Mercurial > prosody-modules
annotate mod_checkcerts/mod_checkcerts.lua @ 1011:9466efd10af9
mod_isolate_host: Prevent communication between hosts, even internal ones
author | Matthew Wild <mwild1@gmail.com> |
---|---|
date | Tue, 14 May 2013 16:25:59 +0100 |
parents | a8203db13ca2 |
children | cbbeac61f1ab |
rev | line source |
---|---|
667
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 local ssl = require"ssl"; |
855
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
2 local load_cert = ssl.x509 and ssl.x509.load |
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
3 or ssl.cert_from_pem; -- COMPAT mw/luasec-hg |
941
a6c2345bcf87
mod_checkcerts: Nag admins about certs that have, or are about to expire. Often.
Kim Alvefur <zash@zash.se>
parents:
855
diff
changeset
|
4 local st = require"util.stanza" |
855
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
5 |
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
6 if not load_cert then |
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
7 module:log("error", "This version of LuaSec (%s) does not support certificate checking", ssl._VERSION); |
667
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 return |
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 end |
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 |
941
a6c2345bcf87
mod_checkcerts: Nag admins about certs that have, or are about to expire. Often.
Kim Alvefur <zash@zash.se>
parents:
855
diff
changeset
|
11 local last_check = 0; |
a6c2345bcf87
mod_checkcerts: Nag admins about certs that have, or are about to expire. Often.
Kim Alvefur <zash@zash.se>
parents:
855
diff
changeset
|
12 |
667
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
13 local function check_certs_validity() |
941
a6c2345bcf87
mod_checkcerts: Nag admins about certs that have, or are about to expire. Often.
Kim Alvefur <zash@zash.se>
parents:
855
diff
changeset
|
14 local now = os.time(); |
a6c2345bcf87
mod_checkcerts: Nag admins about certs that have, or are about to expire. Often.
Kim Alvefur <zash@zash.se>
parents:
855
diff
changeset
|
15 |
a6c2345bcf87
mod_checkcerts: Nag admins about certs that have, or are about to expire. Often.
Kim Alvefur <zash@zash.se>
parents:
855
diff
changeset
|
16 if last_check > now - 21600 then |
a6c2345bcf87
mod_checkcerts: Nag admins about certs that have, or are about to expire. Often.
Kim Alvefur <zash@zash.se>
parents:
855
diff
changeset
|
17 return |
a6c2345bcf87
mod_checkcerts: Nag admins about certs that have, or are about to expire. Often.
Kim Alvefur <zash@zash.se>
parents:
855
diff
changeset
|
18 else |
a6c2345bcf87
mod_checkcerts: Nag admins about certs that have, or are about to expire. Often.
Kim Alvefur <zash@zash.se>
parents:
855
diff
changeset
|
19 last_check = now; |
a6c2345bcf87
mod_checkcerts: Nag admins about certs that have, or are about to expire. Often.
Kim Alvefur <zash@zash.se>
parents:
855
diff
changeset
|
20 end |
855
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
21 -- First, let's find out what certificate this host uses. |
667
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
22 local ssl_config = config.rawget(module.host, "core", "ssl"); |
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
23 if not ssl_config then |
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
24 local base_host = module.host:match("%.(.*)"); |
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
25 ssl_config = config.get(base_host, "core", "ssl"); |
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
26 end |
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
27 |
855
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
28 if ssl_config.certificate then |
667
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
29 local certfile = ssl_config.certificate; |
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
30 local cert; |
855
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
31 |
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
32 local fh = io.open(certfile); -- Load the file. |
667
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
33 cert = fh and fh:read"*a"; |
855
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
34 fh:close(); |
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
35 cert = cert and load_cert(cert); -- And parse |
667
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
36 if not cert then return end |
855
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
37 -- No error reporting, certmanager should complain already |
667
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
38 |
855
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
39 local valid_at = cert.valid_at or cert.validat; |
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
40 if not valid_at then return end -- Broken or uncommon LuaSec version? |
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
41 |
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
42 -- This might be wrong if the certificate has NotBefore in the future. |
941
a6c2345bcf87
mod_checkcerts: Nag admins about certs that have, or are about to expire. Often.
Kim Alvefur <zash@zash.se>
parents:
855
diff
changeset
|
43 -- However this is unlikely to happen with CA-issued certs in the wild. |
943
a8203db13ca2
mod_checkcerts: Modify wording a bit.
Kim Alvefur <zash@zash.se>
parents:
941
diff
changeset
|
44 local notafter = cert.notafter and cert:notafter(); |
855
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
45 if not valid_at(cert, now) then |
941
a6c2345bcf87
mod_checkcerts: Nag admins about certs that have, or are about to expire. Often.
Kim Alvefur <zash@zash.se>
parents:
855
diff
changeset
|
46 module:log("error", "The certificate %s has expired", certfile); |
a6c2345bcf87
mod_checkcerts: Nag admins about certs that have, or are about to expire. Often.
Kim Alvefur <zash@zash.se>
parents:
855
diff
changeset
|
47 module:send(st.message({from=module.host,to=admin,type="chat"},("Certificate for host %s has expired!"):format(module.host))); |
855
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
48 elseif not valid_at(cert, now+86400*7) then |
943
a8203db13ca2
mod_checkcerts: Modify wording a bit.
Kim Alvefur <zash@zash.se>
parents:
941
diff
changeset
|
49 module:log("warn", "The certificate %s will expire %s", certfile, notafter or "this week"); |
941
a6c2345bcf87
mod_checkcerts: Nag admins about certs that have, or are about to expire. Often.
Kim Alvefur <zash@zash.se>
parents:
855
diff
changeset
|
50 for _,admin in ipairs(module:get_option_array("admins", {})) do |
943
a8203db13ca2
mod_checkcerts: Modify wording a bit.
Kim Alvefur <zash@zash.se>
parents:
941
diff
changeset
|
51 module:send(st.message({from=module.host,to=admin,type="chat"},("Certificate for host %s will expire %s!"):format(module.host, notafter or "this week"))); |
941
a6c2345bcf87
mod_checkcerts: Nag admins about certs that have, or are about to expire. Often.
Kim Alvefur <zash@zash.se>
parents:
855
diff
changeset
|
52 end |
855
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
53 elseif not valid_at(cert, now+86400*30) then |
941
a6c2345bcf87
mod_checkcerts: Nag admins about certs that have, or are about to expire. Often.
Kim Alvefur <zash@zash.se>
parents:
855
diff
changeset
|
54 module:log("warn", "The certificate %s will expire later this month", certfile); |
a6c2345bcf87
mod_checkcerts: Nag admins about certs that have, or are about to expire. Often.
Kim Alvefur <zash@zash.se>
parents:
855
diff
changeset
|
55 else |
943
a8203db13ca2
mod_checkcerts: Modify wording a bit.
Kim Alvefur <zash@zash.se>
parents:
941
diff
changeset
|
56 module:log("info", "The certificate %s is valid until %s", certfile, notafter or "later"); |
667
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
57 end |
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
58 end |
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
59 end |
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
60 |
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
61 module:hook_global("config-reloaded", check_certs_validity); |
941
a6c2345bcf87
mod_checkcerts: Nag admins about certs that have, or are about to expire. Often.
Kim Alvefur <zash@zash.se>
parents:
855
diff
changeset
|
62 module:add_timer(1, function() |
a6c2345bcf87
mod_checkcerts: Nag admins about certs that have, or are about to expire. Often.
Kim Alvefur <zash@zash.se>
parents:
855
diff
changeset
|
63 check_certs_validity(); |
a6c2345bcf87
mod_checkcerts: Nag admins about certs that have, or are about to expire. Often.
Kim Alvefur <zash@zash.se>
parents:
855
diff
changeset
|
64 return math.random(14400, 86400); |
a6c2345bcf87
mod_checkcerts: Nag admins about certs that have, or are about to expire. Often.
Kim Alvefur <zash@zash.se>
parents:
855
diff
changeset
|
65 end); |