Forked from derektamsen/puppet_master_crl_cache_update
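#!/usr/bin/env bash
# This script will connect to the rest api of the puppetca listed in your
# puppet config and update the local copy certificate revocation list.
#
# This is useful when you have distributed puppet masters fronted by
# a webserver and passenger.
#
# Requires: puppet, curl, openssl, hostname. Must run with enough privilege
# to replace the host CRL and chown it (normally root, e.g. from cron).
#
# https://docs.puppetlabs.com/guides/rest_api.html#certificate-revocation-list
# https://ask.puppetlabs.com/question/3843/multiple-puppet-masters-with-single-ca-server/
set -euo pipefail

#######################################
# Print a diagnostic to stderr and exit non-zero.
# Arguments: message words
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

status='NOTSET'
puppetuser=$(puppet config print user)
puppetgroup=$(puppet config print group)
ssldir=$(puppet config print ssldir)
certname=$(hostname -f)
puppetca=$(puppet config print ca_server)
environment=$(puppet config print environment)
local_crl_file=$(puppet config print hostcrl)

# Each of these ends up in a file path, the CA URL or a chown argument; an
# empty value would silently fetch the wrong thing or touch the wrong file.
: "${puppetuser:?puppet config print user returned nothing}"
: "${puppetgroup:?puppet config print group returned nothing}"
: "${ssldir:?puppet config print ssldir returned nothing}"
: "${certname:?hostname -f returned nothing}"
: "${puppetca:?puppet config print ca_server returned nothing}"
: "${environment:?puppet config print environment returned nothing}"
: "${local_crl_file:?puppet config print hostcrl returned nothing}"

# The CA certificate is used both to authenticate the TLS endpoint and,
# below, to verify the signature on the downloaded CRL.
readonly ca_cert="${ssldir}/certs/ca.pem"
headers="Accept: s"
caendpoint="https://${puppetca}:8140/${environment}/certificate_revocation_list/ca"

# Download into an unpredictable temp file next to the real CRL rather than
# a fixed name under /tmp: same filesystem means the final mv is an atomic
# replace, and mktemp (0600) avoids anyone pre-creating or symlinking the path.
newtmp_local_crl_file=$(mktemp "${local_crl_file}.XXXXXX") || die "mktemp failed"
cleanup() { rm -f -- "${newtmp_local_crl_file}"; }
trap cleanup EXIT

# --fail makes an HTTP error a non-zero exit instead of saving the error body
# as if it were a CRL.
curl --fail --silent --show-error \
  --output "${newtmp_local_crl_file}" \
  --cacert "${ca_cert}" \
  --cert "${ssldir}/certs/${certname}.pem" \
  --key "${ssldir}/private_keys/${certname}.pem" \
  -H "${headers}" "${caendpoint}" \
  || die "CRL download from ${caendpoint} failed"

# Verify the CRL signature against the CA certificate. -CAfile needs a file,
# not the CA hostname. Some openssl releases report "verify failure" on
# stderr without a non-zero exit, so the output is checked as well as the
# status.
verify_out=$(openssl crl -in "${newtmp_local_crl_file}" -CAfile "${ca_cert}" -verify -noout 2>&1) \
  && [[ "${verify_out}" == *"verify OK"* ]] \
  && status='VALID'

if [[ "${status}" == "VALID" ]]; then
  mv -f -- "${newtmp_local_crl_file}" "${local_crl_file}"
  chown -- "${puppetuser}:${puppetgroup}" "${local_crl_file}"
else
  # The temp file is removed by the EXIT trap; the existing CRL is untouched.
  die "downloaded CRL failed signature verification against ${ca_cert}; keeping ${local_crl_file}"
fi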