#!/bin/bash # # Check puppet fingerprints, hydractl perspective. # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU Affero General Public License as # published by the Free Software Foundation, either version 3 of the # License, or (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU Affero General Public License for more details. # # You should have received a copy of the GNU Affero General Public # License along with this program. If not, see # <http://www.gnu.org/licenses/>. # Load source $APP_BASE/lib/hydra/functions || exit 1 hydra_config_load # Command line arguments BASENAME="`basename $0`" # Execute openssl function puppet_openssl { if [ -z "$1" ]; then return fi openssl x509 -text -noout -fingerprint -in $1 | grep "^SHA1 Fingerprint=" | \ sed -e 's/^SHA1 Fingerprint=//' } # Print a fingerprint with correct padding. function print_fingerprint { if [ -z "$2" ]; then return fi len="`echo $1 | wc -c`" offset="$((85 - $len))" printf "$1: %${offset}s\n" "$2" } # Master: # # openssl x509 -text -noout -fingerprint -in /var/lib/puppetmaster/ssl/ca/signed/fqdn.pem # openssl x509 -text -noout -fingerprint -in /var/lib/puppetmaster/ssl/certs/ca.pem # if [ -d "/var/lib/puppetmaster/ssl" ]; then if [ -d "/var/lib/puppetmaster/ssl/ca/signed" ]; then for file in `ls /var/lib/puppetmaster/ssl/ca/signed`; do fp="`puppet_openssl /var/lib/puppetmaster/ssl/ca/signed/$file`" print_fingerprint `basename $file .pem` $fp done fi if [ -f "/var/lib/puppetmaster/ssl/certs/ca.pem" ]; then print_fingerprint ca `puppet_openssl /var/lib/puppetmaster/ssl/certs/ca.pem` fi fi # Node: # # openssl x509 -text -noout -fingerprint -in /var/lib/puppet/ssl/certs/fqdn.pem # openssl x509 -text -noout -fingerprint -in /var/lib/puppet/ssl/certs/ca.pem # if [ -d "/var/lib/puppet/ssl" ]; then fqdn="`facter fqdn`" print_fingerprint $fqdn `puppet_openssl /var/lib/puppet/ssl/certs/$fqdn.pem` print_fingerprint ca `puppet_openssl /var/lib/puppet/ssl/certs/ca.pem` fi