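#!/usr/bin/env bash
# Fetch the certificate revocation list from the puppet CA's REST API and
# install it as this host's local CRL copy (puppet's `hostcrl` setting).
#
# This is useful when you have distributed puppet masters fronted by
# a webserver and passenger: each master needs a current copy of the CA's CRL.
#
# Requirements: puppet, curl and openssl on PATH; run as a user that may
# write into the puppet ssldir (normally root). Takes no arguments.
# Exits non-zero (and leaves the existing CRL untouched) when the download
# fails or the downloaded CRL does not verify against the CA certificate.
#
# https://docs.puppetlabs.com/guides/rest_api.html#certificate-revocation-list
# https://ask.puppetlabs.com/question/3843/multiple-puppet-masters-with-single-ca-server/
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

# Settings are taken from the local puppet config so the script follows
# whatever ssldir/CA server this host is already configured for.
readonly puppetuser=$(puppet config print user)
readonly puppetgroup=$(puppet config print group)
readonly ssldir=$(puppet config print ssldir)
readonly puppetca=$(puppet config print ca_server)
readonly environment=$(puppet config print environment)
readonly local_crl_file=$(puppet config print hostcrl)
# NOTE(review): the client cert/key are looked up by FQDN; puppet's own
# `certname` setting may differ on some hosts — confirm for your setup.
readonly certname=$(hostname -f)
readonly ca_cert="${ssldir}/certs/ca.pem"

#######################################
# Download the CRL into a file, authenticating with this host's puppet
# client certificate.
# Globals:   puppetca, environment, ssldir, certname, ca_cert (read)
# Arguments: $1 - destination path
# Returns:   curl's exit status; --fail turns an HTTP error status into a
#            non-zero exit so an error page is never written as a CRL
#######################################
fetch_crl() {
  local dest=$1
  # "Accept: s" asks the legacy REST API for the PEM string form of the CRL.
  curl --fail --silent --show-error \
    --output "${dest}" \
    --cacert "${ca_cert}" \
    --cert "${ssldir}/certs/${certname}.pem" \
    --key "${ssldir}/private_keys/${certname}.pem" \
    -H 'Accept: s' \
    "https://${puppetca}:8140/${environment}/certificate_revocation_list/ca"
}

#######################################
# Check that a file parses as a CRL and that its signature verifies against
# the CA certificate.
# Globals:   ca_cert (read)
# Arguments: $1 - path of the CRL to check
# Returns:   openssl's exit status (0 only when the CRL parses and verifies)
#######################################
verify_crl() {
  local crl=$1
  # -CAfile must be the CA *certificate file*: the CRL signature is checked
  # against the issuing certificate it contains.
  openssl crl -noout -in "${crl}" -CAfile "${ca_cert}"
}

main() {
  local tmp
  # Create the temp file next to the target (unpredictable name, created
  # 0600) so the final mv is an atomic rename on the same filesystem and
  # nothing in a shared /tmp can be swapped in underneath us.
  tmp=$(mktemp "${local_crl_file}.XXXXXX") || die "mktemp failed"
  # shellcheck disable=SC2064 — expand $tmp now; it is fixed for the run
  trap "rm -f -- '${tmp}'" EXIT

  fetch_crl "${tmp}" || die "failed to download CRL from ${puppetca}"
  verify_crl "${tmp}" \
    || die "downloaded CRL failed verification; keeping ${local_crl_file}"

  chown -- "${puppetuser}:${puppetgroup}" "${tmp}"
  # mktemp creates the file 0600; the CRL is not secret and the agent reads
  # it as puppetuser — 0644 is assumed to be the intended mode, confirm.
  chmod 0644 -- "${tmp}"
  mv -f -- "${tmp}" "${local_crl_file}"
}

main "$@"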