mirror of https://github.com/mail-in-a-box/mailinabox.git synced 2024-11-22 02:17:26 +00:00

if the main ssl cert is expiring soon, the end of setup would display the control panel instructions as if the cert were self-signed

Joshua Tauberer 2015-05-14 19:16:31 +00:00
parent 13093f1732
commit 57abae3999


@ -593,7 +593,7 @@ def check_ssl_cert(domain, rounded_time, env, output):
output.print_line(cert_status_details) output.print_line(cert_status_details)
output.print_line("") output.print_line("")
def check_certificate(domain, ssl_certificate, ssl_private_key, rounded_time=False): def check_certificate(domain, ssl_certificate, ssl_private_key, warn_if_expiring_soon=True, rounded_time=False):
# Use openssl verify to check the status of a certificate. # Use openssl verify to check the status of a certificate.
# First check that the certificate is for the right domain. The domain # First check that the certificate is for the right domain. The domain
@ -636,6 +636,7 @@ def check_certificate(domain, ssl_certificate, ssl_private_key, rounded_time=Fal
if m: if m:
certificate_names.add(m.group(1)) certificate_names.add(m.group(1))
# Grab the expiration date for testing later.
m = re.match(" Not After : (.*)", line) m = re.match(" Not After : (.*)", line)
if m: if m:
cert_expiration_date = dateutil.parser.parse(m.group(1)) cert_expiration_date = dateutil.parser.parse(m.group(1))
@ -690,12 +691,14 @@ def check_certificate(domain, ssl_certificate, ssl_private_key, rounded_time=Fal
if "self signed" in verifyoutput: if "self signed" in verifyoutput:
# Certificate is self-signed. # Certificate is self-signed.
return ("SELF-SIGNED", None) return ("SELF-SIGNED", None)
elif retcode != 0: elif retcode != 0:
if "unable to get local issuer certificate" in verifyoutput: if "unable to get local issuer certificate" in verifyoutput:
return ("The certificate is missing an intermediate chain or the intermediate chain is incorrect or incomplete. (%s)" % verifyoutput, None) return ("The certificate is missing an intermediate chain or the intermediate chain is incorrect or incomplete. (%s)" % verifyoutput, None)
# There is some unknown problem. Return the `openssl verify` raw output. # There is some unknown problem. Return the `openssl verify` raw output.
return ("There is a problem with the SSL certificate.", verifyoutput.strip()) return ("There is a problem with the SSL certificate.", verifyoutput.strip())
else: else:
# `openssl verify` returned a zero exit status so the cert is currently # `openssl verify` returned a zero exit status so the cert is currently
# good. # good.
@ -712,7 +715,7 @@ def check_certificate(domain, ssl_certificate, ssl_private_key, rounded_time=Fal
else: else:
expiry_info = "The certificate expires on %s." % cert_expiration_date.strftime("%x") expiry_info = "The certificate expires on %s." % cert_expiration_date.strftime("%x")
if ndays <= 31: if ndays <= 31 and warn_if_expiring_soon:
return ("The certificate is expiring soon: " + expiry_info, None) return ("The certificate is expiring soon: " + expiry_info, None)
# Return the special OK code. # Return the special OK code.
@ -928,7 +931,7 @@ if __name__ == "__main__":
ssl_key, ssl_certificate, ssl_via = get_domain_ssl_files(domain, env) ssl_key, ssl_certificate, ssl_via = get_domain_ssl_files(domain, env)
if not os.path.exists(ssl_certificate): if not os.path.exists(ssl_certificate):
sys.exit(1) sys.exit(1)
cert_status, cert_status_details = check_certificate(domain, ssl_certificate, ssl_key) cert_status, cert_status_details = check_certificate(domain, ssl_certificate, ssl_key, warn_if_expiring_soon=False)
if cert_status != "OK": if cert_status != "OK":
sys.exit(1) sys.exit(1)
sys.exit(0) sys.exit(0)
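Review bot: The new `warn_if_expiring_soon` parameter is placed ahead of `rounded_time` in the `check_certificate` signature, so any caller that passes `rounded_time` as the fourth positional argument would now silently set `warn_if_expiring_soon` instead. Callers outside the visible hunks cannot be checked from here, and the function body also continues between the hunks. Appending the parameter keeps the old positional contract: `def check_certificate(domain, ssl_certificate, ssl_private_key, rounded_time=False, warn_if_expiring_soon=True):`. The `__main__` call already passes it by keyword, so that call would need no change. A short comment there, such as `# exit 0 when the cert verifies now, even if it expires within 31 days`, would make it clear that this exit status no longer reflects the expiry warning.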