puppetserver-ca 2.0.2 → 2.1.0
- checksums.yaml +4 -4
- data/README.md +3 -3
- data/lib/puppetserver/ca/action/clean.rb +2 -2
- data/lib/puppetserver/ca/action/generate.rb +3 -3
- data/lib/puppetserver/ca/action/import.rb +11 -11
- data/lib/puppetserver/ca/action/migrate.rb +3 -2
- data/lib/puppetserver/ca/action/revoke.rb +2 -2
- data/lib/puppetserver/ca/action/setup.rb +12 -12
- data/lib/puppetserver/ca/config/puppet.rb +6 -3
- data/lib/puppetserver/ca/host.rb +2 -2
- data/lib/puppetserver/ca/local_certificate_authority.rb +9 -9
- data/lib/puppetserver/ca/utils/http_client.rb +1 -1
- data/lib/puppetserver/ca/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 497bfffece8f53a956a7b1e668e9e822cd96e1e14ee9491c8e7cc88d9344a373
|
4
|
+
data.tar.gz: a77a2b34ef63e9952daf7b67f90ba895427584e02e859739a93092246775a5a6
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 175e6787a090312bca7d48f042fba739e35b0eb41bde6059408ad1490788049906b5ccfa1c4408c1c391491c7ea73a98ba31b34062ec61eeb101aad20aaf749e
|
7
|
+
data.tar.gz: 1fd6b2216952dca8053b03d5f2b09db65e6b4b3529a6c025ebb86331901f56aa3f1a25bb2c7cda3bbd7da3592ecd691a1e3b169b6e2166b57802b48adb0c6101
|
data/README.md
CHANGED
@@ -61,7 +61,7 @@ puppetserver ca --help
|
|
61
61
|
```
|
62
62
|
|
63
63
|
This code in this project is licensed under the Apache Software License v2,
|
64
|
-
please see the included [License](https://github.com/puppetlabs/puppetserver-ca-cli/blob/
|
64
|
+
please see the included [License](https://github.com/puppetlabs/puppetserver-ca-cli/blob/main/LICENSE.md)
|
65
65
|
for more details.
|
66
66
|
|
67
67
|
|
@@ -105,9 +105,9 @@ Freenode, or the Puppet Community Slack channel.
|
|
105
105
|
|
106
106
|
Contributions are welcome at https://github.com/puppetlabs/puppetserver-ca-cli/pulls.
|
107
107
|
Contributors should both be sure to read the
|
108
|
-
[contributing document](https://github.com/puppetlabs/puppetserver-ca-cli/blob/
|
108
|
+
[contributing document](https://github.com/puppetlabs/puppetserver-ca-cli/blob/main/CONTRIBUTING.md)
|
109
109
|
and sign the [contributor license agreement](https://cla.puppet.com/).
|
110
110
|
|
111
111
|
Everyone interacting with the project’s codebase, issue tracker, etc is expected
|
112
112
|
to follow the
|
113
|
-
[code of conduct](https://github.com/puppetlabs/puppetserver-ca-cli/blob/
|
113
|
+
[code of conduct](https://github.com/puppetlabs/puppetserver-ca-cli/blob/main/CODE_OF_CONDUCT.md).
|
@@ -14,7 +14,7 @@ module Puppetserver
|
|
14
14
|
|
15
15
|
include Puppetserver::Ca::Utils
|
16
16
|
|
17
|
-
|
17
|
+
CERTNAME_BLOCKLIST = %w{--all --config}
|
18
18
|
|
19
19
|
SUMMARY = 'Revoke cert(s) and remove related files from CA'
|
20
20
|
BANNER = <<-BANNER
|
@@ -59,7 +59,7 @@ BANNER
|
|
59
59
|
errors = CliParsing.parse_with_errors(parser, args)
|
60
60
|
|
61
61
|
results['certnames'].each do |certname|
|
62
|
-
if
|
62
|
+
if CERTNAME_BLOCKLIST.include?(certname)
|
63
63
|
errors << " Cannot manage cert named `#{certname}` from " +
|
64
64
|
"the CLI, if needed use the HTTP API directly"
|
65
65
|
end
|
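Review bot: `CERTNAME_BLOCKLIST = %w{--all --config}` on the new line 17 is a mutable module constant; Ruby does not freeze array literals, so the conventional form is `CERTNAME_BLOCKLIST = %w{--all --config}.freeze`. The `include?` test at line 62 is an exact string match, so it rejects only those two spellings; whether other option-looking certnames (`--help`, `-h`) need the same treatment depends on what the certname is later handed to, which is outside this hunk. The identical constant and check also appear in generate.rb and revoke.rb in this release, so a single shared definition would keep the three lists from drifting.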
@@ -18,7 +18,7 @@ module Puppetserver
|
|
18
18
|
|
19
19
|
# Only allow printing ascii characters, excluding /
|
20
20
|
VALID_CERTNAME = /\A[ -.0-~]+\Z/
|
21
|
-
|
21
|
+
CERTNAME_BLOCKLIST = %w{--all --config}
|
22
22
|
|
23
23
|
SUMMARY = "Generate a new certificate signed by the CA"
|
24
24
|
BANNER = <<-BANNER
|
@@ -35,7 +35,7 @@ Description:
|
|
35
35
|
If the `--ca-client` flag is passed, the cert will be generated
|
36
36
|
offline, without using Puppet Server's signing code, and will add
|
37
37
|
a special extension authorizing it to talk to the CA API. This can
|
38
|
-
be used for regenerating the
|
38
|
+
be used for regenerating the server's host cert, or for manually
|
39
39
|
setting up other nodes to be CA clients. Do not distribute certs
|
40
40
|
generated this way to any node that you do not intend to have
|
41
41
|
administrative access to the CA (e.g. the ability to sign a cert).
|
@@ -91,7 +91,7 @@ BANNER
|
|
91
91
|
errors << ' At least one certname is required to generate'
|
92
92
|
else
|
93
93
|
results['certnames'].each do |certname|
|
94
|
-
if
|
94
|
+
if CERTNAME_BLOCKLIST.include?(certname)
|
95
95
|
errors << " Cannot manage cert named `#{certname}` from " +
|
96
96
|
"the CLI, if needed use the HTTP API directly"
|
97
97
|
end
|
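Review bot: The new blocklist check at line 94 sits alongside `VALID_CERTNAME = /\A[ -.0-~]+\Z/` (line 20), and that regex anchors with `\Z`, which still matches a string that ends in a trailing newline; `"foo\n"` passes even though newline is outside the allowed character range. If VALID_CERTNAME is what vets the certname before it reaches the blocklist (the use site is not in this hunk), it should read `VALID_CERTNAME = /\A[ -.0-~]+\z/`. As in clean.rb, `CERTNAME_BLOCKLIST` is an unfrozen array literal; `%w{--all --config}.freeze` is the usual form for a constant.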
@@ -15,7 +15,7 @@ module Puppetserver
|
|
15
15
|
class Import
|
16
16
|
include Puppetserver::Ca::Utils
|
17
17
|
|
18
|
-
SUMMARY = "Import an external CA chain and generate
|
18
|
+
SUMMARY = "Import an external CA chain and generate server PKI"
|
19
19
|
BANNER = <<-BANNER
|
20
20
|
Usage:
|
21
21
|
puppetserver ca import [--help]
|
@@ -73,7 +73,7 @@ BANNER
|
|
73
73
|
def import(loader, settings, signing_digest)
|
74
74
|
ca = Puppetserver::Ca::LocalCertificateAuthority.new(signing_digest, settings)
|
75
75
|
ca.initialize_ssl_components(loader)
|
76
|
-
|
76
|
+
server_key, server_cert = ca.create_server_cert
|
77
77
|
return ca.errors if ca.errors.any?
|
78
78
|
|
79
79
|
FileSystem.ensure_dirs([settings[:ssldir],
|
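Review bot: `server_key, server_cert = ca.create_server_cert` on the new line 76 can yield nil for both values — `create_server_cert` in local_certificate_authority.rb returns `[nil, nil]` when the host key cannot be created — and the only guard is `return ca.errors if ca.errors.any?`. That is safe only if every failure inside the host also lands on `ca.errors`, which this diff does not show; if that invariant slips, `server_key.public_key` in the file list further down raises `NoMethodError` instead of a readable error. Assuming `ca.errors` is an array of message strings, an explicit guard next to the existing one, `return ['Unable to create the server key or certificate'] if server_key.nil? || server_cert.nil?`, makes the failure mode independent of that invariant. The `import` method continues past the end of this hunk.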
@@ -89,25 +89,25 @@ BANNER
|
|
89
89
|
[settings[:cadir] + '/infra_crl.pem', loader.crls],
|
90
90
|
[settings[:localcacert], loader.certs],
|
91
91
|
[settings[:hostcrl], loader.crls],
|
92
|
-
[settings[:hostpubkey],
|
93
|
-
[settings[:hostcert],
|
94
|
-
[settings[:cert_inventory], ca.inventory_entry(
|
92
|
+
[settings[:hostpubkey], server_key.public_key],
|
93
|
+
[settings[:hostcert], server_cert],
|
94
|
+
[settings[:cert_inventory], ca.inventory_entry(server_cert)],
|
95
95
|
[settings[:capub], loader.key.public_key],
|
96
96
|
[settings[:cadir] + '/infra_inventory.txt', ''],
|
97
97
|
[settings[:cadir] + '/infra_serials', ''],
|
98
98
|
[settings[:serial], "002"],
|
99
|
-
[File.join(settings[:signeddir], "#{settings[:certname]}.pem"),
|
99
|
+
[File.join(settings[:signeddir], "#{settings[:certname]}.pem"), server_cert]
|
100
100
|
]
|
101
101
|
|
102
102
|
private_files = [
|
103
|
-
[settings[:hostprivkey],
|
103
|
+
[settings[:hostprivkey], server_key],
|
104
104
|
[settings[:cakey], loader.key],
|
105
105
|
]
|
106
106
|
|
107
107
|
files_to_check = public_files + private_files
|
108
|
-
# We don't want to error if
|
108
|
+
# We don't want to error if server's keys exist. Certain workflows
|
109
109
|
# allow the agent to have already be installed with keys and then
|
110
|
-
# upgraded to be a
|
110
|
+
# upgraded to be a server. The host class will honor keys, if both
|
111
111
|
# public and private exist, and error if only one exists - as is
|
112
112
|
# previous behavior.
|
113
113
|
files_to_check = files_to_check.map(&:first) - [settings[:hostpubkey], settings[:hostprivkey]]
|
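Review bot: `[settings[:hostpubkey], server_key.public_key]` on line 92 regenerates the public key file from whatever private key `create_server_cert` returned, and per the comment at lines 108-112 that key may be a pre-existing one loaded from disk. In that workflow the on-disk public key is never compared against the private key, so a stale or mismatched `hostpubkey` is either silently replaced or, if the write skips existing files (not visible here), left mismatched. Before building the lists, load the existing public key when the file exists and compare `to_der` with `server_key.public_key.to_der`, returning an error on mismatch, so the honored-keys path cannot produce a cert whose public key file disagrees with the private key. The `import` method continues past the end of this hunk.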
@@ -181,11 +181,11 @@ ERR
|
|
181
181
|
parsed['crl-chain'] = chain
|
182
182
|
end
|
183
183
|
opts.on('--certname NAME',
|
184
|
-
'Common name to use for the
|
184
|
+
'Common name to use for the server cert') do |name|
|
185
185
|
parsed['certname'] = name
|
186
186
|
end
|
187
187
|
opts.on('--subject-alt-names NAME[,NAME]',
|
188
|
-
'Subject alternative names for the
|
188
|
+
'Subject alternative names for the server cert') do |sans|
|
189
189
|
parsed['subject-alt-names'] = sans
|
190
190
|
end
|
191
191
|
end
|
@@ -18,8 +18,9 @@ Usage:
|
|
18
18
|
|
19
19
|
Description:
|
20
20
|
Migrate an existing CA directory to #{PUPPETSERVER_CA_DIR}. This is for
|
21
|
-
upgrading from Puppet Platform 6.x to Puppet 7.
|
22
|
-
|
21
|
+
upgrading from Puppet Platform 6.x to Puppet 7. Uses the default puppet.conf
|
22
|
+
in your installation, or use a different config by supplying the `--config` flag.
|
23
|
+
|
23
24
|
Options:
|
24
25
|
BANNER
|
25
26
|
|
@@ -12,7 +12,7 @@ module Puppetserver
|
|
12
12
|
|
13
13
|
include Puppetserver::Ca::Utils
|
14
14
|
|
15
|
-
|
15
|
+
CERTNAME_BLOCKLIST = %w{--all --config}
|
16
16
|
|
17
17
|
SUMMARY = 'Revoke certificate(s)'
|
18
18
|
BANNER = <<-BANNER
|
@@ -55,7 +55,7 @@ BANNER
|
|
55
55
|
errors = CliParsing.parse_with_errors(parser, args)
|
56
56
|
|
57
57
|
results['certnames'].each do |certname|
|
58
|
-
if
|
58
|
+
if CERTNAME_BLOCKLIST.include?(certname)
|
59
59
|
errors << " Cannot manage cert named `#{certname}` from " +
|
60
60
|
"the CLI, if needed use the HTTP API directly"
|
61
61
|
end
|
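Review bot: This is the third copy of `CERTNAME_BLOCKLIST = %w{--all --config}` in this release (clean.rb and generate.rb carry identical lines), each followed by the same `include?` check and the same error message. All three classes already `include Puppetserver::Ca::Utils` (line 13), so a single `CERTNAME_BLOCKLIST = %w{--all --config}.freeze` defined there, or a small `blocklisted_certname?(name)` helper, would keep the three lists in step and freeze the array as constants conventionally are. Whether `Puppetserver::Ca::Utils` is a plain module that can host the constant is not visible in this diff.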
@@ -24,10 +24,10 @@ Usage:
|
|
24
24
|
Description:
|
25
25
|
Setup a root and intermediate signing CA for Puppet Server
|
26
26
|
and store generated CA keys, certs, crls, and associated
|
27
|
-
|
27
|
+
server related files on disk.
|
28
28
|
|
29
29
|
The `--subject-alt-names` flag can be used to add SANs to the
|
30
|
-
certificate generated for the Puppet
|
30
|
+
certificate generated for the Puppet server. Multiple names can be
|
31
31
|
listed as a comma separated string. These can be either DNS names or
|
32
32
|
IP addresses, differentiated by prefixes: `DNS:foo.bar.com,IP:123.456.789`.
|
33
33
|
Names with no prefix will be treated as DNS names.
|
@@ -77,7 +77,7 @@ BANNER
|
|
77
77
|
|
78
78
|
root_key, root_cert, root_crl = ca.create_root_cert
|
79
79
|
ca.create_intermediate_cert(root_key, root_cert)
|
80
|
-
|
80
|
+
server_key, server_cert = ca.create_server_cert
|
81
81
|
return ca.errors if ca.errors.any?
|
82
82
|
|
83
83
|
FileSystem.ensure_dirs([settings[:ssldir],
|
@@ -91,28 +91,28 @@ BANNER
|
|
91
91
|
[settings[:cacert], [ca.cert, root_cert]],
|
92
92
|
[settings[:cacrl], [ca.crl, root_crl]],
|
93
93
|
[settings[:cadir] + '/infra_crl.pem', [ca.crl, root_crl]],
|
94
|
-
[settings[:hostcert],
|
94
|
+
[settings[:hostcert], server_cert],
|
95
95
|
[settings[:localcacert], [ca.cert, root_cert]],
|
96
96
|
[settings[:hostcrl], [ca.crl, root_crl]],
|
97
|
-
[settings[:hostpubkey],
|
97
|
+
[settings[:hostpubkey], server_key.public_key],
|
98
98
|
[settings[:capub], ca.key.public_key],
|
99
|
-
[settings[:cert_inventory], ca.inventory_entry(
|
99
|
+
[settings[:cert_inventory], ca.inventory_entry(server_cert)],
|
100
100
|
[settings[:cadir] + '/infra_inventory.txt', ''],
|
101
101
|
[settings[:cadir] + '/infra_serials', ''],
|
102
102
|
[settings[:serial], "002"],
|
103
|
-
[File.join(settings[:signeddir], "#{settings[:certname]}.pem"),
|
103
|
+
[File.join(settings[:signeddir], "#{settings[:certname]}.pem"), server_cert],
|
104
104
|
]
|
105
105
|
|
106
106
|
private_files = [
|
107
|
-
[settings[:hostprivkey],
|
107
|
+
[settings[:hostprivkey], server_key],
|
108
108
|
[settings[:rootkey], root_key],
|
109
109
|
[settings[:cakey], ca.key],
|
110
110
|
]
|
111
111
|
|
112
112
|
files_to_check = public_files + private_files
|
113
|
-
# We don't want to error if
|
113
|
+
# We don't want to error if server's keys exist. Certain workflows
|
114
114
|
# allow the agent to have already be installed with keys and then
|
115
|
-
# upgraded to be a
|
115
|
+
# upgraded to be a server. The host class will honor keys, if both
|
116
116
|
# public and private exist, and error if only one exists - as is
|
117
117
|
# previous behavior.
|
118
118
|
files_to_check = files_to_check.map(&:first) - [settings[:hostpubkey], settings[:hostprivkey]]
|
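Review bot: The `public_files`/`private_files` construction at lines 94-110, together with the `files_to_check` exclusion and its comment, is now a near line-for-line duplicate of the same block in import.rb; the `hostcert`, `hostpubkey`, `cert_inventory`, signeddir copy and `hostprivkey` entries are identical in both actions. Extracting the server-specific entries into one helper on `LocalCertificateAuthority` (taking `settings`, `server_key`, `server_cert` and returning the public and private entry lists) would let setup and import append only their CA-specific entries and keeps future edits from having to be made twice. The enclosing method starts before and continues after this hunk.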
@@ -163,7 +163,7 @@ ERR
|
|
163
163
|
parsed['config'] = conf
|
164
164
|
end
|
165
165
|
opts.on('--subject-alt-names NAME[,NAME]',
|
166
|
-
'Subject alternative names for the
|
166
|
+
'Subject alternative names for the server cert') do |sans|
|
167
167
|
parsed['subject-alt-names'] = sans
|
168
168
|
end
|
169
169
|
opts.on('--ca-name NAME',
|
@@ -171,7 +171,7 @@ ERR
|
|
171
171
|
parsed['ca-name'] = name
|
172
172
|
end
|
173
173
|
opts.on('--certname NAME',
|
174
|
-
'Common name to use for the
|
174
|
+
'Common name to use for the server cert') do |name|
|
175
175
|
parsed['certname'] = name
|
176
176
|
end
|
177
177
|
end
|
@@ -69,6 +69,9 @@ module Puppetserver
|
|
69
69
|
|
70
70
|
overrides = results[:agent].merge(results[:main]).merge(results[:master]).merge(results[:server])
|
71
71
|
overrides.merge!(cli_overrides)
|
72
|
+
if overrides[:masterport]
|
73
|
+
overrides[:serverport] ||= overrides.delete(:masterport)
|
74
|
+
end
|
72
75
|
|
73
76
|
@settings = resolve_settings(overrides, logger, ca_dir_warn: ca_dir_warn).freeze
|
74
77
|
end
|
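Review bot: `overrides[:serverport] ||= overrides.delete(:masterport)` on line 73 evaluates its right-hand side only when `:serverport` is absent, so when a config sets both keys the `delete` never runs and the legacy `:masterport` entry survives into `resolve_settings`. Whether a stray key there is harmless depends on `resolve_settings`, which is outside this hunk, but the intent is plainly to retire the key; `masterport = overrides.delete(:masterport)` followed by `overrides[:serverport] ||= masterport` removes it unconditionally while still letting `serverport` win. Note also that the sections were already flattened on line 70, so a `masterport` in `[server]` cannot take precedence over a `serverport` in `[main]`; if that ordering matters it has to be resolved before the merge.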
@@ -103,7 +106,7 @@ module Puppetserver
|
|
103
106
|
[:certdir, '$ssldir/certs'],
|
104
107
|
[:certname, default_certname],
|
105
108
|
[:server, 'puppet'],
|
106
|
-
[:
|
109
|
+
[:serverport, '8140'],
|
107
110
|
[:privatekeydir, '$ssldir/private_keys'],
|
108
111
|
[:publickeydir, '$ssldir/public_keys'],
|
109
112
|
]
|
@@ -121,7 +124,7 @@ module Puppetserver
|
|
121
124
|
:serial => '$cadir/serial',
|
122
125
|
:cert_inventory => '$cadir/inventory.txt',
|
123
126
|
:ca_server => '$server',
|
124
|
-
:ca_port => '$
|
127
|
+
:ca_port => '$serverport',
|
125
128
|
:localcacert => '$certdir/ca.pem',
|
126
129
|
:hostcrl => '$ssldir/crl.pem',
|
127
130
|
:hostcert => '$certdir/$certname.pem',
|
@@ -287,7 +290,7 @@ module Puppetserver
|
|
287
290
|
end
|
288
291
|
|
289
292
|
if settings.dig(:server_list, 0, 1) &&
|
290
|
-
settings[:ca_port] == '$
|
293
|
+
settings[:ca_port] == '$serverport'
|
291
294
|
|
292
295
|
settings[:ca_port] = settings.dig(:server_list, 0, 1)
|
293
296
|
end
|
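--- a/data/lib/puppetserver/ca/host.rb
+++ b/data/lib/puppetserver/ca/host.rb
@@ -58,10 +58,10 @@ module Puppetserver
 @errors = []
 end
 
-# If both the private and public keys exist for a
+# If both the private and public keys exist for a server then we want
 # to honor them here, if only one key exists we want to surface an error,
 # and if neither exist we generate a new key. This logic is necessary for
-# proper bootstrapping for certain
+# proper bootstrapping for certain server workflows.
 def create_private_key(keylength, private_path = '', public_path = '')
 if File.exists?(private_path) && File.exists?(public_path)
 return OpenSSL::PKey.read(File.read(private_path))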
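Review bot: The reworded comment on lines 61-64 documents that an existing key pair is honored, but `create_private_key` then returns `OpenSSL::PKey.read(File.read(private_path))` without checking the loaded key against `keylength` or confirming that `public_path` holds the matching public key, so a leftover short key or a mismatched pair is accepted silently for the server certificate. At minimum the comment should say so — `# NOTE: an honored key is used as-is; keylength is not enforced and public_path is not checked against it` — and preferably the method should compare the key size and the `public_key.to_der` values and surface an error on mismatch. Separately, `File.exists?` is deprecated and removed in Ruby 3.2; `File.exist?` is the supported spelling. The method body continues past the end of this hunk.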
@@ -20,7 +20,7 @@ module Puppetserver
|
|
20
20
|
|
21
21
|
CLI_AUTH_EXT_OID = "1.3.6.1.4.1.34380.1.3.39"
|
22
22
|
|
23
|
-
|
23
|
+
SERVER_EXTENSIONS = [
|
24
24
|
["basicConstraints", "CA:FALSE", true],
|
25
25
|
["nsComment", "Puppet Server Internal Certificate", false],
|
26
26
|
["authorityKeyIdentifier", "keyid:always", false],
|
@@ -132,23 +132,23 @@ module Puppetserver
|
|
132
132
|
time.strftime('%Y-%m-%dT%H:%M:%S%Z')
|
133
133
|
end
|
134
134
|
|
135
|
-
def
|
136
|
-
|
137
|
-
|
135
|
+
def create_server_cert
|
136
|
+
server_cert = nil
|
137
|
+
server_key = @host.create_private_key(@settings[:keylength],
|
138
138
|
@settings[:hostprivkey],
|
139
139
|
@settings[:hostpubkey])
|
140
|
-
if
|
141
|
-
|
140
|
+
if server_key
|
141
|
+
server_csr = @host.create_csr(name: @settings[:certname], key: server_key)
|
142
142
|
if @settings[:subject_alt_names].empty?
|
143
143
|
alt_names = "DNS:puppet, DNS:#{@settings[:certname]}"
|
144
144
|
else
|
145
145
|
alt_names = @settings[:subject_alt_names]
|
146
146
|
end
|
147
147
|
|
148
|
-
|
148
|
+
server_cert = sign_authorized_cert(server_csr, alt_names)
|
149
149
|
end
|
150
150
|
|
151
|
-
return
|
151
|
+
return server_key, server_cert
|
152
152
|
end
|
153
153
|
|
154
154
|
def sign_authorized_cert(csr, alt_names = '')
|
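Review bot: `create_server_cert` (lines 135-152) returns `[nil, nil]` when `@host.create_private_key` returns nil (line 140 skips signing) and records nothing itself about why, while the callers in setup.rb and import.rb check only `ca.errors` before calling `server_key.public_key`. The return contract deserves a comment, e.g. `# Returns [key, cert]; both are nil when the host key could not be created or loaded, in which case an error is expected on the error list the callers check.`, hedged because the plumbing from `@host` errors to `ca.errors` is not in this diff. Separately, the default `alt_names = "DNS:puppet, DNS:#{@settings[:certname]}"` on line 143 interpolates the certname unvalidated into the extension value; generate.rb's `VALID_CERTNAME` permits `,` (it lies inside the ` -.` range) and nothing in this hunk shows setup/import vetting the name at all, so a certname containing `,DNS:` adds extra SAN entries. The certname comes from the operator's own config, so this is a robustness point rather than an exposure.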
@@ -176,7 +176,7 @@ module Puppetserver
|
|
176
176
|
end
|
177
177
|
|
178
178
|
def add_authorized_extensions(cert, ef)
|
179
|
-
|
179
|
+
SERVER_EXTENSIONS.each do |ext|
|
180
180
|
extension = ef.create_extension(*ext)
|
181
181
|
cert.add_extension(extension)
|
182
182
|
end
|
@@ -166,7 +166,7 @@ module Puppetserver
|
|
166
166
|
def self.check_server_online(settings, logger)
|
167
167
|
status_url = URL.new('https', settings[:ca_server], settings[:ca_port], 'status', 'v1', 'simple', 'ca')
|
168
168
|
begin
|
169
|
-
# Generating certs offline is necessary if the
|
169
|
+
# Generating certs offline is necessary if the server cert has been destroyed
|
170
170
|
# or compromised. Since querying the status endpoint does not require a client cert, and
|
171
171
|
# we commonly won't have one, don't require one for creating the connection.
|
172
172
|
# Additionally, we want to ensure the server is stopped before migrating the CA dir to
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: puppetserver-ca
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 2.0
|
4
|
+
version: 2.1.0
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Puppet, Inc.
|
8
8
|
autorequire:
|
9
9
|
bindir: exe
|
10
10
|
cert_chain: []
|
11
|
-
date: 2021-
|
11
|
+
date: 2021-04-21 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: facter
|