com"
|
|
subject_alt_name_critical: no
|
|
account_key: account-ec384
|
|
challenge: http-01
|
|
modify_account: no
|
|
deactivate_authzs: yes
|
|
force: no
|
|
remaining_days: 10
|
|
terms_agreed: no
|
|
account_email: ""
|
|
- set_fact:
|
|
cert_5_recreate_1: "{{ challenge_data is changed }}"
|
|
- name: Obtain cert 5 (should again by less days)
|
|
include_tasks: obtain-cert.yml
|
|
vars:
|
|
certgen_title: Certificate 5, Iteration 3/4
|
|
certificate_name: cert-5
|
|
key_type: ec521
|
|
subject_alt_name: "DNS:t2.example.com"
|
|
subject_alt_name_critical: no
|
|
account_key: account-ec384
|
|
challenge: http-01
|
|
modify_account: no
|
|
deactivate_authzs: yes
|
|
force: yes
|
|
remaining_days: 1000
|
|
terms_agreed: no
|
|
account_email: ""
|
|
- set_fact:
|
|
cert_5_recreate_2: "{{ challenge_data is changed }}"
|
|
- name: Obtain cert 5 (should again by force)
|
|
include_tasks: obtain-cert.yml
|
|
vars:
|
|
certgen_title: Certificate 5, Iteration 4/4
|
|
certificate_name: cert-5
|
|
key_type: ec521
|
|
subject_alt_name: "DNS:t2.example.com"
|
|
subject_alt_name_critical: no
|
|
account_key_content: "{{ lookup('file', output_dir ~ '/account-ec384.pem') }}"
|
|
challenge: http-01
|
|
modify_account: no
|
|
deactivate_authzs: yes
|
|
force: yes
|
|
remaining_days: 10
|
|
terms_agreed: no
|
|
account_email: ""
|
|
- set_fact:
|
|
cert_5_recreate_3: "{{ challenge_data is changed }}"
|
|
- name: Obtain cert 6
|
|
include_tasks: obtain-cert.yml
|
|
vars:
|
|
certgen_title: Certificate 6
|
|
certificate_name: cert-6
|
|
key_type: rsa
|
|
rsa_bits: 2048
|
|
subject_alt_name: "DNS:example.org"
|
|
subject_alt_name_critical: no
|
|
account_key: account-ec256
|
|
challenge: tls-alpn-01
|
|
modify_account: yes
|
|
deactivate_authzs: no
|
|
force: no
|
|
remaining_days: 10
|
|
terms_agreed: yes
|
|
account_email: "example@example.org"
|
|
- name: Obtain cert 7
|
|
include_tasks: obtain-cert.yml
|
|
vars:
|
|
certgen_title: Certificate 7
|
|
certificate_name: cert-7
|
|
key_type: rsa
|
|
rsa_bits: 2048
|
|
subject_alt_name:
|
|
- "IP:127.0.0.1"
|
|
# - "IP:::1"
|
|
subject_alt_name_critical: no
|
|
account_key: account-ec256
|
|
challenge: http-01
|
|
modify_account: yes
|
|
deactivate_authzs: no
|
|
force: no
|
|
remaining_days: 10
|
|
terms_agreed: yes
|
|
account_email: "example@example.org"
|
|
- name: Obtain cert 8
|
|
include_tasks: obtain-cert.yml
|
|
vars:
|
|
certgen_title: Certificate 8
|
|
certificate_name: cert-8
|
|
key_type: rsa
|
|
rsa_bits: 2048
|
|
subject_alt_name:
|
|
- "IP:127.0.0.1"
|
|
# IPv4 only since our test validation server doesn't work
|
|
# with IPv6 (thanks to Python's socketserver).
|
|
subject_alt_name_critical: no
|
|
account_key: account-ec256
|
|
challenge: tls-alpn-01
|
|
challenge_alpn_tls: acme_challenge_cert_helper
|
|
modify_account: yes
|
|
deactivate_authzs: no
|
|
force: no
|
|
remaining_days: 10
|
|
terms_agreed: yes
|
|
account_email: "example@example.org"
