author | Kim Alvefur <zash@zash.se> |
Mon, 29 Oct 2012 00:46:51 +0100 | |
changeset 855 | 1983d4d51e1a |
parent 667 | ea9941812721 |
child 941 | a6c2345bcf87 |
permissions | -rw-r--r-- |
667
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
1 |
local ssl = require"ssl"; |
855
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
2 |
local load_cert = ssl.x509 and ssl.x509.load |
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
3 |
or ssl.cert_from_pem; -- COMPAT mw/luasec-hg |
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
4 |
|
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
5 |
if not load_cert then |
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
6 |
module:log("error", "This version of LuaSec (%s) does not support certificate checking", ssl._VERSION); |
667
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
7 |
return |
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
8 |
end |
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
9 |
|
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
10 |
local function check_certs_validity() |
855
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
11 |
-- First, let's find out what certificate this host uses. |
667
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
12 |
local ssl_config = config.rawget(module.host, "core", "ssl"); |
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
13 |
if not ssl_config then |
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
14 |
local base_host = module.host:match("%.(.*)"); |
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
15 |
ssl_config = config.get(base_host, "core", "ssl"); |
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
16 |
end |
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
17 |
|
855
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
18 |
if ssl_config.certificate then |
667
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
19 |
local certfile = ssl_config.certificate; |
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
20 |
local cert; |
855
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
21 |
|
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
22 |
local fh = io.open(certfile); -- Load the file. |
667
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
23 |
cert = fh and fh:read"*a"; |
855
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
24 |
fh:close(); |
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
25 |
cert = cert and load_cert(cert); -- And parse |
667
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
26 |
if not cert then return end |
855
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
27 |
-- No error reporting, certmanager should complain already |
667
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
28 |
|
855
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
29 |
local now = os.time(); |
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
30 |
local valid_at = cert.valid_at or cert.validat; |
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
31 |
if not valid_at then return end -- Broken or uncommon LuaSec version? |
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
32 |
|
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
33 |
-- This might be wrong if the certificate has NotBefore in the future. |
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
34 |
-- However this is unlikely to happen in the wild. |
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
35 |
if not valid_at(cert, now) then |
667
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
36 |
module:log("warn", "The certificate %s has expired", certfile); |
855
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
37 |
elseif not valid_at(cert, now+86400*7) then |
667
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
38 |
module:log("warn", "The certificate %s will expire this week", certfile); |
855
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
39 |
elseif not valid_at(cert, now+86400*30) then |
667
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
40 |
module:log("info", "The certificate %s will expire later this month", certfile); |
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
41 |
end |
855
1983d4d51e1a
mod_checkcerts: Improve, add comments, add forward compatibility.
Kim Alvefur <zash@zash.se>
parents:
667
diff
changeset
|
42 |
-- TODO Maybe notify admins |
667
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
43 |
end |
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
44 |
end |
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
45 |
|
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
46 |
module.load = check_certs_validity; |
ea9941812721
mod_checkcerts: New module that logs a warning when your cert is about to expire.
Kim Alvefur <zash@zash.se>
parents:
diff
changeset
|
47 |
module:hook_global("config-reloaded", check_certs_validity); |