add script_refresh-proxied-certs.sh

script_refresh-proxied-certs.sh

@@ -0,0 +1,50 @@
+#!/bin/sh
+
+# This script is used on a proxy to refresh the certificates
+# from the original servers.
+#
+# Typical arborescence is :
+# /etc/ssl/proxy-certs/www.foobar.com.crt
+# /etc/ssl/proxy-certs/www.foobar.com.key
+# 
+# note : don't forget to make the webserver reload the new certificates.
+
+# Stop at the first error
+set -e
+
+EXIT_STATUS=0
+TMPFILE="$( mktemp )"
+
+for i in *.crt; do
+	FQDN_HOSTNAME="$( echo $i | sed 's/\.crt$//' )"
+
+	# We don't refresh when there is a certificate request:
+	# those are locally served websites
+	if [ ! -f "$FQDN_HOSTNAME.csr" ] && [ "$FQDN_HOSTNAME.key" ]; then
+		# Fetch the certificate from the origin server and store
+		# in a temporary file.
+		openssl s_client \
+			-showcerts \
+			-servername "$FQDN_HOSTNAME" \
+			-connect "$FQDN_HOSTNAME:443" < /dev/null 2>/dev/null | \
+		sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' > "$TMPFILE"
+
+		# Check that the new cert still match the local key
+		if [ "$( ( openssl x509 -noout -modulus -in "$FQDN_HOSTNAME.crt"; openssl rsa -noout -modulus -in "$FQDN_HOSTNAME.key" ) | uniq | wc -l )" -ne 1 ]; then
+			# Mismatch : raise an alert
+			echo "WARNING: retrieved certificate does not match '$FQDN_HOSTNAME.key'" >&2
+			EXIT_STATUS=1
+		else
+			# Note: we try not to uselessly write and update the files' mtime,
+			#       but do it anyway if 'diff' is not available.
+			if ! which diff >/dev/null || ! diff -q "$FQDN_HOSTNAME.crt" "$TMPFILE" >/dev/null ; then
+				# Update the local certificate without changing ACL
+				cat "$TMPFILE" > "$FQDN_HOSTNAME.crt"
+			fi
+		fi
+	fi
+done
+
+# Cleanup and exit
+rm -f "$TMPFILE"
+exit "$EXIT_STATUS"