1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
|
#!/usr/bin/ruby
#
# = Synopsis
#
# Stand-alone certificate authority. Capable of generating certificates
# but mostly meant for signing certificate requests from puppet clients.
#
# = Usage
#
# puppetca [-h|--help] [-V|--version] [-d|--debug] [-v|--verbose]
# [-g|--generate] [-l|--list] [-s|--sign]
#
# = Description
#
# Because the puppetmasterd daemon defaults to not signing client certificate
# requests, this script is available for signing outstanding requests. It
# can be used to list outstanding requests and then either sign them individually
# or sign all of them.
#
# = Options
#
# Note that any configuration parameter that's valid in the configuration file
# is also a valid long argument. For example, 'ssldir' is a valid configuration
# parameter, so you can specify '--ssldir <directory>' as an argument.
#
# See the configuration file for the full list of acceptable parameters.
#
# all::
# Operate on all outstanding requests. Only makes sense with '--sign'.
#
# debug::
# Enable full debugging.
#
# generate::
# Generate a certificate for a named client. A certificate/keypair will be
# generated for each client named on the command line.
#
# help::
# Print this help message
#
# list::
# List outstanding certificate requests.
#
# sign::
# Sign an outstanding certificate request. Unless '--all' is specified,
# hosts must be listed after all flags.
#
# verbose::
# Enable verbosity.
#
# = Example
#
# $ puppetca -l
# culain.madstop.com
# $ puppetca -s culain.madstop.com
#
# = Author
#
# Luke Kanies
#
# = Copyright
#
# Copyright (c) 2005 Reductive Labs, LLC
# Licensed under the GNU Public License
require 'puppet'
require 'puppet/sslcertificates'
require 'getoptlong'
$haveusage = true
begin
require 'rdoc/usage'
rescue LoadError
$haveusage = false
end
options = [
[ "--all", "-a", GetoptLong::NO_ARGUMENT ],
[ "--debug", "-d", GetoptLong::NO_ARGUMENT ],
[ "--generate", "-g", GetoptLong::NO_ARGUMENT ],
[ "--help", "-h", GetoptLong::NO_ARGUMENT ],
[ "--list", "-l", GetoptLong::NO_ARGUMENT ],
[ "--sign", "-s", GetoptLong::NO_ARGUMENT ],
[ "--verbose", "-v", GetoptLong::NO_ARGUMENT ]
]
# Add all of the config parameters as valid options.
Puppet.config.addargs(options)
result = GetoptLong.new(*options)
mode = nil
all = false
generate = nil
begin
result.each { |opt,arg|
case opt
when "--all"
all = true
when "--debug"
Puppet::Log.level = :debug
when "--generate"
generate = arg
mode = :generate
when "--help"
if $haveusage
RDoc::usage && exit
else
puts "No help available unless you have RDoc::usage installed"
exit
end
when "--list"
mode = :list
when "--sign"
mode = :sign
when "--verbose"
Puppet::Log.level = :info
else
Puppet.config.handlearg(opt, arg)
end
}
rescue GetoptLong::InvalidOption => detail
$stderr.puts "Try '#{$0} --help'"
#if $haveusage
# RDoc::usage_no_exit('usage')
#end
exit(1)
end
# Now parse the config
if Puppet[:config] and File.exists? Puppet[:config]
Puppet.config.parse(Puppet[:config])
end
Puppet.genconfig
Puppet.genmanifest
Puppet::Util.chuser
begin
ca = Puppet::SSLCertificates::CA.new()
rescue => detail
puts detail.to_s
exit(23)
end
unless mode
$stderr.puts "You must specify --list or --sign"
exit(12)
end
hosts = ca.list
unless hosts.length > 0 or mode == :generate
Puppet.info "No waiting requests"
exit(0)
end
case mode
when :list
puts hosts.join("\n")
when :sign
unless ARGV.length > 0 or all
$stderr.puts(
"You must specify to sign all certificates or you must specify hostnames"
)
exit(24)
end
unless all
ARGV.each { |host|
unless hosts.include?(host)
$stderr.puts "No waiting request for %s" % host
end
}
hosts = hosts.find_all { |host|
ARGV.include?(host)
}
end
hosts.each { |host|
begin
csr = ca.getclientcsr(host)
rescue => detail
$stderr.puts "Could not retrieve request for %s: %s" % [host, detail]
end
begin
ca.sign(csr)
$stderr.puts "Signed %s" % host
rescue => detail
$stderr.puts "Could not sign request for %s: %s" % [host, detail]
end
begin
ca.removeclientcsr(host)
rescue => detail
$stderr.puts "Could not remove request for %s: %s" % [host, detail]
end
}
when :generate
# we need to generate a certificate for a host
unless ARGV.length > 0
$stderr.puts "You must specify hosts to generate certs for"
exit(84)
end
ARGV.each { |host|
puts "Generating certificate for %s" % host
cert = Puppet::SSLCertificates::Certificate.new(
:name => host
)
cert.mkcsr
signedcert, cacert = ca.sign(cert.csr)
cert.cert = signedcert
cert.cacert = cacert
cert.write
}
else
$stderr.puts "Invalid mode %s" % mode
exit(42)
end
# $Id$
|
