icinga-cert-service 0.18.4

data/bin/installer.sh

@@ -0,0 +1,33 @@
+#!/bin/sh
+
+DESTINATION_DIR="/usr/local/icinga2-cert-service"
+SOURCE_DIR="/tmp/ruby-icinga-cert-service"
+
+# ---------------------------------------------------------------------
+
+echo "install icinga2-cert-service .."
+
+[[ -d ${DESTINATION_DIR} ]] || mkdir -p ${DESTINATION_DIR}
+
+cd ${SOURCE_DIR}
+
+bundle update --quiet
+gem uninstall --quiet io-console bundler
+
+for i in lib bin templates assets
+do
+  cp -a ${SOURCE_DIR}/${i} ${DESTINATION_DIR}/
+done
+
+if [[ -e /sbin/openrc-run ]]
+then
+  cat << EOF >> /etc/conf.d/icinga2-cert-service
+
+# Icinga2 cert service
+CERT_SERVICE_BIN="/usr/local/icinga2-cert-service/bin/icinga2-cert-service.rb"
+
+EOF
+  cp ${SOURCE_DIR}/init-script/openrc/icinga2-cert-service /etc/init.d/
+fi
+
+export CERT_SERVICE=${DESTINATION_DIR}

data/bin/test.rb

@@ -0,0 +1,28 @@
+#!/usr/bin/env ruby
+#
+# 05.10.2016 - Bodo Schulz
+#
+#
+# v2.1.0
+
+# -----------------------------------------------------------------------------
+
+require 'ruby_dig' if RUBY_VERSION < '2.3'
+
+require 'sinatra/base'
+require 'sinatra/basic_auth'
+require 'json'
+require 'yaml'
+
+require_relative '../lib/cert-service'
+require_relative '../lib/logging'
+
+# -----------------------------------------------------------------------------
+
+config = {
+  icinga_master: 'localhost'
+}
+
+ics = IcingaCertService::Client.new(config)
+
+# -----------------------------------------------------------------------------

data/lib/cert-service.rb

@@ -0,0 +1,323 @@
+#
+#
+#
+
+require 'socket'
+require 'open3'
+require 'resolv'
+require 'fileutils'
+require 'rest-client'
+require 'erb'
+require 'time'
+require 'date'
+
+require_relative 'logging'
+require_relative 'util'
+require_relative 'monkey_patches'
+require_relative 'validator'
+require_relative 'cert-service/version'
+require_relative 'cert-service/templates'
+require_relative 'cert-service/executor'
+require_relative 'cert-service/certificate_handler'
+require_relative 'cert-service/endpoint_handler'
+require_relative 'cert-service/zone_handler'
+require_relative 'cert-service/in-memory-cache'
+require_relative 'cert-service/backup'
+require_relative 'cert-service/download'
+
+# -----------------------------------------------------------------------------
+
+module IcingaCertService
+  # Client Class to create on-the-fly a certificate to connect automaticly as satellite to an icinga2-master
+  #
+  #
+  class Client
+
+    include Logging
+    include Util::Tar
+    include IcingaCertService::Validator
+    include IcingaCertService::Templates
+    include IcingaCertService::Executor
+    include IcingaCertService::CertificateHandler
+    include IcingaCertService::EndpointHandler
+    include IcingaCertService::ZoneHandler
+    include IcingaCertService::InMemoryDataCache
+    include IcingaCertService::Backup
+    include IcingaCertService::Download
+
+    attr_accessor :icinga_version
+
+    # create a new instance
+    #
+    # @param [Hash, #read] settings to configure the Client
+    # @option params [String] :icinga_master The name (FQDN or IP) of the icinga2 master
+    #
+    # @example
+    #    IcingaCertService::Client.new( icinga_master: 'icinga2-master.example.com' )
+    #
+    def initialize( settings )
+
+      raise ArgumentError.new('only Hash are allowed') unless( settings.is_a?(Hash) )
+      raise ArgumentError.new('missing settings') if( settings.size.zero? )
+
+      @icinga_master       = settings.dig(:icinga, :server)
+      @icinga_port         = settings.dig(:icinga, :api, :port)     || 5665
+      @icinga_api_user     = settings.dig(:icinga, :api, :user)     || 'root'
+      @icinga_api_password = settings.dig(:icinga, :api, :password) || 'icinga'
+
+      @base_directory      = ENV.fetch('CERT_SERVICE', '/usr/local/icinga2-cert-service')
+
+      raise ArgumentError.new('missing \'icinga server\'') if( @icinga_master.nil? )
+
