prosody-modules
a6c2345bcf87
mod_checkcerts/mod_checkcerts.lua
Software / code / prosody-modules
Comparison
mod_checkcerts/mod_checkcerts.lua @ 941:a6c2345bcf87
mod_checkcerts: Nag admins about certs that have, or are about to expire. Often.
| author | Kim Alvefur <zash@zash.se> |
|---|---|
| date | Thu, 28 Mar 2013 03:38:02 +0100 |
| parent | 855:1983d4d51e1a |
| child | 943:a8203db13ca2 |
comparison
equal
deleted
inserted
replaced
| 940:80ede103d7a3 | 941:a6c2345bcf87 |
|---|---|
| 1 local ssl = require"ssl"; | 1 local ssl = require"ssl"; |
| 2 local load_cert = ssl.x509 and ssl.x509.load | 2 local load_cert = ssl.x509 and ssl.x509.load |
| 3 or ssl.cert_from_pem; -- COMPAT mw/luasec-hg | 3 or ssl.cert_from_pem; -- COMPAT mw/luasec-hg |
| 4 local st = require"util.stanza" | |
| 4 | 5 |
| 5 if not load_cert then | 6 if not load_cert then |
| 6 module:log("error", "This version of LuaSec (%s) does not support certificate checking", ssl._VERSION); | 7 module:log("error", "This version of LuaSec (%s) does not support certificate checking", ssl._VERSION); |
| 7 return | 8 return |
| 8 end | 9 end |
| 9 | 10 |
| 11 local last_check = 0; | |
| 12 | |
| 10 local function check_certs_validity() | 13 local function check_certs_validity() |
| 14 local now = os.time(); | |
| 15 | |
| 16 if last_check > now - 21600 then | |
| 17 return | |
| 18 else | |
| 19 last_check = now; | |
| 20 end | |
| 11 -- First, let's find out what certificate this host uses. | 21 -- First, let's find out what certificate this host uses. |
| 12 local ssl_config = config.rawget(module.host, "core", "ssl"); | 22 local ssl_config = config.rawget(module.host, "core", "ssl"); |
| 13 if not ssl_config then | 23 if not ssl_config then |
| 14 local base_host = module.host:match("%.(.*)"); | 24 local base_host = module.host:match("%.(.*)"); |
| 15 ssl_config = config.get(base_host, "core", "ssl"); | 25 ssl_config = config.get(base_host, "core", "ssl"); |
| 24 fh:close(); | 34 fh:close(); |
| 25 cert = cert and load_cert(cert); -- And parse | 35 cert = cert and load_cert(cert); -- And parse |
| 26 if not cert then return end | 36 if not cert then return end |
| 27 -- No error reporting, certmanager should complain already | 37 -- No error reporting, certmanager should complain already |
| 28 | 38 |
| 29 local now = os.time(); | |
| 30 local valid_at = cert.valid_at or cert.validat; | 39 local valid_at = cert.valid_at or cert.validat; |
| 31 if not valid_at then return end -- Broken or uncommon LuaSec version? | 40 if not valid_at then return end -- Broken or uncommon LuaSec version? |
| 32 | 41 |
| 33 -- This might be wrong if the certificate has NotBefore in the future. | 42 -- This might be wrong if the certificate has NotBefore in the future. |
| 34 -- However this is unlikely to happen in the wild. | 43 -- However this is unlikely to happen with CA-issued certs in the wild. |
| 35 if not valid_at(cert, now) then | 44 if not valid_at(cert, now) then |
| 36 module:log("warn", "The certificate %s has expired", certfile); | 45 module:log("error", "The certificate %s has expired", certfile); |
| 46 module:send(st.message({from=module.host,to=admin,type="chat"},("Certificate for host %s has expired!"):format(module.host))); | |
| 37 elseif not valid_at(cert, now+86400*7) then | 47 elseif not valid_at(cert, now+86400*7) then |
| 38 module:log("warn", "The certificate %s will expire this week", certfile); | 48 module:log("warn", "The certificate %s will expire this week", certfile); |
| 49 for _,admin in ipairs(module:get_option_array("admins", {})) do | |
| 50 module:send(st.message({from=module.host,to=admin,type="chat"},("Certificate for host %s is about to expire!"):format(module.host))); | |
| 51 end | |
| 39 elseif not valid_at(cert, now+86400*30) then | 52 elseif not valid_at(cert, now+86400*30) then |
| 40 module:log("info", "The certificate %s will expire later this month", certfile); | 53 module:log("warn", "The certificate %s will expire later this month", certfile); |
| 54 else | |
| 55 module:log("info", "The certificate %s is valid until %s", certfile, cert.notafter and cert:notafter() or "later"); | |
| 41 end | 56 end |
| 42 -- TODO Maybe notify admins | |
| 43 end | 57 end |
| 44 end | 58 end |
| 45 | 59 |
| 46 module.load = check_certs_validity; | |
| 47 module:hook_global("config-reloaded", check_certs_validity); | 60 module:hook_global("config-reloaded", check_certs_validity); |
| 61 module:add_timer(1, function() | |
| 62 check_certs_validity(); | |
| 63 return math.random(14400, 86400); | |
| 64 end); |
