tomwassenberg / certbot-ocsp-fetcher
A tool that primes the OCSP cache of nginx for certificates managed by Certbot, in order to make OCSP stapling work reliably.
License: MIT License
This is now hardcoded as /etc/letsencrypt, while it can be different if a Certbot user uses a non-standard directory.
The command calls that take $CERTBOT_DIR and $OUTPUT_DIR as a parameter will now fail if any of these variables start with a hyphen, because those commands will assume they are flags instead of values.
Probably requires a temp file.
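The hyphen problem described above, as an added example that is not code from the certbot-ocsp-fetcher repo: a POSIX sh guard for path variables such as $CERTBOT_DIR and $OUTPUT_DIR, showing the failing unprotected call, the "--" end-of-options fix, and a hypothetical safe_path helper. The directory name "-ocsp-cache" is a constructed value standing in for a bad OUTPUT_DIR.

```shell
# Added example, not the project's own code: keep a path value that begins
# with "-" from being parsed as an option by the utilities that receive it.

# Hypothetical helper: neutralise a leading "-" by prefixing "./".
# Absolute paths and ordinary relative paths are returned unchanged.
safe_path() {
  case "$1" in
    -*) printf '%s\n' "./$1" ;;
    *)  printf '%s\n' "$1" ;;
  esac
}

# Show the failure and both fixes inside a scratch directory. The body runs
# in a subshell, so the caller's working directory is untouched and "exit"
# only leaves the subshell. Returns 0 when the unprotected call is rejected
# and both protected calls succeed.
demo_hyphen_dir() (
  scratch=$(mktemp -d) || exit 1
  trap 'rm -rf "$scratch"' EXIT
  cd "$scratch" || exit 1
  dir='-ocsp-cache'   # constructed value resembling a bad OUTPUT_DIR

  # Unprotected: mkdir reads "-ocsp-cache" as a cluster of options and fails.
  if mkdir "$dir" 2>/dev/null; then
    echo "unexpected: unprotected mkdir accepted '$dir'" >&2
    exit 1
  fi

  # Fix 1: the "--" end-of-options marker, honoured by POSIX utilities.
  mkdir -- "$dir" || exit 1
  rmdir -- "$dir" || exit 1

  # Fix 2: a neutralised path, usable even with tools that ignore "--".
  mkdir "$(safe_path "$dir")" || exit 1
  test -d ./-ocsp-cache || exit 1
  rmdir "$(safe_path "$dir")" || exit 1
)

demo_hyphen_dir && echo "hyphen-safe path handling verified"
```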
A certificate should normally never be in a "revoked" status, while still being present in Certbot's folder. So when the script encounters such a certificate, the script should halt and/or send an alert.
This is useful, because this script should be run periodically, since OCSP responses are valid for a maximum of 10 days, and a new response should be issued at least every 4 days.
Hi there. Thank you for this immensely useful tool, it really should be more well-known.
Currently, the only way to use it is to just manually take the script file that's found in the repo and put it where you want and execute it. You also have to make sure that the dependencies are in place.
It would be nice though if you also published a Docker image to Docker Hub.
Let me know if this is somehow not feasible.
Thanks.
Because of a backwards-incompatible argument style change in OpenSSL 1.1.0, the current OpenSSL command that fetches the actual OCSP response doesn't work on OpenSSL <1.1.0.
I should check what OpenSSL version is on the system, and use the correct argument style for it.
This should print the usage and exit with success.
I should check when the openssl ocsp command exits with exit code 0, and when it exits with another exit code. In this way, errors can be caught.
Renewing an existing certificate for example.com and *.example.com
Hook 'deploy-hook' ran with output:
example.com updated
Hook 'deploy-hook' ran with error output:
Running as a deploy hook of Certbot...
LINEAGE RESULT REASON
Sounds like the message " Running as a deploy hook of Certbot..." is seen as an error message by certbot renew.
And " LINEAGE RESULT REASON" as well.
Therefore, I uncommented the lines in your code that print these two messages detected as error messages.
But even after that, I get the "error" message:
"Hook 'deploy-hook' ran with error output:
example.com updated"
The directory where OCSP responses are saved is now hardcoded as /etc/nginx/ocsp-cache. This should be configurable.
In "manual mode", you might not be using Certbot at all, so a way to specify the certificate(s) to process would be nice.
The check for root privileges should be conditional, so the script only halts if it actually needs root for the tasks it's about to perform. So if:
you wouldn't actually need root.
Blocked on #13.
This article lists some good design practices for Unix tools, especially regarding the output. I should check if there is stuff that can be used here.