diff options
Diffstat (limited to 'lib')
-rw-r--r-- | lib/puppet/ssl/certificate_authority.rb | 11 | ||||
-rw-r--r-- | lib/puppet/ssl/certificate_authority/interface.rb | 10 |
2 files changed, 19 insertions, 2 deletions
diff --git a/lib/puppet/ssl/certificate_authority.rb b/lib/puppet/ssl/certificate_authority.rb index 4a7d4615b..10d13c28e 100644 --- a/lib/puppet/ssl/certificate_authority.rb +++ b/lib/puppet/ssl/certificate_authority.rb @@ -17,6 +17,14 @@ class Puppet::SSL::CertificateAuthority require 'puppet/ssl/certificate_authority/interface' + class CertificateVerificationError < RuntimeError + attr_accessor :error_code + + def initialize(code) + @error_code = code + end + end + class << self include Puppet::Util::Cacher @@ -276,9 +284,10 @@ class Puppet::SSL::CertificateAuthority store.add_file Puppet[:cacert] store.add_crl crl.content if self.crl store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT + store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK unless store.verify(cert.content) - raise "Certificate for %s failed verification" % name + raise CertificateVerificationError.new(store.error), store.error_string end end diff --git a/lib/puppet/ssl/certificate_authority/interface.rb b/lib/puppet/ssl/certificate_authority/interface.rb index e4552950c..3f91434e3 100644 --- a/lib/puppet/ssl/certificate_authority/interface.rb +++ b/lib/puppet/ssl/certificate_authority/interface.rb @@ -60,8 +60,16 @@ class Puppet::SSL::CertificateAuthority::Interface end hosts.uniq.sort.each do |host| - if signed.include?(host) + invalid = false + begin + ca.verify(host) unless requests.include?(host) + rescue Puppet::SSL::CertificateAuthority::CertificateVerificationError => details + invalid = details.to_s + end + if not invalid and signed.include?(host) puts "+ " + host + elsif invalid + puts "- " + host + " (" + invalid + ")" else puts host end |