Re-enable certificate validation test with proxy on docker (#2677)

2022-09-08 17:41:01 -07:00 · 2022-09-08 17:41:01 -07:00 · 7038fadf26
--- a/build.ps1
+++ b/build.ps1
@ -73,6 +73,11 @@ Param(
    [switch] $noBuildBeforeTesting
 )

+Function IsWindows()
+{
+	return ([Environment]::OSVersion.Platform -eq [System.PlatformID]::Win32NT)
+}
+
 Function CheckSignTools()
 {
    $commands = $("SignDotNetBinary", "SignBinary", "SignNuGetPackage", "SignMSIPackage")
@ -292,8 +297,6 @@ try
        $testCategory += "TestCategory=Unit"
        $testCategory += "|"
        $testCategory += "TestCategory=E2E"
-        $testCategory += "|"
-        $testCategory += "TestCategory=InvalidServiceCertificate"
        $testCategory += ")"

        # test categories to exclude
@ -353,11 +356,22 @@ try
            Write-Host -ForegroundColor Magenta "IMPORTANT: Using local packages."
        }

+        # Tests categories to include
+        $testCategory = "("
+        $testCategory += "TestCategory=E2E"
+        # Invalid cert tests don't currently work with docker on Windows within pipeline agent setup because of virtual host networking configuration issue
+        if (-not(IsWindows)) 
+        {
+            $testCategory += "|"
+            $testCategory += "TestCategory=InvalidServiceCertificate"
+        }
+        $testCategory += ")"
+
        # Override verbosity to display individual test execution.
        $oldVerbosity = $verbosity
        $verbosity = "normal"

-        RunTests "E2E tests" -framework $framework "TestCategory=E2E"
+        RunTests "E2E tests" -filterTestCategory $testCategory -framework $framework

        $verbosity = $oldVerbosity

--- a/e2e/test/docker/haproxy/errors/400.http
+++ b/e2e/test/docker/haproxy/errors/400.http
@ -0,0 +1,8 @@
+HTTP/1.0 400 Bad request
+Cache-Control: no-cache
+Connection: close
+Content-Type: text/html
+
+<html><body><h1>400 Bad request</h1>
+Your browser sent an invalid request.
+</body></html>
--- a/e2e/test/docker/haproxy/errors/403.http
+++ b/e2e/test/docker/haproxy/errors/403.http
@ -0,0 +1,8 @@
+HTTP/1.0 403 Forbidden
+Cache-Control: no-cache
+Connection: close
+Content-Type: text/html
+
+<html><body><h1>403 Forbidden</h1>
+Request forbidden by administrative rules.
+</body></html>
--- a/e2e/test/docker/haproxy/errors/408.http
+++ b/e2e/test/docker/haproxy/errors/408.http
@ -0,0 +1,8 @@
+HTTP/1.0 408 Request Time-out
+Cache-Control: no-cache
+Connection: close
+Content-Type: text/html
+
+<html><body><h1>408 Request Time-out</h1>
+Your browser didn't send a complete request in time.
+</body></html>
--- a/e2e/test/docker/haproxy/errors/500.http
+++ b/e2e/test/docker/haproxy/errors/500.http
@ -0,0 +1,8 @@
+HTTP/1.0 500 Internal Server Error
+Cache-Control: no-cache
+Connection: close
+Content-Type: text/html
+
+<html><body><h1>500 Internal Server Error</h1>
+An internal server error occurred.
+</body></html>
--- a/e2e/test/docker/haproxy/errors/502.http
+++ b/e2e/test/docker/haproxy/errors/502.http
@ -0,0 +1,8 @@
+HTTP/1.0 502 Bad Gateway
+Cache-Control: no-cache
+Connection: close
+Content-Type: text/html
+
+<html><body><h1>502 Bad Gateway</h1>
+The server returned an invalid or incomplete response.
