1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
|
#!/usr/bin/env ruby
#
# = Synopsis
#
# Stand-alone certificate authority. Capable of generating certificates
# but mostly meant for signing certificate requests from puppet clients.
#
# = Usage
#
# puppetca [-h|--help] [-V|--version] [-d|--debug] [-v|--verbose]
# [-g|--generate] [-l|--list] [-s|--sign] [-r|--revoke]
# [-p|--print] [-c|--clean] [--verify] [host]
#
# = Description
#
# Because the puppetmasterd daemon defaults to not signing client certificate
# requests, this script is available for signing outstanding requests. It
# can be used to list outstanding requests and then either sign them individually
# or sign all of them.
#
# = Options
#
# Note that any configuration parameter that's valid in the configuration file
# is also a valid long argument. For example, 'ssldir' is a valid configuration
# parameter, so you can specify '--ssldir <directory>' as an argument.
#
# See the configuration file documentation at
# http://reductivelabs.com/projects/puppet/reference/configref.html for
# the full list of acceptable parameters. A commented list of all
# configuration options can also be generated by running puppetca with
# '--genconfig'.
#
# all::
# Operate on all items. Currently only makes sense with '--sign',
# '--clean', or '--list'.
#
# clean::
# Remove all files related to a host from puppetca's storage. This is
# useful when rebuilding hosts, since new certificate signing requests
# will only be honored if puppetca does not have a copy of a signed
# certificate for that host. The certificate of the host remains valid.
# If '--all' is specified then all host certificates, both signed and
# unsigned, will be removed.
#
# debug::
# Enable full debugging.
#
# generate::
# Generate a certificate for a named client. A certificate/keypair will be
# generated for each client named on the command line.
#
# help::
# Print this help message
#
# list::
# List outstanding certificate requests. If '--all' is specified,
# signed certificates are also listed, prefixed by '+'.
#
# print::
# Print the full-text version of a host's certificate.
#
# revoke::
# Revoke the certificate of a client. The certificate can be specified
# either by its serial number, given as a decimal number or a hexadecimal
# number prefixed by '0x', or by its hostname. The certificate is revoked
# by adding it to the Certificate Revocation List given by the 'cacrl'
# config parameter. Note that the puppetmasterd needs to be restarted
# after revoking certificates.
#
# sign::
# Sign an outstanding certificate request. Unless '--all' is specified,
# hosts must be listed after all flags.
#
# verbose::
# Enable verbosity.
#
# version::
# Print the puppet version number and exit.
#
# verify::
# Verify the named certificate against the local CA certificate.
#
# = Example
#
# $ puppetca -l
# culain.madstop.com
# $ puppetca -s culain.madstop.com
#
# = Author
#
# Luke Kanies
#
# = Copyright
#
# Copyright (c) 2005 Reductive Labs, LLC
# Licensed under the GNU Public License
require 'puppet'
require 'puppet/ssl/certificate_authority'
require 'getoptlong'
options = [
[ "--all", "-a", GetoptLong::NO_ARGUMENT ],
[ "--clean", "-c", GetoptLong::NO_ARGUMENT ],
[ "--debug", "-d", GetoptLong::NO_ARGUMENT ],
[ "--generate", "-g", GetoptLong::NO_ARGUMENT ],
[ "--help", "-h", GetoptLong::NO_ARGUMENT ],
[ "--list", "-l", GetoptLong::NO_ARGUMENT ],
[ "--print", "-p", GetoptLong::NO_ARGUMENT ],
[ "--revoke", "-r", GetoptLong::NO_ARGUMENT ],
[ "--sign", "-s", GetoptLong::NO_ARGUMENT ],
[ "--verify", GetoptLong::NO_ARGUMENT ],
[ "--version", "-V", GetoptLong::NO_ARGUMENT ],
[ "--verbose", "-v", GetoptLong::NO_ARGUMENT ]
]
# Add all of the config parameters as valid options.
Puppet.settings.addargs(options)
result = GetoptLong.new(*options)
modes = Puppet::SSL::CertificateAuthority::Interface::INTERFACE_METHODS
all = false
mode = nil
begin
result.each { |opt,arg|
case opt
when "--clean"
mode = :destroy
when "--all"
all = true
when "--debug"
Puppet::Util::Log.level = :debug
when "--help"
if Puppet.features.usage?
RDoc::usage && exit
else
puts "No help available unless you have RDoc::usage installed"
exit
end
when "--version"
puts "%s" % Puppet.version
exit
when "--verbose"
Puppet::Util::Log.level = :info
else
tmp = opt.sub("--", '').to_sym
if modes.include?(tmp)
mode = tmp
else
Puppet.settings.handlearg(opt, arg)
end
end
}
rescue GetoptLong::InvalidOption => detail
$stderr.puts "Try '#{$0} --help'"
exit(1)
end
# Now parse the config
Puppet.parse_config
if Puppet.settings.print_configs?
exit(Puppet.settings.print_configs ? 0 : 1)
end
Puppet::Util::Log.newdestination :console
Puppet::SSL::Host.ca_location = :local
begin
ca = Puppet::SSL::CertificateAuthority.new
rescue => detail
puts detail.backtrace if Puppet[:trace]
puts detail.to_s
exit(23)
end
unless mode
$stderr.puts "You must specify a mode; see the output from --help"
exit(12)
end
if all
hosts = :all
else
hosts = ARGV.collect { |h| h.downcase }
end
begin
ca.apply(mode, :to => hosts)
rescue => detail
puts detail.backtrace if Puppet[:trace]
puts detail.to_s
exit(24)
end
|