+      raise ArgumentError.new(format('wrong type. \'icinga api port\' must be an Integer, given \'%s\'', @icinga_port.class.to_s)) unless( @icinga_port.is_a?(Integer) )
+      raise ArgumentError.new(format('wrong type. \'icinga api user\' must be an String, given \'%s\''    , @icinga_api_user.class.to_s)) unless( @icinga_api_user.is_a?(String) )
+      raise ArgumentError.new(format('wrong type. \'icinga api password\' must be an String, given \'%s\'', @icinga_api_password.class.to_s)) unless( @icinga_api_password.is_a?(String) )
+
+      @tmp_directory       = '/tmp/icinga-pki'
+
+      version       = IcingaCertService::VERSION
+      date          = '2018-08-20'
+      detect_version
+
+      logger.info('-----------------------------------------------------------------')
+      logger.info('  certificate service for Icinga2')
+      logger.info(format('    Version %s (%s)', version, date))
+      logger.info('    Copyright 2017-2018 Bodo Schulz')
+      logger.info(format('    Icinga2 base version %s', @icinga_version))
+      logger.info('-----------------------------------------------------------------')
+      logger.info('')
+
+    end
+
+    # detect the Icinga2 Version
+    #
+    # @example
+    #    detect_version
+    #
+    def detect_version
+
+      max_retries  = 20
+      sleep_between_retries = 8
+      retried = 0
+
+      @icinga_version = 'unknown'
+
+      begin
+        #response = rest_client.get( headers )
+        response = RestClient::Request.execute(
+          method: :get,
+          url: format('https://%s:%d/v1/status/IcingaApplication', @icinga_master, @icinga_port ),
+          timeout: 5,
+          headers: { 'Content-Type' => 'application/json', 'Accept' => 'application/json' },
+          user: @icinga_api_user,
+          password: @icinga_api_password,
+          verify_ssl: OpenSSL::SSL::VERIFY_NONE
+        )
+
+        response = response.body if(response.is_a?(RestClient::Response))
+        response = JSON.parse(response) if(response.is_a?(String))
+        results  = response.dig('results') if(response.is_a?(Hash))
+        results  = results.first if(results.is_a?(Array))
+        app_data = results.dig('status','icingaapplication','app')
+        version  = app_data.dig('version') if(app_data.is_a?(Hash))
+
+        if(version.is_a?(String))
+          parts    = version.match(/^r(?<v>[0-9]+\.{0}\.[0-9]+)(.*)/i)
+          @icinga_version = parts['v'].to_s.strip if(parts)
+        end
+
+      rescue Errno::ECONNREFUSED, Errno::EHOSTUNREACH => e
+        sleep( sleep_between_retries )
+        retry
+      rescue RestClient::ExceptionWithResponse => e
+
+        if( retried < max_retries )
+          retried += 1
+          logger.debug( format( 'connection refused (retry %d / %d)', retried, max_retries ) )
+          sleep( sleep_between_retries )
+          retry
+        else
+          raise format( 'Maximum retries (%d) reached. Giving up ...', max_retries )
+        end
+      end
+    end
+
+    # function to read API Credentials from icinga2 Configuration
+    #
+    # @param [Hash, #read] params
+    # @option params [String] :api_user the API User, default is 'cert-service'
+    #
+    # @example
+    #    read_api_credentials( api_user: 'admin' )
+    #
+    # @return [String, #read] the configured Password or nil
+    #
+    def read_api_credentials(params = {})
+
+      api_user     = params.dig(:api_user) || 'cert-service'
+
+      file_name    = '/etc/icinga2/conf.d/api-users.conf'
+
+      file        = File.open(file_name, 'r')
+      contents    = file.read
+      password    = nil
+
+      regexp_long = / # Match she-bang style C-comment
+        \/\*          # Opening delimiter.
+        [^*]*\*+      # {normal*} Zero or more non-*, one or more *
+        (?:           # Begin {(special normal*)*} construct.
+          [^*\/]      # {special} a non-*, non-\/ following star.
+          [^*]*\*+    # More {normal*}
+        )*            # Finish "Unrolling-the-Loop"
+        \/            # Closing delimiter.