+</body></html>
--- a/e2e/test/docker/haproxy/errors/503.http
+++ b/e2e/test/docker/haproxy/errors/503.http
@ -0,0 +1,8 @@
+HTTP/1.0 503 Service Unavailable
+Cache-Control: no-cache
+Connection: close
+Content-Type: text/html
+
+<html><body><h1>503 Service Unavailable</h1>
+No server is available to handle this request.
+</body></html>
--- a/e2e/test/docker/haproxy/errors/504.http
+++ b/e2e/test/docker/haproxy/errors/504.http
@ -0,0 +1,8 @@
+HTTP/1.0 504 Gateway Time-out
+Cache-Control: no-cache
+Connection: close
+Content-Type: text/html
+
+<html><body><h1>504 Gateway Time-out</h1>
+The server didn't respond in time.
+</body></html>
--- a/e2e/test/docker/haproxy/haproxy.bin
+++ b/e2e/test/docker/haproxy/haproxy.bin
--- a/e2e/test/docker/haproxy/haproxydps.cfg
+++ b/e2e/test/docker/haproxy/haproxydps.cfg
@ -0,0 +1,45 @@
+global
+        maxconn 100
+        tune.ssl.default-dh-param 2048
+        log /dev/log    local0
+        log /dev/log    local1 notice
+        user haproxy
+        group haproxy
+        daemon
+
+        # Default SSL material locations
+        ca-base /etc/ssl/certs
+        crt-base /etc/ssl/private
+
+        # Default ciphers to use on SSL-enabled listening sockets.
+        # For more information, see ciphers(1SSL). This list is from:
+        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
+        ssl-default-bind-options no-sslv3
+
+defaults
+        mode tcp
+        log global
+        timeout connect 5000
+        timeout client  50000
+        timeout server  50000
+
+frontend hub_fe_https
+        bind *:443 ssl crt /usr/local/etc/haproxy/haproxy.pem
+        mode http
+        default_backend hub_be_https
+
+backend hub_be_https
+        mode http
+        http-request set-header Host invalidcertdps1.westus.cloudapp.azure.com
+        server hub1 invalidcertdps1.westus.cloudapp.azure.com ssl verify none
+
+frontend hub_fe_tcp
+        bind *:5671 ssl crt /usr/local/etc/haproxy/haproxy.pem
+        bind *:8883 ssl crt /usr/local/etc/haproxy/haproxy.pem
+        mode tcp
+        default_backend hub_be_tcp
+
+backend hub_be_tcp
+	    mode tcp
+    	server hub1 invalidcertdps1.westus.cloudapp.azure.com ssl verify none
--- a/e2e/test/docker/haproxy/haproxygde.cfg
+++ b/e2e/test/docker/haproxy/haproxygde.cfg
@ -0,0 +1,45 @@
+global
+        maxconn 100
+        tune.ssl.default-dh-param 2048
+        log /dev/log    local0
+        log /dev/log    local1 notice
+        user haproxy
+        group haproxy
+        daemon
+
+        # Default SSL material locations
+        ca-base /etc/ssl/certs
+        crt-base /etc/ssl/private
+
+        # Default ciphers to use on SSL-enabled listening sockets.
+        # For more information, see ciphers(1SSL). This list is from:
+        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
+        ssl-default-bind-options no-sslv3
+
+defaults
+        mode tcp
+        log global
+        timeout connect 5000
+        timeout client  50000
+        timeout server  50000
+
+frontend hub_fe_https
+        bind *:443 ssl crt /usr/local/etc/haproxy/haproxy.pem
+        mode http
+        default_backend hub_be_https
+
+backend hub_be_https
+        mode http
+        http-request set-header Host invalidcertgde1.westus.cloudapp.azure.com
+        server hub1 invalidcertgde1.westus.cloudapp.azure.com ssl verify none
+
+frontend hub_fe_tcp
+        bind *:5671 ssl crt /usr/local/etc/haproxy/haproxy.pem
+        bind *:8883 ssl crt /usr/local/etc/haproxy/haproxy.pem
+        mode tcp
+        default_backend hub_be_tcp
+
+backend hub_be_tcp
+	    mode tcp
+    	server hub1 invalidcertgde1.westus.cloudapp.azure.com ssl verify none
--- a/e2e/test/docker/haproxy/haproxyhub.cfg
+++ b/e2e/test/docker/haproxy/haproxyhub.cfg
@ -0,0 +1,45 @@
+global
+        maxconn 100
+        tune.ssl.default-dh-param 2048
+        log /dev/log    local0
+        log /dev/log    local1 notice
+        user haproxy
+        group haproxy
+        daemon
+
+        # Default SSL material locations
+        ca-base /etc/ssl/certs
+        crt-base /etc/ssl/private
+
+        # Default ciphers to use on SSL-enabled listening sockets.
