sane-ssl-dump: new script to help debug ssl stuff

pkgs/sane-scripts/default.nix

@@ -38,6 +38,7 @@ resholve.mkDerivation {
         ncurses
         oath-toolkit
         openssh
+        openssl
         rmlint
         rsync
         ssh-to-age
@@ -53,6 +54,7 @@ resholve.mkDerivation {
         "/tmp/rmlint.sh" = true;
         # intentionally escapes (into user code)
         "$external_cmd" = true;
+        "$maybe_sudo" = true;
       };
       fake = {
         external = [

pkgs/sane-scripts/src/sane-ssl-dump

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+# dump info about the provided SSL certificate
+cert="$1"
+maybe_sudo=
+
+if ! (test -e "$cert")
+then
+        cert="/var/lib/acme/${cert}/full.pem"
+        maybe_sudo=sudo
+fi
+
+# $maybe_sudo openssl x509 -in "$file" -text
+$maybe_sudo openssl crl2pkcs7 -nocrl -certfile "$cert" | openssl pkcs7 -print_certs -text -noout
+