authorFelix Fontein <felix@fontein.de>2018-07-30 20:10:17 +0200
committerMatt Clay <matt@mystile.com>2018-07-30 11:10:17 -0700
commitd4c16f51be642d1e4d5773a7d48841efc96530fa (patch)
tree3538b5361a8787fa5c1fcf770ab91ca5cfd38e76 /test/integration/targets/acme_account/tasks
parentc809500c7940d54c7cd320d86508d87e4100d779 (diff)
downloadansible-d4c16f51be642d1e4d5773a7d48841efc96530fa.tar.gz
New acme_* integration test using ACME test docker container (#41626)
* Using ACME test container for acme_account integration test. * Removing dependency on setup_openssl. Waiting for controller and Pebble. * More tinkering. * Reducing number of tries. * One more try. * Another try. * Added acme_certificate tests. * Removed double key. * Added tests for acme_certificate_revoke. * Making task names more meaningful (during certificate generation). * Using newer test container which integrates letsencrypt/pebble#137. Adding test for revoking certificate by its private key. * Using new version of Pebble which limits the random auth delay. * Simplifying certificates for revocation tests. * Reworking acme_certificate tests (there are now more, but they are faster). * Test whether account_key_content works. * Preparing TLS-ALPN-01 support. * Using official Ansible image of testing container on quay.io. * Bumping version. * Bumping version of test container to 1.1.0. * Adjusting to new CI group names. * Pass ACME simulator IP as playbook variable. * Let test plugin wait for controller and CA endpoints to become active. * Refactor common setup parts of tests to setup_acme. * _ -> dummy * Moving common obtain-cert.yml to setup_acme.
Diffstat (limited to 'test/integration/targets/acme_account/tasks')
-rw-r--r--test/integration/targets/acme_account/tasks/main.yml107
1 files changed, 74 insertions, 33 deletions
diff --git a/test/integration/targets/acme_account/tasks/main.yml b/test/integration/targets/acme_account/tasks/main.yml
index 83b74d9c86..8879ddce55 100644
--- a/test/integration/targets/acme_account/tasks/main.yml
+++ b/test/integration/targets/acme_account/tasks/main.yml
@@ -1,7 +1,5 @@
---
- block:
- - debug: var=openssl_version.stdout
-
- name: Generate account key
command: openssl ecparam -name prime256v1 -genkey -out {{ output_dir }}/accountkey.pem
@@ -12,7 +10,8 @@
acme_account:
account_key_src: "{{ output_dir }}/accountkey.pem"
acme_version: 2
- acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
+ acme_directory: https://{{ acme_host }}:14000/dir
+ validate_certs: no
state: present
allow_creation: no
ignore_errors: yes
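Review bot: `validate_certs: no` is added here and to every other `acme_account` task in this file (the hunks at -22, -32, -45 and -58) with no comment saying why TLS verification is turned off. Presumably the Pebble container's HTTPS endpoint presents a certificate the test host does not trust, but the file never says so, and these tasks are the kind of thing that gets copied into real playbooks. I would put a comment once near the top of the block, for example `# validate_certs is disabled only because the ACME test container uses its own test certificate; never do this against a real CA`. If the container's CA certificate can be made available to the test host, trusting it would keep verification enabled and exercise the module's normal TLS path. The task bodies continue outside these hunks.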
@@ -22,7 +21,8 @@
acme_account:
account_key_src: "{{ output_dir }}/accountkey.pem"
acme_version: 2
- acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
+ acme_directory: https://{{ acme_host }}:14000/dir
+ validate_certs: no
state: present
allow_creation: yes
terms_agreed: yes
@@ -32,9 +32,10 @@
- name: Change email address
acme_account:
- account_key_src: "{{ output_dir }}/accountkey.pem"
+ account_key_content: "{{ lookup('file', output_dir ~ '/accountkey.pem') }}"
acme_version: 2
- acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
+ acme_directory: https://{{ acme_host }}:14000/dir
+ validate_certs: no
state: present
# allow_creation: no
contact:
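Review bot: The switch to `account_key_content` on the "Change email address" task loads the private key on the controller with `lookup('file', ...)` and passes it as a plain task argument, but nothing says this is deliberate. A short comment such as `# uses account_key_content on purpose, to test that option; the key is a throwaway test key` would stop a reader from treating it as the recommended way to supply a key. The module's argument spec is not visible in this diff, so it is worth confirming that `account_key_content` is marked `no_log` there, so that the key does not appear in verbose output or registered results. The task continues past the end of the hunk.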
@@ -45,7 +46,8 @@
acme_account:
account_key_src: "{{ output_dir }}/accountkey.pem"
acme_version: 2
- acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
+ acme_directory: https://{{ acme_host }}:14000/dir
+ validate_certs: no
state: present
# allow_creation: no
contact:
@@ -58,52 +60,91 @@
- name: Parse account key (to ease debugging some test failures)
command: openssl ec -in {{ output_dir }}/accountkey2.pem -noout -text
- - name: Change account key
- acme_account:
- account_key_src: "{{ output_dir }}/accountkey.pem"
- acme_version: 2
- acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
- new_account_key_src: "{{ output_dir }}/accountkey2.pem"
- state: changed_key
- contact:
- - mailto:example@example.com
- register: account_change_key
+# Note that pebble has no change key endpoint implemented yet!
+# When it has (and the container was updated), uncomment the
+# uncomment the following tests, and delete the ones below the
+# out-commented ones.
+
+# - name: Change account key
+# acme_account:
+# account_key_src: "{{ output_dir }}/accountkey.pem"
+# acme_version: 2
+# acme_directory: https://{{ acme_host }}:14000/dir
+# validate_certs: no
+# new_account_key_src: "{{ output_dir }}/accountkey2.pem"
+# state: changed_key
+# contact:
+# - mailto:example@example.com
+# register: account_change_key
+
+# - name: Deactivate account
+# acme_account:
+# account_key_src: "{{ output_dir }}/accountkey2.pem"
+# acme_version: 2
+# acme_directory: https://{{ acme_host }}:14000/dir
+# validate_certs: no
+# state: absent
+# register: account_deactivate
+
+# - name: Deactivate account (idempotent)
+# acme_account:
+# account_key_src: "{{ output_dir }}/accountkey2.pem"
+# acme_version: 2
+# acme_directory: https://{{ acme_host }}:14000/dir
+# validate_certs: no
+# state: absent
+# register: account_deactivate_idempotent
+
+# - name: Do not try to create account II
+# acme_account:
+# account_key_src: "{{ output_dir }}/accountkey2.pem"
+# acme_version: 2
+# acme_directory: https://{{ acme_host }}:14000/dir
+# validate_certs: no
+# state: present
+# allow_creation: no
+# ignore_errors: yes
+# register: account_not_created_2
+
+# - name: Do not try to create account III
+# acme_account:
+# account_key_src: "{{ output_dir }}/accountkey.pem"
+# acme_version: 2
+# acme_directory: https://{{ acme_host }}:14000/dir
+# validate_certs: no
+# state: present
+# allow_creation: no
+# ignore_errors: yes
+# register: account_not_created_3
- name: Deactivate account
acme_account:
- account_key_src: "{{ output_dir }}/accountkey2.pem"
+ account_key_src: "{{ output_dir }}/accountkey.pem"
acme_version: 2
- acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
+ acme_directory: https://{{ acme_host }}:14000/dir
+ validate_certs: no
state: absent
register: account_deactivate
- name: Deactivate account (idempotent)
acme_account:
- account_key_src: "{{ output_dir }}/accountkey2.pem"
+ account_key_src: "{{ output_dir }}/accountkey.pem"
acme_version: 2
- acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
+ acme_directory: https://{{ acme_host }}:14000/dir
+ validate_certs: no
state: absent
register: account_deactivate_idempotent
- name: Do not try to create account II
acme_account:
- account_key_src: "{{ output_dir }}/accountkey2.pem"
- acme_version: 2
- acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
- state: present
- allow_creation: no
- ignore_errors: yes
- register: account_not_created_2
-
- - name: Do not try to create account III
- acme_account:
account_key_src: "{{ output_dir }}/accountkey.pem"
acme_version: 2
- acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
+ acme_directory: https://{{ acme_host }}:14000/dir
+ validate_certs: no
state: present
allow_creation: no
ignore_errors: yes
- register: account_not_created_3
+ register: account_not_created_2
# Old 0.9.8 versions have insufficient CLI support for signing with EC keys
when: openssl_version.stdout is version('1.0.0', '>=')
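Review bot: The comment that introduces the commented-out tasks repeats "uncomment the" across two lines and does not say which active tasks are the temporary stand-ins. I would reword it to `# Pebble does not implement the key-change endpoint yet. Once the test container supports it,` / `# uncomment the tasks below and delete the active "Deactivate account" and "Do not try to create account II" tasks that follow.` With the `changed_key` task disabled, the key rollover path has no coverage in this target, so a reference to a tracking issue in that comment would keep the gap visible. The second key (`accountkey2.pem`) is still parsed in the context lines at the top of this hunk, and presumably generated just above it, although no active task uses it any more. The assertions that consumed `account_change_key` and `account_not_created_3` are outside this diff and should be checked against the removed registers.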