+        # For more information, see ciphers(1SSL). This list is from:
+        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
+        ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
+        ssl-default-bind-options no-sslv3
+
+defaults
+        mode tcp
+        log global
+        timeout connect 5000
+        timeout client  50000
+        timeout server  50000
+
+frontend hub_fe_https
+        bind *:443 ssl crt /usr/local/etc/haproxy/haproxy.pem
+        mode http
+        default_backend hub_be_https
+
+backend hub_be_https
+        mode http
+        http-request set-header Host invalidcertiothub1.westus.cloudapp.azure.com
+        server hub1 invalidcertiothub1.westus.cloudapp.azure.com ssl verify none
+
+frontend hub_fe_tcp
+        bind *:5671 ssl crt /usr/local/etc/haproxy/haproxy.pem
+        bind *:8883 ssl crt /usr/local/etc/haproxy/haproxy.pem
+        mode tcp
+        default_backend hub_be_tcp
+
+backend hub_be_tcp
+	    mode tcp
+    	server hub1 invalidcertiothub1.westus.cloudapp.azure.com ssl verify none
--- a/e2e/test/iothub/service/IoTHubCertificateValidationE2ETest.cs
+++ b/e2e/test/iothub/service/IoTHubCertificateValidationE2ETest.cs
@ -12,7 +12,6 @@ using Microsoft.VisualStudio.TestTools.UnitTesting;
 namespace Microsoft.Azure.Devices.E2ETests.IotHub.Service
 {
    [TestClass]
-    [Ignore("TODO: Enable when invalid cert server is back online.")]
    [TestCategory("InvalidServiceCertificate")]
    public class IoTHubCertificateValidationE2ETest : E2EMsTestBase
    {
--- a/e2e/test/provisioning/ProvisioningCertificateValidationE2ETest.cs
+++ b/e2e/test/provisioning/ProvisioningCertificateValidationE2ETest.cs
@ -2,6 +2,7 @@
 // Licensed under the MIT license. See LICENSE file in the project root for full license information.

 using System;
+using System.Linq;
 using System.IO;
 using System.Security.Authentication;
 using System.Security.Cryptography.X509Certificates;
@ -16,7 +17,6 @@ using Microsoft.VisualStudio.TestTools.UnitTesting;
 namespace Microsoft.Azure.Devices.E2ETests.Provisioning
 {
    [TestClass]
-    [Ignore("TODO: Enable when invalid cert server is back online.")]
    [TestCategory("InvalidServiceCertificate")]
    public class ProvisioningCertificateValidationE2ETest : E2EMsTestBase
    {
@ -26,7 +26,9 @@ namespace Microsoft.Azure.Devices.E2ETests.Provisioning
        public static void TestClassSetup(TestContext _)
        {
            // Create a folder to hold the DPS client certificates and X509 self-signed certificates. If a folder by the same name already exists, it will be used.
