# HG changeset patch
# User Kim Alvefur
# Date 1364438282 -3600
# Node ID a6c2345bcf87db3141871e0ac1d531230a8520d4
# Parent 80ede103d7a361ca54bb4862715a2ca953b2b87f
mod_checkcerts: Nag admins about certs that have, or are about to expire. Often.
diff -r 80ede103d7a3 -r a6c2345bcf87 mod_checkcerts/mod_checkcerts.lua
--- a/mod_checkcerts/mod_checkcerts.lua Wed Mar 27 13:29:38 2013 +0100
+++ b/mod_checkcerts/mod_checkcerts.lua Thu Mar 28 03:38:02 2013 +0100
@@ -1,13 +1,23 @@
 local ssl = require"ssl";
 local load_cert = ssl.x509 and ssl.x509.load or ssl.cert_from_pem; -- COMPAT mw/luasec-hg
+local st = require"util.stanza"
 if not load_cert then
 module:log("error", "This version of LuaSec (%s) does not support certificate checking", ssl._VERSION);
 return
 end
+local last_check = 0;
+
 local function check_certs_validity()
+local now = os.time();
+
+if last_check > now - 21600 then
+return
+else
+last_check = now;
+end
 -- First, let's find out what certificate this host uses.
 local ssl_config = config.rawget(module.host, "core", "ssl");
 if not ssl_config then
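Review bot: The new `last_check` throttle at the top of check_certs_validity also governs the `config-reloaded` hook, so an operator who installs a replacement certificate and reloads within 21600 seconds of the last run gets a silent early return and no fresh check until the timer fires again. Consider a bypass for the hook, e.g. `local function check_certs_validity(force)` and `if not force and last_check > now - 21600 then`; presumably the hook handler already receives an event table as its first argument, which would make that truthy without touching the registration, while the timer callback keeps calling it without arguments. The added `local st = require"util.stanza"` also drops the trailing `;` that every other statement in this file carries. The function body continues past the end of this hunk.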
@@ -26,22 +36,29 @@
 if not cert then return end -- No error reporting, certmanager should complain already
-local now = os.time();
 local valid_at = cert.valid_at or cert.validat;
 if not valid_at then return end -- Broken or uncommon LuaSec version?
 -- This might be wrong if the certificate has NotBefore in the future.
--- However this is unlikely to happen in the wild.
+-- However this is unlikely to happen with CA-issued certs in the wild.
 if not valid_at(cert, now) then
-module:log("warn", "The certificate %s has expired", certfile);
+module:log("error", "The certificate %s has expired", certfile);
+module:send(st.message({from=module.host,to=admin,type="chat"},("Certificate for host %s has expired!"):format(module.host)));
 elseif not valid_at(cert, now+86400*7) then
 module:log("warn", "The certificate %s will expire this week", certfile);
+for _,admin in ipairs(module:get_option_array("admins", {})) do
+module:send(st.message({from=module.host,to=admin,type="chat"},("Certificate for host %s is about to expire!"):format(module.host)));
+end
 elseif not valid_at(cert, now+86400*30) then
-module:log("info", "The certificate %s will expire later this month", certfile);
+module:log("warn", "The certificate %s will expire later this month", certfile);
+else
+module:log("info", "The certificate %s is valid until %s", certfile, cert.notafter and cert:notafter() or "later");
 end
--- TODO Maybe notify admins
 end
 end
-module.load = check_certs_validity;
 module:hook_global("config-reloaded", check_certs_validity);
+module:add_timer(1, function()
+check_certs_validity();
+return math.random(14400, 86400);
+end);
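Review bot: In the expired branch the added `module:send(st.message({from=module.host,to=admin,type="chat"}, …))` reads `admin` outside any loop, so it is an undeclared global that is `nil` there and the stanza is built with no `to`; the most severe condition is exactly the one whose notification never reaches an admin. Only the week-before branch has the `for _,admin in ipairs(module:get_option_array("admins", {})) do … end` loop. Wrap the expired-branch send in the same loop, `for _,admin in ipairs(module:get_option_array("admins", {})) do` / `module:send(...)` / `end`, or hoist the admin list into a local above the `if` and iterate it in both branches; luacheck would flag the stray global read. check_certs_validity's body starts before this hunk.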