+      /x
+
+      regex       = /\"#{api_user}\"(.*){(.*)password(.*)=(.*)\"(?<password>.+[a-zA-Z0-9])\"(.*)}\n/m
+
+      # remove comments
+      result      = contents.gsub(regexp_long, '')
+
+      # split our string into more parts
+      result      = result.split('object ApiUser')
+
+      # now, iterate over all blocks and get the password
+      #
+      result.each do |block|
+        password = block.scan(regex)
+
+        next unless password.is_a?(Array) && password.count == 1
+
+        password = password.flatten.first
+        break
+      end
+
+      password
+    end
+
+    # add a host to 'api-users.conf'
+    #
+    # https://monitoring-portal.org/index.php?thread/41172-icinga2-api-mit-zertifikaten/&postID=251902#post251902
+    #
+    # @param [Hash, #read] params
+    # @option params [String] :host
+    #
+    # @example
+    #    add_api_user( host: 'icinga2-satellite' )
+    #
+    # @return [Hash, #read] if config already created:
+    #  * :status [Integer] 204
+    #  * :message [String] Message
+    # @return nil if successful
+    #
+    def add_api_user(params)
+
+      host = params.dig(:host)
+
+      return { status: 500, message: 'no hostname to create an api user' } if( host.nil? )
+
+      file_name = '/etc/icinga2/conf.d/api-users.conf'
+
+      return { status: 500, message: format( 'api user not successful configured! file %s missing', file_name ) } unless( File.exist?(file_name) )
+
+      file     = File.open(file_name, 'r')
+      contents = file.read
+
+      regexp_long = / # Match she-bang style C-comment
+        \/\*          # Opening delimiter.
+        [^*]*\*+      # {normal*} Zero or more non-*, one or more *
+        (?:           # Begin {(special normal*)*} construct.
+          [^*\/]      # {special} a non-*, non-\/ following star.
+          [^*]*\*+    # More {normal*}
+        )*            # Finish "Unrolling-the-Loop"
+        \/            # Closing delimiter.
+      /x
+      result = contents.gsub(regexp_long, '')
+
+      scan_api_user     = result.scan(/object ApiUser(.*)"(?<zone>.+\S)"(.*){(.*)/).flatten
+
+      return { status: 200, message: format('the configuration for the api user %s already exists', host) } if( scan_api_user.include?(host) == true )
+
+      logger.debug(format('i miss an configuration for api user %s', host))
+
+      begin
+
+        result = write_template(
+          template: 'templates/conf.d/api_users.conf.erb',
+          destination_file: file_name,
+          environment: {
+            host: host
+          }
+        )
+
+        # logger.debug( result )
+      rescue => error
+
+        logger.debug(error)
+      end
+
+      return { status: 200, message: format('configuration for api user %s has been created', host) }
+    end
+
+    # reload the icinga2-master using the api
+    #
+    # @param [Hash, #read] params
+    # @option params [String] :request
+    #   * HTTP_X_API_USER
+    #   * HTTP_X_API_PASSWORD
+    #
+    def reload_icinga_config(params)
+
+      logger.info( 'restart icinga2 process')
+
+      api_user     = params.dig(:request, 'HTTP_X_API_USER')
+      api_password = params.dig(:request, 'HTTP_X_API_PASSWORD')
+
+      return { status: 500, message: 'missing API Credentials - API_USER' } if( api_user.nil?)
