1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
|
#!/usr/bin/env ruby
#
# = Synopsis
#
# Stand-alone certificate authority. Capable of generating certificates
# but mostly meant for signing certificate requests from puppet clients.
#
# = Usage
#
# puppetca [-h|--help] [-V|--version] [-d|--debug] [-v|--verbose]
# [-g|--generate] [-l|--list] [-s|--sign]
# [-c|--clean] [host]
#
# = Description
#
# Because the puppetmasterd daemon defaults to not signing client certificate
# requests, this script is available for signing outstanding requests. It
# can be used to list outstanding requests and then either sign them individually
# or sign all of them.
#
# = Options
#
# Note that any configuration parameter that's valid in the configuration file
# is also a valid long argument. For example, 'ssldir' is a valid configuration
# parameter, so you can specify '--ssldir <directory>' as an argument.
#
# See the configuration file for the full list of acceptable parameters.
#
# all::
# Operate on all outstanding requests. Only makes sense with '--sign'.
#
# clean::
# Remove all traces of a host. This is useful when rebuilding hosts.
#
# debug::
# Enable full debugging.
#
# generate::
# Generate a certificate for a named client. A certificate/keypair will be
# generated for each client named on the command line.
#
# help::
# Print this help message
#
# list::
# List outstanding certificate requests.
#
# revoke::
# Revoke the certificate of a client. The certificate can be specified
# either by its serial number, given as a decimal number or a hexadecimal
# number prefixed by '0x', or by its hostname. The certificate is revoked
# by adding it to the Certificate Revocation List given by the 'cacrl'
# config parameter. Note that the puppetmasterd needs to be restarted
# after revoking certificates.
#
# sign::
# Sign an outstanding certificate request. Unless '--all' is specified,
# hosts must be listed after all flags.
#
# verbose::
# Enable verbosity.
#
# = Example
#
# $ puppetca -l
# culain.madstop.com
# $ puppetca -s culain.madstop.com
#
# = Author
#
# Luke Kanies
#
# = Copyright
#
# Copyright (c) 2005 Reductive Labs, LLC
# Licensed under the GNU Public License
require 'puppet'
require 'puppet/sslcertificates'
require 'getoptlong'
$haveusage = true
begin
require 'rdoc/usage'
rescue
$haveusage = false
end
options = [
[ "--all", "-a", GetoptLong::NO_ARGUMENT ],
[ "--clean", "-c", GetoptLong::NO_ARGUMENT ],
[ "--debug", "-d", GetoptLong::NO_ARGUMENT ],
[ "--generate", "-g", GetoptLong::NO_ARGUMENT ],
[ "--help", "-h", GetoptLong::NO_ARGUMENT ],
[ "--list", "-l", GetoptLong::NO_ARGUMENT ],
[ "--revoke", "-r", GetoptLong::NO_ARGUMENT ],
[ "--sign", "-s", GetoptLong::NO_ARGUMENT ],
[ "--verbose", "-v", GetoptLong::NO_ARGUMENT ]
]
# Add all of the config parameters as valid options.
Puppet.config.addargs(options)
result = GetoptLong.new(*options)
mode = nil
all = false
generate = nil
begin
result.each { |opt,arg|
case opt
when "--all"
all = true
when "--clean"
mode = :clean
when "--debug"
Puppet::Log.level = :debug
when "--generate"
generate = arg
mode = :generate
when "--help"
if $haveusage
RDoc::usage && exit
else
puts "No help available unless you have RDoc::usage installed"
exit
end
when "--list"
mode = :list
when "--revoke"
mode = :revoke
when "--sign"
mode = :sign
when "--verbose"
Puppet::Log.level = :info
else
Puppet.config.handlearg(opt, arg)
end
}
rescue GetoptLong::InvalidOption => detail
$stderr.puts "Try '#{$0} --help'"
#if $haveusage
# RDoc::usage_no_exit('usage')
#end
exit(1)
end
# Now parse the config
if Puppet[:config] and File.exists? Puppet[:config]
Puppet.config.parse(Puppet[:config])
end
Puppet.genconfig
Puppet.genmanifest
begin
ca = Puppet::SSLCertificates::CA.new()
rescue => detail
if Puppet[:debug]
puts detail.backtrace
end
puts detail.to_s
exit(23)
end
unless mode
$stderr.puts "You must specify --list or --sign"
exit(12)
end
if mode == :generate or mode == :clean or mode == :revoke
hosts = ARGV
else
hosts = ca.list
unless hosts.length > 0
puts "No certificates to sign"
exit(0)
end
end
case mode
when :list
puts hosts.join("\n")
when :clean
hosts.each do |host|
ca.clean(host)
end
when :sign
unless ARGV.length > 0 or all
$stderr.puts(
"You must specify to sign all certificates or you must specify hostnames"
)
exit(24)
end
unless all
ARGV.each { |host|
unless hosts.include?(host)
$stderr.puts "No waiting request for %s" % host
end
}
hosts = hosts.find_all { |host|
ARGV.include?(host)
}
end
hosts.each { |host|
begin
csr = ca.getclientcsr(host)
rescue => detail
$stderr.puts "Could not retrieve request for %s: %s" % [host, detail]
end
begin
ca.sign(csr)
$stderr.puts "Signed %s" % host
rescue => detail
$stderr.puts "Could not sign request for %s: %s" % [host, detail]
end
begin
ca.removeclientcsr(host)
rescue => detail
$stderr.puts "Could not remove request for %s: %s" % [host, detail]
end
}
when :generate
# we need to generate a certificate for a host
hosts.each { |host|
puts "Generating certificate for %s" % host
cert = Puppet::SSLCertificates::Certificate.new(
:name => host
)
cert.mkcsr
signedcert, cacert = ca.sign(cert.csr)
cert.cert = signedcert
cert.cacert = cacert
cert.write
}
when :revoke
hosts.each { |h|
serial = nil
if h =~ /^0x[0-9a-f]+$/
serial = h.to_i(16)
elsif h =~ /^[0-9]+$/
serial = h.to_i
else
cert = ca.getclientcert(h)[0]
if cert.nil?
$stderr.puts "Could not find client certificate for %s" % h
else
serial = cert.serial
end
end
unless serial.nil?
ca.revoke(serial)
puts "Revoked certificate with serial #{serial}"
end
}
else
$stderr.puts "Invalid mode %s" % mode
exit(42)
end
# $Id$
|
