puppetserver-ca 1.11.2 → 1.11.6
Sign up to get free protection for your applications and to get access to all the features.
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA256:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 9db462f676901c02e176c9b77066f58f98c01bef5d4f4ed73b5216619007e756
|
|
4
|
+
data.tar.gz: bf80399c93b5622093d8c80a5d3b16f3c9ff1afa27edfe7c46551825c07aa512
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: c407ef1a22634dc8affbf35d9484978dd8845109efe16bc0e6a62b29286eb0cb5d97571d9ad074da4156118d407a5f0569c1d71f9a3e4aa9a29e701144ca0eec
|
|
7
|
+
data.tar.gz: 77e2518267853bddebdaaff1e657870a09eba2642cd0392fcea7a14096dd88329bcb547af9664903e0f34892e5f667ad19b66c455dc0d4f9f41f0cc63230d19f
|
|
@@ -26,7 +26,7 @@ Usage:
|
|
|
26
26
|
puppetserver ca generate [--help]
|
|
27
27
|
puppetserver ca generate --certname NAME[,NAME] [--config PATH]
|
|
28
28
|
[--subject-alt-names NAME[,NAME]]
|
|
29
|
-
[--ca-client]
|
|
29
|
+
[--ca-client [--force]]
|
|
30
30
|
|
|
31
31
|
Description:
|
|
32
32
|
Generates a new certificate signed by the intermediate CA
|
|
@@ -75,6 +75,10 @@ BANNER
|
|
|
75
75
|
'Causes the cert to be generated offline.') do |ca_client|
|
|
76
76
|
parsed['ca-client'] = true
|
|
77
77
|
end
|
|
78
|
+
opts.on('--force', 'Suppress errors when signing cert offline.',
|
|
79
|
+
"To be used with '--ca-client'") do |force|
|
|
80
|
+
parsed['force'] = true
|
|
81
|
+
end
|
|
78
82
|
opts.on('--ttl TTL', 'The time-to-live for each cert generated and signed') do |ttl|
|
|
79
83
|
parsed['ttl'] = ttl
|
|
80
84
|
end
|
|
@@ -139,8 +143,21 @@ BANNER
|
|
|
139
143
|
|
|
140
144
|
# Generate and save certs and associated keys
|
|
141
145
|
if input['ca-client']
|
|
142
|
-
#
|
|
143
|
-
|
|
146
|
+
# Refuse to generate certs offline if the CA service is running
|
|
147
|
+
begin
|
|
148
|
+
return 1 if HttpClient.check_server_online(puppet.settings, @logger)
|
|
149
|
+
rescue Puppetserver::Ca::ConnectionFailed => e
|
|
150
|
+
base_message = "Could not determine whether Puppet Server is online."
|
|
151
|
+
if input['force']
|
|
152
|
+
@logger.inform("#{base_message} Connection check failed with " \
|
|
153
|
+
"error: #{e.wrapped}\nContinuing with certificate signing.")
|
|
154
|
+
else
|
|
155
|
+
@logger.inform("#{base_message} If you are certain that the " \
|
|
156
|
+
"Puppetserver service is stopped, run this command again " \
|
|
157
|
+
"with the '--force' flag.")
|
|
158
|
+
raise e
|
|
159
|
+
end
|
|
160
|
+
end
|
|
144
161
|
all_passed = generate_authorized_certs(certnames, alt_names, puppet.settings, signer.digest)
|
|
145
162
|
else
|
|
146
163
|
all_passed = generate_certs(certnames, alt_names, puppet.settings, signer.digest, input['ttl'])
|
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
require 'optparse'
|
|
2
2
|
require 'openssl'
|
|
3
|
+
require 'set'
|
|
3
4
|
require 'puppetserver/ca/errors'
|
|
4
5
|
require 'puppetserver/ca/utils/cli_parsing'
|
|
5
6
|
require 'puppetserver/ca/utils/file_system'
|
|
@@ -31,6 +32,7 @@ BANNER
|
|
|
31
32
|
|
|
32
33
|
def run(inputs)
|
|
33
34
|
config_path = inputs['config']
|
|
35
|
+
exit_code = 0
|
|
34
36
|
|
|
35
37
|
# Validate the config path.
|
|
36
38
|
if config_path
|
|
@@ -49,55 +51,59 @@ BANNER
|
|
|
49
51
|
# Getting the CRL(s)
|
|
50
52
|
loader = X509Loader.new(puppet.settings[:cacert], puppet.settings[:cakey], puppet.settings[:cacrl])
|
|
51
53
|
|
|
52
|
-
|
|
53
|
-
number_of_removed_duplicates = prune_CRLs(puppet_crl)
|
|
54
|
+
verified_crls = loader.crls.select { |crl| crl.verify(loader.key) }
|
|
54
55
|
|
|
55
|
-
if
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
56
|
+
if verified_crls.length == 1
|
|
57
|
+
puppet_crl = verified_crls.first
|
|
58
|
+
@logger.inform("Total number of certificates found in Puppet's CRL is: #{puppet_crl.revoked.length}.")
