authorB Stack <bgstack15@gmail.com>2018-08-16 11:54:17 -0400
committerB Stack <bgstack15@gmail.com>2018-08-16 11:54:17 -0400
commite6825a9a221709bbdc4c224b746fc62881f56739 (patch)
tree56c892861b2bed10b2b8b35b63fd2a6bdf4298b3
parentadd error check for "401 - Unauthorized" (diff)
update error checking and exit codes
Removing the final double-quote from the regular expression in the DISPOSITION check enables us to capture more interesting error messages from the server, including the "Denied" message when you request an incorrectly-named cert template. Performed major rewrite of exit codes, to fix issue #2.
-rwxr-xr-xfiles/certreq.sh67
1 files changed, 38 insertions, 29 deletions
diff --git a/files/certreq.sh b/files/certreq.sh
index 2aa27f8..5a21205 100755
--- a/files/certreq.sh
+++ b/files/certreq.sh
@@ -12,13 +12,14 @@
# 2018-05-07 Add actions for using a CA with manually-approved certs
# 2018-06-19 Fix get number of ca cert
# 2018-07-30 add error checking on the request and authorization
+# 2018-08-16 update error checking and exit codes
# Usage: in ansible role certreq
# Microsoft CA cert templates have permissions on them. A user must be able to "enroll" on the template.
# Reference: ftemplate.sh 2017-10-10x; framework.sh 2017-10-09a
# fundamental curl statements https://stackoverflow.com/questions/31283476/submitting-base64-csr-to-a-microsoft-ca-via-curl/39722983#39722983
# Improve:
fiversion="2017-10-10x"
-certreqversion="2018-07-30a"
+certreqversion="2018-08-16a"
usage() {
less -F >&2 <<ENDUSAGE
@@ -42,13 +43,9 @@ ACTIONS:
--request Only request a cert. Use if the cert needs to be approved manually by an admin on the server.
Return values under 1000: A non-zero value is the sum of the items listed here:
0 Everything worked
- 1 Cert file is still a CSR
- 2 Cert file is html, probably due to permissions/credentials issue
- 4 Return code of curl statement that saves cert file is non-zero
- 8 Cert file does not contain whole certificate
-16 Cert does not contain an issuer
-32 Cert request denied
-64 Invalid credentials
+ 1 interaction with website failed: invalid login credentials or curl returned non-zero value
+ 2 cert request denied
+ 4 invalid cert file: incomplete cert file, or no issuer
Return values above 1000:
1001 Help or version info displayed
1002 Count or type of flaglessvals is incorrect
@@ -155,7 +152,7 @@ submit_csr() {
esac
- DISPOSITION="$( echo "${FULLPAGE}" | grep -oiE "The disposition message is.*" | grep -oiE "\".*\"" )"
+ DISPOSITION="$( echo "${FULLPAGE}" | grep -oiE "The disposition message is.*" | grep -oiE "\".*" )"
MESSAGE="$( echo "${FULLPAGE}" | grep -oiE "<title>401.*" | grep -oiE ">.*<" | tr -d '<>' )"
MESSAGE="${MESSAGE:-${DISPOSITION}}" # use disposition if message is not available
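Review bot: With the closing quote dropped from the second grep on the DISPOSITION line, the match now runs from the first double quote to the end of that line of the server's page, so any markup that follows the message lands in DISPOSITION and, through the fallback on the last line, in MESSAGE. That value is server-supplied and is later matched for `policy` / `unauthorized` and printed as `message:`, so I would trim it to the message text, for example by appending `| sed -e 's/<[^>]*>//g'` to the pipeline. A comment such as `# DISPOSITION is raw text from the CA web page; do not treat it as trusted` would also help. submit_csr starts and ends outside this hunk.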
@@ -164,7 +161,7 @@ submit_csr() {
fetch_signed_cert() {
# call: fetch_signed_cert "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}" "${CERTLINK}" "${CERTREQ_CNPARAM}" "${CERTREQ_ACTION}" "${CERTREQ_REQID}"
# output:
- # vars: ${finaloutput}
+ # vars: ${curloutput}
# files: ${CERTREQ_WORKDIR}/${this_filename}.crt
debuglev 9 && ferror "$FUNCNAME $@"
@@ -199,7 +196,7 @@ fetch_signed_cert() {
-H "Referer: ${this_ca}/certsrv/certrqxt.asp" \
-H 'User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko' \
-H 'Content-Type: application/x-www-form-urlencoded' > "${CERTREQ_WORKDIR}/${this_filename}.crt"
- finaloutput=$?
+ curloutput=$?
}
@@ -253,7 +250,7 @@ get_latest_ca_cert_chain() {
# RENAME TO PROPER FILENAME
# will read only the first cert, so get domain of issuer of it.
- CA_DOMAIN="$( openssl x509 -in "${CERTREQ_TEMPFILE}" -noout -issuer 2>&1 | sed -r -e 's/^.*CN=[A-Za-z0-9]+\.//;' )"
+ CA_DOMAIN="$( openssl x509 -in "${CERTREQ_TEMPFILE}" -noout -issuer 2>/dev/null | sed -r -e 's/^.*CN=[A-Za-z0-9]+\.//;' )"
CHAIN_FILE="chain-${CA_DOMAIN}.crt"
mv -f "${CERTREQ_TEMPFILE}" "${CERTREQ_WORKDIR}/${CHAIN_FILE}" 1>/dev/null 2>&1
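Review bot: Sending openssl's stderr to /dev/null on the CA_DOMAIN line keeps error text out of the filename, but a failed parse now leaves CA_DOMAIN empty and the chain is saved as `chain-.crt` with no warning, since the `mv` on the last line also discards its output. If the sed pattern does not match, the whole issuer line (spaces, `=`, possibly `/`) becomes part of CHAIN_FILE. Because the value comes from a downloaded certificate, I would validate it before building the filename, e.g. `case "${CA_DOMAIN}" in ""|*[!A-Za-z0-9.-]*) ferror "unexpected issuer in CA chain" ; return 1 ;; esac`. get_latest_ca_cert_chain starts and ends outside the hunk, so whether `return 1` suits its callers needs confirming.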
@@ -262,7 +259,7 @@ get_latest_ca_cert_chain() {
action_get_cert() {
# call: action_get_cert "${CERTREQ_CNPARAM}" "${CERTREQ_SUBJECT}" "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}" "${CERTREQ_ACTION}" "${CERTREQ_CSR}"
# outputs:
- # vars: ${finaloutput}
+ # vars: ${curloutput}
# files: ${CHAIN_FILE} ${CERTREQ_CNPARAM}.crt and .key and
debuglev 9 && ferror "$FUNCNAME $@"
@@ -295,7 +292,7 @@ action_get_cert() {
# FETCH SIGNED CERTIFICATE
fetch_signed_cert "${this_user_string}" "${this_ca}" "${this_ca_host}" "${CERTLINK}" "${this_cnparam}" "${this_action}" "REQID-not-needed-for-this-action"
debuglev 8 && {
- echo "finaloutput=${finaloutput}"
+ echo "curloutput=${curloutput}"
}
if ! fistruthy "${CERTREQ_SKIP_CACERTS}" ;
@@ -362,7 +359,7 @@ action_fetch() {
fetch_signed_cert "${this_user_string}" "${this_ca}" "${this_ca_host}" "WILL-BE-REPLACED" "${this_cnparam}" "${this_action}" "${this_reqid}"
debuglev 8 && {
- echo "finaloutput=${finaloutput}"
+ echo "curloutput=${curloutput}"
}
if ! fistruthy "${CERTREQ_SKIP_CACERTS}" ;
@@ -626,21 +623,32 @@ debuglev 5 && {
# default action="generate"
# also catches "generate-csr"
action_get_cert "${CERTREQ_CNPARAM}" "${CERTREQ_SUBJECT}" "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}" "${CERTREQ_ACTION}" "${CERTREQ_CSR}"
-
- # CHECK EVERYTHING
- failed=0
- openssloutput="$( openssl x509 -in "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" -noout -subject -issuer -startdate -enddate 2>/dev/null )"
- grep -qE -- 'REQUEST--' "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" && failed=$(( failed + 1 ))
- grep -qiE '\<\/?body\>' "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" && failed=$(( failed + 2 ))
- test ${finaloutput} -ne 0 && failed=$(( failed + 4 ))
- grep -qE -- '--END CERTIFICATE--' "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" || failed=$(( failed + 8 ))
- #echo "${openssloutput}" | grep -qE "subject.*${CERTREQ_SUBJECT}" || failed=$(( failed + 16 ))
- echo "${openssloutput}" | grep -qE "issuer.*" || failed=$(( failed + 16 ))
- echo "${MESSAGE}" | grep -qiE 'policy' && failed=$(( failed + 32 ))
- echo "${MESSAGE}" | grep -qiE 'unauthorized' && failed=$(( failed + 64 ))
;;
+
esac
+ # CHECK EVERYTHING
+ failed=0 # start out with everything worked
+ openssloutput="$( openssl x509 -in "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" -noout -subject -issuer -startdate -enddate 2>/dev/null )"
+
+ # 1 interaction with website failed: invalid login credentials or curl returned non-zero value
+ if echo "${MESSAGE}" | grep -qiE 'unauthorized' || test ${curloutput} -ne 0 ;
+ then
+ failed=$(( failed + 1 ))
+ fi
+
+ # 2 cert request denied
+ if echo "${MESSAGE}" | grep -qiE 'policy' ;
+ then
+ failed=$(( failed + 2 ))
+ fi
+
+ # 4 invalid cert file: incomplete cert file, or no issuer
+ if { ! grep -qE -- '--END CERTIFICATE--' "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" ; } || { ! echo "${openssloutput}" | grep -qE "issuer.*" ; } ;
+ then
+ failed=$(( failed + 4 ))
+ fi
+
} 1> ${logfile} 2>&1
case "${CERTREQ_ACTION}" in
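Review bot: `test ${curloutput} -ne 0` in the first check is unquoted, and the block now runs after `esac` for every action. If an action never reaches fetch_signed_cert, curloutput is unset, `test` exits with an error, and the `||` treats that as "no failure", so the check fails open. Quote it and choose an explicit default, `test "${curloutput:-1}" -ne 0`, or initialise `curloutput` before the case statement if some actions legitimately skip the fetch. For those same actions the third check will always add 4, because the .crt file does not exist. The case arms above this hunk are not visible, so which actions skip the fetch is an assumption to confirm.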
@@ -678,13 +686,14 @@ case "${CERTREQ_ACTION}" in
! fistruthy "${CERTREQ_SKIP_CACERTS}" && echo "chain: ${CERTREQ_WORKDIR}/${CHAIN_FILE}"
echo "message: ${MESSAGE}"
echo "rc: ${failed}"
-
;;
esac
clean_certreq
-exit "${failed:-0}"
+
+exit_code() { return "${1:-0}" ; }
+exit_code "${failed:-0}"
# EMAIL LOGFILE
#${sendsh} ${sendopts} "${server} ${scriptfile} out" ${logfile} ${interestedparties}
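Review bot: `exit_code "${failed:-0}"` only sets `$?`, so the script's exit status is whatever the last executed command returns, and it is correct only while nothing runs after this line. If the commented-out e-mail line below is re-enabled, the caller (the Ansible role, per the file header) would see that command's status instead of `failed` and could treat a denied or invalid cert as success. If the aim is to survive being sourced, `return "${failed:-0}" 2>/dev/null || exit "${failed:-0}"` keeps that and still terminates. Otherwise add a comment such as `# must remain the last command: its status is the script's exit code`.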