diff mod_checkcerts/mod_checkcerts.lua @ 941:a6c2345bcf87

mod_checkcerts: Nag admins about certs that have, or are about to expire. Often.
author Kim Alvefur <zash@zash.se>
date Thu, 28 Mar 2013 03:38:02 +0100
parents 1983d4d51e1a
children a8203db13ca2
--- a/mod_checkcerts/mod_checkcerts.lua	Wed Mar 27 13:29:38 2013 +0100
+++ b/mod_checkcerts/mod_checkcerts.lua	Thu Mar 28 03:38:02 2013 +0100
@@ -1,13 +1,23 @@
 local ssl = require"ssl";
 local load_cert = ssl.x509 and ssl.x509.load
 	or ssl.cert_from_pem; -- COMPAT mw/luasec-hg
+local st = require"util.stanza"
 
 if not load_cert then
 	module:log("error", "This version of LuaSec (%s) does not support certificate checking", ssl._VERSION);
 	return
 end
 
+local last_check = 0;
+
 local function check_certs_validity()
+	local now = os.time();
+
+	if last_check > now - 21600 then
+		return
+	else
+		last_check = now;
+	end
 	-- First, let's find out what certificate this host uses.
 	local ssl_config = config.rawget(module.host, "core", "ssl");
 	if not ssl_config then
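Review bot: The early return added on the `last_check` line also throttles the `config-reloaded` hook that the file still registers at the end of the next hunk, so an admin who installs a replacement certificate and reloads within six hours of the previous check gets neither a re-check nor the "valid until" log line until the random timer fires. If the hook is meant to be an immediate re-check, reset the throttle there, e.g. `module:hook_global("config-reloaded", function() last_check = 0; return check_certs_validity(); end);`, leaving only the timer path throttled. The `else` after the `return` is unnecessary; `last_check = now;` can follow the `if … end` directly, and the bare `21600` would read better as a named local such as `local check_interval = 6*3600;`. check_certs_validity's body continues into the next hunk.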
@@ -26,22 +36,29 @@
 		if not cert then return end
 		-- No error reporting, certmanager should complain already
 
-		local now = os.time();
 		local valid_at = cert.valid_at or cert.validat;
 		if not valid_at then return end -- Broken or uncommon LuaSec version?
 
 		-- This might be wrong if the certificate has NotBefore in the future.
-		-- However this is unlikely to happen in the wild.
+		-- However this is unlikely to happen with CA-issued certs in the wild.
 		if not valid_at(cert, now) then
-			module:log("warn", "The certificate %s has expired", certfile);
+			module:log("error", "The certificate %s has expired", certfile);
+			module:send(st.message({from=module.host,to=admin,type="chat"},("Certificate for host %s has expired!"):format(module.host)));
 		elseif not valid_at(cert, now+86400*7) then
 			module:log("warn", "The certificate %s will expire this week", certfile);
+			for _,admin in ipairs(module:get_option_array("admins", {})) do
+				module:send(st.message({from=module.host,to=admin,type="chat"},("Certificate for host %s is about to expire!"):format(module.host)));
+			end
 		elseif not valid_at(cert, now+86400*30) then
-			module:log("info", "The certificate %s will expire later this month", certfile);
+			module:log("warn", "The certificate %s will expire later this month", certfile);
+		else
+			module:log("info", "The certificate %s is valid until %s", certfile, cert.notafter and cert:notafter() or "later");
 		end
-		-- TODO Maybe notify admins
 	end
 end
 
-module.load = check_certs_validity;
 module:hook_global("config-reloaded", check_certs_validity);
+module:add_timer(1, function()
+	check_certs_validity();
+	return math.random(14400, 86400);
+end);
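Review bot: In the expired branch the notification is built with `to=admin`, but `admin` is not defined there — it is only the loop variable of the `for _,admin in ipairs(...)` loop in the one-week branch below — so it resolves to a nil global and the most serious case, an already-expired certificate, is never delivered to any admin (luacheck would flag the undefined global read). Wrap that `module:send` in the same `for _, admin in ipairs(module:get_option_array("admins", {})) do … end` loop, or hoist the admin list and a small `local function notify_admins(text)` helper above the branches so every branch uses it. The month-ahead branch only logs a warning and sends nothing; if the intent is to nag, it presumably wants the same helper with its own message. The enclosing function check_certs_validity starts in the previous hunk, outside this one.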