aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--.gitignore1
-rwxr-xr-xfiles/certreq.sh41
2 files changed, 31 insertions, 11 deletions
diff --git a/.gitignore b/.gitignore
index fee9217..7eace93 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
*.conf
+.*.swp
diff --git a/files/certreq.sh b/files/certreq.sh
index 5a21205..132c049 100755
--- a/files/certreq.sh
+++ b/files/certreq.sh
@@ -13,6 +13,7 @@
# 2018-06-19 Fix get number of ca cert
# 2018-07-30 add error checking on the request and authorization
# 2018-08-16 update error checking and exit codes
+# 2018-09-10 add CERTREQ_OPENSSL_BIN and CERTREQ_OPENSSL_CONF values
# Usage: in ansible role certreq
# Microsoft CA cert templates have permissions on them. A user must be able to "enroll" on the template.
# Reference: ftemplate.sh 2017-10-10x; framework.sh 2017-10-09a
@@ -36,6 +37,8 @@ version ${certreqversion}
--ca CA hostname or base URL. Example: ca2.example.com
--reqid <value> Request ID. Needed by --fetch action.
--no-ca Skip downloading the CA cert chain.
+ --openssl-bin <value> Use this binary for openssl. Default is "openssl"
+ --openssl-conf <value> Use this config for openssl. Default is none.
ACTIONS:
--list list available templates and exit.
--csr filename Provide a .csr file instead of making a new csr. Accepts "stdin" to read from standard in.
@@ -59,7 +62,7 @@ ENDUSAGE
# DEFINE FUNCTIONS
openssl_req() {
- # call: openssl_req "${CERTREQ_CNPARAM}" "${CERTREQ_SUBJECT}" "${CERTREQ_ACTION}" "${CERTREQ_CSR}"
+ # call: openssl_req "${CERTREQ_CNPARAM}" "${CERTREQ_SUBJECT}" "${CERTREQ_ACTION}" "${CERTREQ_CSR}" "${CERTREQ_OPENSSL_BIN}" "${CERTREQ_openssl_config}"
# outputs:
# vars: ${CSR} ${DATA} ${CERTATTRIB}
# files: ${CERTREQ_WORKDIR}/${this_filename}.crt ${CERTREQ_WORKDIR}/${thisfilename}.key
@@ -69,6 +72,8 @@ openssl_req() {
local this_subject="${2}"
local this_action="${3}"
local this_csr="${4}"
+ local this_openssl_bin="${5}"
+ local this_openssl_config="${6}"
debuglev 8 && echo "Action ${this_action}"
case "${this_action}" in
@@ -88,7 +93,7 @@ openssl_req() {
esac
;;
*)
- openssl req -new -nodes \
+ "${this_openssl_bin}" req ${this_openssl_config} -new -nodes \
-out "${CERTREQ_WORKDIR}/${this_filename}.csr" \
-keyout "${CERTREQ_WORKDIR}/${this_filename}.key" \
-subj "${this_subject}"
@@ -246,18 +251,18 @@ get_latest_ca_cert_chain() {
-H 'Content-Type: application/x-www-form-urlencoded' )"
# CONVERT TO PEM
- echo "${CURRENT_P7B}" | openssl pkcs7 -print_certs -out "${CERTREQ_TEMPFILE}"
+ echo "${CURRENT_P7B}" | "${CERTREQ_OPENSSL_BIN}" pkcs7 -print_certs -out "${CERTREQ_TEMPFILE}"
# RENAME TO PROPER FILENAME
# will read only the first cert, so get domain of issuer of it.
- CA_DOMAIN="$( openssl x509 -in "${CERTREQ_TEMPFILE}" -noout -issuer 2>/dev/null | sed -r -e 's/^.*CN=[A-Za-z0-9]+\.//;' )"
+ CA_DOMAIN="$( "${CERTREQ_OPENSSL_BIN}" x509 -in "${CERTREQ_TEMPFILE}" -noout -issuer 2>/dev/null | sed -r -e 's/^.*CN=[A-Za-z0-9]+\.//;' )"
CHAIN_FILE="chain-${CA_DOMAIN}.crt"
mv -f "${CERTREQ_TEMPFILE}" "${CERTREQ_WORKDIR}/${CHAIN_FILE}" 1>/dev/null 2>&1
}
action_get_cert() {
- # call: action_get_cert "${CERTREQ_CNPARAM}" "${CERTREQ_SUBJECT}" "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}" "${CERTREQ_ACTION}" "${CERTREQ_CSR}"
+ # call: action_get_cert "${CERTREQ_CNPARAM}" "${CERTREQ_SUBJECT}" "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}" "${CERTREQ_ACTION}" "${CERTREQ_CSR}" "${CERTREQ_OPENSSL_BIN}" "${CERTREQ_config_string}"
# outputs:
# vars: ${curloutput}
# files: ${CHAIN_FILE} ${CERTREQ_CNPARAM}.crt and .key and
@@ -270,9 +275,11 @@ action_get_cert() {
local this_ca_host="${5}"
local this_action="${6}"
local this_csr="${7}"
+ local this_openssl_bin="${8}"
+ local this_openssl_config="${9}"
# GENERATE PRIVATE KEY
- openssl_req "${this_cnparam}" "${this_subject}" "${this_action}" "${this_csr}"
+ openssl_req "${this_cnparam}" "${this_subject}" "${this_action}" "${this_csr}" "${this_openssl_bin}" "${this_openssl_config}"
