mod_checkcerts/mod_checkcerts.lua @ 1879:18123e0f5d58
mod_checkcerts: Improve logic for finding an ssl section with a certificate
author | Kim Alvefur <zash@zash.se> |
---|---|
date | Tue, 29 Sep 2015 14:53:16 +0200 |
parent | 1672:d9fcf9d8e787 |
child | 1880:a7c1f1b6ef05 |
1878:7f96183a60ce | 1879:18123e0f5d58 |
---|---|
36 local function check_certs_validity() | 36 local function check_certs_validity() |
37 local now = os.time(); | 37 local now = os.time(); |
38 | 38 |
39 -- First, let's find out what certificate this host uses. | 39 -- First, let's find out what certificate this host uses. |
40 local ssl_config = config.rawget(module.host, "ssl"); | 40 local ssl_config = config.rawget(module.host, "ssl"); |
41 if not ssl_config then | 41 if not ssl_config or not ssl_config.certificate then |
42 local base_host = module.host:match("%.(.*)"); | 42 ssl_config = config.get(module.host:match("%.(.*)"), "ssl"); |
43 ssl_config = config.get(base_host, "ssl"); | 43 end |
44 if not ssl_config or not ssl_config.certificate then | |
45 ssl_config = config.get("*", "ssl"); | |
46 end | |
47 if not ssl_config or not ssl_config.certificate then | |
48 log("warn", "Could not find a certificate to check"); | |
49 return; | |
44 end | 50 end |
45 | 51 |
46 if ssl_config and ssl_config.certificate then | 52 local certfile = ssl_config.certificate; |
47 local certfile = ssl_config.certificate; | 53 local fh = io.open(certfile); -- Load the file. |
48 local fh = io.open(certfile); -- Load the file. | 54 cert = fh and fh:read"*a"; |
49 cert = fh and fh:read"*a"; | 55 fh = fh and fh:close(); |
50 fh = fh and fh:close(); | 56 local cert = cert and load_cert(cert); -- And parse |
51 local cert = cert and load_cert(cert); -- And parse | |
52 | 57 |
53 if not cert then | 58 if not cert then |
54 module:log("warn", "No certificate configured for this host, please fix this and reload this module to check expiry"); | 59 module:log("warn", "No certificate configured for this host, please fix this and reload this module to check expiry"); |
55 return | 60 return |
61 end | |
62 local expires_at = parse_x509_datetime(cert:notafter()); | |
63 local expires_in = os.difftime(expires_at, now); | |
64 local fmt = "Certificate %s expires in %s" | |
65 local nag_admin = expires_in < nag_time; | |
66 local log_warn = expires_in < nag_time * 2; | |
67 local timediff = expires_in; | |
68 if expires_in < 0 then | |
69 fmt = "Certificate %s expired %s ago"; | |
70 timediff = -timediff; | |
71 end | |
72 timediff = humantime(timediff); | |
73 module:log(log_warn and "warn" or "info", fmt, certfile, timediff); | |
74 if nag_admin then | |
75 local body = fmt:format("for host ".. module.host, timediff); | |
76 for _,admin in ipairs(module:get_option_array("admins", {})) do | |
77 module:send(st.message({ from = module.host, to = admin, type = "chat" }, body)); | |
56 end | 78 end |
57 local expires_at = parse_x509_datetime(cert:notafter()); | |
58 local expires_in = os.difftime(expires_at, now); | |
59 local fmt = "Certificate %s expires in %s" | |
60 local nag_admin = expires_in < nag_time; | |
61 local log_warn = expires_in < nag_time * 2; | |
62 local timediff = expires_in; | |
63 if expires_in < 0 then | |
64 fmt = "Certificate %s expired %s ago"; | |
65 timediff = -timediff; | |
66 end | |
67 timediff = humantime(timediff); | |
68 module:log(log_warn and "warn" or "info", fmt, certfile, timediff); | |
69 if nag_admin then | |
70 local body = fmt:format("for host ".. module.host, timediff); | |
71 for _,admin in ipairs(module:get_option_array("admins", {})) do | |
72 module:send(st.message({ from = module.host, to = admin, type = "chat" }, body)); | |
73 end | |
74 end | |
75 return math.max(86400, expires_in / 3); | |
76 end | 79 end |
80 return math.max(86400, expires_in / 3); | |
77 end | 81 end |
78 | 82 |
79 module:add_timer(1, check_certs_validity); | 83 module:add_timer(1, check_certs_validity); |
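Review bot: The new "Could not find a certificate to check" warning (new-side line 48) is emitted through a bare `log("warn", ...)` while the other warning in the same function uses `module:log(...)`; unless a local `log` is bound earlier in the file, this goes to the global logger and loses the module/host prefix that makes the message actionable, so it should read `module:log("warn", "Could not find a certificate to check");`. Two smaller points on the replaced block at new-side lines 52-56: `cert = fh and fh:read"*a";` still assigns an undeclared global `cert` before the `local cert` on line 56, and a certificate path that cannot be opened (wrong path, permissions after a key rotation) is reported as "No certificate configured for this host", which hides the real cause from whoever is investigating a missed expiry alert. The rewrite below keeps the file contents in a local and reports the `io.open` failure with its own error text; the rest of the function, which is fully visible in the hunk, is unchanged.
```lua
	local certfile = ssl_config.certificate;
	local fh, err = io.open(certfile); -- Load the file.
	if not fh then
		module:log("warn", "Could not open certificate file %s: %s", certfile, tostring(err));
		return;
	end
	local pem = fh:read("*a");
	fh:close();
	local cert = pem and load_cert(pem); -- And parse
	-- … unchanged: "No certificate configured" check, expiry computation, admin nag, return …
```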