From 2b2601c0c54e807384b8ed2337ecccd1fd2705a0 Mon Sep 17 00:00:00 2001
From: Michael Rennecke
Date: Wed, 17 Jul 2019 22:13:58 +0200
Subject: [PATCH] add ocsp
---
roles/haproxy/files/ocsp_update.sh | 31 +++++++++++++++++++++
roles/haproxy/files/update_haproxy_certs.sh | 2 ++
roles/haproxy/tasks/main.yaml | 21 ++++++++++++++++++--
roles/haproxy/templates/haproxy.cfg | 2 +-
4 files changed, 53 insertions(+), 3 deletions(-)
create mode 100644 roles/haproxy/files/ocsp_update.sh
diff --git a/roles/haproxy/files/ocsp_update.sh b/roles/haproxy/files/ocsp_update.sh
new file mode 100644
index 0000000..94b3f63
--- /dev/null
+++ b/roles/haproxy/files/ocsp_update.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+
+shopt -u nullglob
+
+# Certificates path and names
+SSL_DIR="/etc/haproxy/certs"
+DIR="/etc/haproxy/ssl.ocsp"
+CERTS="${SSL_DIR}/*.pem"
+
+[ ! -d "$DIR" ] && mkdir -p "$DIR"
+
+for CERT in $CERTS; do
+    # Get the issuer URI, download it's certificate and convert into PEM format
+    ISSUER_URI=$(openssl x509 -in "$CERT" -text -noout | grep 'CA Issuers' | cut -d: -f2,3)
+    ISSUER_PEM="${DIR}/$(echo "$ISSUER_URI" | cut -d/ -f3).pem"
+    curl --silent "$ISSUER_URI" | openssl x509 -inform DER -outform PEM -out "$ISSUER_PEM"
+
+    # Get the OCSP URL from the certificate
+    ocsp_url=$(openssl x509 -noout -ocsp_uri -in "$CERT")
+
+    # Extract the hostname from the OCSP URL
+    ocsp_host=$(echo "$ocsp_url" | cut -d/ -f3)
+
+    # Create/update the ocsp response file and update HAProxy
+    OCSP_FILE="${SSL_DIR}/${CERT##*/}.ocsp"
+    openssl ocsp -noverify -no_nonce -issuer "$ISSUER_PEM" -cert "$CERT" -url "$ocsp_url" -header "Host=$ocsp_host" -respout "$OCSP_FILE"
+done
+
+systemctl reload haproxy
+
+exit 0
diff --git a/roles/haproxy/files/update_haproxy_certs.sh b/roles/haproxy/files/update_haproxy_certs.sh
index 8c0bf58..db93f45 100755
--- a/roles/haproxy/files/update_haproxy_certs.sh
+++ b/roles/haproxy/files/update_haproxy_certs.sh
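Review bot: Every step of the per-certificate loop in ocsp_update.sh can fail silently while the script still reloads HAProxy and ends with `exit 0`: `curl --silent` has no `--fail`, so an HTTP error body is piped into `openssl x509 -out "$ISSUER_PEM"` and may leave an empty issuer file, and `openssl ocsp ... -respout "$OCSP_FILE"` writes straight into the live `.ocsp` path HAProxy reads, so a partial or failed write is what gets loaded at the next reload and stays there until the next cron run. `-noverify` additionally means the response signature is never checked before it is staged for stapling; when the responder signs with the `-issuer` certificate itself, as presumably applies here, `openssl ocsp` should verify it without further options, so the flag can simply be dropped (a delegated responder would need the trust store via `-CAfile`). I would check each step, write the response to a temp file in `$DIR` and `mv` it into place only on success, report failures on stderr and exit non-zero so cron delivers them, and fix the glob: with `shopt -u nullglob` an empty certificate directory iterates over the literal pattern. Since the issuer is fetched over plain HTTP from the AIA URI, taking it from the chain already contained in the combined PEM would avoid the download entirely, if that PEM carries the chain.
```shell
#!/bin/bash
set -uo pipefail
shopt -s nullglob   # an empty certs dir must not iterate over the literal pattern
rc=0
# … unchanged: SSL_DIR / DIR setup and mkdir …
for CERT in "${SSL_DIR}"/*.pem; do
    # … unchanged: ISSUER_URI / ISSUER_PEM derivation …
    if ! curl --silent --show-error --fail "$ISSUER_URI" | openssl x509 -inform DER -outform PEM -out "$ISSUER_PEM"; then
        printf 'issuer fetch failed for %s\n' "$CERT" >&2; rc=1; continue
    fi
    # … unchanged: ocsp_url / ocsp_host extraction …
    OCSP_FILE="${SSL_DIR}/${CERT##*/}.ocsp"
    TMP_RESP=$(mktemp "${DIR}/resp.XXXXXX") || { rc=1; continue; }
    # verify the response (no -noverify) and replace the live .ocsp only once openssl succeeded
    if openssl ocsp -no_nonce -issuer "$ISSUER_PEM" -cert "$CERT" -url "$ocsp_url" \
           -header "Host=$ocsp_host" -respout "$TMP_RESP"; then
        mv -f -- "$TMP_RESP" "$OCSP_FILE"
    else
        printf 'OCSP refresh failed for %s\n' "$CERT" >&2
        rm -f -- "$TMP_RESP"; rc=1
    fi
done
systemctl reload haproxy
exit "$rc"
```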
@@ -38,7 +38,9 @@ do
 done
 systemctl reload haproxy
+/usr/local/bin/ocsp_update.sh
 # prosody cert
 prosodyctl --root cert import /etc/letsencrypt/live
 systemctl restart prosody.service
+
diff --git a/roles/haproxy/tasks/main.yaml b/roles/haproxy/tasks/main.yaml
index fe18e11..fc77389 100644
--- a/roles/haproxy/tasks/main.yaml
+++ b/roles/haproxy/tasks/main.yaml
@@ -44,9 +44,12 @@
 - name: copy scripts
 copy:
- src: update_haproxy_certs.sh
+ src: "{{ item }}"
 dest: /usr/local/bin
 mode: 0755
+ with_items:
+ - update_haproxy_certs.sh
+ - ocsp_update.sh
 - name: create basic HAProxy configs
 template:
@@ -83,4 +86,18 @@
 name: haproxy
 enabled: yes
 state: started
-
\ No newline at end of file
+
+- name: renew certificates every sunday
+ cron:
+ name: renew certificates
+ weekday: SUN
+ minute: "{{59|random(seed=inventory_hostname+'renew certificates')}}"
+ hour: "{{23|random(seed=inventory_hostname+'renew certificates')}}"
+ job: /usr/local/bin/update_haproxy_certs.sh
+
+- name: renew ocsp information
+ cron:
+ name: renew ocsp
+ minute: "{{59|random(seed=inventory_hostname+'renew ocsp')}}"
+ hour: "{{23|random(seed=inventory_hostname+'renew ocsp')}}"
+ job: /usr/local/bin/ocsp_update.sh
diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg
index 5b7f0f4..5c39191 100644
--- a/roles/haproxy/templates/haproxy.cfg
+++ b/roles/haproxy/templates/haproxy.cfg
@@ -35,7 +35,7 @@ defaults
 option forwardfor
 option socket-stats
- no option http-use-htx
+# no option http-use-htx
 timeout http-request 20s
 timeout connect 5s
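Review bot: The new `/usr/local/bin/ocsp_update.sh` call comes after `systemctl reload haproxy`, so the reload on the line above brings up a renewed certificate together with the previous `.ocsp` file, which belongs to the old certificate; if HAProxy refuses a stapled response that does not match the certificate, that first reload fails and the new certificate only goes live with the reload ocsp_update.sh performs itself. Moving the call above `systemctl reload haproxy` (and then dropping that now redundant reload, since ocsp_update.sh reloads HAProxy) lets each reload see a matching response and avoids two reloads in a row. Nothing here checks the call's exit status, so a failed refresh passes unnoticed; `/usr/local/bin/ocsp_update.sh || printf 'ocsp refresh failed\n' >&2` would at least surface it in the cron mail. The enclosing script starts before and continues after the hunk.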