# HG changeset patch # User Kim Alvefur # Date 1443531196 -7200 # Node ID 18123e0f5d589716363e66c5198cbc0bb7818f47 # Parent 7f96183a60ce2193222bb61903cfe52aa93acfa5 mod_checkcerts: Improve logic for finding an ssl section with a certificate diff -r 7f96183a60ce -r 18123e0f5d58 mod_checkcerts/mod_checkcerts.lua --- a/mod_checkcerts/mod_checkcerts.lua Sun Sep 27 21:41:35 2015 +0200 +++ b/mod_checkcerts/mod_checkcerts.lua Tue Sep 29 14:53:16 2015 +0200 @@ -38,42 +38,46 @@ -- First, let's find out what certificate this host uses. local ssl_config = config.rawget(module.host, "ssl"); - if not ssl_config then - local base_host = module.host:match("%.(.*)"); - ssl_config = config.get(base_host, "ssl"); + if not ssl_config or not ssl_config.certificate then + ssl_config = config.get(module.host:match("%.(.*)"), "ssl"); + end + if not ssl_config or not ssl_config.certificate then + ssl_config = config.get("*", "ssl"); + end + if not ssl_config or not ssl_config.certificate then + log("warn", "Could not find a certificate to check"); + return; end - if ssl_config and ssl_config.certificate then - local certfile = ssl_config.certificate; - local fh = io.open(certfile); -- Load the file. - cert = fh and fh:read"*a"; - fh = fh and fh:close(); - local cert = cert and load_cert(cert); -- And parse + local certfile = ssl_config.certificate; + local fh = io.open(certfile); -- Load the file. + cert = fh and fh:read"*a"; + fh = fh and fh:close(); + local cert = cert and load_cert(cert); -- And parse - if not cert then - module:log("warn", "No certificate configured for this host, please fix this and reload this module to check expiry"); - return + if not cert then + module:log("warn", "No certificate configured for this host, please fix this and reload this module to check expiry"); + return + end + local expires_at = parse_x509_datetime(cert:notafter()); + local expires_in = os.difftime(expires_at, now); + local fmt = "Certificate %s expires in %s" + local nag_admin = expires_in < nag_time; + local log_warn = expires_in < nag_time * 2; + local timediff = expires_in; + if expires_in < 0 then + fmt = "Certificate %s expired %s ago"; + timediff = -timediff; + end + timediff = humantime(timediff); + module:log(log_warn and "warn" or "info", fmt, certfile, timediff); + if nag_admin then + local body = fmt:format("for host ".. module.host, timediff); + for _,admin in ipairs(module:get_option_array("admins", {})) do + module:send(st.message({ from = module.host, to = admin, type = "chat" }, body)); end - local expires_at = parse_x509_datetime(cert:notafter()); - local expires_in = os.difftime(expires_at, now); - local fmt = "Certificate %s expires in %s" - local nag_admin = expires_in < nag_time; - local log_warn = expires_in < nag_time * 2; - local timediff = expires_in; - if expires_in < 0 then - fmt = "Certificate %s expired %s ago"; - timediff = -timediff; - end - timediff = humantime(timediff); - module:log(log_warn and "warn" or "info", fmt, certfile, timediff); - if nag_admin then - local body = fmt:format("for host ".. module.host, timediff); - for _,admin in ipairs(module:get_option_array("admins", {})) do - module:send(st.message({ from = module.host, to = admin, type = "chat" }, body)); - end - end - return math.max(86400, expires_in / 3); end + return math.max(86400, expires_in / 3); end module:add_timer(1, check_certs_validity);