path: root/files/certreq.sh
Diffstat (limited to 'files/certreq.sh')
-rwxr-xr-xfiles/certreq.sh39
1 files changed, 24 insertions, 15 deletions
diff --git a/files/certreq.sh b/files/certreq.sh
index 8751b39..e5b5b40 100755
--- a/files/certreq.sh
+++ b/files/certreq.sh
@@ -15,6 +15,7 @@
# 2018-08-16 update error checking and exit codes
# 2018-09-10 add CERTREQ_OPENSSL_BIN and CERTREQ_OPENSSL_CONF values, and SAN support
# 2019-07-25 fix chain_file name if DN is a particular format
+# 2023-06-06 Fix #4: bug related to compressed responses from server
# Usage: in ansible role certreq
# Microsoft CA cert templates have permissions on them. A user must be able to "enroll" on the template.
# Reference: ftemplate.sh 2017-10-10x; framework.sh 2017-10-09a
@@ -22,16 +23,16 @@
# subjectaltname in openssl.cnf https://bgstack15.wordpress.com/2017/05/21/generate-certificate-with-subjectaltname-attributes-in-freeipa/
# Improve:
fiversion="2017-10-10x"
-certreqversion="2019-07-25a"
+certreqversion="2023-06-06a"
usage() {
less -F >&2 <<ENDUSAGE
-usage: certreq.sh [-dhV] [-u username] [-p password] [-w tempdir] [-t template] [--cn CN] [--ca <CA hostname>] [-l|-g] [--list|--csr /path/to/file|--fetch|--request] [--no-ca] [--reqid <reqid_string>] [--openssl-bin /bin/openssl] [--openssl-conf /opt/openssl.cnf]
+usage: certreq.sh [-dhV] [-u username] [-p password] [-w tempdir] [-t template] [--cn CN] [--ca <CA hostname>] [-l|-g] [--list|--csr /path/to/file|--fetch|--request] [--no-ca] [--reqid <reqid_string>] [--openssl-bin /bin/openssl] [--openssl-conf /opt/openssl.cnf] [--auth ntlm|negotiate]
version ${certreqversion}
-d debug Show debugging info, including parsed variables.
-h usage Show this usage block.
-V version Show script version number.
- -u username User to connect via ntlm to CA. Can be "username" or "domain\\username"
+ -u username User to connect via ntlm (or negotiate) to CA. Can be "username" or "domain\\username"
-p password
-w workdir Temp directory to work in. Default is \$(mktemp -d).
-t template Template to request from CA. Default is "ConfigMgrLinuxClientCertificate"
@@ -43,6 +44,7 @@ version ${certreqversion}
--openssl-conf <value> Use this config for openssl. Default is none.
--dnssans <value> Use a pipe-delimited set of values as subjectAltName dns entries.
--ipsans <value> Use a pipe-delimited set of values as subjectAltName ip entries.
+ --auth <value> Either ntlm or negotiate, for the curl statements. Negotiate uses the kerberos ticket for the host, so use the kerberos object name for -u and a blank -p. Default is "ntlm"
ACTIONS:
--list list available templates and exit.
--csr filename Provide a .csr file instead of making a new csr. Accepts "stdin" to read from standard in.
@@ -127,10 +129,10 @@ submit_csr() {
request)
# request-only
- FULLPAGE="$( curl -k -u "${this_user_string}" --ntlm \
+ FULLPAGE="$( curl -k -u "${this_user_string}" --"${CERTREQ_AUTH}" \
"${this_ca}/certsrv/certfnsh.asp" \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
- -H 'Accept-Encoding: gzip, deflate' \
+ -H 'Accept-Encoding: gzip, deflate' --compressed \
-H 'Accept-Language: en-US,en;q=0.5' \
-H 'Connection: keep-alive' \
-H "Host: ${this_ca_host}" \
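Review bot: The new `--"${CERTREQ_AUTH}"` on the request-only curl line expands to a bare `--` whenever CERTREQ_AUTH is empty or unset, which ends curl's option parsing and turns the following `-H ...` arguments into URLs rather than failing loudly; the usage text promises an "ntlm" default, but no default assignment is visible in this diff, and the only validation shown lives in the `--auth` flag parser, so a value taken from the environment (which presumably is how the other CERTREQ_* settings can also arrive) would be spliced into the command line as an arbitrary curl option. A defensive form that keeps the documented default at the point of use is `--"${CERTREQ_AUTH:-ntlm}"`, ideally paired with a single validation of CERTREQ_AUTH against the two allowed values before any request is made. The same pattern recurs in the get-cert branch of submit_csr, in fetch_signed_cert, get_number_of_current_ca_cert, get_latest_ca_cert_chain and action_list_templates, so one shared check would cover all six call sites. With `--compressed` added, the explicit `-H 'Accept-Encoding: gzip, deflate'` is now redundant and could be dropped for clarity. The body of submit_csr begins and ends outside this hunk.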
@@ -144,10 +146,10 @@ submit_csr() {
*)
# get cert
- FULLPAGE="$( curl -k -u "${this_user_string}" --ntlm \
+ FULLPAGE="$( curl -k -u "${this_user_string}" --"${CERTREQ_AUTH}" \
"${this_ca}/certsrv/certfnsh.asp" \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
- -H 'Accept-Encoding: gzip, deflate' \
+ -H 'Accept-Encoding: gzip, deflate' --compressed \
-H 'Accept-Language: en-US,en;q=0.5' \
-H 'Connection: keep-alive' \
-H "Host: ${this_ca_host}" \
@@ -196,9 +198,9 @@ fetch_signed_cert() {
;;
esac
- curl -k -u "${this_user_string}" --ntlm "${this_certlink}" \
+ curl -k -u "${this_user_string}" --"${CERTREQ_AUTH}" "${this_certlink}" \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
- -H 'Accept-Encoding: gzip, deflate' \
+ -H 'Accept-Encoding: gzip, deflate' --compressed \
-H 'Accept-Language: en-US,en;q=0.5' \
-H 'Connection: keep-alive' \
-H "Host: ${this_ca_host}" \
@@ -218,10 +220,10 @@ get_number_of_current_ca_cert() {
local this_ca="${2}"
local this_ca_host="${3}"
- RESPONSE="$( curl -s -k -u "${this_user_string}" --ntlm \
+ RESPONSE="$( curl -s -k -u "${this_user_string}" --"${CERTREQ_AUTH}" \
"${this_ca}/certsrv/certcarc.asp" \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
- -H 'Accept-Encoding: gzip, deflate' \
+ -H 'Accept-Encoding: gzip, deflate' --compressed \
-H 'Accept-Language: en-US,en;q=0.5' \
-H 'Connection: keep-alive' \
-H "Host: ${this_ca_host}" \
@@ -243,10 +245,10 @@ get_latest_ca_cert_chain() {
local this_ca_host="${3}"
local this_num="${4}"
- CURRENT_P7B="$( curl -s -k -u "${this_user_string}" --ntlm \
+ CURRENT_P7B="$( curl -s -k -u "${this_user_string}" --"${CERTREQ_AUTH}" \
"${this_ca}/certsrv/certnew.p7b?ReqID=CACert&Renewal=${this_num}" \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
- -H 'Accept-Encoding: gzip, deflate' \
+ -H 'Accept-Encoding: gzip, deflate' --compressed \
-H 'Accept-Language: en-US,en;q=0.5' \
-H 'Connection: keep-alive' \
-H "Host: ${this_ca_host}" \
@@ -404,10 +406,10 @@ action_list_templates() {
local this_ca="${2}"
local this_ca_host="${3}"
- RESPONSE="$( curl -s -k -u "${this_user_string}" --ntlm \
+ RESPONSE="$( curl -s -k -u "${this_user_string}" --"${CERTREQ_AUTH}" \
"${this_ca}/certsrv/certrqxt.asp" \
-H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \
- -H 'Accept-Encoding: gzip, deflate' \
+ -H 'Accept-Encoding: gzip, deflate' --compressed \
-H 'Accept-Language: en-US,en;q=0.5' \
-H 'Connection: keep-alive' \
-H "Host: ${this_ca_host}" \
@@ -481,6 +483,13 @@ parseFlag() {
"openssl-conf" | "opensslconf" | "openssl_conf" ) getval; CERTREQ_OPENSSL_CONF="${tempval}";;
"dnssans" | "dns-sans" | "dnssan" | "dns-san" ) getval; CERTREQ_DNSSANS="${tempval}";;
"ipsans" | "ip-sans" | "ipsan" | "ip-san" ) getval; CERTREQ_IPSANS="${tempval}";;
+ "auth" ) getval ;
+ case "${tempval}" in
+ "ntlm") CERTREQ_AUTH=ntlm ;;
+ "negotiate") CERTREQ_AUTH=negotiate ;;
+ *) ferror "Warning: --auth must be either \"ntlm\" or \"negotiate\". Using \"ntlm.\"" CERTREQ_AUTH=ntlm ;;
+ esac
+ ;;
esac
debuglev 10 && { test ${hasval} -eq 1 && ferror "flag: ${flag} = ${tempval}" || ferror "flag: ${flag}"; }
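Review bot: In the `*)` arm of the new `--auth` case, `CERTREQ_AUTH=ntlm` is written after the ferror message on the same line with no separator, so the shell passes it to ferror as a second argument instead of executing it as an assignment; the documented fallback to "ntlm" never happens and CERTREQ_AUTH keeps whatever value it had before, possibly empty, which the curl calls then expand into a bare `--`. The arm should read `*) ferror "Warning: --auth must be either \"ntlm\" or \"negotiate\". Using \"ntlm.\""; CERTREQ_AUTH=ntlm ;;`. parseFlag starts before this hunk, so I cannot see whether CERTREQ_AUTH receives a default when the flag is absent. A brief comment above the case, such as `# only these two values are valid curl auth switches; anything else falls back to ntlm`, would make the intent of the inner case clear.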