-rwxr-xr-xfiles/certreq.sh43
1 files changed, 33 insertions, 10 deletions
diff --git a/files/certreq.sh b/files/certreq.sh
index e5b5b40..9249bf1 100755
--- a/files/certreq.sh
+++ b/files/certreq.sh
@@ -16,6 +16,7 @@
# 2018-09-10 add CERTREQ_OPENSSL_BIN and CERTREQ_OPENSSL_CONF values, and SAN support
# 2019-07-25 fix chain_file name if DN is a particular format
# 2023-06-06 Fix #4: bug related to compressed responses from server
+# 2023-06-21 Add basic auth method and attempt at adding password file argument
# Usage: in ansible role certreq
# Microsoft CA cert templates have permissions on them. A user must be able to "enroll" on the template.
# Reference: ftemplate.sh 2017-10-10x; framework.sh 2017-10-09a
@@ -27,13 +28,14 @@ certreqversion="2023-06-06a"
usage() {
less -F >&2 <<ENDUSAGE
-usage: certreq.sh [-dhV] [-u username] [-p password] [-w tempdir] [-t template] [--cn CN] [--ca <CA hostname>] [-l|-g] [--list|--csr /path/to/file|--fetch|--request] [--no-ca] [--reqid <reqid_string>] [--openssl-bin /bin/openssl] [--openssl-conf /opt/openssl.cnf] [--auth ntlm|negotiate]
+usage: certreq.sh [-dhV] [-u username] [-p password] [-pf passwordfile ][-w tempdir] [-t template] [--cn CN] [--ca <CA hostname>] [-l|-g] [--list|--csr /path/to/file|--fetch|--request] [--no-ca] [--reqid <reqid_string>] [--openssl-bin /bin/openssl] [--openssl-conf /opt/openssl.cnf] [--auth basic|ntlm|negotiate]
version ${certreqversion}
-d debug Show debugging info, including parsed variables.
-h usage Show this usage block.
-V version Show script version number.
- -u username User to connect via ntlm (or negotiate) to CA. Can be "username" or "domain\\username"
+ -u username User to connect via basic or ntlm auth (or negotiate) to CA. Can be "username" or "domain\\username"
-p password
+ -pf --password-file Passwordfile in case you don't want to write password in clear text.
-w workdir Temp directory to work in. Default is \$(mktemp -d).
-t template Template to request from CA. Default is "ConfigMgrLinuxClientCertificate"
--cn CN to request. Default is \$( hostname -f )
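Review bot: The usage block now advertises `-pf passwordfile` and `--password-file`, but the only implementation of that flag in this commit is commented out inside parseFlag, so a caller who follows the help text gets the option silently ignored or, depending on how the framework tokenises a two-letter single-dash flag (not visible here), possibly parsed as `-p f`. Either drop the two usage lines until the flag works or mark them `(not yet implemented)`. The fragment `[-pf passwordfile ][-w tempdir]` also has the space on the wrong side of the bracket. Separately, the changelog gained a 2023-06-21 entry while the `certreqversion="2023-06-06a"` line shown as this hunk's context is untouched by the diff, so `-V` will keep reporting the old version; bump it as part of this change.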
@@ -44,7 +46,7 @@ version ${certreqversion}
--openssl-conf <value> Use this config for openssl. Default is none.
--dnssans <value> Use a pipe-delimited set of values as subjectAltName dns entries.
--ipsans <value> Use a pipe-delimited set of values as subjectAltName ip entries.
- --auth <value> Either ntlm or negotiate, for the curl statements. Negotiate uses the kerberos ticket for the host, so use the kerberos object name for -u and a blank -p. Default is "ntlm"
+ --auth <value> Either basic, ntlm or negotiate, for the curl statements. Negotiate uses the kerberos ticket for the host, so use the kerberos object name for -u and a blank -p. Default is "basic"
ACTIONS:
--list list available templates and exit.
--csr filename Provide a .csr file instead of making a new csr. Accepts "stdin" to read from standard in.
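Review bot: The new default of `basic` for `--auth` deserves a warning in this help text: HTTP basic auth places the base64-encoded username and password in the `Authorization` header of every request, so unlike ntlm or negotiate it is only acceptable over TLS to a CA whose certificate curl actually verifies. Suggest extending the line to `... Default is "basic". Basic sends the password on every request; only use it over https with certificate verification.` The previous default was ntlm, so existing callers that omit `--auth` may start receiving 401s from an NTLM-only endpoint; that behaviour change is worth a sentence in the changelog entry as well.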
@@ -466,6 +468,23 @@ parseFlag() {
"V" | "fcheck" | "version" ) ferror "${scriptfile} version ${certreqversion}"; exit 1001;;
"u" | "user" | "username" ) getval; CERTREQ_USER="${tempval}";;
"p" | "pass" | "password" ) getval; CERTREQ_PASS="${tempval}";;
+ # I am struggling to find a way to add a option for -p|--password-file. When enabling this code the script just prints a newline with no output to tmpfiles.
+ # "pf" | "password-file" )
+ # shift # Skip the flag itself
+ # if [ $# -gt 0 ]; then
+ # password_file="$1"
+ # if [ -r "$password_file" ]; then
+ # CERTREQ_PASS=$(cat "$password_file")
+ # else
+ # ferror "Unable to read password file: $password_file"
+ # exit 1
+ # fi
+ # hasval=1
+ # else
+ # ferror "Missing value for flag: $flag"
+ # exit 1
+ # fi
+ # ;;
"w" | "work" | "workdir" ) getval; CERTREQ_WORKDIR="${tempval}";;
"t" | "temp" | "template" ) getval; CERTREQ_TEMPLATE="${tempval}";;
"cn" | "common-name" | "commonname" ) getval; CERTREQ_CNPARAM="${tempval}";;
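Review bot: The commented-out `pf`/`password-file` arm uses `shift` and `$1`, but parseFlag is a function, so those operate on the function's own positional parameters rather than the script's remaining argv — which is consistent with the reported symptom of nothing being captured. Every sibling arm (`u`, `p`, `w`, `t`) fetches its argument through `getval` into `${tempval}`, so the password-file arm should do the same instead of re-implementing argument consumption. How the framework tokenises `-pf` is outside this hunk; if it splits it into `-p -f`, only the `--password-file` spelling will ever reach this arm, so document that one. `$( cat ... )` drops the trailing newline, which is what a password file needs, and the draft's refusal of an unreadable file is worth keeping. parseFlag continues outside the hunk.
```shell
      "pf" | "password-file" ) getval;
         # Read the secret from a file so it stays out of the command line, ps output and shell history.
         if test -r "${tempval}" ;
         then
            CERTREQ_PASS="$( cat -- "${tempval}" )"   # $( ) strips the trailing newline
         else
            ferror "Unable to read password file: ${tempval}"; exit 1
         fi
         ;;
```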
@@ -485,9 +504,10 @@ parseFlag() {
"ipsans" | "ip-sans" | "ipsan" | "ip-san" ) getval; CERTREQ_IPSANS="${tempval}";;
"auth" ) getval ;
case "${tempval}" in
+ "basic") CERTREQ_AUTH=basic ;;
"ntlm") CERTREQ_AUTH=ntlm ;;
"negotiate") CERTREQ_AUTH=negotiate ;;
- *) ferror "Warning: --auth must be either \"ntlm\" or \"negotiate\". Using \"ntlm.\"" CERTREQ_AUTH=ntlm ;;
+ *) ferror "Warning: --auth must be either \"basic\", \"ntlm\" or \"negotiate\". Using \"basic.\"" CERTREQ_AUTH=basic ;;
esac
;;
esac
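Review bot: In the `*)` fallback of the `--auth` case, `ferror "Warning: …" CERTREQ_AUTH=basic` passes `CERTREQ_AUTH=basic` to ferror as a second argument instead of assigning it — there is no `;` between the call and the assignment — so an invalid `--auth` value leaves CERTREQ_AUTH unassigned by this arm even though the message says "Using basic". The replaced ntlm line had the same defect; the rewrite carries it forward. Fix: `*) ferror "Warning: --auth must be either \"basic\", \"ntlm\" or \"negotiate\". Using \"basic.\"" ; CERTREQ_AUTH=basic ;;`. Also consider whether a mistyped `--auth ntlm` should silently downgrade to basic, which transmits the password on every request; for a credential-bearing option, exiting with an error is the safer fallback. parseFlag continues outside this hunk.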
@@ -608,9 +628,9 @@ if test -n "${CERTREQ_CAPARAM}";
then
# trim down to just the hostname
CERTREQ_CAPARAM="$( echo "${CERTREQ_CAPARAM}" | sed -r -e 's/https?:\/\///g' -e 's/(\.[a-z]{2,3})\/$/\1/;' )"
- CERTREQ_CA="http://${CERTREQ_CAPARAM}"
+ CERTREQ_CA="https://${CERTREQ_CAPARAM}"
fi
-define_if_new CERTREQ_CA "http://ca2.ad.example.com"
+define_if_new CERTREQ_CA "https://ca2.ad.example.com"
# generate cahost
CERTREQ_CAHOST="$( echo "${CERTREQ_CA}" | sed -r -e 's/https?:\/\///g' -e 's/(\.[a-z]{2,3})\/$/\1/;' )"
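Review bot: Forcing `https://` is the right companion to defaulting `--auth` to basic, but this hunk alone does not establish that the curl calls elsewhere in the script verify the server certificate; if any of them pass `-k`/`--insecure`, basic credentials remain exposed to anyone on the path to the CA. Add a comment recording the intent, e.g. `# basic auth sends the password on every request; require TLS and let curl verify the CA certificate`, and audit the curl invocations against it. Note also that the sed on the `--ca` value strips whatever scheme the user supplied, so `--ca http://host` is silently upgraded to https rather than rejected — fine as a hardening default, but worth stating in the usage text.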
@@ -763,7 +783,7 @@ debuglev 5 && {
openssloutput="$( "${CERTREQ_OPENSSL_BIN}" x509 -in "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" -noout -subject -issuer -startdate -enddate 2>/dev/null )"
# 1 interaction with website failed: invalid login credentials or curl returned non-zero value
- if echo "${MESSAGE}" | grep -qiE 'unauthorized' || test ${curloutput} -ne 0 ;
+ if echo "${MESSAGE}" | grep -qiE 'unauthorized' || test ${curloutput:-0} -ne 0 ;
then
failed=$(( failed + 1 ))
fi
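Review bot: `${curloutput:-0}` treats an unset exit status as success, so if the curl step was skipped or its status never captured, the "invalid login credentials" check in this branch passes silently. Defaulting to failure, `test "${curloutput:-1}" -ne 0`, and setting `curloutput=0` explicitly on any path that legitimately makes no request, keeps an absent value from being mistaken for a successful authenticated request. Which paths leave the variable unset (the `--list` action that the following hunk special-cases is the likely one) is not visible here, so confirm before changing the default. The enclosing `debuglev 5 && { … }` group starts and ends outside this hunk.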
@@ -775,9 +795,12 @@ debuglev 5 && {
fi
# 4 invalid cert file: incomplete cert file, or no issuer
- if { ! grep -qE -- '--END CERTIFICATE--' "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" ; } || { ! echo "${openssloutput}" | grep -qE "issuer.*" ; } ;
- then
- failed=$(( failed + 4 ))
+ # Wrapped in if statement to not grep when doing --list since no cert is created during that process.
+ if [[ "$CERTREQ_ACTION" != "list" ]]; then
+ if { ! grep -qE -- '--END CERTIFICATE--' "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" ; } || { ! echo "${openssloutput}" | grep -qE "issuer.*" ; } ;
+ then
+ failed=$(( failed + 4 ))
+ fi
fi
} 1> ${logfile} 2>&1
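Review bot: The new guard uses `[[ "$CERTREQ_ACTION" != "list" ]]` while the rest of the visible script tests with `test …` and braces, as in `if test -n "${CERTREQ_CAPARAM}"`, so this line reads as a different author's idiom; `if test "${CERTREQ_ACTION}" != "list" ;` keeps the file consistent. The comment explains the why well; consider naming the bit too, e.g. `# failed bit 4 is only meaningful when a certificate was requested; --list writes no .crt`. The check exempts only `list`, so any other action that does not write `${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt` would still be scored as failure 4 — confirm that is intended for the other actions, whose code is outside this hunk.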
bgstack15