global
    stats socket /var/lib/haproxy/stats
    stats timeout 30s


yum -y install socat


cat <<'EOFF' > /usr/local/bin/haproxy_ocsp_update.sh
#!/bin/bash

# Certificates path and names
DIR="/etc/haproxy"
CERT="haproxy.pem"

# Get the issuer URI, download its certificate and convert it into PEM format
ISSUER_URI=$(openssl x509 -in "${DIR}/${CERT}" -text -noout | grep 'CA Issuers' | cut -d: -f2,3)
ISSUER_NAME=$(echo "${ISSUER_URI##*/}" | while read -r fname; do echo "${fname%.*}"; done)
wget -q -O- "$ISSUER_URI" | openssl x509 -inform DER -outform PEM -out "${DIR}/${ISSUER_NAME}.pem"

# Get the OCSP URL from the certificate
ocsp_url=$(openssl x509 -noout -ocsp_uri -in "${DIR}/${CERT}")

# Extract the hostname from the OCSP URL
ocsp_host=$(echo "$ocsp_url" | cut -d/ -f3)

# Create/update the ocsp response file and update HAProxy
# Note: -noverify skips verification of the OCSP response signature
openssl ocsp -noverify -no_nonce -issuer "${DIR}/${ISSUER_NAME}.pem" -cert "${DIR}/${CERT}" \
    -url "$ocsp_url" -header "Host=$ocsp_host" -respout "${DIR}/${CERT}.ocsp"
[[ $? -eq 0 ]] && [[ $(pidof haproxy) ]] && [[ -s "${DIR}/${CERT}.ocsp" ]] \
    && echo "set ssl ocsp-response $(/usr/bin/base64 -w 10000 "${DIR}/${CERT}.ocsp")" \
    | socat stdio unix-connect:/var/lib/haproxy/stats

exit 0
EOFF
chmod +x /usr/local/bin/haproxy_ocsp_update.sh


/etc/haproxy/haproxy.pem: good
	This Update: Mar 25 15:33:54 2019 GMT
	Next Update: Mar 28 15:33:54 2019 GMT


Warning

OCSP single response: Certificate ID does not match any certificate or issuer.

systemctl reload haproxy
/usr/local/bin/haproxy_ocsp_update.sh

cat <<EOFF >> /etc/crontab
0 0 * * * root /usr/local/bin/haproxy_ocsp_update.sh
EOFF