tomwassenberg / certbot-ocsp-fetcher Goto Github PK

This is now hardcoded as /etc/letsencrypt, while it can be different if a Certbot user uses a non-standard directory.

The command calls that take $CERTBOT_DIR and $OUTPUT_DIR as a parameter will now fail if any of these variables start with a hyphen, because those will assume they are flags instead of values.

Probably requires a temp file.

A certificate should normally never be in a "revoked" status, while still being present in Certbot's folder. So when the script encounters such a certificate, the script should halt and/or send an alert.

This is useful, because this script should be run periodically, since OCSP responses are valid for a maximum of 10 days, and a new response should be issued at least every 4 days.

Hi there. Thank you for this immensely useful tool, it really should be more well-known.
Currently, the only way to use it is to just manually take the script file that's found in the repo and put it where you want and execute it. You also have to also make sure that the dependencies are in place.

It would be nice though if you also published a Docker image to Docker Hub.

Let me know if this is somehow not feasible.

Thanks.

Because of a backwards-incompatible argument style change in OpenSSL 1.1.0, the current OpenSSL command that fetches the actual OCSP response doesn't work on OpenSSL <1.1.0.

I should check what OpenSSL version is on the system, and use the correct argument style for it.

This should print the usage and exit with success.

I should check when the openssl ocsp command exits with exit code 0, and when it exits with another exit code. In this way, errors can be caught.

Renewing an existing certificate for example.com and *.example.com

Hook 'deploy-hook' ran with output:
 example.com	updated
Hook 'deploy-hook' ran with error output:
 Running as a deploy hook of Certbot...

 LINEAGE   	RESULT 	REASON

Sounds like the message " Running as a deploy hook of Certbot..." is seen as an error message by certbot renew.
And " LINEAGE RESULT REASON" as well.

Therefore, I uncommented the lines in your code that print these two messages detected as error messages.

But even, after that, I get the "error" message:

"Hook 'deploy-hook' ran with error output:
 example.com	updated"

The directory where OCSP responses are saved is now hardcoded as /etc/nginx/ocsp-cache. This should be configurable.

In "manual mode", you might not be using Certbot at all, so a way to specify the certificate(s) to process would be nice.

The check for root privileges should be conditional, so the script only halts if it actually needs root for the tasks it's about to perform. So if:

• your certificate chains are readable by the current user, AND
• the output directory is writeable by the current user, AND
• nginx can be restarted by the current user

you wouldn't actually need root.

Blocked on #13.

This article lists some good design practices for Unix tools, especially regarding the output. I should check if there is stuff that can be used here.