-            s_x509CertificatesFolder = Directory.CreateDirectory($"x509Certificates-{nameof(ProvisioningCertificateValidationE2ETest)}-{Guid.NewGuid()}");
+            // Shorten the folder name to avoid overall file path become too long and cause error in the test
+            string s_folderName = "x509-" + nameof(ProvisioningCertificateValidationE2ETest).Split('.').Last() + "-" + Convert.ToBase64String(Guid.NewGuid().ToByteArray()).Replace('+', '-').Replace('/', '.').Trim('=');
+            s_x509CertificatesFolder = Directory.CreateDirectory(s_folderName);
        }

        [LoggedTestMethod, Timeout(TestTimeoutMilliseconds)]
@ -110,7 +112,8 @@ namespace Microsoft.Azure.Devices.E2ETests.Provisioning

        private async Task TestInvalidServiceCertificate(ProvisioningTransportHandler transport)
        {
-            string certificateSubject = $"{nameof(ProvisioningCertificateValidationE2ETest)}-{Guid.NewGuid()}";
+            // Shorten the file name to avoid overall file path become too long and cause error in the test
+            string certificateSubject = "cert-"+Convert.ToBase64String(Guid.NewGuid().ToByteArray()).Replace('+', '-').Replace('/', '.').Trim('=');
            X509Certificate2Helper.GenerateSelfSignedCertificateFiles(certificateSubject, s_x509CertificatesFolder, Logger);

            using X509Certificate2 cert = X509Certificate2Helper.CreateX509Certificate2FromPfxFile(certificateSubject, s_x509CertificatesFolder);
--- a/vsts/build-test-nuget.yml
+++ b/vsts/build-test-nuget.yml
@ -288,13 +288,127 @@ jobs:
          version: 2.1.x
          performMultiLevelLookup: true
          installationPath: $(Agent.ToolsDirectory)/net
- 
+  
+      - task: Docker@2
+        displayName: "Login to ACR"
+        inputs:
+          command: "login"
+          containerRegistry: "Azure IoT ACR"
+
+      - task: DockerInstaller@0
+        displayName: "Cert Validation - Install Docker CLI"
+        inputs:
+          dockerVersion: '20.10.17'
+
+      - task: PowerShell@2
+        displayName: 'Cert Validation - Setup Certificate Proxy'
+        inputs:
+          targetType: 'inline'
+          script: |
+            Write-Host "============"
+            Write-Host "check docker"
+            Write-Host "============"
+            docker images
+            docker ps -a
+            gci -Path $(Build.SourcesDirectory)/e2e/test/docker -Recurse -Force -Name
+            Write-Host "==========================="
+            Write-Host "uncompress self-signed cert"
+            Write-Host "==========================="
+            gzip -d -N -S ".bin" $(Build.SourcesDirectory)/e2e/test/docker/haproxy/haproxy.bin
+            gci -Path $(Build.SourcesDirectory)/e2e/test/docker -Recurse -Force -Name
+            Write-Host "====================="
+            Write-Host "Docker run containers"
+            Write-Host "====================="
+            docker run -h invalidcertgde1.westus.cloudapp.azure.com --name invalid-gde --expose=443 --expose=5671 --expose=8883 -v $(Build.SourcesDirectory)/e2e/test/docker/haproxy:/usr/local/etc/haproxy:ro -d aziotacr.azurecr.io/haproxy haproxy -f /usr/local/etc/haproxy/haproxygde.cfg
+            docker run -h invalidcertdps1.westus.cloudapp.azure.com --name invalid-dps --expose=443 --expose=5671 --expose=8883 -v $(Build.SourcesDirectory)/e2e/test/docker/haproxy:/usr/local/etc/haproxy:ro -d aziotacr.azurecr.io/haproxy haproxy -f /usr/local/etc/haproxy/haproxydps.cfg
+            docker run -h invalidcertiothub1.westus.cloudapp.azure.com --name invalid-hub --expose=443 --expose=5671 --expose=8883 -v $(Build.SourcesDirectory)/e2e/test/docker/haproxy:/usr/local/etc/haproxy:ro -d aziotacr.azurecr.io/haproxy haproxy -f /usr/local/etc/haproxy/haproxyhub.cfg
+            docker ps -a
+
+      - task: Bash@3
+        displayName: 'Cert Validation - Setup local hostname'
+        name: CVTEST_NET
+        inputs:
+          targetType: 'inline'
+          script: |
+            echo "==============="
+            echo "Inspect network"
+            echo "==============="
+            ip -4 addr
+            export CVTEST_HOST_IP=$(ip -4 addr show eth0 | grep -Po 'inet \K[\d.]+')
+            export CVTEST_HOST_NETWORK=$(ip -4 addr show eth0 | grep -Po 'inet \K[\d.]+/*\d.')
