Diffstat (limited to 'bin')
-rwxr-xr-xbin/puppet4
-rwxr-xr-xbin/puppetca55
-rwxr-xr-xbin/puppetd6
3 files changed, 58 insertions, 7 deletions
diff --git a/bin/puppet b/bin/puppet
index 13e99e2a6..f5d230a7a 100755
--- a/bin/puppet
+++ b/bin/puppet
@@ -198,9 +198,13 @@ begin
# Compile our catalog
catalog = Puppet::Node::Catalog.find(node)
+ exit(0) if Puppet[:parseonly]
+
# Translate it to a RAL catalog
catalog = catalog.to_ral
+ catalog.finalize
+
# And apply it
catalog.apply
rescue => detail
diff --git a/bin/puppetca b/bin/puppetca
index 987295b7a..3ad896b55 100755
--- a/bin/puppetca
+++ b/bin/puppetca
@@ -10,7 +10,7 @@
#
# puppetca [-h|--help] [-V|--version] [-d|--debug] [-v|--verbose]
# [-g|--generate] [-l|--list] [-s|--sign] [-r|--revoke]
-# [-c|--clean] [host]
+# [-p|--print] [-c|--clean] [--verify] [host]
#
# = Description
#
@@ -55,6 +55,9 @@
# List outstanding certificate requests. If '--all' is specified,
# signed certificates are also listed, prefixed by '+'.
#
+# print::
+# Print the full-text version of a host's certificate.
+#
# revoke::
# Revoke the certificate of a client. The certificate can be specified
# either by its serial number, given as a decimal number or a hexadecimal
@@ -73,6 +76,9 @@
# version::
# Print the puppet version number and exit.
#
+# verify::
+# Verify the named certificate against the local CA certificate.
+#
# = Example
#
# $ puppetca -l
@@ -99,8 +105,10 @@ options = [
[ "--generate", "-g", GetoptLong::NO_ARGUMENT ],
[ "--help", "-h", GetoptLong::NO_ARGUMENT ],
[ "--list", "-l", GetoptLong::NO_ARGUMENT ],
+ [ "--print", "-p", GetoptLong::NO_ARGUMENT ],
[ "--revoke", "-r", GetoptLong::NO_ARGUMENT ],
[ "--sign", "-s", GetoptLong::NO_ARGUMENT ],
+ [ "--verify", GetoptLong::NO_ARGUMENT ],
[ "--version", "-V", GetoptLong::NO_ARGUMENT ],
[ "--verbose", "-v", GetoptLong::NO_ARGUMENT ]
]
@@ -114,13 +122,13 @@ mode = nil
all = false
generate = nil
+modes = [:clean, :list, :revoke, :generate, :sign, :print, :verify]
+
begin
result.each { |opt,arg|
case opt
when "--all"
all = true
- when "--clean"
- mode = :clean
when "--debug"
Puppet::Util::Log.level = :debug
when "--generate"
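Review bot: The new `modes` list includes `:generate`, but the explicit `when "--generate"` branch above still matches that option before the `else` fallback ever sees it, so the `:generate` entry is unreachable through the new dispatch; from the hunk I cannot see what that branch sets (presumably `generate`, not `mode`), so either drop `:generate` from `modes` or fold the branch into the generic handling so there is one path per mode. The surrounding `begin` block continues past this hunk.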
@@ -145,7 +153,12 @@ begin
when "--verbose"
Puppet::Util::Log.level = :info
else
- Puppet.settings.handlearg(opt, arg)
+ tmp = opt.sub("--", '').to_sym
+ if modes.include?(tmp)
+ mode = tmp
+ else
+ Puppet.settings.handlearg(opt, arg)
+ end
end
}
rescue GetoptLong::InvalidOption => detail
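Review bot: In the new `else` branch, `mode = tmp` silently overwrites any mode set by an earlier flag, so `puppetca --list --clean host` quietly runs the last one given; since this branch is now the single place a mode is chosen, it is the natural spot to reject conflicting flags, e.g. `raise ArgumentError, "Only one mode may be specified" if mode && mode != tmp` before the assignment. The `opt.sub("--", '').to_sym` derivation is safe here because `opt` is one of the canonical names from the `options` table, not arbitrary user text; a one-line comment saying so would save the next reader from worrying about `to_sym` on input.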
@@ -174,7 +187,7 @@ unless mode
exit(12)
end
-if [:generate, :clean, :revoke, :list].include?(mode)
+if [:verify, :print, :generate, :clean, :revoke, :list].include?(mode)
hosts = ARGV.collect { |h| h.downcase }
end
@@ -271,6 +284,11 @@ when :generate
cert.cacert = cacert
cert.write
}
+when :print
+ hosts.each { |h|
+ cert = ca.getclientcert(h)[0]
+ puts cert.to_text
+ }
when :revoke
hosts.each { |h|
serial = nil
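Review bot: The `:print` branch calls `cert.to_text` straight on `ca.getclientcert(h)[0]`, so a host with no certificate turns into a `NoMethodError` on `nil` (assuming `getclientcert` returns `nil`/`[nil]` for unknown hosts, as the sibling `:verify` branch's missing-file check suggests) rather than the "no certificate found" message the `:verify` mode prints. Mirror that handling: `cert = ca.getclientcert(h)[0]` followed by `if cert then puts cert.to_text else puts "#{h}: no certificate found" end`. The `case` statement this branch belongs to starts and ends outside the hunk.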
@@ -291,6 +309,33 @@ when :revoke
puts "Revoked certificate with serial #{serial}"
end
}
+when :verify
+ unless ssl = %x{which openssl}.chomp
+ raise "Can't verify certificates without the openssl binary and could not find one"
+ end
+ success = true
+
+ cacert = Puppet[:localcacert]
+
+ hosts.each do |host|
+ print "%s: " % host
+ file = ca.host2certfile(host)
+ unless FileTest.exist?(file)
+ puts "no certificate found"
+ success = false
+ next
+ end
+
+
+ command = %{#{ssl} verify -CAfile #{cacert} #{file}}
+ output = %x{#{command}}
+ if $? == 0
+ puts "valid"
+ else
+ puts output
+ success = false
+ end
+ end
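Review bot: The openssl guard at the top of `:verify` never fires, because `%x{which openssl}.chomp` yields `""` when the binary is absent and an empty string is truthy in Ruby, so `ssl` is `""` and the command later runs as ` verify -CAfile …`, i.e. a bare `verify` through the shell; test for `ssl.empty?` instead. The command is also assembled by string interpolation and run through a shell, so a host name (from `ARGV`) or a CA path containing spaces or shell metacharacters breaks or alters the command; passing the arguments as an array avoids the shell entirely (if the target Ruby lacks array-form `IO.popen`, shell-quote the two paths instead). Prefer `$?.success?` over `$? == 0`, and note that `success` is set in this hunk but not read anywhere visible, so unless the code after the `case` uses it the verify mode exits 0 even when a certificate fails. The `case` statement continues outside the hunk.

```ruby
when :verify
    ssl = %x{which openssl}.chomp
    if ssl.empty?
        raise "Can't verify certificates without the openssl binary and could not find one"
    end
    # … unchanged: success flag, cacert lookup, per-host loop header and missing-file check …
        # Array form runs openssl directly, so host-derived paths are never shell-parsed.
        output = IO.popen([ssl, "verify", "-CAfile", cacert, file]) { |io| io.read }
        if $?.success?
            puts "valid"
        # … unchanged: failure branch printing output and clearing success …
```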
else
$stderr.puts "Invalid mode %s" % mode
exit(42)
diff --git a/bin/puppetd b/bin/puppetd
index 1235a36fe..297d4876d 100755
--- a/bin/puppetd
+++ b/bin/puppetd
@@ -328,7 +328,7 @@ if Puppet[:daemonize]
client.daemonize
end
-unless client.read_cert
+unless Puppet::Network::HttpPool.read_cert
# If we don't already have the certificate, then create a client to
# request one. Use the special ca stuff, don't use the normal server and port.
caclient = Puppet::Network::Client.ca.new()
@@ -350,7 +350,9 @@ unless client.read_cert
end
# Now read the new cert in.
- if client.read_cert
+ if Puppet::Network::HttpPool.read_cert
+ # If we read it in, then get rid of our existing http connection.
+ client.recycle_connection
Puppet.notice "Got signed certificate"
else
Puppet.err "Could not read certificates after retrieving them"