@Da-Juan
Last active February 21, 2024 15:00
opnsense/haproxy: add OCSP stapling support

Here is a workaround to automate OCSP stapling on OPNsense with the HAProxy plugin.

Hope it helps :)

I created a script based on acme.sh's haproxy deploy hook.

As /tmp is emptied on reboot, you need to regenerate the OCSP files on startup, so I put the script in place as a startup script: /usr/local/etc/rc.syshook.d/start/99-ocsp (symbolic links in rc.syshook.d don't work).

#!/bin/sh
# Regenerate the OCSP staple for every certificate HAProxy serves, then reload HAProxy.
# Based on acme.sh's haproxy deploy hook.

HAPROXY_DIR="/tmp/haproxy/ssl"
ACME_DIR="/var/etc/acme-client/home"

for _pem in "$HAPROXY_DIR"/*.pem; do
        # An unmatched glob leaves the literal pattern in $_pem; skip it.
        [ -f "$_pem" ] || continue
        cert_file="$(basename "$_pem")"
        _issuer="${HAPROXY_DIR}/${cert_file%.pem}.issuer"
        # HAProxy loads the staple from <cert>.pem.ocsp next to the certificate.
        _ocsp="${_pem}.ocsp"
        # The certificate's CN names the acme-client directory that holds its CA chain.
        cert_cn="$(openssl x509 -in "$_pem" -noout -text | sed -nE 's/.*Subject:.*CN = ([^,]*)(,.*)?$/\1/p')"
        [ -n "$cert_cn" ] || continue
        ca_file="${ACME_DIR}/${cert_cn}/ca.cer"
        if [ -f "$ca_file" ]; then
                cp "$ca_file" "$_issuer"
        else
                continue
        fi

        if [ -r "${_issuer}" ]; then
                _ocsp_url="$(openssl x509 -noout -ocsp_uri -in "$_pem")"
                if [ -n "$_ocsp_url" ]; then
                        _ocsp_host="$(echo "$_ocsp_url" | cut -d/ -f3)"
                        # Pass the issuer as -CAfile only when it is self-signed (a root),
                        # otherwise let openssl build the chain from the system trust store.
                        subjectdn="$(openssl x509 -in "$_issuer" -subject -noout | cut -d'/' -f2,3,4,5,6,7,8,9,10)"
                        issuerdn="$(openssl x509 -in "$_issuer" -issuer -noout | cut -d'/' -f2,3,4,5,6,7,8,9,10)"
                        if [ "$subjectdn" = "$issuerdn" ]; then
                                _cafile_argument="-CAfile \"${_issuer}\""
                        else
                                _cafile_argument=""
                        fi
                        # OpenSSL 1.1 and later take "-header Host=value"; older releases take "-header Host value".
                        _openssl_version=$(openssl version | cut -d' ' -f2)
                        _openssl_major=$(echo "${_openssl_version}" | cut -d '.' -f1)
                        _openssl_minor=$(echo "${_openssl_version}" | cut -d '.' -f2)
                        if [ "${_openssl_major}" -eq "1" ] && [ "${_openssl_minor}" -ge "1" ] || [ "${_openssl_major}" -ge "2" ]; then
                                _header_sep="="
                        else
                                _header_sep=" "
                        fi

                        # Query the responder, verify the answer against the issuer and write it
                        # to the staple file; report anything other than a verified "good" status.
                        _openssl_ocsp_cmd="openssl ocsp \
                                -issuer \"${_issuer}\" \
                                -cert \"${_pem}\" \
                                -url \"${_ocsp_url}\" \
                                -header Host${_header_sep}\"${_ocsp_host}\" \
                                -respout \"${_ocsp}\" \
                                -verify_other \"${_issuer}\" \
                                ${_cafile_argument} \
                                | grep -q \"${_pem}: good\""

                        eval "${_openssl_ocsp_cmd}"
                        _ret=$?

                        if [ "${_ret}" != "0" ]; then
                                echo "Updating OCSP stapling for ${_pem} failed with return code ${_ret}"
                        fi
                fi
        fi
done

/usr/local/etc/rc.d/haproxy reload
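The script above only echoes a message when a refresh fails, so a stale staple can sit in /tmp/haproxy/ssl until the next run. The check below, added here as an example and not part of the gist, reads each <cert>.pem.ocsp under HAPROXY_DIR with openssl ocsp -respin -text, parses the response's Next Update time and reports every staple that is already expired or will expire within WARN_SECONDS (12 hours by default). The directory layout is the gist's; WARN_SECONDS, the function names and the threshold are this example's own assumptions. The epoch arithmetic is done in plain POSIX sh because FreeBSD's date -j -f and GNU date -d are not interchangeable.

```shell
#!/bin/sh
# Added example, not part of the gist: report HAProxy OCSP staples that are
# expired or about to expire. Assumes the gist's layout, where each
# <cert>.pem.ocsp sits next to <cert>.pem under HAPROXY_DIR.

HAPROXY_DIR="${HAPROXY_DIR:-/tmp/haproxy/ssl}"
WARN_SECONDS="${WARN_SECONDS:-43200}"   # assumed threshold: warn when nextUpdate is < 12h away

# month_number Feb -> 2
month_number() {
    case "$1" in
        Jan) echo 1;;  Feb) echo 2;;  Mar) echo 3;;  Apr) echo 4;;
        May) echo 5;;  Jun) echo 6;;  Jul) echo 7;;  Aug) echo 8;;
        Sep) echo 9;;  Oct) echo 10;; Nov) echo 11;; Dec) echo 12;;
        *) return 1;;
    esac
}

# days_from_civil YEAR MONTH DAY -> days since 1970-01-01 (Howard Hinnant's algorithm)
days_from_civil() {
    dc_y=$1 dc_m=$2 dc_d=$3
    if [ "$dc_m" -le 2 ]; then dc_y=$((dc_y - 1)); fi
    dc_era=$((dc_y / 400))
    dc_yoe=$((dc_y - dc_era * 400))
    dc_mp=$(((dc_m + 9) % 12))
    dc_doy=$(((153 * dc_mp + 2) / 5 + dc_d - 1))
    dc_doe=$((dc_yoe * 365 + dc_yoe / 4 - dc_yoe / 100 + dc_doy))
    echo $((dc_era * 146097 + dc_doe - 719468))
}

# ocsp_time_to_epoch "Feb 28 12:00:00 2024 GMT" -> 1709121600
# (the time format openssl ocsp -text prints; OCSP times are always UTC)
ocsp_time_to_epoch() {
    set -- $1                      # split on whitespace: Mon DD HH:MM:SS YYYY GMT
    ot_mon=$(month_number "$1") || return 1
    ot_day=$2 ot_year=$4
    ot_hh=${3%%:*}; ot_rest=${3#*:}; ot_mm=${ot_rest%%:*}; ot_ss=${ot_rest#*:}
    # strip a leading zero so "08" is not rejected as a bad octal constant
    ot_hh=${ot_hh#0}; ot_mm=${ot_mm#0}; ot_ss=${ot_ss#0}
    ot_days=$(days_from_civil "$ot_year" "$ot_mon" "$ot_day") || return 1
    echo $((ot_days * 86400 + ot_hh * 3600 + ot_mm * 60 + ot_ss))
}

# staple_next_update FILE -> nextUpdate epoch of the DER-encoded response in FILE
staple_next_update() {
    snu_line=$(openssl ocsp -respin "$1" -noverify -text 2>/dev/null \
        | sed -n 's/^ *Next Update: //p' | head -n 1)
    [ -n "$snu_line" ] || return 1
    ocsp_time_to_epoch "$snu_line"
}

# classify_next_update NEXT_UPDATE NOW WARN_SECONDS -> expired | expiring | ok
classify_next_update() {
    if [ "$1" -le "$2" ]; then
        echo expired
    elif [ $(($1 - $2)) -le "$3" ]; then
        echo expiring
    else
        echo ok
    fi
}

# check_staples -> 0 when every staple is fresh, 1 otherwise; prints one line per file
check_staples() {
    cs_now=$(date -u +%s)
    cs_rc=0
    for cs_ocsp in "$HAPROXY_DIR"/*.pem.ocsp; do
        [ -f "$cs_ocsp" ] || continue          # unmatched glob stays literal
        if ! cs_nu=$(staple_next_update "$cs_ocsp"); then
            echo "$cs_ocsp: no parsable Next Update in response"
            cs_rc=1
            continue
        fi
        cs_state=$(classify_next_update "$cs_nu" "$cs_now" "$WARN_SECONDS")
        [ "$cs_state" = ok ] || cs_rc=1
        echo "$cs_ocsp: $cs_state (nextUpdate in $(((cs_nu - cs_now) / 3600))h)"
    done
    return $cs_rc
}

check_staples
```

Run it from cron or a monit check and alert on a nonzero exit. -noverify is used because this check only parses the response that the stapling script already verified when it fetched it; it does not replace that verification.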

Then I created an action (/usr/local/opnsense/service/conf/actions_ocsp.conf) so I can configure it as an automation for the Let's Encrypt plugin.

[update]
command:/usr/local/etc/rc.syshook.d/start/99-ocsp
parameters:
type:script
message:updating OCSP responses
description:Update LE certificates OCSP responses for HAProxy

Restart configd to load the action.

service configd restart

You can now create an Automation in the Let's Encrypt plugin configuration and add it to every certificate configuration that HAProxy uses.
