diff options
-rwxr-xr-x | files/certreq.sh | 67 |
1 files changed, 38 insertions, 29 deletions
diff --git a/files/certreq.sh b/files/certreq.sh index 2aa27f8..5a21205 100755 --- a/files/certreq.sh +++ b/files/certreq.sh @@ -12,13 +12,14 @@ # 2018-05-07 Add actions for using a CA with manually-approved certs # 2018-06-19 Fix get number of ca cert # 2018-07-30 add error checking on the request and authorization +# 2018-08-16 update error checking and exit codes # Usage: in ansible role certreq # Microsoft CA cert templates have permissions on them. A user must be able to "enroll" on the template. # Reference: ftemplate.sh 2017-10-10x; framework.sh 2017-10-09a # fundamental curl statements https://stackoverflow.com/questions/31283476/submitting-base64-csr-to-a-microsoft-ca-via-curl/39722983#39722983 # Improve: fiversion="2017-10-10x" -certreqversion="2018-07-30a" +certreqversion="2018-08-16a" usage() { less -F >&2 <<ENDUSAGE @@ -42,13 +43,9 @@ ACTIONS: --request Only request a cert. Use if the cert needs to be approved manually by an admin on the server. Return values under 1000: A non-zero value is the sum of the items listed here: 0 Everything worked - 1 Cert file is still a CSR - 2 Cert file is html, probably due to permissions/credentials issue - 4 Return code of curl statement that saves cert file is non-zero - 8 Cert file does not contain whole certificate -16 Cert does not contain an issuer -32 Cert request denied -64 Invalid credentials + 1 interaction with website failed: invalid login credentials or curl returned non-zero value + 2 cert request denied + 4 invalid cert file: incomplete cert file, or no issuer Return values above 1000: 1001 Help or version info displayed 1002 Count or type of flaglessvals is incorrect @@ -155,7 +152,7 @@ submit_csr() { esac - DISPOSITION="$( echo "${FULLPAGE}" | grep -oiE "The disposition message is.*" | grep -oiE "\".*\"" )" + DISPOSITION="$( echo "${FULLPAGE}" | grep -oiE "The disposition message is.*" | grep -oiE "\".*" )" MESSAGE="$( echo "${FULLPAGE}" | grep -oiE "<title>401.*" | grep -oiE ">.*<" | tr -d '<>' )" MESSAGE="${MESSAGE:-${DISPOSITION}}" # use disposition if message is not available @@ -164,7 +161,7 @@ submit_csr() { fetch_signed_cert() { # call: fetch_signed_cert "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}" "${CERTLINK}" "${CERTREQ_CNPARAM}" "${CERTREQ_ACTION}" "${CERTREQ_REQID}" # output: - # vars: ${finaloutput} + # vars: ${curloutput} # files: ${CERTREQ_WORKDIR}/${this_filename}.crt debuglev 9 && ferror "$FUNCNAME $@" @@ -199,7 +196,7 @@ fetch_signed_cert() { -H "Referer: ${this_ca}/certsrv/certrqxt.asp" \ -H 'User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko' \ -H 'Content-Type: application/x-www-form-urlencoded' > "${CERTREQ_WORKDIR}/${this_filename}.crt" - finaloutput=$? + curloutput=$? } @@ -253,7 +250,7 @@ get_latest_ca_cert_chain() { # RENAME TO PROPER FILENAME # will read only the first cert, so get domain of issuer of it. - CA_DOMAIN="$( openssl x509 -in "${CERTREQ_TEMPFILE}" -noout -issuer 2>&1 | sed -r -e 's/^.*CN=[A-Za-z0-9]+\.//;' )" + CA_DOMAIN="$( openssl x509 -in "${CERTREQ_TEMPFILE}" -noout -issuer 2>/dev/null | sed -r -e 's/^.*CN=[A-Za-z0-9]+\.