From 5cafdd98bb3d07e02c925a029656f9711e03550a Mon Sep 17 00:00:00 2001
From: Chl
Date: Wed, 2 Oct 2019 02:00:41 +0200
Subject: [PATCH] add script_refresh-proxied-certs.sh

---
 script_refresh-proxied-certs.sh | 50 +++++++++++++++++++++++++++++++++
 1 file changed, 50 insertions(+)
 create mode 100755 script_refresh-proxied-certs.sh

diff --git a/script_refresh-proxied-certs.sh b/script_refresh-proxied-certs.sh
new file mode 100755
index 0000000..7b48e18
--- /dev/null
+++ b/script_refresh-proxied-certs.sh
@@ -0,0 +1,50 @@
+#!/bin/sh
+
+# This script is used on a proxy to refresh the certificates
+# from the original servers.
+#
+# Typical arborescence is :
+# /etc/ssl/proxy-certs/www.foobar.com.crt
+# /etc/ssl/proxy-certs/www.foobar.com.key
+#
+# note : don't forget to make the webserver reload the new certificates.
+
+# Stop at the first error
+set -e
+
+EXIT_STATUS=0
+TMPFILE="$( mktemp )"
+
+for i in *.crt; do
+ FQDN_HOSTNAME="$( echo $i | sed 's/\.crt$//' )"
+
+ # We don't refresh when there is a certificate request:
+ # those are locally served websites
+ if [ ! -f "$FQDN_HOSTNAME.csr" ] && [ "$FQDN_HOSTNAME.key" ]; then
+ # Fetch the certificate from the origin server and store
+ # in a temporary file.
+ openssl s_client \
+ -showcerts \
+ -servername "$FQDN_HOSTNAME" \
+ -connect "$FQDN_HOSTNAME:443" < /dev/null 2>/dev/null | \
+ sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' > "$TMPFILE"
+
+ # Check that the new cert still match the local key
+ if [ "$( ( openssl x509 -noout -modulus -in "$FQDN_HOSTNAME.crt"; openssl rsa -noout -modulus -in "$FQDN_HOSTNAME.key" ) | uniq | wc -l )" -ne 1 ]; then
+ # Mismatch : raise an alert
+ echo "WARNING: retrieved certificate does not match '$FQDN_HOSTNAME.key'" >&2
+ EXIT_STATUS=1
+ else
+ # Note: we try not to uselessly write and update the files' mtime,
+ # but do it anyway if 'diff' is not available.
+ if ! which diff >/dev/null || ! diff -q "$FQDN_HOSTNAME.crt" "$TMPFILE" >/dev/null ; then
+ # Update the local certificate without changing ACL
+ cat "$TMPFILE" > "$FQDN_HOSTNAME.crt"
+ fi
+ fi
+ fi
+done
+
+# Cleanup and exit
+rm -f "$TMPFILE"
+exit "$EXIT_STATUS"
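Review bot: The key-match check tests the wrong file: `openssl x509 -noout -modulus -in "$FQDN_HOSTNAME.crt"` reads the existing local certificate rather than the freshly fetched `$TMPFILE`, so whatever the unauthenticated `s_client` pipeline produced — including an empty file when the connection fails, since `sed` still exits 0 and `set -e` without `pipefail` cannot see the failure — is copied over the served .crt. Change it to `-in "$TMPFILE"` and refuse an empty fetch, e.g. `if [ ! -s "$TMPFILE" ] || [ "$( ( openssl x509 -noout -modulus -in "$TMPFILE"; openssl rsa -noout -modulus -in "$FQDN_HOSTNAME.key" ) | uniq | wc -l )" -ne 1 ]; then`; with `-showcerts` the leaf is the first PEM block, which is the one `openssl x509 -in` reads. Because the fetch performs no chain or hostname verification, this modulus comparison is the only thing standing between a spoofed or mis-served origin and the proxy's certificate file, so it must actually look at the retrieved data. Separately, `[ "$FQDN_HOSTNAME.key" ]` is a non-empty-string test that is always true; it should be `[ -f "$FQDN_HOSTNAME.key" ]` so entries without a local key are skipped instead of failing inside the modulus check. A `trap 'rm -f "$TMPFILE"' EXIT` after the `mktemp` would also keep a `set -e` abort from leaving the temp file behind.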