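#!/bin/bash
#
# Refresh the stapled OCSP responses for every HAProxy certificate in
# /etc/haproxy/certs and reload HAProxy so it picks them up.
#
# For each <name>.pem the script:
#   1. reads the "CA Issuers" URI from the certificate's AIA extension and
#      downloads the issuer certificate into /etc/haproxy/ssl.ocsp,
#   2. checks that the downloaded certificate really signed <name>.pem
#      (the AIA download is usually plain HTTP, so this is the only thing
#      that makes the fetched issuer trustworthy),
#   3. asks the OCSP responder named in the certificate for a response and
#      installs it as <name>.pem.ocsp (HAProxy's stapling convention).
#
# A response is written to a temporary file and only moved into place when
# openssl reports success, so a failed refresh never clobbers a working
# response. HAProxy is reloaded only if at least one response was updated.
#
# Requires bash, openssl >= 1.1.0 (the "-header Host=..." form), curl and
# systemctl. Exit status: 0 if every certificate was refreshed, 1 if any
# step failed (details go to stderr, suitable for cron mail).

set -u -o pipefail
shopt -u nullglob

# Certificates path and names
SSL_DIR="/etc/haproxy/certs"
DIR="/etc/haproxy/ssl.ocsp"
CERTS="${SSL_DIR}/*.pem"
readonly SSL_DIR DIR CERTS

# Print a diagnostic line to stderr, prefixed with the script name.
log() {
  printf '%s: %s\n' "${0##*/}" "$*" >&2
}

#######################################
# Print the first "CA Issuers" URI from a certificate's AIA extension.
# Arguments:
#   $1 - path to the certificate (PEM)
# Outputs:
#   the URI on stdout, nothing if the certificate has none
#######################################
aia_issuer_uri() {
  local cert=$1
  # openssl prints the extension as "CA Issuers - URI:http://...". sed keeps
  # everything after the marker, so a URI containing extra ':' (a port, say)
  # survives where the old "cut -d: -f2,3" would have truncated it.
  openssl x509 -in "$cert" -noout -text 2>/dev/null \
    | sed -n 's/.*CA Issuers - URI://p' \
    | head -n 1
}

#######################################
# Download an issuer certificate and confirm it signed the given certificate.
# Arguments:
#   $1 - path to the end-entity certificate (PEM)
#   $2 - URI to download the issuer certificate from
#   $3 - path the issuer certificate is written to (PEM)
# Returns:
#   0 on success; non-zero if the download fails, the payload is not a
#   certificate, or it did not sign $1 (in which case $3 is removed).
#######################################
fetch_issuer() {
  local cert=$1 uri=$2 issuer_pem=$3
  local tmp

  tmp=$(mktemp "${issuer_pem}.XXXXXX") || return 1

  # --fail turns an HTTP error page into a curl error instead of a bogus file;
  # --max-time keeps a stalled CA server from hanging the cron job.
  if ! curl --silent --fail --max-time 30 -o "$tmp" "$uri"; then
    log "$cert: download of issuer certificate from $uri failed"
    rm -f -- "$tmp"
    return 1
  fi

  # CAs publish the issuer as DER (most common) or PEM; accept either.
  if ! { openssl x509 -inform DER -in "$tmp" -outform PEM -out "$issuer_pem" 2>/dev/null \
      || openssl x509 -inform PEM -in "$tmp" -outform PEM -out "$issuer_pem" 2>/dev/null; }; then
    log "$cert: payload from $uri is not a certificate"
    rm -f -- "$tmp" "$issuer_pem"
    return 1
  fi
  rm -f -- "$tmp"

  # Prove the fetched certificate is our issuer by checking the signature on
  # $cert against it. -partial_chain lets the intermediate act as the trust
  # anchor (OpenSSL >= 1.0.2). An expired $cert fails here too, which is fine:
  # there is no point stapling for it.
  if ! openssl verify -partial_chain -CAfile "$issuer_pem" "$cert" >/dev/null 2>&1; then
    log "$cert: certificate fetched from $uri did not sign it; refusing to use it"
    rm -f -- "$issuer_pem"
    return 1
  fi
  return 0
}

#######################################
# Fetch a fresh OCSP response for one certificate and install it atomically
# as <cert>.ocsp.
# Globals:
#   SSL_DIR, DIR (read)
# Arguments:
#   $1 - path to the certificate (PEM)
# Returns:
#   0 if a new response was installed, non-zero otherwise (the previous
#   response file, if any, is left untouched on failure)
#######################################
refresh_ocsp() {
  local cert=$1
  local uri host issuer_pem ocsp_url ocsp_host ocsp_file tmp

  # Get the issuer URI, download its certificate and convert into PEM format
  uri=$(aia_issuer_uri "$cert")
  if [[ -z "$uri" ]]; then
    log "$cert: no CA Issuers URI in the certificate; skipped"
    return 1
  fi
  # The cached issuer is named after the host it came from, as before
  # (equivalent to the old "cut -d/ -f3"). Two issuers on one host would share
  # the name, which is harmless because it is re-fetched for every cert.
  host=${uri#*://}
  host=${host%%/*}
  issuer_pem="${DIR}/${host}.pem"
  fetch_issuer "$cert" "$uri" "$issuer_pem" || return 1

  # Get the OCSP URL from the certificate (first one if several are listed)
  ocsp_url=$(openssl x509 -noout -ocsp_uri -in "$cert" 2>/dev/null | head -n 1)
  if [[ -z "$ocsp_url" ]]; then
    log "$cert: certificate has no OCSP responder URL; skipped"
    return 1
  fi

  # Extract the hostname from the OCSP URL
  ocsp_host=${ocsp_url#*://}
  ocsp_host=${ocsp_host%%/*}

  # HAProxy looks for the stapled response in <cert>.ocsp next to the cert.
  ocsp_file="${SSL_DIR}/${cert##*/}.ocsp"
  tmp=$(mktemp "${ocsp_file}.XXXXXX") || return 1

  # -noverify is kept from the original: the responder's signature is not
  # checked here because full verification needs the complete chain (-CAfile)
  # which this script does not have. TLS clients still verify the stapled
  # response themselves, so a bad response shows up as client handshake
  # failures rather than a silent bypass. -respout is written even for an
  # error response, so the exit status and a non-empty file are both required
  # before the temp file is promoted.
  if ! openssl ocsp -noverify -no_nonce -issuer "$issuer_pem" -cert "$cert" \
        -url "$ocsp_url" -header "Host=$ocsp_host" -respout "$tmp" \
      || [[ ! -s "$tmp" ]]; then
    log "$cert: OCSP request to $ocsp_url failed; keeping previous response"
    rm -f -- "$tmp"
    return 1
  fi

  # The response is public data; mktemp's 0600 would hide it from an
  # unprivileged HAProxy, so restore the mode a plain -respout would have had.
  chmod 0644 -- "$tmp"
  if ! mv -f -- "$tmp" "$ocsp_file"; then
    log "$cert: cannot install $ocsp_file"
    rm -f -- "$tmp"
    return 1
  fi
  return 0
}

#######################################
# Entry point: refresh every certificate, reload HAProxy if anything changed.
# Globals:
#   DIR, CERTS (read)
# Returns:
#   0 if all certificates were refreshed, 1 if any failed
#######################################
main() {
  local cert updated=0 failed=0

  if ! mkdir -p -- "$DIR"; then
    log "cannot create $DIR"
    exit 1
  fi

  # $CERTS is a glob pattern and must stay unquoted so it expands. With
  # nullglob off an unmatched pattern is returned literally, hence the -f test.
  for cert in $CERTS; do
    [[ -f "$cert" ]] || continue
    if refresh_ocsp "$cert"; then
      updated=$((updated + 1))
    else
      failed=$((failed + 1))
    fi
  done

  # Only reload when there is something new for HAProxy to pick up.
  if (( updated > 0 )); then
    if ! systemctl reload haproxy; then
      log "systemctl reload haproxy failed"
      failed=$((failed + 1))
    fi
  fi

  if (( failed > 0 )); then
    log "$failed certificate(s) not refreshed"
    return 1
  fi
  return 0
}

main "$@"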