+      return { status: 500, message: 'missing API Credentials - API_PASSWORD' } if( api_password.nil? )
+
+      password = read_api_credentials( api_user: api_user )
+
+      return { status: 500, message: 'wrong API Credentials' } if( password.nil? || api_password != password )
+
+      options = { user: api_user, password: api_password, verify_ssl: OpenSSL::SSL::VERIFY_NONE }
+      headers = { 'Content-Type' => 'application/json', 'Accept' => 'application/json' }
+      url     = format('https://%s:5665/v1/actions/restart-process', @icinga_master )
+
+      rest_client = RestClient::Resource.new( URI.encode( url ), options )
+
+      begin
+
+        response = rest_client.post( {}.to_json, headers )
+
+        response = response.body if(response.is_a?(RestClient::Response))
+        response = JSON.parse(response) if(response.is_a?(String))
+
+        logger.debug(JSON.pretty_generate(response))
+
+      rescue RestClient::ExceptionWithResponse => e
+
+        logger.error("Error: restart-process has failed: '#{e}'")
+        logger.error(JSON.pretty_generate(params))
+
+        return { status: 500, message: e }
+      end
+
+      { status: 200, message: 'service restarted' }
+    end
+
+    # returns the hostname of itself
+    #
+    def icinga2_server_name
+      Socket.gethostbyname(Socket.gethostname).first
+    end
+
+    # returns the IP of name
+    #
+    # @param [String, #read] name
+    #
+    def icinga2_server_ip( name = Socket.gethostname )
+      IPSocket.getaddress(name)
+    end
+
+  end
+end

data/lib/cert-service/backup.rb

@@ -0,0 +1,42 @@
+
+module IcingaCertService
+  # Submodule for Backup
+  #
+  #
+  module Backup
+
+    # creates a backup and saves it under '/var/lib/icinga2/backup'
+    #
+    # generated files are:
+    #  - zones.conf
+    #  - conf.d/api-users.conf
+    #  - zones.d/*
+    #
+    def create_backup
+
+      source_directory = '/etc/icinga2'
+      backup_directory = '/var/lib/icinga2/backup'
+
+      FileUtils.mkpath(backup_directory) unless File.exist?(backup_directory)
+
+      white_list = %w[zones.d zones.conf conf.d/api-users.conf]
+
+      white_list.each do |p|
+
+        source_file = "#{source_directory}/#{p}"
+
+        destination_directory = File.dirname( source_file )
+        destination_directory.gsub!( source_directory, backup_directory )
+
+        FileUtils.mkpath(destination_directory) unless File.exist?(destination_directory)
+
+        if( File.directory?(source_file) )
+          FileUtils.cp_r(source_file, "#{backup_directory}/", noop: false, verbose: false )
+        else
+          FileUtils.cp_r(source_file, "#{backup_directory}/#{p}", noop: false, verbose: false )
+        end
+      end
+
+    end
+  end
+end

data/lib/cert-service/certificate_handler.rb

@@ -0,0 +1,466 @@
+
+module IcingaCertService
+  # Submodule for CertificateHandler
+  #
+  #
+  module CertificateHandler
+
+    # create a certificate
+    #
+    # @param [Hash, #read] params
+    # @option params [String] :host
+    # @option params [Hash] :request
+    #
+    # @example
+    #    create_certificate( host: 'icinga2-satellite', request: { 'HTTP_X_API_USER => 'admin', HTTP_X_API_PASSWORD' => 'admin' } } )
+    #
+    # @return [Hash, #read]
+    #  * :status [Integer] 200 for successful, or 500 for an error
+    #  * :master_name [String] the Name of the Icinga2-master (need to configure the satellite correctly)
+    #  * :master_ip [String] the IP of the Icinga2-master (need to configure the satellite correctly)
+    #  * :checksum [String] a created Checksum to retrive the certificat archive
+    #  * :timestamp [Integer] a timestamp for the created archive
+    #  * :timeout [Integer] the timeout for the created archive
+    #  * :file_name [String] the archive Name
+    #  * :path [String] the Path who stored the certificate archive
+    #
+    def create_certificate( params )
+
+      host         = params.dig(:host)
+      api_user     = params.dig(:request, 'HTTP_X_API_USER')
+      api_password = params.dig(:request, 'HTTP_X_API_PASSWORD')
+      remote_addr  = params.dig(:request, 'REMOTE_ADDR')
+
+      return { status: 500, message: 'no hostname' } if( host.nil? )
+      return { status: 500, message: 'missing API Credentials - API_USER' } if( api_user.nil?)
+      return { status: 500, message: 'missing API Credentials - API_PASSWORD' } if( api_password.nil? )
+
+      password = read_api_credentials( api_user: api_user )
+
+      return { status: 500, message: 'wrong API Credentials' } if( password.nil? || api_password != password )
+
+      logger.info(format('got certificate request from %s', remote_addr))
+
+      if( @icinga_master.nil? )
+        begin
+          server_name = icinga2_server_name
+        rescue => e
+          logger.error(e)
+          server_name = @icinga_master
+        else
+          server_ip    = icinga2_server_ip
+        end
+      else
+        server_name = @icinga_master
+        begin
+          server_ip    = icinga2_server_ip(server_name)
+        rescue => e
+          logger.error(server_name)
+          logger.error(e)
+
+          server_ip = '127.0.0.1'
+        end
+      end
+
+      pki_base_directory = '/etc/icinga2/pki'
+      pki_base_directory = '/var/lib/icinga2/certs' if( @icinga_version != '2.7' )
+
+      return { status: 500, message: 'no PKI directory found. Please configure first the Icinga2 Master!' } if( pki_base_directory.nil? )
+
+      pki_master_key = format('%s/%s.key', pki_base_directory, server_name)
+      pki_master_csr = format('%s/%s.csr', pki_base_directory, server_name)
+      pki_master_crt = format('%s/%s.crt', pki_base_directory, server_name)
+      pki_master_ca  = format('%s/ca.crt', pki_base_directory)
+
+      return { status: 500, message: 'no PKI directory found. Please configure first the Icinga2 Master!' } unless( File.exist?(pki_base_directory) )
+
+      zone_base_directory = '/etc/icinga2/zone.d'
+
+      FileUtils.mkpath( format('%s/global-templates', zone_base_directory) )
+      FileUtils.mkpath( format('%s/%s', zone_base_directory, host) )
+
+      #
+      unless File.exist?(format('%s/global-templates/services.conf', zone_base_directory) )
+
+        if( File.exist?('/etc/icinga2/conf.d/services.conf') )
+          FileUtils.mv('/etc/icinga2/conf.d/services.conf', format('%s/global-templates/services.conf', zone_base_directory))
+        else
+          logger.error('missing services.conf under /etc/icinga2/conf.d')
+        end
+      end
+
+      logger.debug(format('search PKI files for the Master \'%s\'', server_name))
+
+      if( !File.exist?(pki_master_key) || !File.exist?(pki_master_csr) || !File.exist?(pki_master_crt) )
+        logger.error('missing file')
+        logger.debug(pki_master_key)
+        logger.debug(pki_master_csr)
+        logger.debug(pki_master_crt)
+
+        return { status: 500, message: format('missing PKI for Icinga2 Master \'%s\'', server_name) }
+      end
+
+      tmp_host_directory = format('%s/%s', @tmp_directory, host)
+      # uid         = File.stat('/etc/icinga2/conf.d').uid
+      # gid         = File.stat('/etc/icinga2/conf.d').gid
+
+      FileUtils.rmdir(tmp_host_directory) if(File.exist?(tmp_host_directory))
+      FileUtils.mkpath(tmp_host_directory) unless File.exist?(tmp_host_directory)
+      FileUtils.chmod_R(0o777, @tmp_directory) if File.exist?(tmp_host_directory)
+
+      return { status: 500, message: 'can\'t create temporary directory' } unless File.exist?(tmp_host_directory)
+
+      salt = Digest::SHA256.hexdigest(host)
+
+      pki_satellite_key = format('%s/%s.key', tmp_host_directory, host)
+      pki_satellite_csr = format('%s/%s.csr', tmp_host_directory, host)
+      pki_satellite_crt = format('%s/%s.crt', tmp_host_directory, host)
+      pki_ticket       = '%PKI_TICKET%'
+
+      commands = []
+
+      # icinga2 pki new-cert --cn $node --csr $node.csr --key $node.key
+      # icinga2 pki sign-csr --csr $node.csr --cert $node.crt
+      commands << format('icinga2 pki new-cert --cn %s --key %s --csr %s', host, pki_satellite_key, pki_satellite_csr)
+      commands << format('icinga2 pki sign-csr --csr %s --cert %s', pki_satellite_csr, pki_satellite_crt)
+
+      if( @icinga_version == '2.7' )
+        commands << format('icinga2 pki save-cert --key %s --cert %s --trustedcert %s/trusted-master.crt --host %s', pki_satellite_key, pki_satellite_crt, tmp_host_directory, server_name)
+        commands << format('icinga2 pki ticket --cn %s --salt %s', server_name, salt)
