author | Glenn Strauss <gstrauss@gluelogic.com> | 2022-11-13 08:47:33 -0500 |
---|---|---|
committer | Glenn Strauss <gstrauss@gluelogic.com> | 2022-11-23 08:44:48 -0500 |
commit | 422e3569bb82ade44aec5b54a938ed4497cb218b (patch) | |
tree | 8bd9f642d141ff200ee17573ac712425b0034407 /doc | |
parent | d616dea236785733dd04e3765d54a7f3a793f10c (diff) | |
download | lighttpd-git-422e3569bb82ade44aec5b54a938ed4497cb218b.tar.gz |
[doc/scripts/cert-staple.sh] short-circuit checks
short-circuit checks if staple.der next update is > 25 hours in future
(allows script to be run daily and to exit quickly if CA staples are
issued for longer, e.g. a week at a time)
Diffstat (limited to 'doc')
-rwxr-xr-x | doc/scripts/cert-staple.sh | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/doc/scripts/cert-staple.sh b/doc/scripts/cert-staple.sh
index 09f7bb3a..84946d3c 100755
--- a/doc/scripts/cert-staple.sh
+++ b/doc/scripts/cert-staple.sh
@@ -5,6 +5,7 @@ CHAIN_PEM="$2" # input (chain.pem)
 OCSP_DER="$3" # output symlink (staple.der)
 OCSP_TMP="" # temporary file
+next_delta=90000 # 25 hours
 if [ -z "$CERT_PEM" ] || [ -z "$CHAIN_PEM" ] || [ -z "$OCSP_DER" ] \
 || [ ! -f "$CERT_PEM" ] || [ ! -f "$CHAIN_PEM" ]; then
@@ -17,6 +18,17 @@ errexit() {
 exit 1
 }
+# short-circuit if Next Update is > $next_delta in the future
+next_ts=$(readlink "$OCSP_DER" 2>/dev/null)
+if [ -n "$next_ts" ]; then
+ next_ts="${next_ts##*.}"
+ ts=$(date +%s)
+ ts=$(( $ts + $next_delta ))
+ if [ -n "$next_ts" ] && [ "$next_ts" -gt "$ts" ]; then
+ exit 0
+ fi
+fi
+
 # get URI of OCSP responder from certificate
 OCSP_URI=$(openssl x509 -in "$CERT_PEM" -ocsp_uri -noout)
 [ $? = 0 ] && [ -n "$OCSP_URI" ] || exit 1 |
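Review bot: The short-circuit in the second hunk decides from the symlink target's name alone, without checking that the staple file it points to still exists and is non-empty. `readlink` succeeds on a dangling link, so a staple that was removed or never fully written would make the script exit 0 on every run until the encoded time comes within `$next_delta`; tightening the outer test to `if [ -n "$next_ts" ] && [ -s "$OCSP_DER" ]; then` avoids that. A non-numeric suffix only makes `[ "$next_ts" -gt "$ts" ]` fail and fall through to a refresh, which is safe, but `case "$next_ts" in *[!0-9]*) next_ts="" ;; esac` after the `##*.` strip would make that intent explicit and keep stderr quiet. Because the early exit runs before `$CERT_PEM` is read at all, the block also deserves a comment such as `# NOTE: a replaced or revoked certificate keeps the old staple until Next Update is within $next_delta`, so operators know to remove the symlink when they reissue a certificate.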