From c6866d134c90e75f37e1a501f7dd702bd71c72ab Mon Sep 17 00:00:00 2001
From: pierreozoux <pierre@ozoux.net>
Date: Tue, 17 Feb 2015 11:25:26 +0000
Subject: [PATCH] Adds OCSP support. closes #2
---
 scripts/ocsp.sh | 12 ++++++++++++
 unit-files/ocsp.service | 11 +++++++++++
 unit-files/ocsp.timer | 6 ++++++
 3 files changed, 29 insertions(+)
 create mode 100644 scripts/ocsp.sh
 create mode 100644 unit-files/ocsp.service
 create mode 100644 unit-files/ocsp.timer
diff --git a/scripts/ocsp.sh b/scripts/ocsp.sh
new file mode 100644
index 0000000..b246964
--- /dev/null
+++ b/scripts/ocsp.sh
@@ -0,0 +1,12 @@
+#!/bin/bash -eux
+
+PEM_FILE=${1}
+CRT_FILE=/tmp/`basename ${PEM_FILE} | sed 's/pem/crt/'`
+DIR=`dirname ${PEM_FILE}`
+URL=`openssl x509 -in ${PEM_FILE} -text | grep OCSP | cut -d: -f2,3`
+HEADER=`echo $URL | cut -d/ -f3`
+ISSUER_CRT_URL=`openssl x509 -in ${PEM_FILE} -text | grep Issuers | cut -d: -f2,3`
+wget ${ISSUER_CRT_URL} -q -O - | openssl x509 -inform DER -outform PEM > ${PEM_FILE}.issuer
+openssl x509 -outform PEM -in ${PEM_FILE} > ${CRT_FILE}
+openssl ocsp -noverify -issuer ${PEM_FILE}.issuer -cert ${CRT_FILE} -url ${URL} -no_nonce -header Host ${HEADER} -respout ${PEM_FILE}.ocsp
+
diff --git a/unit-files/ocsp.service b/unit-files/ocsp.service
new file mode 100644
index 0000000..02a54f0
--- /dev/null
+++ b/unit-files/ocsp.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Get the OCSP data from the cert provider
+
+[Service]
+Type=oneshot
+TimeoutStartSec=0
+ExecStart=/bin/bash -euxc ' \
+ for cert in `ls /data/runtime/haproxy/approved-certs/*.pem`;do \
+ /data/indiehosters/scripts/ocsp.sh $cert; \
+ done'
+
diff --git a/unit-files/ocsp.timer b/unit-files/ocsp.timer
new file mode 100644
index 0000000..891b45f
--- /dev/null
+++ b/unit-files/ocsp.timer
@@ -0,0 +1,6 @@
+[Unit]
+Description=Daily timer for OCSP stapling
+
+[Timer]
+OnUnitActiveSec=1day
+
-- 
GitLab
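Review bot: `openssl ocsp -noverify` on the last line of scripts/ocsp.sh, combined with an issuer certificate that was just fetched over plain HTTP with no check of its own, means the response written to `${PEM_FILE}.ocsp` is never validated before haproxy staples it — a malformed or tampered response is installed as readily as a good one, and haproxy then serves it to every client. Drop `-noverify` and verify the responder against a trusted bundle with `-CAfile`, confirm the printed status is `good` before the file is installed, and write through a private `mktemp -d` directory moved into place with `mv` so a failed run never leaves a partial `.ocsp` behind and the predictable `/tmp/<name>.crt` path disappears. Also `sed 's/pem/crt/'` rewrites the first `pem` anywhere in the basename rather than the extension, `grep OCSP` yields several lines when the certificate carries more than one OCSP URI so `URL` becomes multi-word, every expansion is unquoted, and `DIR` is assigned but never used. I would not rely on `openssl ocsp` exiting non-zero for a revoked or unknown status, hence the explicit `grep` below.
```bash
#!/bin/bash -eu
# … unchanged: PEM_FILE, URL, HEADER and ISSUER_CRT_URL derivation (quote each expansion) …
work=$(mktemp -d) || exit 1
trap 'rm -rf -- "$work"' EXIT
wget -q -O - "$ISSUER_CRT_URL" | openssl x509 -inform DER -outform PEM > "$work/issuer.pem"
openssl x509 -outform PEM -in "$PEM_FILE" > "$work/cert.crt"
# CA_BUNDLE is a placeholder: the deployer sets it to this host's trusted CA bundle path.
openssl ocsp -CAfile "${CA_BUNDLE:?trusted CA bundle path}" -issuer "$work/issuer.pem" \
  -cert "$work/cert.crt" -url "$URL" -no_nonce -header Host "$HEADER" \
  -respout "$work/resp.der" > "$work/status.txt"
grep -q ': good' "$work/status.txt" || exit 1
mv -f -- "$work/resp.der" "${PEM_FILE}.ocsp"
```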
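Review bot: The ExecStart loop in unit-files/ocsp.service runs `ls` over `/data/runtime/haproxy/approved-certs/*.pem` and then passes `$cert` unquoted, so a filename containing whitespace is split into bogus arguments; the glob does the job by itself: `for cert in /data/runtime/haproxy/approved-certs/*.pem; do /data/indiehosters/scripts/ocsp.sh "$cert"; done`. Because the inner shell runs with `-e`, the first certificate whose fetch fails ends the loop and the remaining certificates are silently left with a stale `.ocsp`; consider continuing past a failure and exiting non-zero at the end so the unit still reports it. `TimeoutStartSec=0` removes the start timeout entirely, and `ocsp.sh` calls `wget` without `--timeout` or `--tries`, so a single stalled responder holds the oneshot indefinitely; a finite `TimeoutStartSec=` is the safer default. No `User=` is set, so the job presumably runs as root although it only needs read access to the `.pem` files and write access beside them.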
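Review bot: `OnUnitActiveSec=1day` in unit-files/ocsp.timer is measured from the last time `ocsp.service` became active, so on a fresh host where the service has never run the timer has no reference point and never fires; add a first-run trigger such as `OnBootSec=15min` alongside it. The unit also has no `[Install]` section, so `systemctl enable ocsp.timer` has no target to hook into; add `[Install]` with `WantedBy=timers.target`. A daily cadence is only adequate if the fetched responses stay valid for comfortably longer than a day plus one missed run, which is worth confirming against the responder's validity window before relying on this schedule.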