Couple of minor revisions.

1) Thank you Ohad Levy for the original cgi script. Sorry about not giving you credit.

2) if [ '$NVRAM' == 'no' ]; then
   should be
   if [ "$NVRAM" == 'no' ]; then

---
Thanks,
Allan Marcus
505-667-5666

On Jul 9, 2009, at 7:12 PM, Allan Marcus wrote:

> Putting it all together, here's what I have for cert management on Macs.
>
> 1) A launchd job to launch puppet every hour
> 2) a script on the client to determine a unique attribute of the Mac and use it for cert name
> 3) a CGI on the server to clean a cert if the machine was re-imaged
> 3a) note: alter /etc/sudoers on the server to allow the cgi to run puppetca
>
> Testing is rather easy. Run the puppetd.sh script on the client (as root). Delete the /etc/puppet/ssl dir then run again. The system should clean the cert on the server
>
>
> (1) This plist file should be in /Library/LaunchDaemons/
>
> <?xml version="1.0" encoding="UTF-8"?>
> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
> <plist version="1.0">
> <dict>
>     <key>Label</key>
>     <string>com.mycompany.puppetd</string>
>     <key>ProgramArguments</key>
>     <array>
>         <string>/usr/bin/puppetd.sh</string>
>     </array>
>     <key>QueueDirectories</key>
>     <array/>
>     <key>StartInterval</key>
>     <integer>3600</integer>
>     <key>WatchPaths</key>
>     <array/>
> </dict>
> </plist>
>
>
> (2) /usr/bin/puppetd.sh and chmod 700 and chown root:wheel
>
> #!/bin/sh
> # puppetd.sh script
> # Script to run puppet and use the "correct" certname
> # we need the certname to be unique, so hostname is not great
>
> # by Allan Marcus of LANL
>
> # Version History
> # 2009-07-08: initial version
>
> # this script is run from a launchd job
>
> # this suffix is added to the value to make it look like a FQDN.
> # This allows for auto sign to work on the server with a simple wildcard
> SUFFIX=mycompany.com
>
> # this is the server to send a puppetca clean to
> SERVER=www.mycompany.com
>
>
> # ---------------
>
> # see if the MAC_UID is in nvram already
> MAC_UID=`nvram MAC_UID 2>/dev/null | awk '{print $2}'`
> if [ -z "$MAC_UID" ]; then
>     # flag that nothing is in nvram yet
>     NVRAM="no"
> fi
>
> # get the serial number for this Mac
> if [ -z "$MAC_UID" ]; then
>     MAC_UID=`facter | grep sp_serial_number | awk '{print $3}'`
> fi
>
> # if the MAC_UID is still null
> # get the primary MAC address
> if [ -z "$MAC_UID" ]; then
>     MAC_UID=`facter | grep 'macaddress =>' | awk '{print $3}'`
> fi
>
> # if all the above fails, get the hostname
> if [ -z "$MAC_UID" ]; then
>     MAC_UID=`hostname`
> fi
>
> # assuming we have something, write it to nvram
> # getting it from nvram is much faster and is limited to this
> # specific computer
> if [ '$NVRAM' == 'no' ]; then
>     # cert names must be lowercase
>     MAC_UID=`echo $MAC_UID | tr "[:upper:]" "[:lower:]"`
>     MAC_UID=${MAC_UID}.${SUFFIX}
>     nvram MAC_UID=${MAC_UID}
> fi
>
> RESULTS=`puppetd -o --no-daemonize -v --certname=$MAC_UID 2>&1`
> RESULTS=`echo $RESULTS | grep 'Certificate request does not match existing certificate'`
>
> if [ -z "$RESULTS" ]; then
>     exit 0
> else
>     # curl call to a CGI to clean the cert
>     curl "http://${SERVER}/cgi-bin/cleanCert.rb?certname=${MAC_UID}"
> fi
>
> ### end puppetd.sh script ####
>
>
> (3) On the server in the CGI directory. On a Mac server you also need to allow CGIs in server admin.
>
> #!/usr/bin/ruby
>
> # cleanCert.rb
> # cgi to clean a cert
>
> require 'cgi'
>
> class Puppetca
>     # removes old certificate if it exists
>     # parameter is the certname to use
>     # need to allow the _www user to use sudo with the puppetca command
>     # added using visudo
>     # _www ALL = NOPASSWD: /usr/bin/puppetca, !/usr/bin/puppetca --clean --all
>     def self.clean certname, addr
>         command = "/usr/bin/sudo /usr/bin/puppetca --clean #{certname}"
>         # for some reason the "system" command causes Mac apache to crash
>         # when used here
>         %x{#{command}}
>         # record who asked for the clean in syslog
>         %x{logger #{addr} cleaned #{certname}}
>         return true
>     end
> end
>
> =begin
> CGI starts here
> =end
>
> # get the value of the passed param in the URL Query_string
> cgi = CGI.new
> certname = cgi["certname"]
>
> # define the characters that are allowed to avoid an injection attack
> # 0-9, a-z, period, dash, and colon are allowed. All else is not
> pattern = /[^a-z0-9.\-:]/
> # determine if the certname is empty or contains any other characters
> reject = (certname.empty? || certname =~ pattern) ? 1 : 0
>
> if ((reject == 0) && Puppetca.clean(certname, ENV['REMOTE_ADDR']))
>     cgi.out("status" => "OK", "connection" => "close") {"OK #{certname} cleaned\n"}
> else
>     cgi.out("status" => "BAD_REQUEST", "connection" => "close") {"Not Processed: #{certname}\n"}
> end
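The whitelist in cleanCert.rb is what stands between an unauthenticated GET parameter and a sudo'd puppetca, so it is worth seeing that check on its own. What follows is an added example, not code from Allan's post: it keeps the same character whitelist, adds the checks a reviewer would ask for (non-empty, bounded length, must carry the SUFFIX that puppetd.sh appends, must not start with "-" so puppetca cannot read it as an option), and builds the command as an argv array so the shell is never involved at all. SUFFIX, MAX_LEN and the puppetca path are assumptions for the example.

```ruby
#!/usr/bin/ruby
# Added example (not from the original post): hardened certname handling
# for a cleanCert.rb-style CGI. SUFFIX, PUPPETCA and MAX_LEN are assumed.
SUFFIX   = "mycompany.com"       # what puppetd.sh appends to the unique id
PUPPETCA = "/usr/bin/puppetca"   # assumed path, same as the post
MAX_LEN  = 253                   # RFC 1035 bound on a full hostname

# Same character whitelist as the post: any character outside it rejects.
UNSAFE = /[^a-z0-9.\-:]/

# True only for a certname the CGI should act on.
def valid_certname?(certname)
  return false if certname.nil? || certname.empty?
  return false if certname.length > MAX_LEN
  return false if certname =~ UNSAFE
  # puppetd.sh always appends ".#{SUFFIX}", so anything else is foreign.
  return false unless certname.end_with?(".#{SUFFIX}")
  # "-" is in the whitelist, but a leading one would be parsed by
  # puppetca as an option rather than a name.
  return false if certname.start_with?("-")
  true
end

# Build the clean command as an argv array. Passing it to system(*argv)
# or Process.spawn(*argv) bypasses /bin/sh, so shell metacharacters in
# certname are never interpreted even if the whitelist were loosened.
def clean_argv(certname)
  raise ArgumentError, "invalid certname" unless valid_certname?(certname)
  ["/usr/bin/sudo", PUPPETCA, "--clean", certname]
end

# The syslog line the post writes with logger(1), also as an argv array.
def logger_argv(addr, certname)
  ["/usr/bin/logger", "#{addr} cleaned #{certname}"]
end

if __FILE__ == $0
  # Constructed sample names; the first has the shape puppetd.sh produces.
  ["w12345abcde.mycompany.com", "host;rm -rf /", "",
   "-h.mycompany.com", "HOST.mycompany.com", "host.evil.com"].each do |name|
    puts "#{name.inspect}: #{valid_certname?(name) ? 'clean' : 'reject'}"
  end
end
```

Running the file prints one line per sample showing which names pass; only the first is accepted. In the CGI itself you would replace the `%x{#{command}}` call with `system(*clean_argv(certname))`, which also sidesteps the apache crash the post works around, since no subshell is spawned.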