PRE-CACHE AN ssl_stapling_file UNDER EACH CERTIFICATE TO DRAMATICALLY IMPROVE THE STARTUP TIME OF NGINX
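#!/usr/bin/env bash
### CREATE TO SUPPORT PRE-CACHED ssl_stapling_file UNDER EACH CERTIFICATE, DRAMATICALLY IMPROVE STARTUP TIME
#
# Usage: ocsp-precache.sh [CERT_ROOT_PATH]     (default: /etc/ssl/certs)
#
# For every CERT_ROOT_PATH/<name>.crt with a sibling <name>.pem (handed to
# `openssl ocsp` as -issuer and -verify_other), fetch the OCSP response from
# the responder named in the certificate's AIA extension and store it as
# CERT_ROOT_PATH/<name>.crt.der, the file nginx serves via ssl_stapling_file.
# A cached response younger than CACHE_EXPIRATION_MINUTES is left untouched.
#
# Compared with the original loop:
#   * the response is fetched into a private mktemp directory instead of the
#     predictable /tmp/<name>.der (pre-existing file / symlink hazard);
#   * a response is installed only when the `openssl ocsp -text` report says
#     "Response verify OK" and "Cert Status: good" -- the old `$?` tests looked
#     at the wrong command (the `cut` ending a pipeline, and a `[[ -e ]]`
#     test), so an unverified or non-good response could have been staged for
#     nginx to staple verbatim;
#   * the cache file is replaced atomically (temp file in the cache dir + mv),
#     so a concurrent nginx reload never reads a half-written file;
#   * the OCSP URI comes from `openssl x509 -ocsp_uri` rather than grep/cut,
#     which dropped everything after the second ':' (ports, paths).
#
# Requires GNU stat (-c '%Y'); the `-header NAME VALUE` retry uses the
# OpenSSL 1.0.x argument form, as the original did.

set -u -o pipefail

readonly CERT_ROOT_PATH="${1:-/etc/ssl/certs}"
readonly CERT_OCSP_CACHE="${CERT_ROOT_PATH}"
readonly CACHE_EXPIRATION_MINUTES=$((60 * 13))   # 13 hours, as in the original
CUR_TIMESTAMP="$(date '+%s')"
readonly CUR_TIMESTAMP
WORK_DIR=""   # private scratch dir, created in main(), removed by cleanup()

# Print a message to stderr and exit non-zero.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# EXIT trap: remove the scratch directory (and any half-fetched responses).
cleanup() {
  if [[ -n "$WORK_DIR" ]]; then
    rm -rf -- "$WORK_DIR"
  fi
}

# Print to stdout and to syslog, like the original `tee >(logger)`.
log_both() {
  tee >(logger) <<< "$*"
}

# Host part of an OCSP URI (scheme, userinfo, port and path stripped); used
# for the HTTP Host header on the retry. Same sed expression as the original.
ocsp_host() {
  sed -E -e 's_.*://([^/@]*@)?([^/:]+).*_\2_' <<< "$1"
}

#######################################
# True when the cached response exists and is younger than the expiry window.
# Globals:   CUR_TIMESTAMP, CACHE_EXPIRATION_MINUTES (read)
# Arguments: $1 - cache file path
# Returns:   0 if fresh, 1 if missing, unreadable or expired
#######################################
cache_is_fresh() {
  local cache_file=$1
  local mtime
  [[ -f "$cache_file" ]] || return 1
  mtime=$(stat -c '%Y' -- "$cache_file" 2>/dev/null) || return 1
  (( CUR_TIMESTAMP - mtime <= 60 * CACHE_EXPIRATION_MINUTES ))
}

#######################################
# Fetch the OCSP response for one certificate and verify it against its chain.
# Arguments: $1 - leaf certificate (.crt)
#            $2 - chain file (.pem) used as -issuer and -verify_other
#            $3 - path to write the DER response to
# Outputs:   the openssl report to stderr on failure
# Returns:   0 only if $3 holds a response that verified OK with status "good"
#######################################
fetch_ocsp_response() {
  local cert=$1 chain=$2 out=$3
  local uri host report rc

  # First OCSP responder URL from the certificate's AIA extension.
  uri=$(openssl x509 -in "$cert" -noout -ocsp_uri | head -n 1)
  if [[ -z "$uri" ]]; then
    printf 'No OCSP URI found in %s\n' "$cert" >&2
    return 1
  fi

  # NOTE(review): -issuer reads the first certificate in $chain; this assumes
  # each .pem starts with the issuing CA rather than the leaf -- confirm
  # against how the .pem files are produced.
  local -a ocsp_cmd=(openssl ocsp -no_nonce -respout "$out"
    -verify_other "$chain" -issuer "$chain" -cert "$cert" -text -url "$uri")

  report=$("${ocsp_cmd[@]}" 2>&1)
  rc=$?
  if [[ ! -s "$out" ]]; then
    # Some responders reject requests without a Host header, which older
    # OpenSSL does not send on its own; retry once with it. The two-argument
    # "-header NAME VALUE" form is OpenSSL 1.0.x syntax (1.1.0+ expects
    # "-header NAME=VALUE"); kept as in the original.
    host=$(ocsp_host "$uri")
    rm -f -- "$out"
    report=$("${ocsp_cmd[@]}" -header "HOST" "$host" 2>&1)
    rc=$?
  fi

  if (( rc != 0 )) || [[ ! -s "$out" ]]; then
    printf '%s\n' "$report" >&2
    return 1
  fi
  # -respout is written as soon as a response arrives, before verification,
  # and the exit status is not a reliable verification signal across OpenSSL
  # versions. Inspect the -text report instead and refuse anything that did
  # not verify against the chain or whose status is not "good": nginx serves
  # ssl_stapling_file to clients as-is.
  if ! grep -q 'Response verify OK' <<< "$report" \
      || ! grep -q 'Cert Status: good' <<< "$report"; then
    printf '%s\n' "$report" >&2
    rm -f -- "$out"
    return 1
  fi
  return 0
}

#######################################
# Atomically replace $2 with the contents of $1 (temp file next to $2 + mv).
# Arguments: $1 - source file, $2 - destination path
# Returns:   0 on success; the staging file is removed on failure
#######################################
install_cache_file() {
  local src=$1 dst=$2
  local staging
  staging=$(mktemp -- "${dst}.XXXXXX") || return 1
  # OCSP responses are public data; 0644 is what a plain `cp` typically
  # produced under the default umask, whereas mktemp creates 0600.
  if cp -- "$src" "$staging" && chmod 0644 -- "$staging" && mv -f -- "$staging" "$dst"; then
    return 0
  fi
  rm -f -- "$staging"
  return 1
}

#######################################
# Walk CERT_ROOT_PATH/*.crt and refresh each expired or missing .der cache.
# Globals:   CERT_ROOT_PATH, CERT_OCSP_CACHE (read), WORK_DIR (written)
# Arguments: none (the cert root is taken from the script's $1 at load time)
#######################################
main() {
  local cert chain name cache_file tmp_der

  if [[ ! -d "$CERT_OCSP_CACHE" ]]; then
    mkdir -p -- "$CERT_OCSP_CACHE" || die "cannot create ${CERT_OCSP_CACHE}"
  fi

  WORK_DIR=$(mktemp -d) || die "mktemp failed"
  trap cleanup EXIT

  # nullglob: an empty cert dir yields zero iterations instead of the literal
  # pattern; quoting the directory prefix removes the need to override IFS.
  shopt -s nullglob
  for cert in "${CERT_ROOT_PATH}"/*.crt; do
    chain=${cert%.crt}.pem   # strip the suffix only, never a ".crt" inside a directory name
    name=${cert##*/}
    cache_file="${CERT_OCSP_CACHE}/${name}.der"

    if [[ "$name" == *localhost* || "$name" == *ca-bundle* ]]; then
      printf 'Skipping Public Certificate: %s, trusted key: %s\n' "$cert" "$chain"
      continue
    fi
    if cache_is_fresh "$cache_file"; then
      printf 'Skipping Public Certificate: %s, trusted key: %s due not expired %s\n' "$cert" "$chain" "$cache_file"
      continue
    fi

    printf 'Processing Public Certificate: %s, trusted key: %s\n' "$cert" "$chain"
    if [[ ! -f "$chain" ]]; then
      printf 'Missing trusted chain %s for %s, skipping\n' "$chain" "$cert" >&2
      continue
    fi

    tmp_der="${WORK_DIR}/${name}.der"
    if fetch_ocsp_response "$cert" "$chain" "$tmp_der" \
        && install_cache_file "$tmp_der" "$cache_file"; then
      log_both "Updating OSCP Cache for ${name} at ${cache_file}"
    else
      log_both "OSCP Cache has been failed to created for ${name}"
    fi
    rm -f -- "$tmp_der"
  done
}

main "$@"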