add ocsp
This commit is contained in:
parent
14f38641c5
commit
2b2601c0c5
|
@ -0,0 +1,31 @@
|
||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
shopt -u nullglob
|
||||||
|
|
||||||
|
# Certificates path and names
|
||||||
|
SSL_DIR="/etc/haproxy/certs"
|
||||||
|
DIR="/etc/haproxy/ssl.ocsp"
|
||||||
|
CERTS="${SSL_DIR}/*.pem"
|
||||||
|
|
||||||
|
[ ! -d "$DIR" ] && mkdir -p "$DIR"
|
||||||
|
|
||||||
|
for CERT in $CERTS; do
|
||||||
|
# Get the issuer URI, download it's certificate and convert into PEM format
|
||||||
|
ISSUER_URI=$(openssl x509 -in "$CERT" -text -noout | grep 'CA Issuers' | cut -d: -f2,3)
|
||||||
|
ISSUER_PEM="${DIR}/$(echo "$ISSUER_URI" | cut -d/ -f3).pem"
|
||||||
|
curl --silent "$ISSUER_URI" | openssl x509 -inform DER -outform PEM -out "$ISSUER_PEM"
|
||||||
|
|
||||||
|
# Get the OCSP URL from the certificate
|
||||||
|
ocsp_url=$(openssl x509 -noout -ocsp_uri -in "$CERT")
|
||||||
|
|
||||||
|
# Extract the hostname from the OCSP URL
|
||||||
|
ocsp_host=$(echo "$ocsp_url" | cut -d/ -f3)
|
||||||
|
|
||||||
|
# Create/update the ocsp response file and update HAProxy
|
||||||
|
OCSP_FILE="${SSL_DIR}/${CERT##*/}.ocsp"
|
||||||
|
openssl ocsp -noverify -no_nonce -issuer "$ISSUER_PEM" -cert "$CERT" -url "$ocsp_url" -header "Host=$ocsp_host" -respout "$OCSP_FILE"
|
||||||
|
done
|
||||||
|
|
||||||
|
systemctl reload haproxy
|
||||||
|
|
||||||
|
exit 0
|
|
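Review bot: `openssl ocsp -noverify` on the `-respout` line skips verifying the responder's signature, and the issuer certificate that query relies on comes from `curl --silent` with no `--fail`, so a failed or tampered download still produces a response file that the unconditional `systemctl reload haproxy` then picks up. Nothing in the loop checks an exit status (no `set -e`, no `pipefail`), an empty `ISSUER_URI` or `ocsp_url` is not handled, and a certificate without a CA Issuers entry ends up writing `${DIR}/.pem`. I would fail fast, write the response to a temporary file, move it into place only when `openssl ocsp` exits 0 (it writes `-respout` before it evaluates the response status), and reload once only if something changed; the trust anchor that replaces `-noverify` (`-CAfile` or `-VAfile`) depends on the CA, so it is left as a labelled placeholder below. `set -e` alone does not catch a failing `curl` inside the pipeline, hence `pipefail` plus the explicit `if`.
```bash
set -euo pipefail
# … unchanged: SSL_DIR, DIR, CERTS, mkdir …
updated=0
for CERT in $CERTS; do
  # … unchanged: ISSUER_URI, ISSUER_PEM …
  [ -n "$ISSUER_URI" ] || { echo "no CA Issuers URI in $CERT" >&2; continue; }
  if ! curl -fsS --max-time 30 "$ISSUER_URI" | openssl x509 -inform DER -outform PEM -out "$ISSUER_PEM"; then
    echo "issuer download failed for $CERT" >&2; continue
  fi
  ocsp_url=$(openssl x509 -noout -ocsp_uri -in "$CERT")
  [ -n "$ocsp_url" ] || { echo "no OCSP URI in $CERT" >&2; continue; }
  # … unchanged: ocsp_host, OCSP_FILE …
  # TODO: replace <TRUST_ANCHOR_OPTS> with the -CAfile/-VAfile setting for this CA instead of -noverify
  if openssl ocsp -no_nonce -issuer "$ISSUER_PEM" -cert "$CERT" -url "$ocsp_url" \
       -header "Host=$ocsp_host" <TRUST_ANCHOR_OPTS> -respout "${OCSP_FILE}.tmp"; then
    mv -- "${OCSP_FILE}.tmp" "$OCSP_FILE"
    updated=1
  else
    echo "OCSP fetch/verify failed for $CERT" >&2
    rm -f -- "${OCSP_FILE}.tmp"
  fi
done
if [ "$updated" -eq 1 ]; then
  systemctl reload haproxy
fi
```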
@ -38,7 +38,9 @@ do
|
||||||
done
|
done
|
||||||
|
|
||||||
systemctl reload haproxy
|
systemctl reload haproxy
|
||||||
|
/usr/local/bin/ocsp_update.sh
|
||||||
|
|
||||||
# prosody cert
|
# prosody cert
|
||||||
prosodyctl --root cert import /etc/letsencrypt/live
|
prosodyctl --root cert import /etc/letsencrypt/live
|
||||||
systemctl restart prosody.service
|
systemctl restart prosody.service
|
||||||
|
|
||||||
|
|
|
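Review bot: The new `/usr/local/bin/ocsp_update.sh` call is placed after `systemctl reload haproxy`, so haproxy is reloaded twice per run (the OCSP script ends with its own reload), and if haproxy refuses a `.ocsp` file that no longer matches a freshly renewed certificate — which I believe it does — the first reload fails before the response is regenerated. Calling the script before the reload and surfacing its status, `/usr/local/bin/ocsp_update.sh || echo "ocsp update failed" >&2`, followed by `systemctl reload haproxy`, avoids both; as written the script's exit status is ignored. The loop that this hunk closes with `done` starts outside the hunk.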
@ -44,9 +44,12 @@
|
||||||
|
|
||||||
- name: copy scripts
|
- name: copy scripts
|
||||||
copy:
|
copy:
|
||||||
src: update_haproxy_certs.sh
|
src: "{{ item }}"
|
||||||
dest: /usr/local/bin
|
dest: /usr/local/bin
|
||||||
mode: 0755
|
mode: 0755
|
||||||
|
with_items:
|
||||||
|
- update_haproxy_certs.sh
|
||||||
|
- ocsp_update.sh
|
||||||
|
|
||||||
- name: create basic HAProxy configs
|
- name: create basic HAProxy configs
|
||||||
template:
|
template:
|
||||||
|
@ -84,3 +87,17 @@
|
||||||
enabled: yes
|
enabled: yes
|
||||||
state: started
|
state: started
|
||||||
|
|
||||||
|
- name: renew certificates every sunday
|
||||||
|
cron:
|
||||||
|
name: renew certificates
|
||||||
|
weekday: SUN
|
||||||
|
minute: "{{59|random(seed=inventory_hostname+'renew certificates')}}"
|
||||||
|
hour: "{{23|random(seed=inventory_hostname+'renew certificates')}}"
|
||||||
|
job: /usr/local/bin/update_haproxy_certs.sh
|
||||||
|
|
||||||
|
- name: renew ocsp information
|
||||||
|
cron:
|
||||||
|
name: renew ocsp
|
||||||
|
minute: "{{59|random(seed=inventory_hostname+'renew ocsp')}}"
|
||||||
|
hour: "{{23|random(seed=inventory_hostname+'renew ocsp')}}"
|
||||||
|
job: /usr/local/bin/ocsp_update.sh
|
||||||
|
|
|
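Review bot: `mode: 0755` in the `copy` task is an unquoted octal literal; YAML parses it as the integer 493, which Ansible happens to accept, but the same form breaks silently once someone writes `755`, so the usual lint advice is to quote it, `mode: "0755"`. The rest of the task reads fine; `with_items` still works, though `loop:` is the current spelling if the file is otherwise modern. The second hunk (`@ -84,3 +87,17 @@`) does not need a change beyond this.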
@ -35,7 +35,7 @@ defaults
|
||||||
option forwardfor
|
option forwardfor
|
||||||
option socket-stats
|
option socket-stats
|
||||||
|
|
||||||
no option http-use-htx
|
# no option http-use-htx
|
||||||
|
|
||||||
timeout http-request 20s
|
timeout http-request 20s
|
||||||
timeout connect 5s
|
timeout connect 5s
|
||||||
|
|
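Review bot: The line is commented out rather than removed and carries no reason, so the next reader cannot tell whether `no option http-use-htx` is meant to come back; presumably it was disabled because the installed HAProxy no longer accepts the option, in which case either delete it or annotate it, e.g. `# http-use-htx dropped: not accepted by the installed HAProxy version`. This change is also unrelated to the OCSP work the commit is titled for and is worth a mention in the description.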