+        commands << format('icinga2 pki request --host %s --port 5665 --ticket %s --key %s --cert %s --trustedcert %s/trusted-master.crt --ca %s', server_name, pki_ticket, pki_satellite_key, pki_satellite_crt, tmp_host_directory, pki_master_ca)
+      end
+
+      pki_ticket = nil
+      next_command = nil
+
+      commands.each_with_index do |c, index|
+
+        next_command = commands[index + 1]
+        result       = exec_command(cmd: c)
+        exec_code    = result.dig(:code)
+        exec_message = result.dig(:message)
+
+        logger.debug( format( ' => %s', c ) )
+        logger.debug( format( '    - [%s]  %s', exec_code, exec_message ) )
+
+        if( exec_code != true )
+          logger.error(exec_message)
+          logger.error(format('  command \'%s\'', c))
+          logger.error(format('  returned with exit-code \'%s\'', exec_code))
+
+          return { status: 500, message: format('Internal Error: \'%s\' - \'cmd %s\'', exec_message, c) }
+        end
+
+        if( exec_message =~ %r{/information\//} )
+          # logger.debug( 'no ticket' )
+        else
+          pki_ticket   = exec_message.strip
+          next_command = next_command.gsub!('%PKI_TICKET%', pki_ticket) unless( next_command.nil? )
+        end
+      end
+
+      FileUtils.cp( pki_master_ca, format('%s/ca.crt', tmp_host_directory) )
+
+      #     # TODO
+      # Build Checksum
+      #       Dir[ sprintf( '%s/*', tmp_host_directory ) ].each do |file|
+      #         if( File.directory?( file ) )
+      #           next
+      #         end
+      #
+      #         Digest::SHA2.hexdigest( File.read( file ) )
+      #       end
+      #
+
+      # create TAR File
+      io = tar(tmp_host_directory)
+      # and compress
+      gz = gzip(io)
+
+      # write to filesystem
+
+      archive_name = format('%s/%s.tgz', @tmp_directory, host)
+
+      begin
+        file = File.open(archive_name, 'w')
+
+        file.binmode
+        file.write(gz.read)
+      rescue IOError => e
+        # some error occur, dir not writable etc.
+        logger.error(e)
+      ensure
+        file.close unless file.nil?
+      end
+
+      checksum  = Digest::SHA2.hexdigest(File.read(archive_name))
+      timestamp = Time.now
+      timeout   = timestamp.add_minutes(10)
+
+      logger.debug(format(' timestamp : %s', timestamp.to_datetime.strftime('%d-%m-%Y %H:%M:%S')))
+      logger.debug(format(' timeout   : %s', timeout.to_datetime.strftime('%d-%m-%Y %H:%M:%S')))
+
+      # store datas in-memory
+      #
+      save(checksum, timestamp: timestamp, timeout: timeout, host: host)
+
+      # remove the temporary data
+      #
+      FileUtils.rm_rf(tmp_host_directory)
+
+      {
+        status: 200,
+        master_name: server_name,
+        master_ip: server_ip,
+        checksum: checksum,
+        timestamp: timestamp.to_i,
+        timeout: timeout.to_i,
+        file_name: format('%s.tgz', host),
+        path: @tmp_directory
+      }
+    end
+
+
+    # check the certificate Data
+    #
+    # @param [Hash, #read] params
+    # @option params [String] :host
+    # @option params [Hash] :request
+    #
+    # @example
+    #    check_certificate( host: 'icinga2-satellite', request: { 'HTTP_X_CHECKSUM' => '000000000000000000000000000000000000' } )
+    #
+    # @return [Hash, #read] for an error:
+    #  * :status [Integer] 404 or 500
+    #  * :message [String] Error Message
+    #
+    # @return [Hash, #read] for succesfuly:
+    #  * :status [Integer] 200
+    #  * :file_name [String] Filename
+    #  * :path [String]
+    #
+    def check_certificate( params )
+
+      host         = params.dig(:host)
+      checksum     = params.dig(:request, 'HTTP_X_CHECKSUM')
+      api_user     = params.dig(:request, 'HTTP_X_API_USER')
+      api_password = params.dig(:request, 'HTTP_X_API_PASSWORD')
+      remote_addr  = params.dig(:request, 'REMOTE_ADDR')
+
+      return { status: 500, message: 'no valid data to get the certificate' } if( host.nil? || checksum.nil? )
+
+      file = format('%s/%s.tgz', @tmp_directory, host)
+
+      return { status: 404, message: 'file doesn\'t exits' } unless( File.exist?(file) )
+
+      in_memory_data      = find_by_id(checksum)
+      generated_timeout   = in_memory_data.dig(:timeout)
+      generated_timeout   = File.mtime(file).add_minutes(10) if( generated_timeout.nil? )
