view mod_checkcerts/mod_checkcerts.lua @ 855:1983d4d51e1a

mod_checkcerts: Improve, add comments, add forward compatibility.
author Kim Alvefur <>
date Mon, 29 Oct 2012 00:46:51 +0100
parents ea9941812721
children a6c2345bcf87
line wrap: on
line source

local ssl = require"ssl";
local load_cert = ssl.x509 and ssl.x509.load
	or ssl.cert_from_pem; -- COMPAT mw/luasec-hg

if not load_cert then
	module:log("error", "This version of LuaSec (%s) does not support certificate checking", ssl._VERSION);

local function check_certs_validity()
	-- First, let's find out what certificate this host uses.
	local ssl_config = config.rawget(, "core", "ssl");
	if not ssl_config then
		local base_host ="%.(.*)");
		ssl_config = config.get(base_host, "core", "ssl");

	if ssl_config.certificate then
		local certfile = ssl_config.certificate;
		local cert;

		local fh =; -- Load the file.
		cert = fh and fh:read"*a";
		cert = cert and load_cert(cert); -- And parse
		if not cert then return end
		-- No error reporting, certmanager should complain already

		local now = os.time();
		local valid_at = cert.valid_at or cert.validat;
		if not valid_at then return end -- Broken or uncommon LuaSec version?

		-- This might be wrong if the certificate has NotBefore in the future.
		-- However this is unlikely to happen in the wild.
		if not valid_at(cert, now) then
			module:log("warn", "The certificate %s has expired", certfile);
		elseif not valid_at(cert, now+86400*7) then
			module:log("warn", "The certificate %s will expire this week", certfile);
		elseif not valid_at(cert, now+86400*30) then
			module:log("info", "The certificate %s will expire later this month", certfile);
		-- TODO Maybe notify admins

module.load = check_certs_validity;
module:hook_global("config-reloaded", check_certs_validity);