comparison mod_checkcerts/mod_checkcerts.lua @ 941:a6c2345bcf87

mod_checkcerts: Nag admins about certs that have, or are about to expire. Often.
author Kim Alvefur <zash@zash.se>
date Thu, 28 Mar 2013 03:38:02 +0100
parents 1983d4d51e1a
children a8203db13ca2
940:80ede103d7a3 941:a6c2345bcf87
1 local ssl = require"ssl"; 1 local ssl = require"ssl";
2 local load_cert = ssl.x509 and ssl.x509.load 2 local load_cert = ssl.x509 and ssl.x509.load
3 or ssl.cert_from_pem; -- COMPAT mw/luasec-hg 3 or ssl.cert_from_pem; -- COMPAT mw/luasec-hg
4 local st = require"util.stanza"
4 5
5 if not load_cert then 6 if not load_cert then
6 module:log("error", "This version of LuaSec (%s) does not support certificate checking", ssl._VERSION); 7 module:log("error", "This version of LuaSec (%s) does not support certificate checking", ssl._VERSION);
7 return 8 return
8 end 9 end
9 10
11 local last_check = 0;
12
10 local function check_certs_validity() 13 local function check_certs_validity()
14 local now = os.time();
15
16 if last_check > now - 21600 then
17 return
18 else
19 last_check = now;
20 end
11 -- First, let's find out what certificate this host uses. 21 -- First, let's find out what certificate this host uses.
12 local ssl_config = config.rawget(module.host, "core", "ssl"); 22 local ssl_config = config.rawget(module.host, "core", "ssl");
13 if not ssl_config then 23 if not ssl_config then
14 local base_host = module.host:match("%.(.*)"); 24 local base_host = module.host:match("%.(.*)");
15 ssl_config = config.get(base_host, "core", "ssl"); 25 ssl_config = config.get(base_host, "core", "ssl");
24 fh:close(); 34 fh:close();
25 cert = cert and load_cert(cert); -- And parse 35 cert = cert and load_cert(cert); -- And parse
26 if not cert then return end 36 if not cert then return end
27 -- No error reporting, certmanager should complain already 37 -- No error reporting, certmanager should complain already
28 38
29 local now = os.time();
30 local valid_at = cert.valid_at or cert.validat; 39 local valid_at = cert.valid_at or cert.validat;
31 if not valid_at then return end -- Broken or uncommon LuaSec version? 40 if not valid_at then return end -- Broken or uncommon LuaSec version?
32 41
33 -- This might be wrong if the certificate has NotBefore in the future. 42 -- This might be wrong if the certificate has NotBefore in the future.
34 -- However this is unlikely to happen in the wild. 43 -- However this is unlikely to happen with CA-issued certs in the wild.
35 if not valid_at(cert, now) then 44 if not valid_at(cert, now) then
36 module:log("warn", "The certificate %s has expired", certfile); 45 module:log("error", "The certificate %s has expired", certfile);
46 module:send(st.message({from=module.host,to=admin,type="chat"},("Certificate for host %s has expired!"):format(module.host)));
37 elseif not valid_at(cert, now+86400*7) then 47 elseif not valid_at(cert, now+86400*7) then
38 module:log("warn", "The certificate %s will expire this week", certfile); 48 module:log("warn", "The certificate %s will expire this week", certfile);
49 for _,admin in ipairs(module:get_option_array("admins", {})) do
50 module:send(st.message({from=module.host,to=admin,type="chat"},("Certificate for host %s is about to expire!"):format(module.host)));
51 end
39 elseif not valid_at(cert, now+86400*30) then 52 elseif not valid_at(cert, now+86400*30) then
40 module:log("info", "The certificate %s will expire later this month", certfile); 53 module:log("warn", "The certificate %s will expire later this month", certfile);
54 else
55 module:log("info", "The certificate %s is valid until %s", certfile, cert.notafter and cert:notafter() or "later");
41 end 56 end
42 -- TODO Maybe notify admins
43 end 57 end
44 end 58 end
45 59
46 module.load = check_certs_validity;
47 module:hook_global("config-reloaded", check_certs_validity); 60 module:hook_global("config-reloaded", check_certs_validity);
61 module:add_timer(1, function()
62 check_certs_validity();
63 return math.random(14400, 86400);
64 end);
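Review bot: The "has expired" branch at new line 46 sends the admin notice with `to=admin`, but `admin` is only bound by the `for _,admin in ipairs(...)` loop added in the `elseif` branch on new lines 49–51; at line 46 it resolves to an undeclared global, so the stanza is built with a nil recipient (or errors, depending on the stanza API) and the most important alert never reaches anyone. Wrap it in the same loop: `for _,admin in ipairs(module:get_option_array("admins", {})) do` / `module:send(st.message({from=module.host,to=admin,type="chat"},("Certificate for host %s has expired!"):format(module.host)));` / `end`. Since both branches then repeat the loop and stanza construction, a small local `notify_admins(text)` helper defined above `check_certs_validity` would keep them in step and make it harder to reintroduce this mismatch. Note that new lines 26–33 (the certfile lookup between the `ssl_config` fallback and `fh:close()`) are not shown in this comparison, so the enclosing function is only partially visible here.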