Merge branch 'master' of gitlab.labs.nic.cz:turris/misc

3fbb9d55 · Martin Strbacka · 871a73ec · b1f5b775 · 3fbb9d55 · 3fbb9d55
Commit 3fbb9d55 authored 11 years ago by Martin Strbacka
--- a/cacerts/get-api-crl
+++ b/cacerts/get-api-crl
+#!/bin/sh
+
+set -ex
+
+# The time of 4 hours should be enough for the CRL not to time out. Hopefuly.
+if [ -f /tmp/crl.pem ] && [ "$((`date +%s`-4*3600))" -lt "$((`date -r /tmp/crl.pem +%s`))" ] ; then
+	exit
+fi
+
+mkdir /tmp/crldown
+trap 'rm -rf /tmp/crldown' EXIT ABRT QUIT TERM
+cd /tmp/crldown
+
+echo | openssl s_client -connect api.turris.cz:443 -showcerts | awk -v c=-1 '/-----BEGIN CERTIFICATE-----/{inc=1;c++} inc {print > (c ".pem")}'
+
+for i in *.pem ; do
+	# This is a hack a bit, we expect the hostname to be crl\. something. Our CA satisfies this now and if it breaks, we would find out.
+	openssl x509 -in "$i" -noout -text | grep -o 'http://crl\..*' | xargs curl | openssl crl -inform der -out tmp.pem
+	cat tmp.pem >>out.pem
+done
+mv out.pem /tmp/crl.pem
--- a/logsend/logsend.sh
+++ b/logsend/logsend.sh
@@ -28,6 +28,9 @@
 # Configuration
 set -ex

+# Download CRL for curl.
+get-api-crl
+
 # List of daemon names. Separate by \|, it's put into the regular expression.
 DAEMONS='ucollect\|updater\|watchdog\|oneshot\|nikola\|nethist'