Add a renew subcommand to puppet ssl

jay7x · jay7x · commit 366cc38ce08d · 2026-03-08T19:36:25.000+08:00
diff --git a/lib/puppet/application/ssl.rb b/lib/puppet/application/ssl.rb
@@ -54,6 +54,9 @@ def help
         Puppet setting, it can be specified as a time interval, such as 30s,
         5m, 1h.
 
+      * renew
+        Renew existing and non-expired client certificate.
+
       * submit_request:
         Generate a certificate signing request (CSR) and submit it to the CA. If
         a private and public key pair already exist, they will be used to generate
@@ -150,6 +153,8 @@ def main
       end
     when 'generate_request'
       generate_request(certname)
+    when 'renew'
+      renew_certificate(certname)
     when 'verify'
       verify(certname)
     when 'clean'
@@ -248,6 +253,26 @@ def download_cert(ssl_context)
     raise Puppet::Error.new(_("Failed to download certificate: %{message}") % { message: e.message }, e)
   end
 
+  def renew_certificate(certname)
+    ssl_context = @ssl_provider.load_context(certname: certname)
+    route = create_route(ssl_context)
+    _, x509 = route.post_certificate_renewal(ssl_context)
+    cert = OpenSSL::X509::Certificate.new(x509)
+    Puppet.notice _("Downloaded certificate '%{name}' with fingerprint %{fingerprint}") % { name: Puppet[:certname], fingerprint: fingerprint(cert) }
+
+    @cert_provider.save_client_cert(certname, cert)
+    @cert_provider.delete_request(certname)
+    cert
+  rescue Puppet::HTTP::ResponseError => e
+    if e.response.code == 404
+      nil
+    else
+      raise Puppet::Error.new(_("Failed to download certificate: %{message}") % { message: e.message }, e)
+    end
+  rescue => e
+    raise Puppet::Error.new(_("Failed to download certificate: %{message}") % { message: e.message }, e)
+  end
+
   def verify(certname)
     password = @cert_provider.load_private_key_password
     ssl_context = @ssl_provider.load_context(certname: certname, password: password)
