prosody-modules: mod_checkcerts/mod_checkcerts.lua@1983d4d51e1a (annotated)

667 ea9941812721 mod_checkcerts: New module that logs a warning when your cert is about to expire. Kim Alvefur <zash@zash.se> parents: diff changeset	1	local ssl = require"ssl";
855 1983d4d51e1a mod_checkcerts: Improve, add comments, add forward compatibility. Kim Alvefur <zash@zash.se> parents: 667 diff changeset	2	local load_cert = ssl.x509 and ssl.x509.load
1983d4d51e1a mod_checkcerts: Improve, add comments, add forward compatibility. Kim Alvefur <zash@zash.se> parents: 667 diff changeset	3	or ssl.cert_from_pem; -- COMPAT mw/luasec-hg
1983d4d51e1a mod_checkcerts: Improve, add comments, add forward compatibility. Kim Alvefur <zash@zash.se> parents: 667 diff changeset	4
1983d4d51e1a mod_checkcerts: Improve, add comments, add forward compatibility. Kim Alvefur <zash@zash.se> parents: 667 diff changeset	5	if not load_cert then
1983d4d51e1a mod_checkcerts: Improve, add comments, add forward compatibility. Kim Alvefur <zash@zash.se> parents: 667 diff changeset	6	module:log("error", "This version of LuaSec (%s) does not support certificate checking", ssl._VERSION);
667 ea9941812721 mod_checkcerts: New module that logs a warning when your cert is about to expire. Kim Alvefur <zash@zash.se> parents: diff changeset	7	return
ea9941812721 mod_checkcerts: New module that logs a warning when your cert is about to expire. Kim Alvefur <zash@zash.se> parents: diff changeset	8	end
ea9941812721 mod_checkcerts: New module that logs a warning when your cert is about to expire. Kim Alvefur <zash@zash.se> parents: diff changeset	9
ea9941812721 mod_checkcerts: New module that logs a warning when your cert is about to expire. Kim Alvefur <zash@zash.se> parents: diff changeset	10	local function check_certs_validity()
855 1983d4d51e1a mod_checkcerts: Improve, add comments, add forward compatibility. Kim Alvefur <zash@zash.se> parents: 667 diff changeset	11	-- First, let's find out what certificate this host uses.
667 ea9941812721 mod_checkcerts: New module that logs a warning when your cert is about to expire. Kim Alvefur <zash@zash.se> parents: diff changeset	12	local ssl_config = config.rawget(module.host, "core", "ssl");
ea9941812721 mod_checkcerts: New module that logs a warning when your cert is about to expire. Kim Alvefur <zash@zash.se> parents: diff changeset	13	if not ssl_config then
ea9941812721 mod_checkcerts: New module that logs a warning when your cert is about to expire. Kim Alvefur <zash@zash.se> parents: diff changeset	14	local base_host = module.host:match("%.(.*)");
ea9941812721 mod_checkcerts: New module that logs a warning when your cert is about to expire. Kim Alvefur <zash@zash.se> parents: diff changeset	15	ssl_config = config.get(base_host, "core", "ssl");
ea9941812721 mod_checkcerts: New module that logs a warning when your cert is about to expire. Kim Alvefur <zash@zash.se> parents: diff changeset	16	end
ea9941812721 mod_checkcerts: New module that logs a warning when your cert is about to expire. Kim Alvefur <zash@zash.se> parents: diff changeset	17
855 1983d4d51e1a mod_checkcerts: Improve, add comments, add forward compatibility. Kim Alvefur <zash@zash.se> parents: 667 diff changeset	18	if ssl_config.certificate then
667 ea9941812721 mod_checkcerts: New module that logs a warning when your cert is about to expire. Kim Alvefur <zash@zash.se> parents: diff changeset	19	local certfile = ssl_config.certificate;
ea9941812721 mod_checkcerts: New module that logs a warning when your cert is about to expire. Kim Alvefur <zash@zash.se> parents: diff changeset	20	local cert;
855 1983d4d51e1a mod_checkcerts: Improve, add comments, add forward compatibility. Kim Alvefur <zash@zash.se> parents: 667 diff changeset	21
1983d4d51e1a mod_checkcerts: Improve, add comments, add forward compatibility. Kim Alvefur <zash@zash.se> parents: 667 diff changeset	22	local fh = io.open(certfile); -- Load the file.
