Commit 85fb9958 authored by Adrien Dorsaz's avatar Adrien Dorsaz

gitlab-ci uses pebble server instead of Let's Encrypt staging

pebble is a Let's Encrypt project providing a simplified ACME
server implementation to run client tests.
parent 2776348a
......@@ -6,6 +6,8 @@ stages:
- build
- check
- unit_test
- pebble_strict
- pebble_breaking
- lets_encrypt_staging
.build:
......@@ -26,6 +28,18 @@ stages:
- merge_requests
- master
.pebble_strict:
stage: pebble_strict
only:
- merge_requests
- master
.pebble_breaking:
stage: pebble_breaking
only:
- merge_requests
- master
.lets_encrypt_staging:
stage: lets_encrypt_staging
only:
......@@ -124,27 +138,38 @@ buster-ut:
- .coverage
###
### Stage: lets_encrypt_staging
### Stage: pebble strict
###
.lets_encrypt_staging-common:
extends: .lets_encrypt_staging
.pebble_strict_common:
extends: .pebble_strict
variables:
GITLABCI_ACMEDIRECTORY_V2: https://pebble:14000/dir
REQUESTS_CA_BUNDLE: "./tests/pebble.pem"
# Never reject valid nonce, because, as script is tiny it doesn't manage it (user can run it again)
PEBBLE_WFE_NONCEREJECT: 0
# Never reuse already validated authorizations, so tests always have to validate challenges
PEBBLE_AUTHZREUSE: 0
services:
- name: letsencrypt/pebble:latest
command: ["pebble", "-strict", "false"]
alias: pebble
script:
- python3-coverage run --append --source ./ -m unittest -v
tests.staging_test_acme_dns_tiny
tests.staging_test_acme_account_rollover
tests.staging_test_acme_account_deactivate
jessie-le-staging:
extends: .lets_encrypt_staging-common
jessie-pebble:
extends: .pebble_strict_common
image: acme-dns-tiny:jessie-slim
stretch-le-staging:
extends: .lets_encrypt_staging-common
stretch-pebble:
extends: .pebble_strict_common
image: acme-dns-tiny:stretch-slim
buster-le-staging:
extends: .lets_encrypt_staging-common
buster-pebble:
extends: .pebble_strict_common
image: acme-dns-tiny:buster-slim
after_script:
- python3-coverage report
......@@ -153,3 +178,37 @@ buster-le-staging:
artifacts:
paths:
- htmlcov
###
### Stage: pebble breaking changes allow to detect future change breaks
###
.pebble_breaking_common:
extends:
- .pebble_strict_common
- .pebble_breaking
services:
- name: letsencrypt/pebble:latest
command: ["pebble", "-strict", "true"]
alias: pebble
allow_failure: true
buster_pebble_breaking:
extends: .pebble_breaking_common
image: acme-dns-tiny:buster-slim
###
### Stage: Let's Encrypt staging
###
.lets_encrypt_staging_common:
extends: .lets_encrypt_staging
script:
- python3-coverage run --append --source ./ -m unittest -v
tests.staging_test_acme_dns_tiny
tests.staging_test_acme_account_rollover
tests.staging_test_acme_account_deactivate
buster-le-staging:
extends: .lets_encrypt_staging_common
image: acme-dns-tiny:buster-slim
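Review bot: Both pebble services are pulled as `letsencrypt/pebble:latest` (in `.pebble_strict_common` and again in `.pebble_breaking_common`), so the outcome of a `pebble_strict` job depends on whatever that floating tag resolves to on the runner, and a new pebble release can turn the pipeline red without any change in this repository. Pin the image to a released tag, ideally with a digest, and bump it deliberately: `- name: letsencrypt/pebble:<PINNED_VERSION>` (placeholder for the version you validated). `REQUESTS_CA_BUNDLE: "./tests/pebble.pem"` replaces the system CA bundle for the whole job rather than adding to it, which is what makes the pebble connection verifiable but also means any other HTTPS endpoint a test touches in these stages will fail verification; a one-line comment above it, `# Replaces (not extends) the system CA bundle: only the pebble test CA is trusted in these jobs`, would save the next person a confusing TLS error.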
......@@ -8,6 +8,7 @@ from subprocess import Popen
DOMAIN = os.getenv("GITLABCI_DOMAIN")
ACMEDIRECTORY = os.getenv("GITLABCI_ACMEDIRECTORY_V2",
"https://acme-staging-v02.api.letsencrypt.org/directory")
IS_PEBBLE = ACMEDIRECTORY.startswith('https://pebble')
DNSHOST = os.getenv("GITLABCI_DNSHOST")
DNSHOSTIP = os.getenv("GITLABCI_DNSHOSTIP")
DNSZONE = os.getenv("GITLABCI_DNSZONE")
......@@ -30,8 +31,19 @@ def generate_config(account_key_path=None):
# Domain key and CSR
domain_key = NamedTemporaryFile(delete=False)
domain_csr = NamedTemporaryFile(delete=False)
Popen(["openssl", "req", "-newkey", "rsa:2048", "-nodes", "-keyout", domain_key.name,
"-subj", "/CN={0}".format(DOMAIN), "-out", domain_csr.name]).wait()
if IS_PEBBLE: # Pebble server enforces usage of SAN instead of CN
san_conf = NamedTemporaryFile(delete=False)
with open("/etc/ssl/openssl.cnf", 'r') as opensslcnf:
san_conf.write(opensslcnf.read().encode("utf8"))
san_conf.write("\n[SAN]\nsubjectAltName=DNS:{0}\n".format(DOMAIN).encode("utf8"))
san_conf.seek(0)
Popen(["openssl", "req", "-newkey", "rsa:2048", "-nodes", "-keyout", domain_key.name,
"-subj", "/", "-reqexts", "SAN", "-config", san_conf.name,
"-out", domain_csr.name]).wait()
os.remove(san_conf.name)
else:
Popen(["openssl", "req", "-newkey", "rsa:2048", "-nodes", "-keyout", domain_key.name,
"-subj", "/CN={0}".format(DOMAIN), "-out", domain_csr.name]).wait()
# acme-dns-tiny configuration
parser = configparser.ConfigParser()
......@@ -101,8 +113,19 @@ def generate_acme_dns_tiny_config(): # pylint: disable=too-many-locals,too-many
# Configuration with CSR containing a wildcard domain
_, domain_key, domain_csr, config = generate_config(account_key)
Popen(["openssl", "req", "-newkey", "rsa:2048", "-nodes", "-keyout", domain_key,
"-subj", "/CN=*.{0}".format(DOMAIN), "-out", domain_csr]).wait()
if IS_PEBBLE: # Pebble server enforces usage of SAN instead of CN
san_conf = NamedTemporaryFile(delete=False)
with open("/etc/ssl/openssl.cnf", 'r') as opensslcnf:
san_conf.write(opensslcnf.read().encode("utf8"))
san_conf.write("\n[SAN]\nsubjectAltName=DNS:*.{0}\n".format(DOMAIN).encode("utf8"))
san_conf.seek(0)
Popen(["openssl", "req", "-newkey", "rsa:2048", "-nodes", "-keyout", domain_key,
"-subj", "/", "-reqexts", "SAN", "-config", san_conf.name,
"-out", domain_csr]).wait()
os.remove(san_conf.name)
else:
Popen(["openssl", "req", "-newkey", "rsa:2048", "-nodes", "-keyout", domain_key,
"-subj", "/CN=*.{0}".format(DOMAIN), "-out", domain_csr]).wait()
os.remove(domain_key)
wild_cname = NamedTemporaryFile(delete=False)
......
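Review bot: The two new SAN branches, in `generate_config` and in `generate_acme_dns_tiny_config` (both functions start outside their hunks), are the same eleven lines except for the `DNS:` value, and each relies on `san_conf.seek(0)` to push the buffered writes to disk before openssl opens the file by name, with the `NamedTemporaryFile` handle never closed; that works because `seek` flushes, but nothing says so. Extract one helper that writes the config inside a `with` block (which closes and flushes it) and returns the path, then call it from both sites, which also removes the reason to keep the duplicated config text in sync by hand. The helper still reads `/etc/ssl/openssl.cnf`, which is presumably present on the Debian images used here but will raise `FileNotFoundError` only in the pebble jobs if an image changes, so it is worth a comment. Separately, `IS_PEBBLE` is derived from the directory URL prefix, so the SAN path is silently skipped if the service alias in `.gitlab-ci.yml` ever changes; a comment such as `# True when the ACME directory is the pebble CI service (alias "pebble" in .gitlab-ci.yml)` ties the two together.
```python
def _write_san_openssl_config(dns_name):
    """Write a temporary openssl config with a [SAN] section for dns_name; return its path.

    The caller must os.remove() the returned path once openssl has used it.
    Reads /etc/ssl/openssl.cnf as the base config (Debian layout).
    """
    with open("/etc/ssl/openssl.cnf", "r") as opensslcnf, \
            NamedTemporaryFile(delete=False) as san_conf:
        san_conf.write(opensslcnf.read().encode("utf8"))
        san_conf.write("\n[SAN]\nsubjectAltName=DNS:{0}\n".format(dns_name).encode("utf8"))
    return san_conf.name

# … unchanged: generate_config up to the CSR generation …
    if IS_PEBBLE:  # Pebble server enforces usage of SAN instead of CN
        san_conf_path = _write_san_openssl_config(DOMAIN)
        Popen(["openssl", "req", "-newkey", "rsa:2048", "-nodes", "-keyout", domain_key.name,
               "-subj", "/", "-reqexts", "SAN", "-config", san_conf_path,
               "-out", domain_csr.name]).wait()
        os.remove(san_conf_path)
# … unchanged: else branch; the wildcard site calls _write_san_openssl_config("*.{0}".format(DOMAIN)) …
```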
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----