debuglev 8 && {
echo "CSR=${CSR}"
echo "DATA=${DATA}"
@@ -315,7 +322,7 @@ action_get_cert() {
}
action_request() {
- # call: action_request "${CERTREQ_CNPARAM}" "${CERTREQ_SUBJECT}" "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}" "${CERTREQ_ACTION}" "${CERTREQ_CSR}"
+ # call: action_request "${CERTREQ_CNPARAM}" "${CERTREQ_SUBJECT}" "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}" "${CERTREQ_ACTION}" "${CERTREQ_CSR}" "${CERTREQ_OPENSSL_BIN}" "${CERTREQ_openssl_config}"
debuglev 9 && ferror "$FUNCNAME $@"
local this_cnparam="${1}"
@@ -325,9 +332,11 @@ action_request() {
local this_ca_host="${5}"
local this_action="${6}"
local this_csr="${7}"
+ local this_openssl_bin="${8}"
+ local this_openssl_config="${9}"
# GENERATE PRIVATE KEY
- openssl_req "${this_cnparam}" "${this_subject}" "${this_action}" "${this_csr}"
+ openssl_req "${this_cnparam}" "${this_subject}" "${this_action}" "${this_csr}" "${this_openssl_bin}" "${this_openssl_config}"
debuglev 8 && {
echo "CSR=${CSR}"
echo "DATA=${DATA}"
@@ -453,6 +462,8 @@ parseFlag() {
"request" | "request-only" ) CERTREQ_ACTION="request";;
"no-ca" | "noca" ) CERTREQ_SKIP_CACERTS=1;;
"req" | "reqid" | "req-id" | "request" | "requestid" | "request-id" ) getval; CERTREQ_REQID="${tempval}";;
+ "openssl-bin" | "openssl" | "opensslbin" | "openssl-binary" | "opensslexec" | "openssl-exec" ) getval; CERTREQ_OPENSSL_BIN="${tempval}";;
+ "openssl-conf" | "opensslconf" | "openssl_conf" ) getval; CERTREQ_OPENSSL_CONF="${tempval}";;
esac
debuglev 10 && { test ${hasval} -eq 1 && ferror "flag: ${flag} = ${tempval}" || ferror "flag: ${flag}"; }
@@ -546,6 +557,8 @@ define_if_new CERTREQ_CLEANUP_SEC 300
logfile="$( TMPDIR="${CERTREQ_WORKDIR}" mktemp -t tmp.XXXXXXXXXX )"
CERTREQ_TEMPFILE="$( TMPDIR="${CERTREQ_WORKDIR}" mktemp -t tmp.XXXXXXXXXX )"
define_if_new CERTREQ_ACTION "generate"
+define_if_new CERTREQ_OPENSSL_BIN "openssl"
+# no CERTREQ_OPENSSL_CONF defined by default. Just use the system default unless specified.
# calculate the subject
if test -n "${CERTREQ_CNPARAM}";
@@ -573,6 +586,12 @@ define_if_new CERTREQ_CA "http://ca2.ad.example.com"
# generate cahost
CERTREQ_CAHOST="$( echo "${CERTREQ_CA}" | sed -r -e 's/https?:\/\///g' -e 's/(\.[a-z]{2,3})\/$/\1/;' )"
+# calculate openssl_conf string if necessary
+if test -n "${CERTREQ_OPENSSL_CONF}" ;
+then
+ CERTREQ_openssl_config="-config ${CERTREQ_OPENSSL_CONF}"
+fi
+
## REACT TO BEING A CRONJOB
#if test ${is_cronjob} -eq 1;
#then
@@ -611,7 +630,7 @@ debuglev 5 && {
request)
# alias of "request-only"
- action_request "${CERTREQ_CNPARAM}" "${CERTREQ_SUBJECT}" "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}" "${CERTREQ_ACTION}" "${CERTREQ_CSR}"
+ action_request "${CERTREQ_CNPARAM}" "${CERTREQ_SUBJECT}" "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}" "${CERTREQ_ACTION}" "${CERTREQ_CSR}" "${CERTREQ_OPENSSL_BIN}" "${CERTREQ_openssl_config}"
;;
fetch)
@@ -622,14 +641,14 @@ debuglev 5 && {
*)
# default action="generate"
# also catches "generate-csr"
- action_get_cert "${CERTREQ_CNPARAM}" "${CERTREQ_SUBJECT}" "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}" "${CERTREQ_ACTION}" "${CERTREQ_CSR}"
+ action_get_cert "${CERTREQ_CNPARAM}" "${CERTREQ_SUBJECT}" "${CERTREQ_USER}:${CERTREQ_PASS}" "${CERTREQ_CA}" "${CERTREQ_CAHOST}" "${CERTREQ_ACTION}" "${CERTREQ_CSR}" "${CERTREQ_OPENSSL_BIN}" "${CERTREQ_openssl_config}"
;;
esac
# CHECK EVERYTHING
failed=0 # start out with everything worked
- openssloutput="$( openssl x509 -in "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" -noout -subject -issuer -startdate -enddate 2>/dev/null )"
+ openssloutput="$( "${CERTREQ_OPENSSL_BIN}" x509 -in "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" -noout -subject -issuer -startdate -enddate 2>/dev/null )"
# 1 interaction with website failed: invalid login credentials or curl returned non-zero value
if echo "${MESSAGE}" | grep -qiE 'unauthorized' || test ${curloutput} -ne 0 ;
bgstack15