update_crl.sh

#!/usr/bin/env bash

set -euo pipefail

ROOT_CRL_S3=<ROOT CRL>
CA_HASH=<CA HASH>
PUPPET_CRL=$(/opt/puppetlabs/bin/puppet config print hostcrl)
PUPPET_CRL_DIR=$(dirname "$PUPPET_CRL")
PUPPET_CA_CRL=$(/opt/puppetlabs/bin/puppet config print cacrl)
PUPPET_CA_CRL_DIR=$(dirname "$PUPPET_CA_CRL")

WORKDIR=$(mktemp -d)

cleanup() {
  if [[ -n "${WORKDIR:-}" && -d "$WORKDIR" ]]; then
    rm -rf "$WORKDIR"
  fi
  popd > /dev/null
}

if [[ -z $PUPPET_CRL ]]; then
  echo "ERROR: Unable to determine location of CRL file" 1>&2
  exit 1
fi

pushd "$WORKDIR" > /dev/null
trap cleanup EXIT

aws s3 cp "s3://${ROOT_CRL_S3}/${CA_HASH}.crl" raw.crl
openssl crl -inform DER -in raw.crl -outform PEM -out root_crl.pem

csplit -s -z -f crl- "$PUPPET_CRL" '/-----BEGIN X509 CRL-----/' '{*}'
oldroot=$(find . -type f -name 'crl-*' | sort -n | tail -n 1)
if [[ -f "$oldroot" ]]; then
  rm -f "$oldroot"
fi

cat -- crl-* root_crl.pem > "${PUPPET_CRL_DIR}/crl.pem.new"
(cd "$PUPPET_CRL_DIR" && mv -bS .old crl.pem.new crl.pem)
if [[ -f "$PUPPET_CA_CRL" ]]; then
  ca_crl=$(basename "$PUPPET_CA_CRL")
  cat -- crl-* root_crl.pem > "${PUPPET_CA_CRL_DIR}/${ca_crl}.new"
  chown puppet:puppet "${PUPPET_CA_CRL_DIR}/${ca_crl}.new"
  (cd "$PUPPET_CA_CRL_DIR" && mv -bS .old "${ca_crl}.new" "$ca_crl")
fi