ca_handler_tests_openssl.yml

name: CA handler tests - OpenSSL

on:
  push:
  pull_request:
    branches: [ devel ]
  schedule:
    # * is a special character in YAML so you have to quote this string
    - cron:  '0 2 * * 6'

jobs:
  openssl_ca_handler_tests:
    name: "openssl_ca_handler_tests"
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        websrv: ['apache2', 'nginx']
        dbhandler: ['wsgi', 'django']
    steps:
    - name: "checkout GIT"
      uses: actions/checkout@v4

    - name: "create folders"
      run: |
        mkdir lego
        mkdir acme-sh
        mkdir certbot

    - name: "Build docker-compose (${{ matrix.websrv }}_${{ matrix.dbhandler }})"
      working-directory: examples/Docker/
      run: |
        sudo apt-get install -y docker-compose
        sudo mkdir -p data
        sed -i "s/wsgi/$DB_HANDLER/g" .env
        sed -i "s/apache2/$WEB_SRV/g" .env
        cat .env
        docker network create acme
        docker-compose up -d
        docker-compose logs
      env:
        WEB_SRV: ${{ matrix.websrv }}
        DB_HANDLER: ${{ matrix.dbhandler }}

    - name: "Setup a2c with openssl_ca_handler - default"
      run: |
        sudo cp .github/acme2certifier.pem examples/Docker/data/acme2certifier.pem
        sudo cp .github/acme2certifier_cert.pem examples/Docker/data/acme2certifier_cert.pem
        sudo cp .github/acme2certifier_key.pem examples/Docker/data/acme2certifier_key.pem
        sudo cp .github/django_settings.py examples/Docker/data/settings.py
        sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py
        sudo mkdir -p examples/Docker/data/acme_ca/certs
        sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/
        sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
        cd examples/Docker/
        docker-compose restart
        docker-compose logs

    - name: "Sleep for 10s"
      uses: juliangruber/sleep-action@v2.0.3
      with:
        time: 10s

    - name: "Test http://acme-srv/directory is accessible"
      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory

    - name: "Test if https://acme-srv/directory is accessible"
      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory

    - name: "Prepare acme.sh container"
      run: |
        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon

    - name: "Enroll acme.sh"
      run: |
        docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force
        openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
        openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout
        openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "Basic Constraints: critical"
        openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "Digital Signature, Key Encipherment"
        openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication"

    - name: "Revoke via acme.sh"
      run: |
        docker exec -i acme-sh acme.sh --server http://acme-srv --revoke -d acme-sh.acme --standalone --debug 3 --output-insecure

    - name: "Register certbot"
      run: |
        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email

    - name: "Enroll certbot"
      run: |
        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
        sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem
        sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout
        sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Basic Constraints: critical"
        sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Digital Signature, Key Encipherment"
        sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication"

    - name: "Revoke HTTP-01 single domain certbot"
      run: |
        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv  -d certbot.acme --cert-name certbot

    - name: "Enroll lego"
      run: |
        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
        sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt
        sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
        sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "Basic Constraints: critical"
        sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "Digital Signature, Key Encipherment"
        sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication"

    - name: "Revoke lego"
      run: |
        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke

    - name: "Setup a2c with openssl_ca_handler - with template"
      run: |
        sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py
        sudo mkdir -p examples/Docker/data/acme_ca/certs
        sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/
        sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
        sudo chmod 777 examples/Docker/data/acme_srv.cfg
        sudo echo -e "\nopenssl_conf: volume/acme_ca/openssl.cnf" >> examples/Docker/data/acme_srv.cfg
        sudo touch examples/Docker/data/acme_ca/openssl.cnf
        sudo chmod 777 examples/Docker/data/acme_ca/openssl.cnf
        sudo echo -e "[extensions]\nbasicConstraints = critical, CA:FALSE\nsubjectKeyIdentifier = hash, issuer:always\nauthorityKeyIdentifier = keyid:always, issuer:always" >> examples/Docker/data/acme_ca/openssl.cnf
        sudo echo -e "keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment, keyAgreement\nextendedKeyUsage = critical, serverAuth, OCSPSigning\n" >> examples/Docker/data/acme_ca/openssl.cnf
        cd examples/Docker/
        docker-compose restart
        docker-compose logs

