From 03f9358de46cbea1b5eb267b56cebdfd09699f81 Mon Sep 17 00:00:00 2001
From: Joshua Tauberer
Date: Wed, 3 Sep 2014 17:31:11 +0000
Subject: [PATCH] when checking SSL certs are OK, check for wildcard certificates

fixes #175 (hopefully)
---
 management/status_checks.py | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/management/status_checks.py b/management/status_checks.py
index 27549686..26b1cf3a 100755
--- a/management/status_checks.py
+++ b/management/status_checks.py
@@ -360,7 +360,8 @@ def check_certificate(domain, ssl_certificate, ssl_private_key):
 # First check that the certificate is for the right domain. The domain
 # must be found in the Subject Common Name (CN) or be one of the
-# Subject Alternative Names.
+# Subject Alternative Names. A wildcard might also appear as the CN
+# or in the SAN list, so check for that tool.
 cert_dump = shell('check_output', [
 "openssl", "x509", "-in", ssl_certificate,
@@ -389,7 +390,8 @@ def check_certificate(domain, ssl_certificate, ssl_private_key):
 if m:
 certificate_names.add(m.group(1))
-if domain is not None and domain not in certificate_names:
+wildcard_domain = re.sub("^[^\.]+", "*", domain)
+if domain is not None and domain not in certificate_names and wildcard_domain not in certificate_names:
 return "This certificate is for the wrong domain names. It is for %s." % \
 ", ".join(sorted(certificate_names))
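Review bot: The new comment in the first hunk ends in a typo, `so check for that tool.` should read `so check for that too.`; otherwise its wording matches what the second hunk implements. check_certificate begins before this hunk and continues past it.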
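Review bot: In the second hunk, `wildcard_domain = re.sub("^[^\.]+", "*", domain)` runs before the `domain is not None` guard on the following line, so the None case that guard exists for now raises TypeError inside re.sub instead of being skipped. Compute it only when a domain is given, e.g. `wildcard_domain = re.sub(r"^[^.]+", "*", domain) if domain is not None else None` (the raw string also avoids the invalid `\.` escape in a normal string literal). Note also that the substitution turns a single-label domain into a bare `*` and a two-label domain into `*.tld`, so a certificate whose CN or SAN is literally `*` or `*.tld` would be accepted; if this check is meant to mirror browser wildcard rules, the match should require the part after `*.` to contain at least one further dot. check_certificate starts before the first hunk and continues past this one.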