1 local ssl = require"ssl"; |
1 local ssl = require"ssl"; |
2 local load_cert = ssl.x509 and ssl.x509.load |
2 local load_cert = ssl.x509 and ssl.x509.load |
3 or ssl.cert_from_pem; -- COMPAT mw/luasec-hg |
3 or ssl.cert_from_pem; -- COMPAT mw/luasec-hg |
|
4 local st = require"util.stanza" |
4 |
5 |
5 if not load_cert then |
6 if not load_cert then |
6 module:log("error", "This version of LuaSec (%s) does not support certificate checking", ssl._VERSION); |
7 module:log("error", "This version of LuaSec (%s) does not support certificate checking", ssl._VERSION); |
7 return |
8 return |
8 end |
9 end |
9 |
10 |
|
11 local last_check = 0; |
|
12 |
10 local function check_certs_validity() |
13 local function check_certs_validity() |
|
14 local now = os.time(); |
|
15 |
|
16 if last_check > now - 21600 then |
|
17 return |
|
18 else |
|
19 last_check = now; |
|
20 end |
11 -- First, let's find out what certificate this host uses. |
21 -- First, let's find out what certificate this host uses. |
12 local ssl_config = config.rawget(module.host, "core", "ssl"); |
22 local ssl_config = config.rawget(module.host, "core", "ssl"); |
13 if not ssl_config then |
23 if not ssl_config then |
14 local base_host = module.host:match("%.(.*)"); |
24 local base_host = module.host:match("%.(.*)"); |
15 ssl_config = config.get(base_host, "core", "ssl"); |
25 ssl_config = config.get(base_host, "core", "ssl"); |
24 fh:close(); |
34 fh:close(); |
25 cert = cert and load_cert(cert); -- And parse |
35 cert = cert and load_cert(cert); -- And parse |
26 if not cert then return end |
36 if not cert then return end |
27 -- No error reporting, certmanager should complain already |
37 -- No error reporting, certmanager should complain already |
28 |
38 |
29 local now = os.time(); |
|
30 local valid_at = cert.valid_at or cert.validat; |
39 local valid_at = cert.valid_at or cert.validat; |
31 if not valid_at then return end -- Broken or uncommon LuaSec version? |
40 if not valid_at then return end -- Broken or uncommon LuaSec version? |
32 |
41 |
33 -- This might be wrong if the certificate has NotBefore in the future. |
42 -- This might be wrong if the certificate has NotBefore in the future. |
34 -- However this is unlikely to happen in the wild. |
43 -- However this is unlikely to happen with CA-issued certs in the wild. |
35 if not valid_at(cert, now) then |
44 if not valid_at(cert, now) then |
36 module:log("warn", "The certificate %s has expired", certfile); |
45 module:log("error", "The certificate %s has expired", certfile); |
|
46 module:send(st.message({from=module.host,to=admin,type="chat"},("Certificate for host %s has expired!"):format(module.host))); |
37 elseif not valid_at(cert, now+86400*7) then |
47 elseif not valid_at(cert, now+86400*7) then |
38 module:log("warn", "The certificate %s will expire this week", certfile); |
48 module:log("warn", "The certificate %s will expire this week", certfile); |
|
49 for _,admin in ipairs(module:get_option_array("admins", {})) do |
|
50 module:send(st.message({from=module.host,to=admin,type="chat"},("Certificate for host %s is about to expire!"):format(module.host))); |
|
51 end |
39 elseif not valid_at(cert, now+86400*30) then |
52 elseif not valid_at(cert, now+86400*30) then |
40 module:log("info", "The certificate %s will expire later this month", certfile); |
53 module:log("warn", "The certificate %s will expire later this month", certfile); |
|
54 else |
|
55 module:log("info", "The certificate %s is valid until %s", certfile, cert.notafter and cert:notafter() or "later"); |
41 end |
56 end |
42 -- TODO Maybe notify admins |
|
43 end |
57 end |
44 end |
58 end |
45 |
59 |
46 module.load = check_certs_validity; |
|
47 module:hook_global("config-reloaded", check_certs_validity); |
60 module:hook_global("config-reloaded", check_certs_validity); |
|
61 module:add_timer(1, function() |
|
62 check_certs_validity(); |
|
63 return math.random(14400, 86400); |
|
64 end); |