    - name: "Sleep for 10s"
      uses: juliangruber/sleep-action@v2.0.3
      with:
        time: 10s

    - name: "Test http://acme-srv/directory is accessible"
      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory

    - name: "Test if https://acme-srv/directory is accessible"
      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory

    - name: "Enroll acme.sh"
      run: |
        docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force
        # openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
        openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout
        openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "Basic Constraints: critical"
        openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement"
        openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "TLS Web Server Authentication, OCSP Signing"

    - name: "Revoke via acme.sh"
      run: |
        docker exec -i acme-sh acme.sh --server http://acme-srv --revoke -d acme-sh.acme --standalone --debug 3 --output-insecure

    - name: "Register certbot"
      run: |
        sudo rm -rf certbot/*
        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email

    - name: "Enroll certbot"
      run: |
        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
        # sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem
        sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout
        sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Basic Constraints: critical"
        sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement"
        sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "TLS Web Server Authentication, OCSP Signing"

    - name: "Revoke certbot"
      run: |
        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv  -d certbot.acme --cert-name certbot

    - name: "Enroll lego"
      run: |
        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
        # sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt
        sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
        sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "Basic Constraints: critical"
        sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "Digital Signature, Non Repudiation, Key Encipherment, Key Agreement"
        sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "TLS Web Server Authentication, OCSP Signing"

    - name: "Revoke lego"
      run: |
        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke

    - name: "Setup a2c with openssl_ca_handler - cn_enforce"
      run: |
        sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py
        sudo mkdir -p examples/Docker/data/acme_ca/certs
        sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/
        sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
        sudo chmod 777 examples/Docker/data/acme_srv.cfg
        sudo echo -e "\ncn_enforce: True" >> examples/Docker/data/acme_srv.cfg
        cd examples/Docker/
        docker-compose restart
        docker-compose logs

    - name: "Sleep for 10s"
      uses: juliangruber/sleep-action@v2.0.3
      with:
        time: 10s

    - name: "Test http://acme-srv/directory is accessible"
      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory

    - name: "Test if https://acme-srv/directory is accessible"
      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory

    - name: "[ * ] collecting test logs"
      if: ${{ failure() }}
      run: |
        mkdir -p ${{ github.workspace }}/artifact/upload
        sudo cp -rp examples/Docker/data/ ${{ github.workspace }}/artifact/data/
        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
        sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/
        sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
        cd examples/Docker
        docker-compose logs > ${{ github.workspace }}/artifact/docker-compose.log
        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz docker-compose.log data acme-sh certbot lego

    - name: "Register certbot"
      run: |
        sudo rm -rf certbot/*
        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email

    - name: "Enroll certbot"
      run: |
        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
        sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem
        sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout
        sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Basic Constraints: critical"
        sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Digital Signature, Key Encipherment"
        sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication"
        sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Subject: CN = certbot.acme"

    - name: "Revoke certbot"
      run: |
        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv  -d certbot.acme --cert-name certbot

    - name: "Setup a2c with openssl_ca_handler - adjust cert_validity"
      run: |
        sudo cp examples/ca_handler/openssl_ca_handler.py examples/Docker/data/ca_handler.py
        sudo mkdir -p examples/Docker/data/acme_ca/certs
        sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem examples/Docker/data/acme_ca/
        sudo cp .github/openssl_ca_handler.py_acme_srv_default_handler.cfg examples/Docker/data/acme_srv.cfg
        sudo chmod 777 examples/Docker/data/acme_srv.cfg
        sudo sed -i "s/cert_validity_days: 30/cert_validity_days: 3650\ncert_validity_adjust: True/g" examples/Docker/data/acme_srv.cfg
        cd examples/Docker/
        docker-compose restart
        docker-compose logs

    - name: "Sleep for 10s"
      uses: juliangruber/sleep-action@v2.0.3
      with:
        time: 10s

    - name: "Test http://acme-srv/directory is accessible"
      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory

    - name: "Test if https://acme-srv/directory is accessible"
      run: docker run -i --rm --network acme curlimages/curl --insecure -f https://acme-srv/directory

    - name: "Register certbot"
      run: |
        sudo rm -rf certbot/*
        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email

