#!/bin/sh

# This script is used on a proxy to refresh the certificates
# from the original servers.
#
# Typical arborescence is :
# /etc/ssl/proxy-certs/www.foobar.com.crt
# /etc/ssl/proxy-certs/www.foobar.com.key
# 
# note : don't forget to make the webserver reload the new certificates.

# Stop at the first error
set -e

EXIT_STATUS=0
TMPFILE="$( mktemp )"

for i in *.crt; do
	FQDN_HOSTNAME="$( echo $i | sed 's/\.crt$//' )"

	# We don't refresh when there is a certificate request:
	# those are locally served websites
	if [ ! -f "$FQDN_HOSTNAME.csr" ] && [ "$FQDN_HOSTNAME.key" ]; then
		# Fetch the certificate from the origin server and store
		# in a temporary file.
		openssl s_client \
			-showcerts \
			-servername "$FQDN_HOSTNAME" \
			-connect "$FQDN_HOSTNAME:443" < /dev/null 2>/dev/null | \
		sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' > "$TMPFILE"

		# Check that the new cert still match the local key
		# (it should also fail safely when the host wasn't reachable)
		if [ "$( ( openssl x509 -noout -modulus -in "$TMPFILE"; openssl rsa -noout -modulus -in "$FQDN_HOSTNAME.key" ) | uniq | wc -l )" -ne 1 ]; then
			# Mismatch : raise an alert
			echo "WARNING: retrieved certificate does not match '$FQDN_HOSTNAME.key'" >&2
			EXIT_STATUS=1
		else
			# Note: we try not to uselessly write and update the files' mtime,
			#       but do it anyway if 'diff' is not available.
			if ! which diff >/dev/null || ! diff -q "$FQDN_HOSTNAME.crt" "$TMPFILE" >/dev/null ; then
				# Update the local certificate without changing ACL
				cat "$TMPFILE" > "$FQDN_HOSTNAME.crt"
			fi
		fi
	fi

	# While we are at it, let's check the expiry dates
	if [ "$( date --date="$( openssl x509 -noout -dates -in "$i" | sed -n '/^notAfter/s/^notAfter=//p' )" +%s )" -lt "$(( $( date +%s ) + 86400 ))" ]; then
		echo "WARNING: certificate '$i' near or already expired." >&2
		EXIT_STATUS=1
	fi
done

# Cleanup and exit
rm -f "$TMPFILE"
exit "$EXIT_STATUS"