|
|
## DISSECT CERTIFICATES #######################################################################
|
|
# Make sure certificates are valid. Root certificate for Pebble equals the chain certificate.
|
|
- name: Verifying cert 1
|
|
command: openssl verify -CAfile "{{ output_dir }}/cert-1-root.pem" -untrusted "{{ output_dir }}/cert-1-chain.pem" "{{ output_dir }}/cert-1.pem"
|
|
ignore_errors: yes
|
|
register: cert_1_valid
|
|
- name: Verifying cert 2
|
|
command: openssl verify -CAfile "{{ output_dir }}/cert-2-root.pem" -untrusted "{{ output_dir }}/cert-2-chain.pem" "{{ output_dir }}/cert-2.pem"
|
|
ignore_errors: yes
|
|
register: cert_2_valid
|
|
- name: Verifying cert 3
|
|
command: openssl verify -CAfile "{{ output_dir }}/cert-3-root.pem" -untrusted "{{ output_dir }}/cert-3-chain.pem" "{{ output_dir }}/cert-3.pem"
|
|
ignore_errors: yes
|
|
register: cert_3_valid
|
|
- name: Verifying cert 4
|
|
command: openssl verify -CAfile "{{ output_dir }}/cert-4-root.pem" -untrusted "{{ output_dir }}/cert-4-chain.pem" "{{ output_dir }}/cert-4.pem"
|
|
ignore_errors: yes
|
|
register: cert_4_valid
|
|
- name: Verifying cert 5
|
|
command: openssl verify -CAfile "{{ output_dir }}/cert-5-root.pem" -untrusted "{{ output_dir }}/cert-5-chain.pem" "{{ output_dir }}/cert-5.pem"
|
|
ignore_errors: yes
|
|
register: cert_5_valid
|
|
- name: Verifying cert 6
|
|
command: openssl verify -CAfile "{{ output_dir }}/cert-6-root.pem" -untrusted "{{ output_dir }}/cert-6-chain.pem" "{{ output_dir }}/cert-6.pem"
|
|
ignore_errors: yes
|
|
register: cert_6_valid
|
|
- name: Verifying cert 7
|
|
command: openssl verify -CAfile "{{ output_dir }}/cert-7-root.pem" -untrusted "{{ output_dir }}/cert-7-chain.pem" "{{ output_dir }}/cert-7.pem"
|
|
ignore_errors: yes
|
|
register: cert_7_valid
|
|
- name: Verifying cert 8
|
|
command: openssl verify -CAfile "{{ output_dir }}/cert-8-root.pem" -untrusted "{{ output_dir }}/cert-8-chain.pem" "{{ output_dir }}/cert-8.pem"
|
|
ignore_errors: yes
|
|
register: cert_8_valid
|
|
# Dump certificate info
|
|
- name: Dumping cert 1
|
|
command: openssl x509 -in "{{ output_dir }}/cert-1.pem" -noout -text
|
|
register: cert_1_text
|
|
- name: Dumping cert 2
|
|
command: openssl x509 -in "{{ output_dir }}/cert-2.pem" -noout -text
|
|
register: cert_2_text
|
|
- name: Dumping cert 3
|
|
command: openssl x509 -in "{{ output_dir }}/cert-3.pem" -noout -text
|
|
register: cert_3_text
|
|
- name: Dumping cert 4
|
|
command: openssl x509 -in "{{ output_dir }}/cert-4.pem" -noout -text
|
|
register: cert_4_text
|
|
- name: Dumping cert 5
|
|
command: openssl x509 -in "{{ output_dir }}/cert-5.pem" -noout -text
|
|
register: cert_5_text
|
|
- name: Dumping cert 6
|
|
command: openssl x509 -in "{{ output_dir }}/cert-6.pem" -noout -text
|
|
register: cert_6_text
|
|
- name: Dumping cert 7
|
|
command: openssl x509 -in "{{ output_dir }}/cert-7.pem" -noout -text
|
|
register: cert_7_text
|
|
- name: Dumping cert 8
|
|
command: openssl x509 -in "{{ output_dir }}/cert-8.pem" -noout -text
|
|
register: cert_8_text
|