Created
August 18, 2020 19:20
-
-
Save phbits/f96161a82a933cfb133c7815d2438293 to your computer and use it in GitHub Desktop.
Update OCSP staple file for relayd via cron.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/sh | |
| # save as /etc/OCSP-Update.sh | |
| # script launched via cron to update OCSP staple file | |
| # for use with relayd. Run script on first use to schedule | |
| # next launch. | |
| # sh /etc/OCSP-Update.sh | |
| # Tested on OpenBSD 6.7 | |
| # get new OCSP staple file | |
| /usr/sbin/ocspcheck -N -o /etc/ssl/127.0.0.1\:443.ocsp /etc/ssl/127.0.0.1\:443.crt | |
| # reload relayd with new OCSP staple file | |
| /usr/sbin/relayctl reload | |
| # get expiration date of OCSP staple file | |
| EXPIRES=`/usr/bin/openssl ocsp -resp_text -respin /etc/ssl/127.0.0.1\:443.ocsp | /usr/bin/grep "Next Update" | /usr/bin/awk -F ' ' '{print $6"-"$3"-"$4 $5}'` | |
| # convert expiration date to epoch | |
| EXPIRESEPOCH=$(/bin/date -j -u -f "%Y-%b-%d %T" $EXPIRES "+%s") | |
| # get current time in epoch | |
| NOW=$(/bin/date -j -r `expr $(/bin/date +%s)` "+%s") | |
| # get number of seconds from now to ~60 seconds | |
| # before OCSP staple file expires | |
| CRONTIME=`expr $EXPIRESEPOCH - $NOW - 60` | |
| # export current crontab excluding the | |
| # script's own entry | |
| /usr/bin/crontab -l | grep -v "/etc/OCSP-Update.sh" > /tmp/tmpCron | |
| # append a new entry to run the script ~60 seconds | |
| # before the OCSP staple file expires | |
| /bin/echo $(date -j -r `expr $(date +%s) + $CRONTIME` "+%M %H %d %m")" * /bin/sh /etc/OCSP-Update.sh 2>&1" >> /tmp/tmpCron | |
| # load new crontab | |
| /usr/bin/crontab /tmp/tmpCron | |
| # remove working file | |
| /bin/rm /tmp/tmpCron |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment