particle-os/debian-forge-composer
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

tests/regression: Add config for v3 certificates

Browse source 
When generating x509 v3 certs we need to explicitely set "CA:TRUE"
otherwise they're not trusted to be used. Also start running the tests
on RHEL-9.5 and RHEL-10.0
This commit is contained in:
Jakub Rusz 2024-09-27 10:05:03 +02:00 committed by Jakub Rusz
parent b9d6dd342d
commit 07a18a5d49
3 changed files with 18 additions and 24 deletions
Download patch file Download diff file Expand all files Collapse all files

8
.gitlab-ci.yml
View file

@ -246,16 +246,16 @@ Base:
regression-composer-works-behind-satellite-fallback:
extends: .regression
rules:
# BLACKLIST: Skipped on subscribed RHEL machines
- if: $RUNNER !~ "/^.*(rhel-.*-ga|centos|fedora).*$/" && $RUNNER !~ "/^.*(rhel-9.5|rhel-10.0).*$/" && $CI_PIPELINE_SOURCE != "schedule"
# WHITELIST: Run on RHEL-nightly only
- if: $RUNNER =~ "/^.*(rhel-.*-nightly).*$/" && $CI_PIPELINE_SOURCE != "schedule"
variables:
SCRIPT: regression-composer-works-behind-satellite-fallback.sh
regression-composer-works-behind-satellite:
extends: .regression
rules:
# BLACKLIST: Skipped on subscribed RHEL machines
- if: $RUNNER !~ "/^.*(rhel-.*-ga|centos|fedora).*$/" && $RUNNER !~ "/^.*(rhel-9.5|rhel-10.0).*$/" && $CI_PIPELINE_SOURCE != "schedule"
# WHITELIST: Run on RHEL-nightly only
- if: $RUNNER =~ "/^.*(rhel-.*-nightly).*$/" && $CI_PIPELINE_SOURCE != "schedule"
variables:
SCRIPT: regression-composer-works-behind-satellite.sh

17
test/cases/regression-composer-works-behind-satellite-fallback.sh
View file

@ -12,17 +12,21 @@ function generate_certificates {
sudo openssl genrsa -out ca.key
# Create and self-sign root certificate
sudo openssl req -new -subj "/C=GB/CN=ca" -addext "subjectAltName = DNS:localhost" -key ca.key -out ca.csr
sudo openssl x509 -req -sha256 -days 365 -in ca.csr -signkey ca.key -out ca.crt
# Create config for v3 certs
sudo tee v3_ca.cnf > /dev/null << EOF
basicConstraints = CA:TRUE
EOF
sudo openssl x509 -req -sha256 -days 365 -in ca.csr -signkey ca.key -out ca.crt -extfile v3_ca.cnf
# Key for the server
sudo openssl genrsa -out server.key
# Certificate for the server
sudo openssl req -new -subj "/C=GB/CN=localhost" -sha256 -key server.key -out server.csr
sudo openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256
sudo openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile v3_ca.cnf
# Key for the client
sudo openssl genrsa -out client.key
# Certificate for the client
sudo openssl req -new -subj "/C=GB/CN=localhost" -sha256 -key client.key -out client.csr
sudo openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365 -sha256
sudo openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365 -sha256 -extfile v3_ca.cnf
# add the certificate authority to the system trust stores
sudo cp ca.crt "/etc/pki/ca-trust/source/anchors/ca-$(uuidgen).crt"
@ -46,13 +50,6 @@ case "${ID}" in
;;
"rhel")
echo "Running on RHEL"
if [[ "$VERSION_ID" == "9.5" || "$VERSION_ID" == "10.0" ]]; then
# fails eventhough we call update-ca-trust, see previous commit
echo "This test has been disabled b/c DNF fails with self-signed certificates"
exit 1
fi
case "${VERSION_ID%.*}" in
"8" | "9" | "10")
echo "Running on RHEL ${VERSION_ID}"

17
test/cases/regression-composer-works-behind-satellite.sh
View file

@ -15,17 +15,21 @@ function generate_certificates {
sudo openssl genrsa -out ca.key
# Create and self-sign root certificate
sudo openssl req -new -subj "/C=GB/CN=ca" -addext "subjectAltName = DNS:localhost" -key ca.key -out ca.csr
sudo openssl x509 -req -sha256 -days 365 -in ca.csr -signkey ca.key -out ca.crt
# Create config for v3 certs
sudo tee v3_ca.cnf > /dev/null << EOF
basicConstraints = CA:TRUE
EOF
sudo openssl x509 -req -sha256 -days 365 -in ca.csr -signkey ca.key -out ca.crt -extfile v3_ca.cnf
# Key for the server
sudo openssl genrsa -out server.key
# Certificate for the server
sudo openssl req -new -subj "/C=GB/CN=localhost" -sha256 -key server.key -out server.csr
sudo openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256
sudo openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -days 365 -sha256 -extfile v3_ca.cnf
# Key for the client
sudo openssl genrsa -out client.key
# Certificate for the client
sudo openssl req -new -subj "/C=GB/CN=localhost" -sha256 -key client.key -out client.csr
sudo openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365 -sha256
sudo openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out client.crt -days 365 -sha256 -extfile v3_ca.cnf
# add the certificate authority to the system trust stores
sudo cp ca.crt "/etc/pki/ca-trust/source/anchors/ca-$(uuidgen).crt"
@ -77,13 +81,6 @@ case "${ID}" in
;;
"rhel")
echo "Running on RHEL"
if [[ "$VERSION_ID" == "9.5" || "$VERSION_ID" == "10.0" ]]; then
# fails eventhough we call update-ca-trust, see previous commit
echo "This test has been disabled b/c DNF fails with self-signed certificates"
exit 1
fi
case "${VERSION_ID%.*}" in
"8" | "9" | "10")
echo "Running on RHEL ${VERSION_ID}"