Diffstat (limited to 'files')
-rwxr-xr-x | files/certreq.sh | 27 |
1 files changed, 17 insertions, 10 deletions
diff --git a/files/certreq.sh b/files/certreq.sh
index e5b5b40..459df53 100755
--- a/files/certreq.sh
+++ b/files/certreq.sh
@@ -16,6 +16,7 @@
 # 2018-09-10 add CERTREQ_OPENSSL_BIN and CERTREQ_OPENSSL_CONF values, and SAN support
 # 2019-07-25 fix chain_file name if DN is a particular format
 # 2023-06-06 Fix #4: bug related to compressed responses from server
+# 2023-06-21 Add basic auth method and attempt at adding password file argument
 # Usage: in ansible role certreq
 # Microsoft CA cert templates have permissions on them. A user must be able to "enroll" on the template.
 # Reference: ftemplate.sh 2017-10-10x; framework.sh 2017-10-09a
@@ -27,15 +28,16 @@ certreqversion="2023-06-06a" usage() { less -F >&2 <<ENDUSAGE -usage: certreq.sh [-dhV] [-u username] [-p password] [-w tempdir] [-t template] [--cn CN] [--ca <CA hostname>] [-l|-g] [--list|--csr /path/to/file|--fetch|--request] [--no-ca] [--reqid <reqid_string>] [--openssl-bin /bin/openssl] [--openssl-conf /opt/openssl.cnf] [--auth ntlm|negotiate] +usage: certreq.sh [-dhV] [-u username] [-p password] [--pf passwordfile ][-w tempdir] [-t template] [--cn CN] [--ca <CA hostname>] [-l|-g] [--list|--csr /path/to/file|--fetch|--request] [--no-ca] [--reqid <reqid_string>] [--openssl-bin /bin/openssl] [--openssl-conf /opt/openssl.cnf] [--auth basic|ntlm|negotiate] version ${certreqversion} -d debug Show debugging info, including parsed variables. -h usage Show this usage block. -V version Show script version number. - -u username User to connect via ntlm (or negotiate) to CA. Can be "username" or "domain\\username" + -u username User to connect via basic or ntlm auth (or negotiate) to CA. Can be "username" or "domain\\username" -p password -w workdir Temp directory to work in. Default is \$(mktemp -d). -t template Template to request from CA. Default is "ConfigMgrLinuxClientCertificate" + --pf --password-file Passwordfile in case you don't want to write password in clear text. --cn CN to request. Default is \$( hostname -f ) --ca CA hostname or base URL. Example: ca2.example.com --reqid <value> Request ID. Needed by --fetch action. 
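Review bot: The new `--pf` help line does not say what the file must contain, yet the parser in the later parseFlag hunk uses the entire file contents as the password, so a second line or a trailing blank becomes part of the secret; spell the contract out, e.g. `--pf --password-file File whose contents are used as the password (trailing newlines stripped); keep it readable only by the invoking user.` The synopsis line also has the space on the wrong side of the bracket, `[--pf passwordfile ][-w tempdir]`, which should read `[--pf passwordfile] [-w tempdir]`. The `usage()` heredoc continues past the end of this hunk.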
@@ -44,7 +46,7 @@ version ${certreqversion} --openssl-conf <value> Use this config for openssl. Default is none. --dnssans <value> Use a pipe-delimited set of values as subjectAltName dns entries. --ipsans <value> Use a pipe-delimited set of values as subjectAltName ip entries. - --auth <value> Either ntlm or negotiate, for the curl statements. Negotiate uses the kerberos ticket for the host, so use the kerberos object name for -u and a blank -p. Default is "ntlm" + --auth <value> Either basic, ntlm or negotiate, for the curl statements. Negotiate uses the kerberos ticket for the host, so use the kerberos object name for -u and a blank -p. Default is "basic" ACTIONS: --list list available templates and exit. --csr filename Provide a .csr file instead of making a new csr. Accepts "stdin" to read from standard in. @@ -466,6 +468,7 @@ parseFlag() { "V" | "fcheck" | "version" ) ferror "${scriptfile} version ${certreqversion}"; exit 1001;; "u" | "user" | "username" ) getval; CERTREQ_USER="${tempval}";; "p" | "pass" | "password" ) getval; CERTREQ_PASS="${tempval}";; + "pf" | "password-file" ) getval; test -r "${tempval}" && CERTREQ_PASS="$( cat "${tempval}" )" || ferror "Invalid password file ${tempval}; leaving password blank!";; # Read password from file "w" | "work" | "workdir" ) getval; CERTREQ_WORKDIR="${tempval}";; "t" | "temp" | "template" ) getval; CERTREQ_TEMPLATE="${tempval}";; "cn" | "common-name" | "commonname" ) getval; CERTREQ_CNPARAM="${tempval}";; @@ -485,9 +488,10 @@ parseFlag() { "ipsans" | "ip-sans" | "ipsan" | "ip-san" ) getval; CERTREQ_IPSANS="${tempval}";; "auth" ) getval ; case "${tempval}" in + "basic") CERTREQ_AUTH=basic ;; "ntlm") CERTREQ_AUTH=ntlm ;; "negotiate") CERTREQ_AUTH=negotiate ;; - *) ferror "Warning: --auth must be either \"ntlm\" or \"negotiate\". Using \"ntlm.\"" CERTREQ_AUTH=ntlm ;; + *) ferror "Warning: --auth must be either \"basic\", \"ntlm\" or \"negotiate\". Using \"basic.\"" ; CERTREQ_AUTH=basic ;; esac ;; esac 
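Review bot: In the new `pf` arm, `test -r ... && CERTREQ_PASS="$( cat ... )" || ferror ...` turns the whole file into the password — every line plus any leading or trailing blanks (only trailing newlines are dropped by the command substitution) — and if `cat` fails after `test -r` succeeded (a readable directory, for instance) CERTREQ_PASS is set to an empty string while the error still fires. Reading one line is the usual password-file contract and also removes the `a && b || c` ambiguity: `"pf" | "password-file" ) getval; if test -r "${tempval}"; then IFS= read -r CERTREQ_PASS < "${tempval}" || test -n "${CERTREQ_PASS}" || ferror "Empty password file ${tempval}"; else ferror "Unreadable password file ${tempval}; password unchanged!"; fi ;;`. The message "leaving password blank!" is misleading when `-p` was given earlier on the command line, because CERTREQ_PASS then keeps that value. Where CERTREQ_PASS is consumed is not visible in this hunk; if it ends up on a curl command line the file only keeps the secret out of shell history, not out of process listings, and a curl config file passed with `-K` would be the stronger option.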
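Review bot: The `*)` arm now falls back to `basic` for any unrecognised `--auth` value, so a typo such as `--auth negotaite` silently changes the mechanism used to talk to the CA instead of failing; an invalid authentication selector should stop the script the way the `"V"` arm above does with `ferror ...; exit 1001`, e.g. `*) ferror "--auth must be \"basic\", \"ntlm\" or \"negotiate\"."; exit 1 ;;`. Matching is also case-sensitive, so `--auth NTLM` takes the same fallback; lowering the value before the `case` (for example with `tr 'A-Z' 'a-z'`) would make the accepted spellings match the usage text. The enclosing `parseFlag()` case statement begins and ends outside this hunk.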
@@ -608,9 +612,9 @@ if test -n "${CERTREQ_CAPARAM}"; then # trim down to just the hostname CERTREQ_CAPARAM="$( echo "${CERTREQ_CAPARAM}" | sed -r -e 's/https?:\/\///g' -e 's/(\.[a-z]{2,3})\/$/\1/;' )" - CERTREQ_CA="http://${CERTREQ_CAPARAM}" + CERTREQ_CA="https://${CERTREQ_CAPARAM}" fi -define_if_new CERTREQ_CA "http://ca2.ad.example.com" +define_if_new CERTREQ_CA "https://ca2.ad.example.com" # generate cahost CERTREQ_CAHOST="$( echo "${CERTREQ_CA}" | sed -r -e 's/https?:\/\///g' -e 's/(\.[a-z]{2,3})\/$/\1/;' )" @@ -763,7 +767,7 @@ debuglev 5 && { openssloutput="$( "${CERTREQ_OPENSSL_BIN}" x509 -in "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" -noout -subject -issuer -startdate -enddate 2>/dev/null )" # 1 interaction with website failed: invalid login credentials or curl returned non-zero value - if echo "${MESSAGE}" | grep -qiE 'unauthorized' || test ${curloutput} -ne 0 ; + if echo "${MESSAGE}" | grep -qiE 'unauthorized' || test ${curloutput:-0} -ne 0 ; then failed=$(( failed + 1 )) fi @@ -775,9 +779,12 @@ debuglev 5 && { fi # 4 invalid cert file: incomplete cert file, or no issuer - if { ! grep -qE -- '--END CERTIFICATE--' "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" ; } || { ! echo "${openssloutput}" | grep -qE "issuer.*" ; } ; - then - failed=$(( failed + 4 )) + # Wrapped in if statement to not grep when doing --list since no cert is created during that process. + if test "${CERTREQ_ACTION}" != "list" ; then + if { ! grep -qE -- '--END CERTIFICATE--' "${CERTREQ_WORKDIR}/${CERTREQ_CNPARAM}.crt" ; } || { ! echo "${openssloutput}" | grep -qE "issuer.*" ; } ; + then + failed=$(( failed + 4 )) + fi fi } 1> ${logfile} 2>&1 |
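Review bot: Whatever scheme the caller gives to `--ca` is stripped by the `sed` on the previous line and replaced with `https://`, so `--ca http://ca2.example.com` is silently upgraded; that is the right choice now that basic auth is the default mechanism, but it belongs in the `--ca` help text, e.g. `--ca CA hostname or base URL. Any http:// prefix is ignored; https is always used.` The trailing-slash strip in that sed only fires for hostnames ending in a 2-3 letter label (`\.[a-z]{2,3}`), so `--ca https://ca.corp.local/` yields `https://ca.corp.local/`; whether the URL building further down tolerates that slash is not visible here.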
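Review bot: `${curloutput:-0}` makes an unset curloutput count as a successful curl call, so if the curl step never ran or its status was never captured (where curloutput is assigned lies outside this hunk) the failure counter stays at zero and only the `unauthorized` grep remains as a signal. If the unset case is the `--list` path, gate only the status test like the cert-file check in the next hunk and keep a failing default otherwise: `if echo "${MESSAGE}" | grep -qiE 'unauthorized' || { test "${CERTREQ_ACTION}" != "list" && test "${curloutput:-1}" -ne 0 ; } ;`. Quoting the expansion also avoids word splitting should the value ever be anything but a bare integer. The surrounding `debuglev 5 && { ... }` block starts before this hunk.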