1
0
Fork 0

add script_refresh-proxied-certs.sh

This commit is contained in:
Chl 2019-10-02 02:00:41 +02:00
parent 9726fc885b
commit 5cafdd98bb
1 changed files with 50 additions and 0 deletions

50
script_refresh-proxied-certs.sh Executable file
View File

@ -0,0 +1,50 @@
#!/bin/sh
# This script is used on a proxy to refresh the certificates
# from the original servers.
#
# Typical arborescence is :
# /etc/ssl/proxy-certs/www.foobar.com.crt
# /etc/ssl/proxy-certs/www.foobar.com.key
#
# note : don't forget to make the webserver reload the new certificates.
# Stop at the first error
set -e
EXIT_STATUS=0
TMPFILE="$( mktemp )"
for i in *.crt; do
FQDN_HOSTNAME="$( echo $i | sed 's/\.crt$//' )"
# We don't refresh when there is a certificate request:
# those are locally served websites
if [ ! -f "$FQDN_HOSTNAME.csr" ] && [ "$FQDN_HOSTNAME.key" ]; then
# Fetch the certificate from the origin server and store
# in a temporary file.
openssl s_client \
-showcerts \
-servername "$FQDN_HOSTNAME" \
-connect "$FQDN_HOSTNAME:443" < /dev/null 2>/dev/null | \
sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' > "$TMPFILE"
# Check that the new cert still match the local key
if [ "$( ( openssl x509 -noout -modulus -in "$FQDN_HOSTNAME.crt"; openssl rsa -noout -modulus -in "$FQDN_HOSTNAME.key" ) | uniq | wc -l )" -ne 1 ]; then
# Mismatch : raise an alert
echo "WARNING: retrieved certificate does not match '$FQDN_HOSTNAME.key'" >&2
EXIT_STATUS=1
else
# Note: we try not to uselessly write and update the files' mtime,
# but do it anyway if 'diff' is not available.
if ! which diff >/dev/null || ! diff -q "$FQDN_HOSTNAME.crt" "$TMPFILE" >/dev/null ; then
# Update the local certificate without changing ACL
cat "$TMPFILE" > "$FQDN_HOSTNAME.crt"
fi
fi
fi
done
# Cleanup and exit
rm -f "$TMPFILE"
exit "$EXIT_STATUS"