initial commit

usr/local/sbin/certbot

@@ -0,0 +1,3 @@
+#!/bin/sh
+[ -z "${VIRTUAL_ENV}" ] || exit 126
+exec certbot-venv certbot "$@"

usr/local/sbin/certbot-full-update

@@ -0,0 +1,10 @@
+#!/bin/sh
+# SPDX-License-Identifier: Apache-2.0
+# (c) 2024, Konstantin Demin
+
+set -ef
+
+[ -n "${VIRTUAL_ENV}" ] || exec certbot-venv "$0" "$@"
+
+# pip list --format json | jq -r '.[].name' | xargs -r pip install -U
+pip list --format freeze | awk -F= '{print $1}' | xargs -r pip install -U

usr/local/sbin/certbot-ocsp

@@ -0,0 +1,62 @@
+#!/bin/sh
+# SPDX-License-Identifier: Apache-2.0
+# (c) 2024, Konstantin Demin
+
+set -ef
+
+ocsp_valid_threshold=86400
+
+usage() {
+	cat >&2 <<-EOF
+	# usage: ${0##*/} <in:issuer.pem> <in:cert.pem> <inout:ocsp.der>
+	EOF
+	exit "${1:-0}"
+}
+[ $# != 0 ] || usage
+
+arg_ok=
+while : ; do
+	[ -n "$1" ] || break
+	[ -s "$1" ] || break
+	[ -n "$2" ] || break
+	[ -s "$2" ] || break
+	[ -n "$3" ] || break
+	arg_ok=1
+break ; done
+[ -n "${arg_ok}" ] || usage 1
+unset arg_ok
+
+chain="$1"
+cert="$2"
+ocsp="$3"
+
+ossl_ocsp_read() {
+	openssl ocsp \
+	  -issuer "$1" -cert "$2" -respin "$3" -resp_text
+}
+
+ossl_ocsp_next_update() {
+	sed -En '/^\s*[Nn]ext [Uu]pdate:\s*(\S.+\S)\s*$/{s//\1/;p;q}'
+}
+
+need_update=1
+while : ; do
+	[ -s "${ocsp}" ] || break
+	ossl_ocsp_read "${chain}" "${cert}" "${ocsp}" >/dev/null || break
+
+	next_update=$(ossl_ocsp_read "${chain}" "${cert}" "${ocsp}.new" 2>/dev/null | ossl_ocsp_next_update)
+	ts_now=$(date '+%s')
+	ts_next=$(date -d "${next_update}" '+%s')
+
+	ts_diff=$((ts_next - ts_now))
+	[ ${ts_diff} -le ${ocsp_valid_threshold} ] || need_update=0
+
+	unset next_update ts_now ts_next ts_diff
+break ; done
+
+if [ ${need_update} = 0 ] ; then
+	env printf '%s: %q has valid and fresh OCSP response\n' "${0##*/}" "${cert}" >&2
+	exit 1
+fi
+
+exec openssl-ocsp "${chain}" "${cert}" "${ocsp}"

usr/local/sbin/certbot-pycache

@@ -0,0 +1,20 @@
+#!/bin/sh
+# SPDX-License-Identifier: Apache-2.0
+# (c) 2024, Konstantin Demin
+
+set -ef
+
+[ -n "${VIRTUAL_ENV}" ] || exec certbot-venv "$0" "$@"
+
+find "${VIRTUAL_ENV}/" -name __pycache__ -exec rm -rf {} +
+find "${VIRTUAL_ENV}/" -name '*.pyc' -delete
+
+j=$(nproc) || j=0
+case "$j" in
+[1-4] ) ;;
+* ) j=1 ;;
+esac
+j=$(( j*2 + 1 ))
+
+unset SOURCE_DATE_EPOCH
+"${PYTHON3:-python3}" -m compileall -q -j $j "${VIRTUAL_ENV}"

usr/local/sbin/certbot-venv

@@ -0,0 +1,14 @@
+#!/bin/sh
+# SPDX-License-Identifier: Apache-2.0
+# (c) 2024, Konstantin Demin
+
+set -ef
+
+v=/usr/local/certbot
+
+[ -d "$v" ] || "${PYTHON3:-python3}" -m venv "$v"
+
+export VIRTUAL_ENV="$v"
+export PATH="$v/bin:${PATH}"
+
+exec "$@"

usr/local/sbin/openssl-ocsp

@@ -0,0 +1,73 @@
+#!/bin/sh
+# SPDX-License-Identifier: Apache-2.0
+# (c) 2024, Konstantin Demin
+
+set -ef
+
+usage() {
+	cat >&2 <<-EOF
+	# usage: ${0##*/} <in:issuer.pem> <in:cert.pem> <out:ocsp.der>
+	EOF
+	exit "${1:-0}"
+}
+[ $# != 0 ] || usage
+
+arg_ok=
+while : ; do
+	[ -n "$1" ] || break
+	[ -s "$1" ] || break
+	[ -n "$2" ] || break
+	[ -s "$2" ] || break
+	[ -n "$3" ] || break
+	arg_ok=1
+break ; done
+[ -n "${arg_ok}" ] || usage 1
+unset arg_ok
+
+chain="$1"
+cert="$2"
+ocsp="$3"
+
+ocsp_uri=$(openssl x509 -in "${cert}" -noout -ocsp_uri | head -n 1)
+[ -n "${ocsp_uri}" ] || exit 0
+
+umask 0077
+t=$(mktemp) ; : "${t:?}"
+umask 0022
+
+ossl_ocsp_fetch() {
+	openssl ocsp \
+	  -timeout 5 -nonce \
+	  -issuer "$1" -cert "$2" -url "$3" -respout "$4"
+}
+
+ossl_ocsp_read() {
+	openssl ocsp \
+	  -issuer "$1" -cert "$2" -respin "$3" -resp_text
+}
+
+for i in $(seq 1 3) ; do
+	if ossl_ocsp_fetch "${chain}" "${cert}" "${ocsp_uri}" "$t" ; then
+		break
+	fi
+	: > "$t"
+	sleep 5
+done ; unset i
+
+if ! [ -s "$t" ] ; then
+	env printf '%s: unable to fetch OCSP response for %q via %q\n' "${0##*/}" "${cert}" "${ocsp_uri}" >&2
+fi
+
+resp_ok=
+while : ; do
+	[ -s "$t" ] || break
+	ossl_ocsp_read "${chain}" "${cert}" "$t" >/dev/null || break
+	touch "${ocsp}" || break
+	tee "${ocsp}" < "$t" >/dev/null || break
+	chmod 0644 "${ocsp}" || :
+	resp_ok=1
+break ; done
+
+rm -rf "$t"
+[ -n "${resp_ok}" ] || exit 1
+exit 0