changeset 1879:18123e0f5d58

mod_checkcerts: Improve logic for finding an ssl section with a certificate
author Kim Alvefur <zash@zash.se>
date Tue, 29 Sep 2015 14:53:16 +0200 (2015-09-29)
parents 7f96183a60ce
children a7c1f1b6ef05
files mod_checkcerts/mod_checkcerts.lua
diffstat 1 files changed, 35 insertions(+), 31 deletions(-) [+]
--- a/mod_checkcerts/mod_checkcerts.lua	Sun Sep 27 21:41:35 2015 +0200
+++ b/mod_checkcerts/mod_checkcerts.lua	Tue Sep 29 14:53:16 2015 +0200
@@ -38,42 +38,46 @@
 
 	-- First, let's find out what certificate this host uses.
 	local ssl_config = config.rawget(module.host, "ssl");
-	if not ssl_config then
-		local base_host = module.host:match("%.(.*)");
-		ssl_config = config.get(base_host, "ssl");
+	if not ssl_config or not ssl_config.certificate then
+		ssl_config = config.get(module.host:match("%.(.*)"), "ssl");
+	end
+	if not ssl_config or not ssl_config.certificate then
+		ssl_config = config.get("*", "ssl");
+	end
+	if not ssl_config or not ssl_config.certificate then
+		log("warn", "Could not find a certificate to check");
+		return;
 	end
 
-	if ssl_config and ssl_config.certificate then
-		local certfile = ssl_config.certificate;
-		local fh = io.open(certfile); -- Load the file.
-		cert = fh and fh:read"*a";
-		fh = fh and fh:close();
-		local cert = cert and load_cert(cert); -- And parse
+	local certfile = ssl_config.certificate;
+	local fh = io.open(certfile); -- Load the file.
+	cert = fh and fh:read"*a";
+	fh = fh and fh:close();
+	local cert = cert and load_cert(cert); -- And parse
 
-		if not cert then
-			module:log("warn", "No certificate configured for this host, please fix this and reload this module to check expiry");
-			return
+	if not cert then
+		module:log("warn", "No certificate configured for this host, please fix this and reload this module to check expiry");
+		return
+	end
+	local expires_at = parse_x509_datetime(cert:notafter());
+	local expires_in = os.difftime(expires_at, now);
+	local fmt =  "Certificate %s expires in %s"
+	local nag_admin = expires_in < nag_time;
+	local log_warn = expires_in < nag_time * 2;
+	local timediff = expires_in;
+	if expires_in < 0 then
+		fmt =  "Certificate %s expired %s ago";
+		timediff = -timediff;
+	end
+	timediff = humantime(timediff);
+	module:log(log_warn and "warn" or "info", fmt, certfile, timediff);
+	if nag_admin then
+		local body = fmt:format("for host ".. module.host, timediff);
+		for _,admin in ipairs(module:get_option_array("admins", {})) do
+			module:send(st.message({ from = module.host, to = admin, type = "chat" }, body));
 		end
-		local expires_at = parse_x509_datetime(cert:notafter());
-		local expires_in = os.difftime(expires_at, now);
-		local fmt =  "Certificate %s expires in %s"
-		local nag_admin = expires_in < nag_time;
-		local log_warn = expires_in < nag_time * 2;
-		local timediff = expires_in;
-		if expires_in < 0 then
-			fmt =  "Certificate %s expired %s ago";
-			timediff = -timediff;
-		end
-		timediff = humantime(timediff);
-		module:log(log_warn and "warn" or "info", fmt, certfile, timediff);
-		if nag_admin then
-			local body = fmt:format("for host ".. module.host, timediff);
-			for _,admin in ipairs(module:get_option_array("admins", {})) do
-				module:send(st.message({ from = module.host, to = admin, type = "chat" }, body));
-			end
-		end
-		return math.max(86400, expires_in / 3);
 	end
+	return math.max(86400, expires_in / 3);
 end
 
 module:add_timer(1, check_certs_validity);
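Review bot: The new fall-through branch calls bare `log("warn", ...)` where every other call in this hunk uses `module:log`; unless a `log` local is defined outside the hunk, this either raises inside the timer callback or logs outside the module's own logger, so I would write `module:log("warn", "Could not find a certificate to check");`. With the unconfigured case now handled there, the later `if not cert` branch is reached only when the file cannot be opened or parsed, yet it still reports "No certificate configured for this host" and drops the reason returned by `io.open`; `local fh, err = io.open(certfile);` plus a message naming `certfile` and `err` would tell the operator what to fix. Both early returns hand nothing back to the timer, which presumably means the expiry check is not rescheduled until the module is reloaded, so a transient read failure would silently end monitoring; a comment stating whether that is intended would help. The enclosing function starts above the hunk.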