# File lib/puppet/network/handler/ca.rb, line 70
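    # Handle a certificate signing request submitted to this handler.
    #
    # The host name is read from the CN of the CSR subject, not from the
    # network peer, so it is requester-controlled input. It is checked before
    # it reaches any log line or CA lookup.
    #
    # @param csrtext [String] CSR text, parsed with OpenSSL::X509::Request.new
    # @param client [Object, nil] identity of the caller; nil is treated as a
    #   request from the CA server itself and is signed without consulting
    #   autosign.
    #   NOTE(review): callers reachable from the network must therefore always
    #   pass a non-nil client -- confirm at the call sites.
    # @param clientip [Object, nil] not used by this method
    # @return [String, Array<String>] "invalid" when the CSR has no CN or the CN
    #   is not acceptable as a host name; "" when this master is not a CA;
    #   [cert_pem, cacert_pem] when a certificate exists or was just signed;
    #   ["", ""] when the request is waiting for manual signing
    # @raise [Puppet::Error] when a certificate already exists for the name but
    #   its public key differs from the key in the request
    #   (errors raised by OpenSSL::X509::Request.new on unparsable input are not
    #   rescued here)
    def getcert(csrtext, client = nil, clientip = nil)
      request = OpenSSL::X509::Request.new(csrtext)

      # Use the hostname from the CSR, not from the network.
      cn_entry = request.subject.to_a.find { |entry| entry[0] == "CN" }

      if cn_entry.nil?
        Puppet.err(
          "Invalid certificate request: could not retrieve server name"
        )
        return "invalid"
      end

      hostname = cn_entry[1]

      # The CN is chosen by the requester. Refuse values that cannot be a host
      # name before using them: path separators (0x2f, 0x5c) and control bytes
      # have no place in a name that keys the CA's certificate and request
      # lookups (presumably file names -- confirm) and is written to the log.
      # Checked byte-wise so the result does not depend on string encoding.
      unsafe_name = hostname.empty? ||
        hostname.each_byte.any? { |b| b < 0x20 || b == 0x7f || b == 0x2f || b == 0x5c }
      if unsafe_name
        # inspect escapes control characters, so the rejected value cannot
        # forge additional log lines.
        Puppet.err(
          "Invalid certificate request: unacceptable server name #{hostname.inspect}"
        )
        return "invalid"
      end

      unless @ca
        Puppet.notice "Host #{hostname} asked for signing from non-CA master"
        return ""
      end

      # We used to save the public key, but it's basically unnecessary
      # and it mucks with the permissions requirements.

      # NOTE(review): this method never checks the CSR's self-signature;
      # presumably @ca.sign does -- confirm.

      # First check to see if we already have a signed cert for the host.
      cert, cacert = ca.getclientcert(hostname)
      if cert && cacert
        Puppet.info "Retrieving existing certificate for #{hostname}"
        # Only return the stored certificate when the request carries the same
        # public key; a different key under an existing name is refused.
        unless request.public_key.to_s == cert.public_key.to_s
          raise Puppet::Error, "Certificate request does not match existing certificate; run 'puppetca --clean #{hostname}'."
        end
        return [cert.to_pem, cacert.to_pem]
      end

      # No signed cert yet. Sign immediately when autosign allows this name,
      # or when the request has no client (the CA server's own certificate).
      if autosign?(hostname) || client.nil?
        Puppet.info "Signing certificate for CA server" if client.nil?
        Puppet.info "Signing certificate for #{hostname}"
        cert, cacert = @ca.sign(request)
        return [cert.to_pem, cacert.to_pem]
      end

      # Otherwise keep the CSR for later manual signing, never overwriting a
      # request that is already waiting under this name.
      if @ca.getclientcsr(hostname)
        Puppet.info "Not replacing existing request from #{hostname}"
      else
        Puppet.notice "Host #{hostname} has a waiting certificate request"
        @ca.storeclientcsr(request)
      end
      ["", ""]
    end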