Here is a workaround to automate OCSP stapling on OPNsense with the HAProxy plugin.
Hope it helps :)
I created a script based on acme.sh's haproxy deploy hook.
As /tmp is emptied on reboot, you need to regenerate the OCSP files on startup, so I put the script as a startup script: /usr/local/etc/rc.syshook.d/start/99-ocsp
(symbolic links in rc.syshook.d don't work).
#!/bin/sh
# Regenerate the OCSP staple (<cert>.pem.ocsp) for every certificate HAProxy
# loads from /tmp, using the issuer chain stored by the acme-client plugin.
HAPROXY_DIR="/tmp/haproxy/ssl"
ACME_DIR="/var/etc/acme-client/home"

for _pem in "$HAPROXY_DIR"/*.pem; do
    # An unmatched glob leaves the literal pattern; skip it.
    [ -f "$_pem" ] || continue
    cert_file="$(basename "$_pem")"
    _issuer="${HAPROXY_DIR}/${cert_file%.pem}.issuer"
    _ocsp="${_pem}.ocsp"
    # The CN of the leaf cert is the name of its acme-client directory.
    cert_cn="$(openssl x509 -in "$_pem" -noout -text | sed -nE 's/.*Subject:.*CN = ([^,]*)(,.*)?$/\1/p')"
    ca_file="${ACME_DIR}/${cert_cn}/ca.cer"
    if [ -f "$ca_file" ]; then
        cp "$ca_file" "$_issuer"
    else
        echo "No ${ca_file} for ${cert_file}, skipping"
        continue
    fi
    if [ -r "${_issuer}" ]; then
        _ocsp_url="$(openssl x509 -noout -ocsp_uri -in "$_pem")"
        if [ -n "$_ocsp_url" ]; then
            _ocsp_host="$(echo "$_ocsp_url" | cut -d/ -f3)"
            # Compare subject and issuer of the issuer cert to detect a self-signed
            # issuer (root) that must be passed as -CAfile. The original `cut -d/`
            # only worked with the legacy "/C=.../CN=..." name format; RFC2253
            # output is stable across OpenSSL versions.
            subjectdn="$(openssl x509 -in "$_issuer" -subject -noout -nameopt RFC2253 | sed 's/^subject=//')"
            issuerdn="$(openssl x509 -in "$_issuer" -issuer -noout -nameopt RFC2253 | sed 's/^issuer=//')"
            if [ "$subjectdn" = "$issuerdn" ]; then
                _cafile_argument="-CAfile \"${_issuer}\""
            else
                _cafile_argument=""
            fi
            # OpenSSL >= 1.1 expects "-header Host=value", older releases "-header Host value".
            _openssl_version=$(openssl version | cut -d' ' -f2)
            _openssl_major=$(echo "${_openssl_version}" | cut -d '.' -f1)
            _openssl_minor=$(echo "${_openssl_version}" | cut -d '.' -f2)
            if [ "${_openssl_major}" -eq "1" ] && [ "${_openssl_minor}" -ge "1" ] || [ "${_openssl_major}" -ge "2" ]; then
                _header_sep="="
            else
                _header_sep=" "
            fi
            # Fetch the response, write it next to the PEM and only accept a "good" status.
            _openssl_ocsp_cmd="openssl ocsp \
                -issuer \"${_issuer}\" \
                -cert \"${_pem}\" \
                -url \"${_ocsp_url}\" \
                -header Host${_header_sep}\"${_ocsp_host}\" \
                -respout \"${_ocsp}\" \
                -verify_other \"${_issuer}\" \
                ${_cafile_argument} \
                | grep -q \"${_pem}: good\""
            eval "${_openssl_ocsp_cmd}"
            _ret=$?
            if [ "${_ret}" != "0" ]; then
                echo "Updating OCSP stapling for ${cert_file} failed with return code ${_ret}"
            fi
        fi
    fi
done
# Reload so HAProxy picks up the refreshed .ocsp files.
/usr/local/etc/rc.d/haproxy reload
Then I created an action (/usr/local/opnsense/service/conf/actions_ocsp.conf) so I can configure it as an automation for the Let's Encrypt plugin.
[update]
command:/usr/local/etc/rc.syshook.d/start/99-ocsp
parameters:
type:script
message:updating OCSP responses
description:Update LE certificates OCSP responses for HAProxy
Restart configd to load the action.
service configd restart
You can now create an Automation in the Let's Encrypt plugin config and add it to every certificate configuration that HAProxy requires.