diff options
Diffstat (limited to 'sbin/itzks-puppetserver-autosign-new-host-certificates')
| -rwxr-xr-x | sbin/itzks-puppetserver-autosign-new-host-certificates | 111 |
1 files changed, 111 insertions, 0 deletions
diff --git a/sbin/itzks-puppetserver-autosign-new-host-certificates b/sbin/itzks-puppetserver-autosign-new-host-certificates new file mode 100755 index 0000000..56dc9bf --- /dev/null +++ b/sbin/itzks-puppetserver-autosign-new-host-certificates @@ -0,0 +1,111 @@ +#!/bin/bash + +# Copyright (C) 2022-2025 Mike Gabriel <mike.gabriel@das-netzwerkteam.de> +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 2 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License along +# with this program; if not, write to the Free Software Foundation, Inc., +# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + +if [ $(id -u) -gt 0 ]; then + echo "ERROR: This script has to run as super-user root." + exit 1 +fi + +unset http_proxy +unset https_proxy + +HOSTNAME="$(hostname -f)" +PUPPET_SERVER="$(dig puppet.intern +short | head -n1)" + +if [ "${HOSTNAME}." != "${PUPPET_SERVER}" ]; then + exit 0 +fi + +if [[ -n "${1}" ]]; then + ONLY_PUPPET_CLIENT="${1}" +fi + +source /etc/os-release + +if [ "${ID}" = "debian" ] && \ + ([ "${VERSION_CODENAME}" == "stretch" ] || \ + [ "${VERSION_CODENAME}" == "buster" ] || \ + [ "${VERSION_CODENAME}" == "bullseye" ]); then + + ### Puppet 5.x et al. (until Debian 11) + + # obtain list of puppet host certificate signing requests + NEW_PUPPET_SIGNING_REQUESTS="$(puppet cert list 2>/dev/null | awk '{ print $1 }' | sed 's/\"//g')" + + # if any, iterate over them individually + if [ -n "${NEW_PUPPET_SIGNING_REQUESTS}" ]; then + + echo "${NEW_PUPPET_SIGNING_REQUESTS}" | while read host_csr; do + + # Only process one specific client... + if [ -n "${ONLY_PUPPET_CLIENT}" ] && [ "${ONLY_PUPPET_CLIENT}" != "${host_csr}" ]; then + continue + fi + + # strip domain name + hostname_short="$(echo $host_csr | cut -d '.' -f1)" + + ## lookup host and see if it exists in LDAP: + ldapsystem=`ldapsearch -xLLL "(&(cn=${hostname_short})(|(objectClass=GOHard)(|(objectClass=ipHost))))" cn 2>/dev/null | perl -p00e 's/\r?\n //g' | grep -E '^cn:' | sed -e 's/^cn: //g'` + + if [ -n "${ldapsystem}" ]; then + + # yes, we should sign this host CSR + puppet cert sign "${host_csr}" + + fi + + done + + fi + +else + + # Puppet 7.x and newer... (Debian 12 and beyond) + + # obtain list of puppet host certificate signing requests + NEW_PUPPET_SIGNING_REQUESTS="$(puppetserver ca list 2>/dev/null | awk '{ print $1 }' | sed 's/\"//g')" + + # if any, iterate over them individually + if [ -n "${NEW_PUPPET_SIGNING_REQUESTS}" ]; then + + echo "${NEW_PUPPET_SIGNING_REQUESTS}" | while read host_csr; do + + # Only process one specific client... + if [ -n "${ONLY_PUPPET_CLIENT}" ] && [ "${ONLY_PUPPET_CLIENT}" != "${host_csr}" ]; then + continue + fi + + # strip domain name + hostname_short="$(echo $host_csr | cut -d '.' -f1)" + + ## lookup host and see if it exists in LDAP: + ldapsystem=`ldapsearch -xLLL "(&(cn=${hostname_short})(|(objectClass=GOHard)(|(objectClass=ipHost))))" cn 2>/dev/null | perl -p00e 's/\r?\n //g' | grep -E '^cn:' | sed -e 's/^cn: //g'` + + if [ -n "${ldapsystem}" ]; then + + # yes, we should sign this host CSR + puppetserver ca sign --certname "${host_csr}" + + fi + + done + + fi + +fi |