+            export CVTEST_HOST_SUBNET=$(ip -4 addr show eth0 | grep -Po 'inet \K[\d.]+' | grep -Po '[\d]{1,3}.[\d]{1,3}.[\d]{1,3}')
+            export CVTEST_HOST_SUBNET_MASK=$(ip -4 addr show eth0 | grep -Po 'inet \K[\d.]+/*\d.' | grep -Po '/[\d]{1,2}')
+            export CVTEST_CONTAINER_IP=$(ip -4 addr show docker0 | grep -Po 'inet \K[\d.]+')
+            echo "HOST=$CVTEST_HOST_IP"
+            echo "HOST NETWORK=$CVTEST_HOST_NETWORK"
+            echo "HOST SUBNET=$CVTEST_HOST_SUBNET"
+            echo "HOST SUBNET MASK=$CVTEST_HOST_SUBNET_MASK"
+            echo "CONTAINER=$CVTEST_CONTAINER_IP"
+            #echo "##vso[task.setvariable variable=AGENT_HOST;isoutput=true;]$CVTEST_HOST_IP"
+            #echo "##vso[task.setvariable variable=AGENT_NETWORK;isoutput=true;]$CVTEST_HOST_NETWORK"
+            #echo "##vso[task.setvariable variable=AGENT_SUBNET;isoutput=true;]$CVTEST_HOST_SUBNET"
+            #echo "##vso[task.setvariable variable=AGENT_SUBNET_MASK;isoutput=true;]$CVTEST_HOST_SUBNET_MASK"
+            #echo "##vso[task.setvariable variable=AGENT_CONTAINER;isoutput=true;]$CVTEST_CONTAINER_IP"
+            #echo "=========="
+            #echo "Ping hosts"
+            #echo "=========="
+            #ping -c 5 $CVTEST_HOST_IP
+            #ping -c 5 $CVTEST_CONTAINER_IP
+            #echo "=================="
+            #echo "Inspect containers"
+            #echo "=================="
+            #docker ps -a
+            #docker inspect invalid-gde
+            #docker inspect invalid-dps
+            #docker inspect invalid-hub
+            export CVTEST_GDE_IP=$(docker inspect invalid-gde | grep -Po -m 1 '"IPAddress": "\K[\d.]+')
+            export CVTEST_DPS_IP=$(docker inspect invalid-dps | grep -Po -m 1 '"IPAddress": "\K[\d.]+')
+            export CVTEST_HUB_IP=$(docker inspect invalid-hub | grep -Po -m 1 '"IPAddress": "\K[\d.]+')
+            echo "invalid-gde=$CVTEST_GDE_IP"
+            echo "invalid-dps=$CVTEST_DPS_IP"
+            echo "invalid-hub=$CVTEST_HUB_IP"
+            #echo "##vso[task.setvariable variable=AGENT_GDE_IP;isoutput=true;]$CVTEST_GDE_IP"
+            #echo "##vso[task.setvariable variable=AGENT_DPS_IP;isoutput=true;]$CVTEST_DPS_IP"
+            #echo "##vso[task.setvariable variable=AGENT_HUB_IP;isoutput=true;]$CVTEST_HUB_IP"
+            #echo "==============="
+            #echo "Ping containers"
+            #echo "==============="
+            #docker ps -a
+            #ping -c 2 $CVTEST_GDE_IP
+            #ping -c 2 $CVTEST_DPS_IP
+            #ping -c 2 $CVTEST_HUB_IP
+            #cat /etc/hosts
+            echo "================="
+            echo "Update hosts file"
+            echo "================="
+            sudo bash -c 'mv /etc/hosts /etc/hosts.org'
+            sudo bash -c 'cp /etc/hosts.org /etc/hosts'
+            echo "$CVTEST_GDE_IP invalidcertgde1.westus.cloudapp.azure.com"
+            echo "$CVTEST_DPS_IP invalidcertdps1.westus.cloudapp.azure.com"
+            echo "$CVTEST_HUB_IP invalidcertiothub1.westus.cloudapp.azure.com"
+            echo "" >> /tmp/hosts.cvtest
+            echo "# Local host for invalid cert test" >> /tmp/hosts.cvtest