//;' )" CHAIN_FILE="chain-${CA_DOMAIN}.crt" mv -f "${CERTREQ_TEMPFILE}" "${CERTREQ_WORKDIR}/${CHAIN_FILE}" 1>/dev/null 2>&1 @@ -262,7 +259,7 @@ get_latest_ca_cert_chain() { action_get_cert() { # call: action_get_cert "${CERTREQ_CNPARAM}" "${CERTREQ_SUBJECT}" "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}" "${CERTREQ_ACTION}" "${CERTREQ_CSR}" # outputs: - # vars: ${finaloutput} + # vars: ${curloutput} # files: ${CHAIN_FILE} ${CERTREQ_CNPARAM}.crt and .key and debuglev 9 && ferror "$FUNCNAME $@" @@ -295,7 +292,7 @@ action_get_cert() { # FETCH SIGNED CERTIFICATE fetch_signed_cert "${this_user_string}" "${this_ca}" "${this_ca_host}" "${CERTLINK}" "${this_cnparam}" "${this_action}" "REQID-not-needed-for-this-action" debuglev 8 && { - echo "finaloutput=${finaloutput}" + echo "curloutput=${curloutput}" } if ! fistruthy "${CERTREQ_SKIP_CACERTS}" ; @@ -362,7 +359,7 @@ action_fetch() { fetch_signed_cert "${this_user_string}" "${this_ca}" "${this_ca_host}" "WILL-BE-REPLACED" "${this_cnparam}" "${this_action}" "${this_reqid}" debuglev 8 && { - echo "finaloutput=${finaloutput}" + echo "curloutput=${curloutput}" } if ! fistruthy "${CERTREQ_SKIP_CACERTS}" ; @@ -626,21 +623,32 @@ debuglev 5 && { # default action="generate" # also catches "generate-csr" action_get_cert "${CERTREQ_CNPARAM}" "${CERTREQ_SUBJECT}" "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}" "${CERTREQ_ACTION}" "${CERTREQ_CSR}" - - # CHECK EVERYTHING - failed=0 - openssloutput="$( openssl x509 -in "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" -noout -subject -issuer -startdate -enddate 2>/dev/null )" - grep -qE -- 'REQUEST--' "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" && failed=$(( failed + 1 )) - grep -qiE '\<\/?body\>' "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" && failed=$(( failed + 2 )) - test ${finaloutput} -ne 0 && failed=$(( failed + 4 )) - grep -qE -- '--END CERTIFICATE--' "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" || failed=$(( failed + 8 )) - #echo "${openssloutput}" | grep -qE "subject.*${CERTREQ_SUBJECT}" || failed=$(( failed + 16 )) - echo "${openssloutput}" | grep -qE "issuer.*" || failed=$(( failed + 16 )) - echo "${MESSAGE}" | grep -qiE 'policy' && failed=$(( failed + 32 )) - echo "${MESSAGE}" | grep -qiE 'unauthorized' && failed=$(( failed + 64 )) ;; + esac + # CHECK EVERYTHING + failed=0 # start out with everything worked + openssloutput="$( openssl x509 -in "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" -noout -subject -issuer -startdate -enddate 2>/dev/null )" + + # 1 interaction with website failed: invalid login credentials or curl returned non-zero value + if echo "${MESSAGE}" | grep -qiE 'unauthorized' || test ${curloutput} -ne 0 ; + then + failed=$(( failed + 1 )) + fi + + # 2 cert request denied + if echo "${MESSAGE}" | grep -qiE 'policy' ; + then + failed=$(( failed + 2 )) + fi + + # 4 invalid cert file: incomplete cert file, or no issuer + if { ! grep -qE -- '--END CERTIFICATE--' "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" ; } || { ! echo "${openssloutput}" | grep -qE "issuer.*" ; } ; + then + failed=$(( failed + 4 )) + fi + } 1> ${logfile} 2>&1 case "${CERTREQ_ACTION}" in @@ -678,13 +686,14 @@ case "${CERTREQ_ACTION}" in ! fistruthy "${CERTREQ_SKIP_CACERTS}" && echo "chain: ${CERTREQ_WORKDIR}/${CHAIN_FILE}" echo "message: ${MESSAGE}" echo "rc: ${failed}" - ;; esac clean_certreq -exit "${failed:-0}" + +exit_code() { return "${1:-0}" ; } +exit_code "${failed:-0}" # EMAIL LOGFILE #${sendsh} ${sendopts} "${server} ${scriptfile} out" ${logfile} ${interestedparties} |