Diffstat (limited to 'lib')
-rw-r--r--lib/puppet/ssl/certificate_authority.rb11
-rw-r--r--lib/puppet/ssl/certificate_authority/interface.rb10
2 files changed, 19 insertions, 2 deletions
diff --git a/lib/puppet/ssl/certificate_authority.rb b/lib/puppet/ssl/certificate_authority.rb
index 4a7d4615b..10d13c28e 100644
--- a/lib/puppet/ssl/certificate_authority.rb
+++ b/lib/puppet/ssl/certificate_authority.rb
@@ -17,6 +17,14 @@ class Puppet::SSL::CertificateAuthority
require 'puppet/ssl/certificate_authority/interface'
+ class CertificateVerificationError < RuntimeError
+ attr_accessor :error_code
+
+ def initialize(code)
+ @error_code = code
+ end
+ end
+
class << self
include Puppet::Util::Cacher
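Review bot: `CertificateVerificationError#initialize` never calls `super`, so an instance that is not raised through the two-argument `raise` form carries no message beyond its class name, and `error_code` is exposed with a writer although nothing should change it after construction. Prefer `attr_reader :error_code` and `super("certificate verification failed (OpenSSL verify error #{code})")` inside `initialize`, which keeps `to_s` meaningful on every path while still letting `raise Klass.new(code), msg` override the message. A short comment above the class would also help readers, e.g. `# Raised by verify when the X509 store rejects a certificate; error_code is the OpenSSL X509_V_ERR_* value from store.error`. Whether it should derive from `RuntimeError` or from a project error base class is not visible here; worth confirming against the rest of the file.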
@@ -276,9 +284,10 @@ class Puppet::SSL::CertificateAuthority
store.add_file Puppet[:cacert]
store.add_crl crl.content if self.crl
store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
+ store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK
unless store.verify(cert.content)
- raise "Certificate for %s failed verification" % name
+ raise CertificateVerificationError.new(store.error), store.error_string
end
end
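Review bot: The CRL-check flags on the `store.flags` line are set unconditionally, while the CRL itself is only added two lines earlier when `self.crl` is truthy; with `V_FLAG_CRL_CHECK` set and no CRL loaded, OpenSSL's verify fails on an "unable to get certificate CRL" error, so a CA configured without a CRL would appear to reject every signed certificate. Gate the flags on the same condition: `store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK if self.crl`. The new `raise` also drops the host name the old message carried, so callers other than the interface listing (which prefixes the host itself) only see a bare `store.error_string` such as "certificate revoked"; consider `raise CertificateVerificationError.new(store.error), "Certificate for #{name} failed verification: #{store.error_string}"`. The enclosing `verify` method begins before this hunk.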
diff --git a/lib/puppet/ssl/certificate_authority/interface.rb b/lib/puppet/ssl/certificate_authority/interface.rb
index e4552950c..3f91434e3 100644
--- a/lib/puppet/ssl/certificate_authority/interface.rb
+++ b/lib/puppet/ssl/certificate_authority/interface.rb
@@ -60,8 +60,16 @@ class Puppet::SSL::CertificateAuthority::Interface
end
hosts.uniq.sort.each do |host|
- if signed.include?(host)
+ invalid = false
+ begin
+ ca.verify(host) unless requests.include?(host)
+ rescue Puppet::SSL::CertificateAuthority::CertificateVerificationError => details
+ invalid = details.to_s
+ end
+ if not invalid and signed.include?(host)
puts "+ " + host
+ elsif invalid
+ puts "- " + host + " (" + invalid + ")"
else
puts host
end