+
+      check_timestamp = Time.now
+
+      return { status: 404, message: 'timed out. please ask for an new cert' } if( check_timestamp.to_i > generated_timeout.to_i )
+
+      # add params to create the endpoint not in zones.d
+      #
+      params[:satellite] = true
+
+      # add API User for this Endpoint
+      #
+      # add_api_user(params)
+
+      # add Endpoint (and API User)
+      # and create a backup of the generated files
+      #
+      add_endpoint(params)
+
+      # restart service to activate the new certificate
+      #
+      # reload_icinga_config(params)
+
+      { status: 200, file_name: format('%s.tgz', host), path: @tmp_directory }
+    end
+
+
+    # validate the CA against a checksum
+    #
+    # @param [Hash, #read] params
+    # @option params [String] :checksum
+    #
+    def validate_certificate( params )
+
+      checksum = params.dig(:checksum)
+
+      return { status: 500, message: 'missing checksum' } if( checksum.nil? )
+
+      pki_base_directory = '/var/lib/icinga2/ca'
+      pki_master_ca  = format('%s/ca.crt', pki_base_directory)
+
+      return { status: 500, message: 'no PKI directory found. Please configure first the Icinga2 Master!' } unless( File.exist?(pki_base_directory) )
+
+      if( checksum.be_a_checksum )
+        pki_master_ca_checksum = nil
+        pki_master_ca_checksum = Digest::MD5.hexdigest(File.read(pki_master_ca)) if( checksum.produced_by(:md5) )
+        pki_master_ca_checksum = Digest::SHA256.hexdigest(File.read(pki_master_ca)) if( checksum.produced_by(:sha256) )
+        pki_master_ca_checksum = Digest::SHA384.hexdigest(File.read(pki_master_ca)) if( checksum.produced_by(:sha384) )
+        pki_master_ca_checksum = Digest::SHA512.hexdigest(File.read(pki_master_ca)) if( checksum.produced_by(:sha512) )
+
+        return { status: 500, message: 'wrong checksum type. only md5, sha256, sha384 and sha512 is supported' } if( pki_master_ca_checksum.nil? )
+        return { status: 404, message: 'checksum not match.' } if( checksum != pki_master_ca_checksum )
+        return { status: 200 }
+      end
+
+      { status: 500, message: 'checksum isn\'t a checksum' }
+    end
+
+
+    # sign a icinga2 satellite certificate with the new 2.8 pki feature
+    #
+    # @param [Hash, #read] params
+    # @option params [String] :host
+    # @option params [Hash] :request
+    #
+    # @example
+    #    sign_certificate( host: 'icinga2-satellite', request: { 'HTTP_X_API_USER => 'admin', HTTP_X_API_PASSWORD' => 'admin' } } )
+    #
+    # @return [Hash, #read] for an error:
+    #  * :status [Integer] 404 or 500
+    #  * :message [String] Error Message
+    #
+    # @return [Hash, #read] for succesfuly:
+    #  * :status [Integer] 200
+    #  * :message [String]
+    #  * :master_name [String]
+    #  * :master_ip [String]
+    #
+    def sign_certificate( params )
+
+      host          = params.dig(:host)
+      api_user      = params.dig(:request, 'HTTP_X_API_USER')
+      api_password  = params.dig(:request, 'HTTP_X_API_PASSWORD')
+      remote_addr   = params.dig(:request, 'REMOTE_ADDR')
+      real_ip       = params.dig(:request, 'HTTP_X_REAL_IP')
+      forwarded_for = params.dig(:request, 'HTTP_X_FORWARDED_FOR')
+
+      # logger.debug(params)
+
+      logger.error('no hostname') if( host.nil? )
+      logger.error('missing API Credentials - API_USER') if( api_user.nil? )
+      logger.error('missing API Credentials - API_PASSWORD') if( api_password.nil? )
+
+      return { status: 401, message: 'no hostname' } if( host.nil? )
+      return { status: 401, message: 'missing API Credentials - API_USER' } if( api_user.nil?)
+      return { status: 401, message: 'missing API Credentials - API_PASSWORD' } if( api_password.nil? )
+
+      password = read_api_credentials( api_user: api_user )
+
+      logger.error('wrong API Credentials') if( password.nil? || api_password != password )
+      logger.error('wrong Icinga2 Version (the master required => 2.8)') if( @icinga_version == '2.7' )
+
+      return { status: 401, message: 'wrong API Credentials' } if( password.nil? || api_password != password )
+      return { status: 401, message: 'wrong Icinga2 Version (the master required => 2.8)' } if( @icinga_version == '2.7' )
+
+      unless(remote_addr.nil? && real_ip.nil?)