    - name: "Enroll certbot"
      run: |
        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
        sudo openssl verify -CAfile examples/Docker/data/acme_ca/root-ca-cert.pem -untrusted examples/Docker/data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem
        sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout
        sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Not After : Jun  9 17:17:00 2030 GMT"

    - name: "Revoke certbot"
      run: |
        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv  -d certbot.acme --cert-name certbot

    - name: "[ * ] uploading artificates"
      uses: actions/upload-artifact@v4
      if: ${{ failure() }}
      with:
        name: openssl_ca_handler_tests-${{ matrix.websrv }}-${{ matrix.dbhandler }}.tar.gz.tar.gz
        path: ${{ github.workspace }}/artifact/upload/

  openssl_ca_handler_no_tmpl_tests_rpm:
    name: "openssl_ca_handler_no_tmpl_tests_rpm"
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        rhversion: [8, 9]
    steps:
    - name: "checkout GIT"
      uses: actions/checkout@v4

    - name: Retrieve Version from version.py
      run: |
        echo TAG_NAME=$(cat acme_srv/version.py | grep -i __version__ | head -n 1 | sed 's/__version__ = //g' | sed s/\'//g) >> $GITHUB_ENV
    - run: echo "Latest tag is ${{ env.TAG_NAME }}"

    - name: update version number in spec file
      run: |
        # sudo sed -i "s/Source0:.*/Source0:        %{name}-%{version}.tar.gz/g" examples/install_scripts/rpm/acme2certifier.spec
        sudo sed -i "s/__version__/${{ env.TAG_NAME }}/g" examples/install_scripts/rpm/acme2certifier.spec
        cat examples/install_scripts/rpm/acme2certifier.spec

    - name: build RPM package
      id: rpm
      uses: grindsa/rpmbuild@alma9
      with:
        spec_file: "examples/install_scripts/rpm/acme2certifier.spec"

    - run: echo "path is ${{ steps.rpm.outputs.rpm_dir_path }}"

    - name: "[ PREPARE ] setup environment for alma installation"
      run: |
        docker network create acme
        sudo mkdir -p data
        sudo chmod -R 777 data
        sudo cp ${{ steps.rpm.outputs.rpm_dir_path }}noarch/acme2certifier-${{ env.TAG_NAME }}-1.0.noarch.rpm data
        sudo cp examples/Docker/almalinux-systemd/rpm_tester.sh data

    - name: "[ PREPARE ] create letsencrypt and lego folder"
      run: |
        mkdir certbot
        mkdir lego

    - name: "Retrieve rpms from SBOM repo"
      run: |
        git clone https://$GH_SBOM_USER:$GH_SBOM_TOKEN@github.com/$GH_SBOM_USER/sbom /tmp/sbom
        cp /tmp/sbom/rpm-repo/RPMs/rhel${{ matrix.rhversion }}/*.rpm  data
      env:
        GH_SBOM_USER: ${{ secrets.GH_SBOM_USER }}
        GH_SBOM_TOKEN: ${{ secrets.GH_SBOM_TOKEN }}

    - name: "[ PREPARE ] prepare acme_srv.cfg with openssl_ca_handler"
      run: |
        mkdir -p data/acme_ca
        sudo mkdir -p examples/Docker/data/acme_ca/certs
        sudo cp test/ca/sub-ca-key.pem test/ca/sub-ca-crl.pem test/ca/sub-ca-cert.pem test/ca/root-ca-cert.pem data/acme_ca/
        sudo cp .github/openssl_ca_handler.py_acme_srv_choosen_handler.cfg data/acme_srv.cfg

    - name: "[ PREPARE ] Almalinux instance"
      run: |
        sudo cp examples/Docker/almalinux-systemd/Dockerfile data
        sudo sed -i "s/FROM almalinux:9/FROM almalinux:${{ matrix.rhversion }}/g" data/Dockerfile
        cat data/Dockerfile | docker build -t almalinux-systemd -f - . --no-cache
        docker run -d -id --privileged --network acme --name=acme-srv -v "$(pwd)/data":/tmp/acme2certifier almalinux-systemd

    - name: "[ RUN ] Execute install scipt"
      run: |
        docker exec acme-srv sh /tmp/acme2certifier/rpm_tester.sh

    - name: "Test http://acme-srv/directory is accessible"
      run: docker run -i --rm --network acme curlimages/curl -f http://acme-srv/directory

