From c82c4d6f5a7afc70542d6d7c787bbe41055baac1 Mon Sep 17 00:00:00 2001
From: "B. Stack"
Date: Tue, 6 Jun 2023 09:22:27 -0400
Subject: fix #4
---
 files/certreq.sh | 39 ++++++++++++++++++++++++---------------
 1 file changed, 24 insertions(+), 15 deletions(-)
(limited to 'files/certreq.sh')
diff --git a/files/certreq.sh b/files/certreq.sh
index 8751b39..e5b5b40 100755
--- a/files/certreq.sh
+++ b/files/certreq.sh
@@ -15,6 +15,7 @@
 # 2018-08-16 update error checking and exit codes
 # 2018-09-10 add CERTREQ_OPENSSL_BIN and CERTREQ_OPENSSL_CONF values, and SAN support
 # 2019-07-25 fix chain_file name if DN is a particular format
+# 2023-06-06 Fix #4: bug related to compressed responses from server
 # Usage: in ansible role certreq
 # Microsoft CA cert templates have permissions on them. A user must be able to "enroll" on the template.
 # Reference: ftemplate.sh 2017-10-10x; framework.sh 2017-10-09a
@@ -22,16 +23,16 @@ # subjectaltname in openssl.cnf https://bgstack15.wordpress.com/2017/05/21/generate-certificate-with-subjectaltname-attributes-in-freeipa/ # Improve: fiversion="2017-10-10x" -certreqversion="2019-07-25a" +certreqversion="2023-06-06a" usage() { less -F >&2 <] [-l|-g] [--list|--csr /path/to/file|--fetch|--request] [--no-ca] [--reqid ] [--openssl-bin /bin/openssl] [--openssl-conf /opt/openssl.cnf] +usage: certreq.sh [-dhV] [-u username] [-p password] [-w tempdir] [-t template] [--cn CN] [--ca ] [-l|-g] [--list|--csr /path/to/file|--fetch|--request] [--no-ca] [--reqid ] [--openssl-bin /bin/openssl] [--openssl-conf /opt/openssl.cnf] [--auth ntlm|negotiate] version ${certreqversion} -d debug Show debugging info, including parsed variables. -h usage Show this usage block. -V version Show script version number. - -u username User to connect via ntlm to CA. Can be "username" or "domain\\username" + -u username User to connect via ntlm (or negotiate) to CA. Can be "username" or "domain\\username" -p password -w workdir Temp directory to work in. Default is \$(mktemp -d). -t template Template to request from CA. Default is "ConfigMgrLinuxClientCertificate" @@ -43,6 +44,7 @@ version ${certreqversion} --openssl-conf Use this config for openssl. Default is none. --dnssans Use a pipe-delimited set of values as subjectAltName dns entries. --ipsans Use a pipe-delimited set of values as subjectAltName ip entries. + --auth Either ntlm or negotiate, for the curl statements. Negotiate uses the kerberos ticket for the host, so use the kerberos object name for -u and a blank -p. Default is "ntlm" ACTIONS: --list list available templates and exit. --csr filename Provide a .csr file instead of making a new csr. Accepts "stdin" to read from standard in. 
@@ -127,10 +129,10 @@ submit_csr() { request) # request-only - FULLPAGE="$( curl -k -u "${this_user_string}" --ntlm \ + FULLPAGE="$( curl -k -u "${this_user_string}" --"${CERTREQ_AUTH}" \ "${this_ca}/certsrv/certfnsh.asp" \ -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \ - -H 'Accept-Encoding: gzip, deflate' \ + -H 'Accept-Encoding: gzip, deflate' --compressed \ -H 'Accept-Language: en-US,en;q=0.5' \ -H 'Connection: keep-alive' \ -H "Host: ${this_ca_host}" \ @@ -144,10 +146,10 @@ submit_csr() { *) # get cert - FULLPAGE="$( curl -k -u "${this_user_string}" --ntlm \ + FULLPAGE="$( curl -k -u "${this_user_string}" --"${CERTREQ_AUTH}" \ "${this_ca}/certsrv/certfnsh.asp" \ -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \ - -H 'Accept-Encoding: gzip, deflate' \ + -H 'Accept-Encoding: gzip, deflate' --compressed \ -H 'Accept-Language: en-US,en;q=0.5' \ -H 'Connection: keep-alive' \ -H "Host: ${this_ca_host}" \ @@ -196,9 +198,9 @@ fetch_signed_cert() { ;; esac - curl -k -u "${this_user_string}" --ntlm "${this_certlink}" \ + curl -k -u "${this_user_string}" --"${CERTREQ_AUTH}" "${this_certlink}" \ -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \ - -H 'Accept-Encoding: gzip, deflate' \ + -H 'Accept-Encoding: gzip, deflate' --compressed \ -H 'Accept-Language: en-US,en;q=0.5' \ -H 'Connection: keep-alive' \ -H "Host: ${this_ca_host}" \ @@ -218,10 +220,10 @@ get_number_of_current_ca_cert() { local this_ca="${2}" local this_ca_host="${3}" - RESPONSE="$( curl -s -k -u "${this_user_string}" --ntlm \ + RESPONSE="$( curl -s -k -u "${this_user_string}" --"${CERTREQ_AUTH}" \ "${this_ca}/certsrv/certcarc.asp" \ -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \ - -H 'Accept-Encoding: gzip, deflate' \ + -H 'Accept-Encoding: gzip, deflate' --compressed \ -H 'Accept-Language: en-US,en;q=0.5' \ -H 'Connection: keep-alive' \ -H "Host: ${this_ca_host}" \ 
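Review bot: `--"${CERTREQ_AUTH}"` in the first submit_csr curl call relies on a variable that this commit assigns only inside the new `"auth"` arm of parseFlag, so a run without `--auth` expands it to a bare `--` unless a default is set somewhere outside the lines shown. curl would then be given no authentication method at all, and as far as I know it reads a bare `--` as the end of options, so the usage text's 'Default is "ntlm"' would not hold. Expand with a fallback, `--"${CERTREQ_AUTH:-ntlm}"`, or set `CERTREQ_AUTH="${CERTREQ_AUTH:-ntlm}"` once before the first curl call. A value inherited from the environment is also never checked against the two allowed names and would be handed to curl as an arbitrary long option, so validate it where the default is applied. The same expansion appears in the second submit_csr call and in the fetch_signed_cert, get_number_of_current_ca_cert, get_latest_ca_cert_chain and action_list_templates hunks.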
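Review bot: The hand-written `-H 'Accept-Encoding: gzip, deflate'` in the "get cert" branch of submit_csr is redundant now that `--compressed` sits on the same line, because that option already makes curl request a compressed body and decode it. Keeping both means the advertised encodings are maintained by hand and can drift from what the installed curl can actually decompress, which is the failure mode behind the bug this commit fixes. I would reduce the line to `--compressed \` in all six curl calls, or keep the header and add a comment such as `# header kept to mimic a browser; --compressed does the decoding`. submit_csr begins and ends outside this hunk.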
@@ -243,10 +245,10 @@ get_latest_ca_cert_chain() { local this_ca_host="${3}" local this_num="${4}" - CURRENT_P7B="$( curl -s -k -u "${this_user_string}" --ntlm \ + CURRENT_P7B="$( curl -s -k -u "${this_user_string}" --"${CERTREQ_AUTH}" \ "${this_ca}/certsrv/certnew.p7b?ReqID=CACert&Renewal=${this_num}" \ -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \ - -H 'Accept-Encoding: gzip, deflate' \ + -H 'Accept-Encoding: gzip, deflate' --compressed \ -H 'Accept-Language: en-US,en;q=0.5' \ -H 'Connection: keep-alive' \ -H "Host: ${this_ca_host}" \ @@ -404,10 +406,10 @@ action_list_templates() { local this_ca="${2}" local this_ca_host="${3}" - RESPONSE="$( curl -s -k -u "${this_user_string}" --ntlm \ + RESPONSE="$( curl -s -k -u "${this_user_string}" --"${CERTREQ_AUTH}" \ "${this_ca}/certsrv/certrqxt.asp" \ -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' \ - -H 'Accept-Encoding: gzip, deflate' \ + -H 'Accept-Encoding: gzip, deflate' --compressed \ -H 'Accept-Language: en-US,en;q=0.5' \ -H 'Connection: keep-alive' \ -H "Host: ${this_ca_host}" \ @@ -481,6 +483,13 @@ parseFlag() { "openssl-conf" | "opensslconf" | "openssl_conf" ) getval; CERTREQ_OPENSSL_CONF="${tempval}";; "dnssans" | "dns-sans" | "dnssan" | "dns-san" ) getval; CERTREQ_DNSSANS="${tempval}";; "ipsans" | "ip-sans" | "ipsan" | "ip-san" ) getval; CERTREQ_IPSANS="${tempval}";; + "auth" ) getval ; + case "${tempval}" in + "ntlm") CERTREQ_AUTH=ntlm ;; + "negotiate") CERTREQ_AUTH=negotiate ;; + *) ferror "Warning: --auth must be either \"ntlm\" or \"negotiate\". Using \"ntlm.\"" CERTREQ_AUTH=ntlm ;; + esac + ;; esac debuglev 10 && { test ${hasval} -eq 1 && ferror "flag: ${flag} = ${tempval}" || ferror "flag: ${flag}"; } -- cgit
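Review bot: The rewritten curl line in get_latest_ca_cert_chain still carries `-k`, so the CA chain stored in CURRENT_P7B is downloaded without verifying the server certificate, and the NTLM or Negotiate exchange is carried out with an endpoint whose identity was never checked. Since this commit touches every curl call, it is a natural place to make verification the default: pass a pinned bundle with `--cacert` and keep `-k` behind an explicit opt-in flag. If that is out of scope, at least add a comment above the call such as `# -k: TLS verification is off; the returned chain must be validated out of band`. The same flag is on the other five curl calls, and the function continues outside the hunk.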
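Review bot: In the `*)` arm of the new `"auth"` case in parseFlag, `CERTREQ_AUTH=ntlm` follows the `ferror` call on the same added line with no `;` between them, so the shell passes it to ferror as a second argument instead of performing the assignment. An invalid `--auth` value therefore leaves CERTREQ_AUTH at whatever it held before, possibly empty, while the warning claims ntlm is being used. Separate the two commands: `*) ferror "Warning: --auth must be either \"ntlm\" or \"negotiate\". Using \"ntlm.\"" ; CERTREQ_AUTH=ntlm ;;`. parseFlag starts and ends outside the hunk.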