
warn if an SSL cert is expiring within 30 days

This commit is contained in:
Joshua Tauberer 2014-09-21 12:51:27 +00:00
parent b8ea7282b0
commit 05510f25a5


@ -9,6 +9,7 @@ __ALL__ = ['check_certificate']
import os, os.path, re, subprocess, datetime import os, os.path, re, subprocess, datetime
import dns.reversename, dns.resolver import dns.reversename, dns.resolver
import dateutil.parser, dateutil.tz
from dns_update import get_dns_zones, build_tlsa_record from dns_update import get_dns_zones, build_tlsa_record
from web_update import get_web_domains, get_domain_ssl_files from web_update import get_web_domains, get_domain_ssl_files
@ -374,6 +375,7 @@ def check_certificate(domain, ssl_certificate, ssl_private_key):
]) ])
cert_dump = cert_dump.split("\n") cert_dump = cert_dump.split("\n")
certificate_names = set() certificate_names = set()
cert_expiration_date = None
while len(cert_dump) > 0: while len(cert_dump) > 0:
line = cert_dump.pop(0) line = cert_dump.pop(0)
@ -395,6 +397,10 @@ def check_certificate(domain, ssl_certificate, ssl_private_key):
if m: if m:
certificate_names.add(m.group(1)) certificate_names.add(m.group(1))
m = re.match(" Not After : (.*)", line)
if m:
cert_expiration_date = dateutil.parser.parse(m.group(1))
wildcard_domain = re.sub("^[^\.]+", "*", domain) wildcard_domain = re.sub("^[^\.]+", "*", domain)
if domain is not None and domain not in certificate_names and wildcard_domain not in certificate_names: if domain is not None and domain not in certificate_names and wildcard_domain not in certificate_names:
return "This certificate is for the wrong domain names. It is for %s." % \ return "This certificate is for the wrong domain names. It is for %s." % \
@ -445,11 +451,21 @@ def check_certificate(domain, ssl_certificate, ssl_private_key):
if "self signed" in verifyoutput: if "self signed" in verifyoutput:
# Certificate is self-signed. # Certificate is self-signed.
return "SELF-SIGNED" return "SELF-SIGNED"
elif retcode == 0: elif retcode != 0:
# Certificate is OK. # There is some unknown problem. Return the `openssl verify` raw output.
return "OK"
else:
return verifyoutput.strip() return verifyoutput.strip()
else:
# `openssl verify` returned a zero exit status so the cert is currently
# good.
# But is it expiring soon?
now = datetime.datetime.now(dateutil.tz.tzlocal())
ndays = (cert_expiration_date-now).days
if ndays <= 31:
return "This certificate expires in %d days on %s." % (ndays, cert_expiration_date.strftime("%x"))
# Return the special OK code.
return "OK"
_apt_updates = None _apt_updates = None
def list_apt_updates(apt_update=True): def list_apt_updates(apt_update=True):
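Review bot: In the last hunk, `ndays = (cert_expiration_date-now).days` runs whenever `openssl verify` exits 0, but `cert_expiration_date` is initialised to `None` earlier in the change and is only set when the `" Not After : (.*)"` regex matches a dump line, so a dump whose validity line is formatted or indented differently would turn a previously "OK" result into a `TypeError` from the status checker. I would guard before the subtraction with `if cert_expiration_date is None:` / `return "The certificate's expiration date could not be determined."` so an unparsable dump is reported rather than raised. The rendering here drops leading whitespace, so I cannot tell whether the single space in the regex actually matches the indentation `openssl x509 -text` prints; worth confirming against real output, since a silent non-match is exactly the case above. A smaller point: the commit says 30 days while the threshold is `ndays <= 31`; picking one and stating it in a comment avoids the next reader "fixing" it either way. check_certificate begins and continues outside this hunk.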