mod_s2s: Recognise and report errors with CA or intermediate certs
Should be invoked for cases such as when the Let's Encrypt intermediate
certificate expired not too long ago.
--- a/plugins/mod_s2s.lua Sun Apr 24 16:17:32 2022 +0200
+++ b/plugins/mod_s2s.lua Mon Apr 25 14:36:56 2022 +0200
@@ -918,6 +918,14 @@
elseif cert_errors:contains("self signed certificate") then
return "is self-signed";
end
+
+ local chain_errors = set.new(session.cert_chain_errors[2]);
+ for i, e in pairs(session.cert_chain_errors) do
+ if i > 2 then chain_errors:add_list(e); end
+ end
+ if chain_errors:contains("certificate has expired") then
+ return "has an expired certificate chain";
+ end
end
return "is not trusted"; -- for some other reason
elseif session.cert_identity_status == "invalid" then