
Automatic renewal when a certificate is revoked.

Open rdebath opened this issue 5 years ago • 1 comments

Is your feature request related to a problem? Please describe. The problem is: https://community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864 That is, a certificate has been revoked for whatever reason and needs renewal before its expiry.

Describe the solution you'd like When the end date of the last certificate is checked (and is less than 30 days away), it can also be checked to see if it has been revoked.

The easiest way to do this seems to be to check the OCSP status: https://serverfault.com/questions/590504/how-do-i-check-if-my-ssl-certificates-have-been-revoked

From that Serverfault page ...

$ openssl x509 -noout -ocsp_uri -in /etc/letsencrypt/archive/31337.it/cert1.pem
http://ocsp.int-x1.letsencrypt.org/
$ openssl ocsp -issuer /etc/letsencrypt/archive/31337.it/chain4.pem -cert /etc/letsencrypt/archive/31337.it/cert4.pem -text -url http://ocsp.int-x1.letsencrypt.org/ -header "HOST"="ocsp.int-x1.letsencrypt.org"
....
        This Update: Oct 29 12:00:00 2015 GMT
        Next Update: Nov  5 12:00:00 2015 GMT
        Revocation Time: Oct 29 12:33:57 2015 GMT

rdebath avatar Mar 03 '20 18:03 rdebath

As a very quick script that runs through a server, you can try:

#!/bin/bash

WORKING_DIR=~/.getssl
DOMAIN_STORAGE="${DOMAIN_STORAGE:=$WORKING_DIR}"

# read any variables from config in working directory
if [[ -s "$WORKING_DIR/getssl.cfg" ]]; then
  echo "reading config from $WORKING_DIR/getssl.cfg"
  # shellcheck source=/dev/null
  . "$WORKING_DIR/getssl.cfg"
fi

for dir in "${DOMAIN_STORAGE}"/*; do
  if [[ -d "$dir" ]]; then
    # check if $dir is a directory with a getssl.cfg in it
    if [[ -f "$dir/getssl.cfg" ]]; then
      domain=$(basename "$dir")
      cert="${dir}/${domain}.crt"
      chain="${dir}/chain.crt"
      if [[ ! -f "$cert" || ! -f "$chain" ]]; then
        echo "$domain: no certificate or chain found, skipping"
        continue
      fi
      # the OCSP responder URL is embedded in the certificate's AIA extension
      ocsp_uri=$(openssl x509 -noout -ocsp_uri -in "$cert" 2>/dev/null)
      if [[ -z "$ocsp_uri" ]]; then
        echo "$domain: certificate carries no OCSP URI, cannot check"
        continue
      fi
      # host part of the URL (strip scheme and any path) for the HTTP Host header
      ocsp=${ocsp_uri#*://}
      ocsp=${ocsp%%/*}
      # OpenSSL 1.1.0+ expects -header as name=value (1.0.x used "-header Host $ocsp")
      result=$(openssl ocsp -issuer "$chain" -cert "$cert" -text -url "$ocsp_uri" -header "Host=$ocsp" 2>/dev/null)
      # openssl ocsp prints "<cert path>: good" for a certificate the responder vouches for
      if grep -qF -- "${cert}: good" <<< "$result"; then
        echo "$domain is OK"
      else
        echo "$domain may be a revoked cert"
      fi
    fi
  fi
done

exit 0

I'd like to double-check all the failure cases before I add something into the main code. It may be safe to autorun getssl with a force if "Revocation Time" is in the response, I suspect.

serverco-a avatar Mar 03 '20 20:03 serverco-a
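Since the decision to force a renewal hinges on telling a definite revocation apart from a responder or network failure, here is an added example (not getssl code, written for this thread) that classifies captured `openssl ocsp` output; the sample outputs, the certificate path and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of getssl: classify captured `openssl ocsp` output so a
# renewal job forces a renewal only on a definite "revoked" verdict and treats
# responder errors or unverifiable replies as something to alert on, not act on.
# Capture both streams: the status line goes to stdout, "Response verify OK" to stderr:
#   result=$(openssl ocsp -issuer "$chain" -cert "$cert" -url "$uri" 2>&1)
#   status=$(classify_ocsp "$result" "$cert")
classify_ocsp() {
  output=$1
  cert=$2
  if ! printf '%s\n' "$output" | grep -q '^Response verify OK'; then
    # connection failure, "Responder Error", or a reply that fails signature checks
    echo unknown
  elif printf '%s\n' "$output" | grep -qF -- "$cert: revoked" \
      && printf '%s\n' "$output" | grep -q 'Revocation Time:'; then
    echo revoked
  elif printf '%s\n' "$output" | grep -qF -- "$cert: good"; then
    echo good
  else
    # verified reply, but the responder does not know this serial number
    echo unknown
  fi
}

# Map the OCSP status to what the cron job should do.
renewal_action() {
  case "$(classify_ocsp "$1" "$2")" in
    revoked) echo force-renew ;;
    good)    echo none ;;
    *)       echo alert ;;   # never force on an error: it may be a transient outage
  esac
}

# Constructed, abbreviated sample outputs for a self-test.
CERT=/root/.getssl/example.com/example.com.crt
SAMPLE_GOOD=$(printf 'Response verify OK\n%s: good\n\tThis Update: Mar  3 12:00:00 2020 GMT' "$CERT")
SAMPLE_REVOKED=$(printf 'Response verify OK\n%s: revoked\n\tThis Update: Mar  3 12:00:00 2020 GMT\n\tRevocation Time: Mar  3 12:33:57 2020 GMT' "$CERT")
SAMPLE_ERROR=$(printf 'Error connecting BIO\nError querying OCSP responder')

echo "good sample    -> $(renewal_action "$SAMPLE_GOOD" "$CERT")"
echo "revoked sample -> $(renewal_action "$SAMPLE_REVOKED" "$CERT")"
echo "error sample   -> $(renewal_action "$SAMPLE_ERROR" "$CERT")"
```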