667 ea9941812721 mod_checkcerts: New module that logs a warning when your cert is about to expire. Kim Alvefur <zash@zash.se> parents: diff changeset	23	cert = fh and fh:read"*a";
855 1983d4d51e1a mod_checkcerts: Improve, add comments, add forward compatibility. Kim Alvefur <zash@zash.se> parents: 667 diff changeset	24	fh:close();
1983d4d51e1a mod_checkcerts: Improve, add comments, add forward compatibility. Kim Alvefur <zash@zash.se> parents: 667 diff changeset	25	cert = cert and load_cert(cert); -- And parse
667 ea9941812721 mod_checkcerts: New module that logs a warning when your cert is about to expire. Kim Alvefur <zash@zash.se> parents: diff changeset	26	if not cert then return end
855 1983d4d51e1a mod_checkcerts: Improve, add comments, add forward compatibility. Kim Alvefur <zash@zash.se> parents: 667 diff changeset	27	-- No error reporting, certmanager should complain already
667 ea9941812721 mod_checkcerts: New module that logs a warning when your cert is about to expire. Kim Alvefur <zash@zash.se> parents: diff changeset	28
855 1983d4d51e1a mod_checkcerts: Improve, add comments, add forward compatibility. Kim Alvefur <zash@zash.se> parents: 667 diff changeset	29	local now = os.time();
1983d4d51e1a mod_checkcerts: Improve, add comments, add forward compatibility. Kim Alvefur <zash@zash.se> parents: 667 diff changeset	30	local valid_at = cert.valid_at or cert.validat;
1983d4d51e1a mod_checkcerts: Improve, add comments, add forward compatibility. Kim Alvefur <zash@zash.se> parents: 667 diff changeset	31	if not valid_at then return end -- Broken or uncommon LuaSec version?
1983d4d51e1a mod_checkcerts: Improve, add comments, add forward compatibility. Kim Alvefur <zash@zash.se> parents: 667 diff changeset	32
1983d4d51e1a mod_checkcerts: Improve, add comments, add forward compatibility. Kim Alvefur <zash@zash.se> parents: 667 diff changeset	33	-- This might be wrong if the certificate has NotBefore in the future.
1983d4d51e1a mod_checkcerts: Improve, add comments, add forward compatibility. Kim Alvefur <zash@zash.se> parents: 667 diff changeset	34	-- However this is unlikely to happen in the wild.
1983d4d51e1a mod_checkcerts: Improve, add comments, add forward compatibility. Kim Alvefur <zash@zash.se> parents: 667 diff changeset	35	if not valid_at(cert, now) then
667 ea9941812721 mod_checkcerts: New module that logs a warning when your cert is about to expire. Kim Alvefur <zash@zash.se> parents: diff changeset	36	module:log("warn", "The certificate %s has expired", certfile);
855 1983d4d51e1a mod_checkcerts: Improve, add comments, add forward compatibility. Kim Alvefur <zash@zash.se> parents: 667 diff changeset	37	elseif not valid_at(cert, now+86400*7) then
667 ea9941812721 mod_checkcerts: New module that logs a warning when your cert is about to expire. Kim Alvefur <zash@zash.se> parents: diff changeset	38	module:log("warn", "The certificate %s will expire this week", certfile);
855 1983d4d51e1a mod_checkcerts: Improve, add comments, add forward compatibility. Kim Alvefur <zash@zash.se> parents: 667 diff changeset	39	elseif not valid_at(cert, now+86400*30) then
667 ea9941812721 mod_checkcerts: New module that logs a warning when your cert is about to expire. Kim Alvefur <zash@zash.se> parents: diff changeset	40	module:log("info", "The certificate %s will expire later this month", certfile);
ea9941812721 mod_checkcerts: New module that logs a warning when your cert is about to expire. Kim Alvefur <zash@zash.se> parents: diff changeset	41	end
855 1983d4d51e1a mod_checkcerts: Improve, add comments, add forward compatibility. Kim Alvefur <zash@zash.se> parents: 667 diff changeset	42	-- TODO Maybe notify admins
667 ea9941812721 mod_checkcerts: New module that logs a warning when your cert is about to expire. Kim Alvefur <zash@zash.se> parents: diff changeset	43	end
ea9941812721 mod_checkcerts: New module that logs a warning when your cert is about to expire. Kim Alvefur <zash@zash.se> parents: diff changeset	44	end
ea9941812721 mod_checkcerts: New module that logs a warning when your cert is about to expire. Kim Alvefur <zash@zash.se> parents: diff changeset	45
ea9941812721 mod_checkcerts: New module that logs a warning when your cert is about to expire. Kim Alvefur <zash@zash.se> parents: diff changeset	46	module.load = check_certs_validity;
ea9941812721 mod_checkcerts: New module that logs a warning when your cert is about to expire. Kim Alvefur <zash@zash.se> parents: diff changeset	47	module:hook_global("config-reloaded", check_certs_validity);

author	Kim Alvefur <zash@zash.se>
	Mon, 29 Oct 2012 00:46:51 +0100
changeset 855	1983d4d51e1a
parent 667	ea9941812721
child 941	a6c2345bcf87
permissions	-rw-r--r--