# File lib/puppet/network/handler/ca.rb, line 73
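 # Handle a certificate signing request submitted to this master.
 #
 # csrtext  - text of the request, parsed with OpenSSL::X509::Request.new
 #            (which raises if the text is not a parseable request).
 # client   - identity of the caller; nil is treated as a local request and
 #            is signed without consulting autosign.
 # clientip - accepted for interface compatibility; not used here.
 #
 # Returns:
 #   "invalid"               - the request has no CN, or the CN is unsafe
 #   ""                      - this master is not a CA
 #   [cert_pem, cacert_pem]  - an existing or freshly signed certificate
 #   ["", ""]                - the request was left waiting for manual signing
 #
 # Raises Puppet::Error when a certificate already exists for the CN but its
 # public key differs from the one in the request.
 def getcert(csrtext, client = nil, clientip = nil)
     csr = OpenSSL::X509::Request.new(csrtext)

     # Use the hostname from the CSR, not from the network.
     nameary = csr.subject.to_a.find { |ary| ary[0] == "CN" }

     if nameary.nil?
         Puppet.err(
             "Invalid certificate request: could not retrieve server name"
         )
         return "invalid"
     end

     hostname = nameary[1]

     # The CN is chosen by whoever submitted the request.  It ends up in log
     # lines and is handed to the CA's per-host lookups, so refuse names that
     # are empty or carry path separators or control bytes before using it.
     # Bytes are inspected directly so the check does not depend on the
     # string's encoding being valid.
     # NOTE(review): how the CA store maps a hostname to a file is not visible
     # here -- confirm it applies its own validation as well.
     unsafe_name = hostname.empty? || hostname.unpack("C*").any? { |b|
         b < 0x20 || b == 0x7f || b == 0x2f || b == 0x5c
     }
     if unsafe_name
         Puppet.err(
             "Invalid certificate request: unsafe server name %s" % hostname.inspect
         )
         return "invalid"
     end

     unless @ca
         Puppet.notice "Host %s asked for signing from non-CA master" % hostname
         return ""
     end

     # We used to save the public key, but it's basically unnecessary
     # and it mucks with the permissions requirements.
     # save_pk(hostname, csr.public_key)

     # First check to see if we already have a signed cert for the host.
     cert, cacert = ca.getclientcert(hostname)
     if cert && cacert
         Puppet.info "Retrieving existing certificate for %s" % hostname
         # Only hand the stored certificate back to a request that carries the
         # same public key; anything else needs an operator to clean up first.
         unless csr.public_key.to_s == cert.public_key.to_s
             raise Puppet::Error, "Certificate request does not match existing certificate; run 'puppetca --clean %s'." % hostname
         end
         return [cert.to_pem, cacert.to_pem]
     end

     # @ca is known to be set from here on (checked above), so the request is
     # either signed now or parked for later.
     # NOTE(review): a nil client skips the autosign decision entirely --
     # confirm the network layer always supplies client for remote callers.
     if self.autosign?(hostname) || client.nil?
         Puppet.info "Signing certificate for CA server" if client.nil?
         # We don't have a signed cert; we're a CA and signing is allowed, so
         # sign the csr and return the results.
         Puppet.info "Signing certificate for %s" % hostname
         cert, cacert = @ca.sign(csr)
         return [cert.to_pem, cacert.to_pem]
     end

     # Just write out the csr for later signing, never replacing one that is
     # already waiting under the same name.
     if @ca.getclientcsr(hostname)
         Puppet.info "Not replacing existing request from %s" % hostname
     else
         Puppet.notice "Host %s has a waiting certificate request" %
             hostname
         @ca.storeclientcsr(csr)
     end
     return ["", ""]
 end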