1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
|
#!/usr/bin/env ruby
#
# = Synopsis
#
# Stand-alone certificate authority. Capable of generating certificates
# but mostly meant for signing certificate requests from puppet clients.
#
# = Usage
#
# puppetca [-h|--help] [-V|--version] [-d|--debug] [-v|--verbose]
# [-g|--generate] [-l|--list] [-s|--sign] [-r|--revoke]
# [-p|--print] [-c|--clean] [--verify] [host]
#
# = Description
#
# Because the puppetmasterd daemon defaults to not signing client certificate
# requests, this script is available for signing outstanding requests. It
# can be used to list outstanding requests and then either sign them individually
# or sign all of them.
#
# = Options
#
# Note that any configuration parameter that's valid in the configuration file
# is also a valid long argument. For example, 'ssldir' is a valid configuration
# parameter, so you can specify '--ssldir <directory>' as an argument.
#
# See the configuration file documentation at
# http://reductivelabs.com/projects/puppet/reference/configref.html for
# the full list of acceptable parameters. A commented list of all
# configuration options can also be generated by running puppetca with
# '--genconfig'.
#
# all::
# Operate on all outstanding requests. Only makes sense with '--sign',
# or '--list'.
#
# clean::
# Remove all files related to a host from puppetca's storage. This is
# useful when rebuilding hosts, since new certificate signing requests
# will only be honored if puppetca does not have a copy of a signed
# certificate for that host. The certificate of the host remains valid.
#
# debug::
# Enable full debugging.
#
# generate::
# Generate a certificate for a named client. A certificate/keypair will be
# generated for each client named on the command line.
#
# help::
# Print this help message
#
# list::
# List outstanding certificate requests. If '--all' is specified,
# signed certificates are also listed, prefixed by '+'.
#
# print::
# Print the full-text version of a host's certificate.
#
# revoke::
# Revoke the certificate of a client. The certificate can be specified
# either by its serial number, given as a decimal number or a hexadecimal
# number prefixed by '0x', or by its hostname. The certificate is revoked
# by adding it to the Certificate Revocation List given by the 'cacrl'
# config parameter. Note that the puppetmasterd needs to be restarted
# after revoking certificates.
#
# sign::
# Sign an outstanding certificate request. Unless '--all' is specified,
# hosts must be listed after all flags.
#
# verbose::
# Enable verbosity.
#
# version::
# Print the puppet version number and exit.
#
# verify::
# Verify the named certificate against the local CA certificate.
#
# = Example
#
# $ puppetca -l
# culain.madstop.com
# $ puppetca -s culain.madstop.com
#
# = Author
#
# Luke Kanies
#
# = Copyright
#
# Copyright (c) 2005 Reductive Labs, LLC
# Licensed under the GNU Public License
require 'puppet'
require 'puppet/sslcertificates'
require 'getoptlong'
options = [
[ "--all", "-a", GetoptLong::NO_ARGUMENT ],
[ "--clean", "-c", GetoptLong::NO_ARGUMENT ],
[ "--debug", "-d", GetoptLong::NO_ARGUMENT ],
[ "--generate", "-g", GetoptLong::NO_ARGUMENT ],
[ "--help", "-h", GetoptLong::NO_ARGUMENT ],
[ "--list", "-l", GetoptLong::NO_ARGUMENT ],
[ "--print", "-p", GetoptLong::NO_ARGUMENT ],
[ "--revoke", "-r", GetoptLong::NO_ARGUMENT ],
[ "--sign", "-s", GetoptLong::NO_ARGUMENT ],
[ "--verify", GetoptLong::NO_ARGUMENT ],
[ "--version", "-V", GetoptLong::NO_ARGUMENT ],
[ "--verbose", "-v", GetoptLong::NO_ARGUMENT ]
]
# Add all of the config parameters as valid options.
Puppet.settings.addargs(options)
result = GetoptLong.new(*options)
mode = nil
all = false
generate = nil
modes = [:clean, :list, :revoke, :generate, :sign, :print, :verify]
begin
result.each { |opt,arg|
case opt
when "--all"
all = true
when "--debug"
Puppet::Util::Log.level = :debug
when "--generate"
generate = arg
mode = :generate
when "--help"
if Puppet.features.usage?