+        logger.info('we running behind a proxy')
+
+        logger.debug("remote addr   #{remote_addr}")
+        logger.debug("real ip       #{real_ip}")
+        logger.debug("forwarded for #{forwarded_for}")
+
+        remote_addr = forwarded_for
+      end
+
+      unless( remote_addr.nil? )
+        host_short   = host.split('.')
+        host_short   = if( host_short.count > 0 )
+          host_short.first
+        else
+          host
+        end
+
+        remote_fqdn    = Resolv.getnames(remote_addr).sort.last
+        remote_short   = remote_fqdn.split('.')
+        remote_short   = if( remote_short.count > 0 )
+          remote_short.first
+        else
+          remote_fqdn
+        end
+
+        logger.debug( "host_short   #{host_short}" )
+        logger.debug( "remote_short #{remote_short}" )
+
+        logger.error(format('This client (%s) cannot sign the certificate for %s', remote_fqdn, host ) ) unless( host_short == remote_short )
+
+        return { status: 409, message: format('This client cannot sign the certificate for %s', host ) } unless( host_short == remote_short )
+      end
+
+      logger.info( format('sign certificate for %s', host) )
+
+      # /etc/icinga2 # icinga2 ca list | grep icinga2-satellite-1.matrix.lan | sort -k2
+      # e39c0b4bab4d0d9d5f97f0f54da875f0a60273b4fa3d3ef5d9be0d379e7a058b | Jan 10 04:27:38 2018 GMT | *      | CN = icinga2-satellite-1.matrix.lan
+      # 5520324447b124a26107ded6d5e5b37d73e2cf2074bd2b5e9d8b860939f490df | Jan 10 04:51:38 2018 GMT |        | CN = icinga2-satellite-1.matrix.lan
+      # 6775ea210c7559cf58093dbb151de1aaa3635950f696165eb4beca28487d193c | Jan 10 05:03:36 2018 GMT |        | CN = icinga2-satellite-1.matrix.lan
+
+      commands = []
+      commands << format('icinga2 ca list | grep %s | sort -k2 | tail -1', host) # sort by date
+
+      commands.each_with_index do |c, index|
+
+        result       = exec_command(cmd: c)
+        exec_code    = result.dig(:code)
+        exec_message = result.dig(:message)
+
+        #logger.debug( "icinga2 ca list: '#{exec_message}'" )
+        #logger.debug( "exit code: '#{exec_code}' (#{exec_code.class})" )
+
+        return { status: 500, message: 'error to retrive the list of certificates with signing requests' } if( exec_code == false )
+
+        regex = /^(?<ticket>.+\S) \|(?<date>.*)\|(.*)\| CN = (?<cn>.+\S)$/
+        parts = exec_message.match(regex) if(exec_message.is_a?(String))
+
+        logger.debug( "parts: #{parts} (#{parts.class})" )
+
+        if(parts)
+          ticket = parts['ticket'].to_s.strip
+          date   = parts['date'].to_s.tr('GMT','').strip
+          cn     = parts['cn'].to_s.strip
+
+          result       = exec_command(cmd: format('icinga2 ca sign %s',ticket))
+          exec_code    = result.dig(:code)
+          exec_message = result.dig(:message)
+          message      = exec_message.gsub('information/cli: ','')
+
+          #logger.debug("exec code   : '#{exec_code}' (#{exec_code.class})" )
+          logger.debug("exec message: '#{exec_message.strip}'")
+          logger.debug("message     : '#{message.strip}'")
+
+          # add 2hour to convert into CET (bad feeling)
+          date_time = DateTime.parse(date).new_offset('+02:00')
+          timestamp = date_time.to_time.to_i
+
+          # create the endpoint and the reference zone
+          # the endpoint are only after an reload available!
+          #
+          add_endpoint(params)
+
+          return {
+            status: 200,
+            message: message,
+            master_name: icinga2_server_name,
+            master_ip: icinga2_server_ip,
+            date: date_time.strftime("%Y-%m-%d %H:%M:%S"),
+            timestamp: timestamp
+          }
+
+        else
+          logger.error(format('i can\'t find a Ticket for host \'%s\'',host))
+          logger.error( parts )
+
+          return { status: 404, message: format('i can\'t find a Ticket for host \'%s\'',host) }
+        end
+      end
+
+      { status: 204 }
+    end
+  end
+end