add ocsp

2019-07-17 22:13:58 +02:00 · 2019-07-17 22:13:58 +02:00 · 2b2601c0c5
parent 14f38641c5
commit 2b2601c0c5
4 changed files with 53 additions and 3 deletions
--- a/roles/haproxy/files/ocsp_update.sh
+++ b/roles/haproxy/files/ocsp_update.sh
@ -0,0 +1,31 @@
+#!/bin/bash
+
+shopt -u nullglob
+
+# Certificates path and names
+SSL_DIR="/etc/haproxy/certs"
+DIR="/etc/haproxy/ssl.ocsp"
+CERTS="${SSL_DIR}/*.pem"
+
+[ ! -d "$DIR" ] && mkdir -p "$DIR"
+
+for CERT in $CERTS; do
+	# Get the issuer URI, download it's certificate and convert into PEM format
+	ISSUER_URI=$(openssl x509 -in "$CERT" -text -noout | grep 'CA Issuers' | cut -d: -f2,3)
+	ISSUER_PEM="${DIR}/$(echo "$ISSUER_URI" | cut -d/ -f3).pem"
+	curl --silent "$ISSUER_URI" | openssl x509 -inform DER -outform PEM -out "$ISSUER_PEM"
+
+	# Get the OCSP URL from the certificate
+	ocsp_url=$(openssl x509 -noout -ocsp_uri -in "$CERT")
+
+	# Extract the hostname from the OCSP URL
+	ocsp_host=$(echo "$ocsp_url" | cut -d/ -f3)
+
+	# Create/update the ocsp response file and update HAProxy
+	OCSP_FILE="${SSL_DIR}/${CERT##*/}.ocsp"
+	openssl ocsp -noverify -no_nonce -issuer "$ISSUER_PEM" -cert "$CERT" -url "$ocsp_url" -header "Host=$ocsp_host" -respout "$OCSP_FILE"
+done
+
+systemctl reload haproxy
+
+exit 0
--- a/roles/haproxy/files/update_haproxy_certs.sh
+++ b/roles/haproxy/files/update_haproxy_certs.sh
@ -38,7 +38,9 @@ do
 done

 systemctl reload haproxy
+/usr/local/bin/ocsp_update.sh

 # prosody cert
 prosodyctl --root cert import /etc/letsencrypt/live
 systemctl restart prosody.service
+
--- a/roles/haproxy/tasks/main.yaml
+++ b/roles/haproxy/tasks/main.yaml
@ -44,9 +44,12 @@

 - name: copy scripts
  copy:
-    src: update_haproxy_certs.sh
+    src: "{{ item }}"
    dest: /usr/local/bin
    mode: 0755
+  with_items:
+    - update_haproxy_certs.sh
+    - ocsp_update.sh

 - name: create basic HAProxy configs
  template:
@ -83,4 +86,18 @@
    name: haproxy
    enabled: yes
    state: started
-  
+
+- name: renew certificates every sunday
+  cron:
+    name: renew certificates
+    weekday: SUN
+    minute: "{{59|random(seed=inventory_hostname+'renew certificates')}}"
+    hour: "{{23|random(seed=inventory_hostname+'renew certificates')}}"
+    job: /usr/local/bin/update_haproxy_certs.sh
+
+- name: renew ocsp information
+  cron:
+    name: renew ocsp
+    minute: "{{59|random(seed=inventory_hostname+'renew ocsp')}}"
+    hour: "{{23|random(seed=inventory_hostname+'renew ocsp')}}"
+    job: /usr/local/bin/ocsp_update.sh
--- a/roles/haproxy/templates/haproxy.cfg
+++ b/roles/haproxy/templates/haproxy.cfg
@ -35,7 +35,7 @@ defaults
    option  forwardfor
    option  socket-stats

-    no option http-use-htx
+#    no option http-use-htx

    timeout http-request 20s 
    timeout connect       5s