|
|
59
|
+
number_of_removed_duplicates = prune_CRL(puppet_crl)
|
|
60
|
+
|
|
61
|
+
if number_of_removed_duplicates > 0
|
|
62
|
+
update_pruned_CRL(puppet_crl, loader.key)
|
|
63
|
+
FileSystem.write_file(puppet.settings[:cacrl], loader.crls, 0644)
|
|
64
|
+
@logger.inform("Removed #{number_of_removed_duplicates} duplicated certs from Puppet's CRL.")
|
|
65
|
+
else
|
|
66
|
+
@logger.inform("No duplicate revocations found in the CRL.")
|
|
67
|
+
end
|
|
59
68
|
else
|
|
60
|
-
@logger.
|
|
69
|
+
@logger.err("Could not identify Puppet's CRL. Aborting prune action.")
|
|
70
|
+
exit_code = 1
|
|
61
71
|
end
|
|
62
72
|
|
|
63
|
-
return
|
|
73
|
+
return exit_code
|
|
64
74
|
end
|
|
65
75
|
|
|
66
|
-
def
|
|
76
|
+
def prune_CRL(crl)
|
|
67
77
|
number_of_removed_duplicates = 0
|
|
68
78
|
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
true
|
|
83
|
-
end
|
|
79
|
+
existed_serial_number = Set.new()
|
|
80
|
+
revoked_list = crl.revoked
|
|
81
|
+
@logger.debug("Pruning duplicate entries in CRL for issuer " \
|
|
82
|
+
"#{crl.issuer.to_s(OpenSSL::X509::Name::RFC2253)}") if @logger.debug?
|
|
83
|
+
|
|
84
|
+
revoked_list.delete_if do |revoked|
|
|
85
|
+
if existed_serial_number.add?(revoked.serial)
|
|
86
|
+
false
|
|
87
|
+
else
|
|
88
|
+
number_of_removed_duplicates += 1
|
|
89
|
+
@logger.debug("Removing duplicate of #{revoked.serial}, " \
|
|
90
|
+
"revoked on #{revoked.time}\n") if @logger.debug?
|
|
91
|
+
true
|
|
84
92
|
end
|
|
85
|
-
crl.revoked=(revoked_list)
|
|
86
93
|
end
|
|
94
|
+
crl.revoked=(revoked_list)
|
|
87
95
|
|
|
88
96
|
return number_of_removed_duplicates
|
|
89
97
|
end
|
|
90
98
|
|
|
91
|
-
def update_pruned_CRL(
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
crl_number.value=(OpenSSL::ASN1::Integer(updated_crl_number))
|
|
97
|
-
end
|
|
98
|
-
crl.extensions=(number_ext + other_ext)
|
|
99
|
-
crl.sign(pkey, OpenSSL::Digest::SHA256.new)
|
|
99
|
+
def update_pruned_CRL(crl, pkey)
|
|
100
|
+
number_ext, other_ext = crl.extensions.partition{ |ext| ext.oid == "crlNumber" }
|
|
101
|
+
number_ext.each do |crl_number|
|
|
102
|
+
updated_crl_number = OpenSSL::BN.new(crl_number.value) + OpenSSL::BN.new(1)
|
|
103
|
+
crl_number.value=(OpenSSL::ASN1::Integer(updated_crl_number))
|
|
100
104
|
end
|
|
105
|
+
crl.extensions=(number_ext + other_ext)
|
|
106
|
+
crl.sign(pkey, OpenSSL::Digest::SHA256.new)
|
|
101
107
|
end
|
|
102
108
|
|
|
103
109
|
def self.parser(parsed = {})
|
|
@@ -141,7 +141,7 @@ module Puppetserver
|
|
|
141
141
|
url = protocol + '://' + host + ':' + port + '/' +
|
|
142
142
|
[endpoint, version, resource_type, resource_name].join('/')
|
|
143
143
|
|
|
144
|
-
url = url + "?" + URI.encode_www_form(query) unless query.empty?
|
|
144
|
+
url = url + "?" + URI.encode_www_form(query) unless query.nil? || query.empty?
|
|
145
145
|
return url
|
|
146
146
|
end
|
|
147
147
|
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: puppetserver-ca
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.11.
|
|
4
|
+
version: 1.11.6
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Puppet, Inc.
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2021-
|
|
11
|
+
date: 2021-09-07 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: facter
|