Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save mcarbonneaux/9665c5a149e3290928a191e58db0b2a2 to your computer and use it in GitHub Desktop.
Save mcarbonneaux/9665c5a149e3290928a191e58db0b2a2 to your computer and use it in GitHub Desktop.
opnsense/haproxy: add OCSP stapling support

Here is a work around to automate OCSP stapling on Opnsense with HAproxy plugin.

Hope it helps :)

I created a script based on acme.sh's haproxy deploy hook.

As /tmp is emptied on reboot you need to regenerate ocsp files on startup so I put the script as a startup script: /usr/local/etc/rc.syshook.d/start/99-ocsp (symoblic links in rc.syshook.d don't work).

#!/bin/sh                          
                                   
HAPROXY_DIR="/tmp/haproxy/ssl"     
ACME_DIR="/var/etc/acme-client/home"
                                   
for _pem in "$HAPROXY_DIR"/*.pem; do
        cert_file="$(basename "$_pem")"
        _issuer="${HAPROXY_DIR}/${cert_file%.pem}.issuer"                                                                                                                                                                                                                                                                      
        _ocsp="${_pem}.ocsp"       
        cert_cn="$(openssl x509 -in "$_pem" -noout -text | sed -nE 's/.*Subject:.*CN = ([^,]*)(,.*)?$/\1/p')"
        ca_file="${ACME_DIR}/${cert_cn}/ca.cer"
        if [ -f "$ca_file" ]; then 
                cp "$ca_file" "$_issuer"
        else                       
                continue           
        fi                         
                                   
        if [ -r "${_issuer}" ]; then
                _ocsp_url="$(openssl x509 -noout -ocsp_uri -in "$_pem")"
                if [ -n "$_ocsp_url" ]; then
                        _ocsp_host="$(echo "$_ocsp_url" | cut -d/ -f3)"
                        subjectdn="$(openssl x509 -in "$_issuer" -subject -noout | cut -d'/' -f2,3,4,5,6,7,8,9,10)"
                        issuerdn="$(openssl x509 -in "$_issuer" -issuer -noout | cut -d'/' -f2,3,4,5,6,7,8,9,10)"
                        if [ "$subjectdn" = "$issuerdn" ]; then
                                _cafile_argument="-CAfile \"${_issuer}\""
                        else       
                                _cafile_argument=""
                        fi         
                        _openssl_version=$(openssl version | cut -d' ' -f2)
                        _openssl_major=$(echo "${_openssl_version}" | cut -d '.' -f1)
                        _openssl_minor=$(echo "${_openssl_version}" | cut -d '.' -f2)
                        if [ "${_openssl_major}" -eq "1" ] && [ "${_openssl_minor}" -ge "1" ] || [ "${_openssl_major}" -ge "2" ]; then
                                _header_sep="="
                        else       
                                _header_sep=" "
                        fi         
                                   
                        _openssl_ocsp_cmd="openssl ocsp \
                                -issuer \"${_issuer}\" \
                                -cert \"${_pem}\" \
                                -url \"${_ocsp_url}\" \
                                -header Host${_header_sep}\"${_ocsp_host}\" \
                                -respout \"${_ocsp}\" \
                                -verify_other \"${_issuer}\" \
                                ${_cafile_argument} \
                                | grep -q \"${_pem}: good\""
                                   
                        eval "${_openssl_ocsp_cmd}"
                        _ret=$?    
                                   
                        if [ "${_ret}" != "0" ]; then
                                echo "Updating OCSP stapling failed with return code ${_ret}"
                        fi         
                fi                 
        fi                         
done                               
                                   
/usr/local/etc/rc.d/haproxy reload

Then created an action (/usr/local/opnsense/service/conf/actions_ocsp.conf) so I can configure it as an automation for Let's Encrypt plugin.

[update]                           
command:/usr/local/etc/rc.syshook.d/start/99-ocsp
parameters:                        
type:script                        
message:updating OCSP responses    
description:Update LE certificates OCSP responses for HAProxy

Restart configd to load the action.

service configd restart

You can now create an Automation in Let's Encrypt plugin config and add it on every Certificate configuration that HAproxy requires.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment