Mercurial > prosody-modules

comparison mod_checkcerts/mod_checkcerts.lua @ 1879:18123e0f5d58

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
mod_checkcerts: Improve logic for finding an ssl section with a certificate
author Kim Alvefur <zash@zash.se>
date Tue, 29 Sep 2015 14:53:16 +0200
parents d9fcf9d8e787
children a7c1f1b6ef05
comparison
equal deleted inserted replaced
1878:7f96183a60ce 1879:18123e0f5d58
36 local function check_certs_validity() 36 local function check_certs_validity()
37 local now = os.time(); 37 local now = os.time();
38 38
39 -- First, let's find out what certificate this host uses. 39 -- First, let's find out what certificate this host uses.
40 local ssl_config = config.rawget(module.host, "ssl"); 40 local ssl_config = config.rawget(module.host, "ssl");
41 if not ssl_config then 41 if not ssl_config or not ssl_config.certificate then
42 local base_host = module.host:match("%.(.*)"); 42 ssl_config = config.get(module.host:match("%.(.*)"), "ssl");
43 ssl_config = config.get(base_host, "ssl"); 43 end
44 if not ssl_config or not ssl_config.certificate then
45 ssl_config = config.get("*", "ssl");
46 end
47 if not ssl_config or not ssl_config.certificate then
48 log("warn", "Could not find a certificate to check");
49 return;
44 end 50 end
45 51
46 if ssl_config and ssl_config.certificate then 52 local certfile = ssl_config.certificate;
47 local certfile = ssl_config.certificate; 53 local fh = io.open(certfile); -- Load the file.
48 local fh = io.open(certfile); -- Load the file. 54 cert = fh and fh:read"*a";
49 cert = fh and fh:read"*a"; 55 fh = fh and fh:close();
50 fh = fh and fh:close(); 56 local cert = cert and load_cert(cert); -- And parse
51 local cert = cert and load_cert(cert); -- And parse
52 57
53 if not cert then 58 if not cert then
54 module:log("warn", "No certificate configured for this host, please fix this and reload this module to check expiry"); 59 module:log("warn", "No certificate configured for this host, please fix this and reload this module to check expiry");
55 return 60 return
61 end
62 local expires_at = parse_x509_datetime(cert:notafter());
63 local expires_in = os.difftime(expires_at, now);
64 local fmt = "Certificate %s expires in %s"
65 local nag_admin = expires_in < nag_time;
66 local log_warn = expires_in < nag_time * 2;
67 local timediff = expires_in;
68 if expires_in < 0 then
69 fmt = "Certificate %s expired %s ago";
70 timediff = -timediff;
71 end
72 timediff = humantime(timediff);
73 module:log(log_warn and "warn" or "info", fmt, certfile, timediff);
74 if nag_admin then
75 local body = fmt:format("for host ".. module.host, timediff);
76 for _,admin in ipairs(module:get_option_array("admins", {})) do
77 module:send(st.message({ from = module.host, to = admin, type = "chat" }, body));
56 end 78 end
57 local expires_at = parse_x509_datetime(cert:notafter());
58 local expires_in = os.difftime(expires_at, now);
59 local fmt = "Certificate %s expires in %s"
60 local nag_admin = expires_in < nag_time;
61 local log_warn = expires_in < nag_time * 2;
62 local timediff = expires_in;
63 if expires_in < 0 then
64 fmt = "Certificate %s expired %s ago";
65 timediff = -timediff;
66 end
67 timediff = humantime(timediff);
68 module:log(log_warn and "warn" or "info", fmt, certfile, timediff);
69 if nag_admin then
70 local body = fmt:format("for host ".. module.host, timediff);
71 for _,admin in ipairs(module:get_option_array("admins", {})) do
72 module:send(st.message({ from = module.host, to = admin, type = "chat" }, body));
73 end
74 end
75 return math.max(86400, expires_in / 3);
76 end 79 end
80 return math.max(86400, expires_in / 3);
77 end 81 end
78 82
79 module:add_timer(1, check_certs_validity); 83 module:add_timer(1, check_certs_validity);