...
Code Block | ||
---|---|---|
| ||
cat <<EOFF > /usr/local/bin/haproxy_ocsp_update.sh #!/bin/bash # Certificates path and names DIR="/etc/haproxy" CERT="haproxy.pem" # Get the issuer URI, download it's certificate and convert into PEM format ISSUER_URI=\$(openssl x509 -in \${DIR}/\${CERT} -text -noout | grep 'CA Issuers' | cut -d: -f2,3) ISSUER_NAME=\$(echo \${ISSUER_URI##*/} | while read -r fname; do echo \${fname%.*}; done) wget -q -O- \$ISSUER_URI | openssl x509 -inform DER -outform PEM -out \${DIR}/\${ISSUER_NAME}.pem # Get the OCSP URL from the certificate ocsp_url=\$(openssl x509 -noout -ocsp_uri -in \${DIR}/\${CERT}) # Extract the hostname from the OCSP URL ocsp_host=\$(echo \$ocsp_url | cut -d/ -f3) # Create/update the ocsp response file and update HAProxy openssl ocsp -noverify -no_nonce -issuer \${DIR}/\${ISSUER_NAME}.pem -cert \${DIR}/\${CERT} -url \$ocsp_url -header Host \$ocsp_host -respout \${DIR}/\${CERT}.ocsp [[ \$? -eq 0 ]] && [[ \$(pidof haproxy) ]] && [[ -s \${DIR}/\${CERT}.ocsp ]] && echo "set ssl ocsp-response \$(/usr/bin/base64 -w 10000 \${DIR}/\${CERT}.ocsp)" | socat stdio unix-connect:/var/runlib/haproxy.sock/stats exit 0 EOFF chmod +x /usr/local/bin/haproxy_ocsp_update.sh |
...