+            echo "$CVTEST_GDE_IP invalidcertgde1.westus.cloudapp.azure.com" >> /tmp/hosts.cvtest
+            echo "$CVTEST_DPS_IP invalidcertdps1.westus.cloudapp.azure.com" >> /tmp/hosts.cvtest
+            echo "$CVTEST_HUB_IP invalidcertiothub1.westus.cloudapp.azure.com" >> /tmp/hosts.cvtest
+            sudo bash -c 'cat /tmp/hosts.cvtest >> /etc/hosts'
+            cat /etc/hosts
+            echo "====================="
+            echo "Ping containers (URL)"
+            echo "====================="
+            docker ps -a
+            route
+            ping -c 2 invalidcertgde1.westus.cloudapp.azure.com
+            ping -c 2 invalidcertdps1.westus.cloudapp.azure.com
+            ping -c 2 invalidcertiothub1.westus.cloudapp.azure.com
+
      - task: Docker@1
        displayName: "Start TPM Simulator"
        inputs:
          containerregistrytype: "Container Registry"
          command: "Run an image"
-          imageName: aziotbld/testtpm
+          azureContainerRegistry: aziotacr.azurecr.io
+          imageName: aziotacr.azurecr.io/aziotbld/testtpm
          containerName: "testtpm-instance"
          ports: |
            127.0.0.1:2321:2321
@ -306,7 +420,8 @@ jobs:
        inputs:
          containerregistrytype: 'Container Registry'
          command: 'Run an image'
-          imageName: aziotbld/testproxy
+          azureContainerRegistry: aziotacr.azurecr.io
+          imageName: aziotacr.azurecr.io/aziotbld/testproxy
          containerName: 'testproxy-instance'
          ports: '127.0.0.1:8888:8888'
          restartPolicy: unlessStopped
--- a/vsts/vsts.yaml
+++ b/vsts/vsts.yaml
@ -146,14 +146,127 @@ jobs:
            performMultiLevelLookup: true
            installationPath: $(Agent.ToolsDirectory)/dotnet

+      - task: Docker@2
+        displayName: "Login to ACR"
+        inputs:
+          command: "login"
+          containerRegistry: "Azure IoT ACR"
+
+      - task: DockerInstaller@0
+        displayName: "Cert Validation - Install Docker CLI"
+        inputs:
+          dockerVersion: '20.10.17'
+
+      - task: PowerShell@2
+        displayName: 'Cert Validation - Setup Certificate Proxy'
+        inputs:
+          targetType: 'inline'
+          script: |
+            Write-Host "============"
+            Write-Host "check docker"
+            Write-Host "============"
+            docker images
+            docker ps -a
+            gci -Path $(Build.SourcesDirectory)/e2e/test/docker -Recurse -Force -Name
+            Write-Host "==========================="
+            Write-Host "uncompress self-signed cert"
+            Write-Host "==========================="
+            gzip -d -N -S ".bin" $(Build.SourcesDirectory)/e2e/test/docker/haproxy/haproxy.bin
+            gci -Path $(Build.SourcesDirectory)/e2e/test/docker -Recurse -Force -Name
+            Write-Host "====================="
+            Write-Host "Docker run containers"
+            Write-Host "====================="
+            docker run -h invalidcertgde1.westus.cloudapp.azure.com --name invalid-gde --expose=443 --expose=5671 --expose=8883 -v $(Build.SourcesDirectory)/e2e/test/docker/haproxy:/usr/local/etc/haproxy:ro -d aziotacr.azurecr.io/haproxy haproxy -f /usr/local/etc/haproxy/haproxygde.cfg