RDoc::usage && exit
else
puts "No help available unless you have RDoc::usage installed"
exit
end
when "--list"
mode = :list
when "--revoke"
mode = :revoke
when "--sign"
mode = :sign
when "--version"
puts "%s" % Puppet.version
exit
when "--verbose"
Puppet::Util::Log.level = :info
else
tmp = opt.sub("--", '').to_sym
if modes.include?(tmp)
mode = tmp
else
Puppet.settings.handlearg(opt, arg)
end
end
}
rescue GetoptLong::InvalidOption => detail
$stderr.puts "Try '#{$0} --help'"
exit(1)
end
# Now parse the config
Puppet.parse_config
Puppet.genconfig
Puppet.genmanifest
begin
ca = Puppet::SSLCertificates::CA.new()
rescue => detail
if Puppet[:debug]
puts detail.backtrace
end
puts detail.to_s
exit(23)
end
unless mode
$stderr.puts "You must specify a mode; see the output from --help"
exit(12)
end
if [:verify, :print, :generate, :clean, :revoke, :list].include?(mode)
hosts = ARGV.collect { |h| h.downcase }
end
if [:sign, :list].include?(mode)
waiting = ca.list
unless waiting.length > 0 or (mode == :list and all)
puts "No certificates to sign"
if ARGV.length > 0
exit(17)
else
exit(0)
end
end
end
case mode
when :list
waiting = ca.list
if waiting.length > 0
puts waiting.join("\n")
end
if all
puts ca.list_signed.collect { |cert | cert.sub(/^/,"+ ") }.join("\n")
end
when :clean
if hosts.empty?
$stderr.puts "You must specify one or more hosts to clean"
exit(24)
end
cleaned = false
hosts.each do |host|
cert = ca.getclientcert(host)[0]
if cert.nil?
$stderr.puts "Could not find client certificate for %s" % host
next
end
ca.clean(host)
cleaned = true
end
unless cleaned
exit(27)
end
when :sign
to_sign = ARGV.collect { |h| h.downcase }
unless to_sign.length > 0 or all
$stderr.puts(
"You must specify to sign all certificates or you must specify hostnames"
)
exit(24)
end
unless all
to_sign.each { |host|
unless waiting.include?(host)
$stderr.puts "No waiting request for %s" % host
end
}
waiting = waiting.find_all { |host|
to_sign.include?(host)
}
end
waiting.each { |host|
begin
csr = ca.getclientcsr(host)
rescue => detail
$stderr.puts "Could not retrieve request for %s: %s" % [host, detail]
end
begin
ca.sign(csr)
$stderr.puts "Signed %s" % host
rescue => detail
$stderr.puts "Could not sign request for %s: %s" % [host, detail]
end
begin
ca.removeclientcsr(host)
rescue => detail
$stderr.puts "Could not remove request for %s: %s" % [host, detail]
end
}
when :generate
# we need to generate a certificate for a host
hosts.each { |host|
puts "Generating certificate for %s" % host
cert = Puppet::SSLCertificates::Certificate.new(
:name => host
)
cert.mkcsr
signedcert, cacert = ca.sign(cert.csr)
cert.cert = signedcert
cert.cacert = cacert
cert.write
}
when :print
hosts.each { |h|
cert = ca.getclientcert(h)[0]
puts cert.to_text
}
when :revoke
hosts.each { |h|
serial = nil
if h =~ /^0x[0-9a-f]+$/
serial = h.to_i(16)
elsif h =~ /^[0-9]+$/
serial = h.to_i
else
cert = ca.getclientcert(h)[0]
if cert.nil?
$stderr.puts "Could not find client certificate for %s" % h
else
serial = cert.serial
end
end
unless serial.nil?
ca.revoke(serial)
puts "Revoked certificate with serial #{serial}"
end
}
when :verify
unless ssl = %x{which openssl}.chomp
raise "Can't verify certificates without the openssl binary and could not find one"
end
success = true
cacert = Puppet[:localcacert]
hosts.each do |host|
print "%s: " % host
file = ca.host2certfile(host)
unless FileTest.exist?(file)
puts "no certificate found"
success = false
next
end
command = %{#{ssl} verify -CAfile #{cacert} #{file}}
output = %x{#{command}}
if $? == 0
puts "valid"
else
puts output
success = false
end
end
else
$stderr.puts "Invalid mode %s" % mode
exit(42)
end
|