# HG changeset patch
# User Kim Alvefur
# Date 1351468011 -3600
# Node ID 1983d4d51e1a3b3fae5c845c0a1faa240ead9d36
# Parent 1c64ab8ae37436d1a23ec1274603d4a4c9154e12
mod_checkcerts: Improve, add comments, add forward compatibility.
diff -r 1c64ab8ae374 -r 1983d4d51e1a mod_checkcerts/mod_checkcerts.lua
--- a/mod_checkcerts/mod_checkcerts.lua Sat Oct 27 20:02:10 2012 +0200
+++ b/mod_checkcerts/mod_checkcerts.lua Mon Oct 29 00:46:51 2012 +0100
@@ -1,32 +1,45 @@ local ssl = require"ssl"; -if not ssl.cert_from_pem then - module:log("error", "This version of LuaSec (%s) doesn't support certificate checking", ssl._VERSION); +local load_cert = ssl.x509 and ssl.x509.load + or ssl.cert_from_pem; -- COMPAT mw/luasec-hg + +if not load_cert then + module:log("error", "This version of LuaSec (%s) does not support certificate checking", ssl._VERSION); return end local function check_certs_validity() + -- First, let's find out what certificate this host uses. local ssl_config = config.rawget(module.host, "core", "ssl"); if not ssl_config then local base_host = module.host:match("%.(.*)"); ssl_config = config.get(base_host, "core", "ssl"); end - if ssl.cert_from_pem and ssl_config.certificate then + if ssl_config.certificate then local certfile = ssl_config.certificate; local cert; - local fh, err = io.open(certfile); + + local fh = io.open(certfile); -- Load the file. cert = fh and fh:read"*a"; - cert = cert and ssl.cert_from_pem(cert); + fh:close(); + cert = cert and load_cert(cert); -- And parse if not cert then return end - fh:close(); + -- No error reporting, certmanager should complain already - if not cert:valid_at(os.time()) then + local now = os.time(); + local valid_at = cert.valid_at or cert.validat; + if not valid_at then return end -- Broken or uncommon LuaSec version? + + -- This might be wrong if the certificate has NotBefore in the future. + -- However this is unlikely to happen in the wild. + if not valid_at(cert, now) then module:log("warn", "The certificate %s has expired", certfile); - elseif not cert:valid_at(os.time()+86400*7) then + elseif not valid_at(cert, now+86400*7) then module:log("warn", "The certificate %s will expire this week", certfile); - elseif not cert:valid_at(os.time()+86400*30) then + elseif not valid_at(cert, now+86400*30) then module:log("info", "The certificate %s will expire later this month", certfile); end + -- TODO Maybe notify admins end end
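Review bot: The moved `fh:close();` now runs unconditionally right after `local fh = io.open(certfile)`, so a missing or unreadable certificate file makes `check_certs_validity` raise "attempt to index a nil value" instead of returning quietly as the old ordering did, where the close sat behind `if not cert then return end`. An unreadable cert is exactly the case this module exists to surface, so it should not turn into a runtime error in the caller. Guard the handle before using it: `local fh = io.open(certfile); -- Load the file.` then `if not fh then return end -- certmanager should already have complained` and `cert = fh:read"*a"; fh:close();`. The `cert and load_cert(cert)` line that follows can then stay as written; I am assuming the two trailing `end`s in the hunk close the `if` and the function, since the file's remaining lines are outside this hunk.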