+            docker run -h invalidcertdps1.westus.cloudapp.azure.com --name invalid-dps --expose=443 --expose=5671 --expose=8883 -v $(Build.SourcesDirectory)/e2e/test/docker/haproxy:/usr/local/etc/haproxy:ro -d aziotacr.azurecr.io/haproxy haproxy -f /usr/local/etc/haproxy/haproxydps.cfg
+            docker run -h invalidcertiothub1.westus.cloudapp.azure.com --name invalid-hub --expose=443 --expose=5671 --expose=8883 -v $(Build.SourcesDirectory)/e2e/test/docker/haproxy:/usr/local/etc/haproxy:ro -d aziotacr.azurecr.io/haproxy haproxy -f /usr/local/etc/haproxy/haproxyhub.cfg
+            docker ps -a
+
+      - task: Bash@3
+        displayName: 'Cert Validation - Setup local hostname'
+        name: CVTEST_NET
+        inputs:
+          targetType: 'inline'
+          script: |
+            echo "==============="
+            echo "Inspect network"
+            echo "==============="
+            ip -4 addr
+            export CVTEST_HOST_IP=$(ip -4 addr show eth0 | grep -Po 'inet \K[\d.]+')
+            export CVTEST_HOST_NETWORK=$(ip -4 addr show eth0 | grep -Po 'inet \K[\d.]+/*\d.')
+            export CVTEST_HOST_SUBNET=$(ip -4 addr show eth0 | grep -Po 'inet \K[\d.]+' | grep -Po '[\d]{1,3}.[\d]{1,3}.[\d]{1,3}')
+            export CVTEST_HOST_SUBNET_MASK=$(ip -4 addr show eth0 | grep -Po 'inet \K[\d.]+/*\d.' | grep -Po '/[\d]{1,2}')
+            export CVTEST_CONTAINER_IP=$(ip -4 addr show docker0 | grep -Po 'inet \K[\d.]+')
+            echo "HOST=$CVTEST_HOST_IP"
+            echo "HOST NETWORK=$CVTEST_HOST_NETWORK"
+            echo "HOST SUBNET=$CVTEST_HOST_SUBNET"
+            echo "HOST SUBNET MASK=$CVTEST_HOST_SUBNET_MASK"
+            echo "CONTAINER=$CVTEST_CONTAINER_IP"
+            #echo "##vso[task.setvariable variable=AGENT_HOST;isoutput=true;]$CVTEST_HOST_IP"
+            #echo "##vso[task.setvariable variable=AGENT_NETWORK;isoutput=true;]$CVTEST_HOST_NETWORK"
+            #echo "##vso[task.setvariable variable=AGENT_SUBNET;isoutput=true;]$CVTEST_HOST_SUBNET"
+            #echo "##vso[task.setvariable variable=AGENT_SUBNET_MASK;isoutput=true;]$CVTEST_HOST_SUBNET_MASK"
+            #echo "##vso[task.setvariable variable=AGENT_CONTAINER;isoutput=true;]$CVTEST_CONTAINER_IP"
+            #echo "=========="
+            #echo "Ping hosts"
+            #echo "=========="
+            #ping -c 5 $CVTEST_HOST_IP
+            #ping -c 5 $CVTEST_CONTAINER_IP
+            #echo "=================="
+            #echo "Inspect containers"
+            #echo "=================="
+            #docker ps -a
+            #docker inspect invalid-gde
+            #docker inspect invalid-dps
+            #docker inspect invalid-hub
+            export CVTEST_GDE_IP=$(docker inspect invalid-gde | grep -Po -m 1 '"IPAddress": "\K[\d.]+')
+            export CVTEST_DPS_IP=$(docker inspect invalid-dps | grep -Po -m 1 '"IPAddress": "\K[\d.]+')
+            export CVTEST_HUB_IP=$(docker inspect invalid-hub | grep -Po -m 1 '"IPAddress": "\K[\d.]+')
+            echo "invalid-gde=$CVTEST_GDE_IP"
+            echo "invalid-dps=$CVTEST_DPS_IP"
