Update OCSP staple file for relayd via cron.

OCSP-Update.sh

#!/bin/sh

# save as /etc/OCSP-Update.sh
# script launched via cron to update OCSP staple file
# for use with relayd. Run script on first use to schedule
# next launch.
# sh /etc/OCSP-Update.sh

# Tested on OpenBSD 6.7

# get new OCSP staple file
/usr/sbin/ocspcheck -N -o /etc/ssl/127.0.0.1\:443.ocsp /etc/ssl/127.0.0.1\:443.crt

# reload relayd with new OCSP staple file
/usr/sbin/relayctl reload

# get expiration date of OCSP staple file
EXPIRES=`/usr/bin/openssl ocsp -resp_text -respin /etc/ssl/127.0.0.1\:443.ocsp | /usr/bin/grep "Next Update" | /usr/bin/awk -F ' ' '{print $6"-"$3"-"$4 $5}'`

# convert expiration date to epoch
EXPIRESEPOCH=$(/bin/date -j -u -f "%Y-%b-%d %T" $EXPIRES "+%s")
# get current time in epoch
NOW=$(/bin/date -j -r `expr $(/bin/date +%s)` "+%s")
# get number of seconds from now to ~60 seconds 
# before OCSP staple file expires
CRONTIME=`expr $EXPIRESEPOCH - $NOW - 60`

# export current crontab excluding the
# script's own entry
/usr/bin/crontab -l | grep -v "/etc/OCSP-Update.sh" > /tmp/tmpCron

# append a new entry to run the script ~60 seconds 
# before the OCSP staple file expires
/bin/echo $(date -j -r `expr $(date +%s) + $CRONTIME` "+%M %H %d %m")" * /bin/sh /etc/OCSP-Update.sh 2>&1" >> /tmp/tmpCron

# load new crontab
/usr/bin/crontab /tmp/tmpCron

# remove working file
/bin/rm /tmp/tmpCron