91 lines
2.8 KiB
Bash
Executable file
91 lines
2.8 KiB
Bash
Executable file
#!/bin/sh
|
|
|
|
# This script is used on a proxy to refresh the certificates
|
|
# from the original servers.
|
|
#
|
|
# Typical arborescence is :
|
|
# /etc/ssl/proxy-certs/www.foobar.com.crt
|
|
# /etc/ssl/proxy-certs/www.foobar.com.key
|
|
#
|
|
# It supports RSA/ECDSA duo :
|
|
# /etc/ssl/proxy-certs/www.foobar.com.sigalg-rsa.crt
|
|
# /etc/ssl/proxy-certs/www.foobar.com.sigalg-rsa.key
|
|
# /etc/ssl/proxy-certs/www.foobar.com.sigalg-ecc.crt
|
|
# /etc/ssl/proxy-certs/www.foobar.com.sigalg-ecc.key
|
|
#
|
|
# note : don't forget to make the webserver reload the new certificates.
|
|
|
|
# Stop at the first error
|
|
set -e
|
|
|
|
EXIT_STATUS=0
|
|
TMPFILE="$( mktemp )"
|
|
|
|
for i in *.key; do
|
|
# Filename may be in the form :
|
|
# - www.foobar.com.key
|
|
# - www.foobar.com.sigalg-rsa.key
|
|
# - www.foobar.com.sigalg-ecc.key
|
|
BASENAME="$( echo "$i" | sed 's/\.key$//' )"
|
|
FQDN_HOSTNAME="$( echo "$BASENAME" | sed 's/\.sigalg-.*$//' )"
|
|
SIGALG="$( echo "$BASENAME" | sed -n 's/.*sigalg-\(.*\)$/\1/p' )" # 'rsa', 'ecc' or ''
|
|
|
|
# We don't refresh when there is a certificate request:
|
|
# those are locally served websites
|
|
if [ ! -f "$BASENAME.csr" ] && [ ! -f "$BASENAME.req" ]; then
|
|
# Prepare sigalg/ciphers options
|
|
case "$SIGALG" in
|
|
'ecc')
|
|
SIGALG_OPTIONS="-tls1_2 -cipher ECDSA"
|
|
;;
|
|
'rsa')
|
|
SIGALG_OPTIONS="-tls1_2 -cipher RSA"
|
|
;;
|
|
'')
|
|
SIGALG_OPTIONS=""
|
|
;;
|
|
?)
|
|
echo "ERROR: unknown sigalg." >&2
|
|
EXIT_STATUS=1
|
|
# This may not be critical. We continue, hoping for the best...
|
|
SIGALG_OPTIONS=""
|
|
;;
|
|
esac
|
|
|
|
# Fetch the certificate from the origin server and store
|
|
# in a temporary file.
|
|
openssl s_client \
|
|
-showcerts \
|
|
-servername "$FQDN_HOSTNAME" \
|
|
-connect "$FQDN_HOSTNAME:443" $SIGALG_OPTIONS < /dev/null 2>/dev/null | \
|
|
sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' > "$TMPFILE"
|
|
|
|
# Check that the new cert still match the local key
|
|
# (it should also fail safely when the host wasn't reachable)
|
|
if [ "$( openssl x509 -in "$TMPFILE" -pubkey -noout )" != "$( openssl pkey -in "$BASENAME.key" -pubout )" ]; then
|
|
# Mismatch : raise an alert
|
|
echo "WARNING: retrieved certificate does not match '$BASENAME.key'" >&2
|
|
EXIT_STATUS=1
|
|
else
|
|
# Note: we try not to uselessly write and update the files' mtime,
|
|
# but do it anyway if 'diff' is not available.
|
|
if [ ! -f "$BASENAME.crt" ] || ! which diff >/dev/null || ! diff -q "$BASENAME.crt" "$TMPFILE" >/dev/null ; then
|
|
# Update the local certificate without changing ACL
|
|
cat "$TMPFILE" > "$BASENAME.crt"
|
|
fi
|
|
fi
|
|
fi
|
|
done
|
|
|
|
# While we are at it, let's check the expiry dates
|
|
for i in *.crt; do
|
|
if [ "$( date --date="$( openssl x509 -noout -dates -in "$i" | sed -n '/^notAfter/s/^notAfter=//p' )" +%s )" -lt "$(( $( date +%s ) + 86400 ))" ]; then
|
|
echo "WARNING: certificate '$i' near or already expired." >&2
|
|
EXIT_STATUS=1
|
|
fi
|
|
done
|
|
|
|
# Cleanup and exit
|
|
rm -f "$TMPFILE"
|
|
exit "$EXIT_STATUS"
|