+            echo "invalid-hub=$CVTEST_HUB_IP"
+            #echo "##vso[task.setvariable variable=AGENT_GDE_IP;isoutput=true;]$CVTEST_GDE_IP"
+            #echo "##vso[task.setvariable variable=AGENT_DPS_IP;isoutput=true;]$CVTEST_DPS_IP"
+            #echo "##vso[task.setvariable variable=AGENT_HUB_IP;isoutput=true;]$CVTEST_HUB_IP"
+            #echo "==============="
+            #echo "Ping containers"
+            #echo "==============="
+            #docker ps -a
+            #ping -c 2 $CVTEST_GDE_IP
+            #ping -c 2 $CVTEST_DPS_IP
+            #ping -c 2 $CVTEST_HUB_IP
+            #cat /etc/hosts
+            echo "================="
+            echo "Update hosts file"
+            echo "================="
+            sudo bash -c 'mv /etc/hosts /etc/hosts.org'
+            sudo bash -c 'cp /etc/hosts.org /etc/hosts'
+            echo "$CVTEST_GDE_IP invalidcertgde1.westus.cloudapp.azure.com"
+            echo "$CVTEST_DPS_IP invalidcertdps1.westus.cloudapp.azure.com"
+            echo "$CVTEST_HUB_IP invalidcertiothub1.westus.cloudapp.azure.com"
+            echo "" >> /tmp/hosts.cvtest
+            echo "# Local host for invalid cert test" >> /tmp/hosts.cvtest
+            echo "$CVTEST_GDE_IP invalidcertgde1.westus.cloudapp.azure.com" >> /tmp/hosts.cvtest
+            echo "$CVTEST_DPS_IP invalidcertdps1.westus.cloudapp.azure.com" >> /tmp/hosts.cvtest
+            echo "$CVTEST_HUB_IP invalidcertiothub1.westus.cloudapp.azure.com" >> /tmp/hosts.cvtest
+            sudo bash -c 'cat /tmp/hosts.cvtest >> /etc/hosts'
+            cat /etc/hosts
+            echo "====================="
+            echo "Ping containers (URL)"
+            echo "====================="
+            docker ps -a
+            route
+            ping -c 2 invalidcertgde1.westus.cloudapp.azure.com
+            ping -c 2 invalidcertdps1.westus.cloudapp.azure.com
+            ping -c 2 invalidcertiothub1.westus.cloudapp.azure.com
+
      - task: Docker@1
        displayName: "Start TPM Simulator"
        inputs:
          containerregistrytype: "Container Registry"
          command: "Run an image"
-          imageName: aziotbld/testtpm
+          azureContainerRegistry: aziotacr.azurecr.io
+          imageName: aziotacr.azurecr.io/aziotbld/testtpm
          containerName: "testtpm-instance"
-
          ports: |
            127.0.0.1:2321:2321
            127.0.0.1:2322:2322
@ -165,7 +278,8 @@ jobs:
        inputs:
          containerregistrytype: "Container Registry"
          command: "Run an image"
-          imageName: aziotbld/testproxy
+          azureContainerRegistry: aziotacr.azurecr.io
+          imageName: aziotacr.azurecr.io/aziotbld/testproxy
          containerName: "testproxy-instance"
          ports: "127.0.0.1:8888:8888"
          restartPolicy: unlessStopped
@ -341,12 +455,6 @@ jobs:
          inputs:
            script: 'choco install dotnet4.5.1'

-      - script: |
-          call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\Common7\Tools\VsDevCmd.bat"
-          sn.exe -Vr *,31bf3856ad364e35
-
-        displayName: "Disable strong name validation"
-
      - script: |
          choco install -y squid