    - name: "[ PREPARE ] prepare acme.sh container"
      run: |
        sudo mkdir acme-sh
        docker run --rm -id -v "$(pwd)/acme-sh":/acme.sh --network acme --name=acme-sh neilpang/acme.sh:latest daemon

    - name: "[ ENROLL ] acme.sh"
      run: |
        docker exec -i acme-sh acme.sh --server http://acme-srv --accountemail 'acme-sh@example.com' --issue -d acme-sh.acme --alpn --standalone --debug 3 --output-insecure --force
        sudo openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer
        openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout
        openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "Basic Constraints: critical"
        openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "Digital Signature, Key Encipherment"
        openssl x509 -in acme-sh/acme-sh.acme_ecc/acme-sh.acme.cer -text -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication"

    - name: "revoke via acme.sh"
      run: |
        docker exec -i acme-sh acme.sh --server http://acme-srv --revoke -d acme-sh.acme --standalone --debug 3 --output-insecure

    - name: "[ REGISTER] certbot"
      run: |
        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot register --agree-tos -m 'certbot@example.com' --server http://acme-srv --no-eff-email

    - name: "[ ENROLL ] HTTP-01 single domain certbot"
      run: |
        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot certonly --server http://acme-srv --standalone --preferred-challenges http -d certbot.acme --cert-name certbot
        sudo openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem certbot/live/certbot/cert.pem
        sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout
        sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Basic Constraints: critical"
        sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "Digital Signature, Key Encipherment"
        sudo openssl x509 -in certbot/archive/certbot/cert1.pem -text -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication"

    - name: "revoke HTTP-01 single domain certbot"
      run: |
        docker run -i --rm --name certbot --network acme -v $PWD/certbot:/etc/letsencrypt/ certbot/certbot revoke --delete-after-revoke --server http://acme-srv  -d certbot.acme --cert-name certbot

    - name: "[ ENROLL ] lego"
      run: |
        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme --http run
        sudo openssl verify -CAfile data/acme_ca/root-ca-cert.pem -untrusted data/acme_ca/sub-ca-cert.pem lego/certificates/lego.acme.crt
        sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout
        sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "Basic Constraints: critical"
        sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "Digital Signature, Key Encipherment"
        sudo openssl x509 -in lego/certificates/lego.acme.crt -text -noout | grep "TLS Web Server Authentication, TLS Web Client Authentication"

    - name: "revoke HTTP-01 single domain lego"
      run: |
        docker run -i -v $PWD/lego:/.lego/ --rm --name lego --network acme goacme/lego -s http://acme-srv -a --email "lego@example.com" -d lego.acme revoke

    - name: "[ * ] collecting test logs"
      if: ${{ failure() }}
      run: |
        mkdir -p ${{ github.workspace }}/artifact/upload
        docker exec acme-srv tar cvfz /tmp/acme2certifier/a2c.tgz /opt/acme2certifier
        sudo cp -rp data/ ${{ github.workspace }}/artifact/data/
        sudo rm ${{ github.workspace }}/artifact/data/*.rpm
        sudo cp -rp acme-sh/ ${{ github.workspace }}/artifact/acme-sh/
        sudo cp -rp certbot/ ${{ github.workspace }}/artifact/certbot/
        sudo cp -rp lego/ ${{ github.workspace }}/artifact/lego/
        sudo rm ${{ github.workspace }}/artifact/data/*.rpm
        docker exec acme-srv cat /etc/nginx/nginx.conf.orig > ${{ github.workspace }}/artifact/data/nginx.conf.orig
        docker exec acme-srv cat /etc/nginx/nginx.conf > ${{ github.workspace }}/artifact/data/nginx.conf
        docker exec acme-srv cat /var/log/messages > ${{ github.workspace }}/artifact/acme-srv.log
        sudo tar -C ${{ github.workspace }}/artifact/ -cvzf ${{ github.workspace }}/artifact/upload/artifact.tar.gz data acme-srv.log acme-sh certbot lego

    - name: "[ * ] uploading artificates"
      uses: actions/upload-artifact@v4
      if: ${{ failure() }}
      with:
        name: openssl-rpmopenssl_ca_handler_no_tmpl_tests_rpm-rh${{ matrix.rhversion }}.tar.gz
        path: ${{ github.workspace }}/artifact/upload/