Commit 57abae39 authored by Joshua Tauberer's avatar Joshua Tauberer

if the main ssl cert is expiring soon, the end of setup would display the...

if the main ssl cert is expiring soon, the end of setup would display the control panel instructions as if the cert were self-signed
parent 13093f17
...@@ -593,7 +593,7 @@ def check_ssl_cert(domain, rounded_time, env, output): ...@@ -593,7 +593,7 @@ def check_ssl_cert(domain, rounded_time, env, output):
output.print_line(cert_status_details) output.print_line(cert_status_details)
output.print_line("") output.print_line("")
def check_certificate(domain, ssl_certificate, ssl_private_key, rounded_time=False): def check_certificate(domain, ssl_certificate, ssl_private_key, warn_if_expiring_soon=True, rounded_time=False):
# Use openssl verify to check the status of a certificate. # Use openssl verify to check the status of a certificate.
# First check that the certificate is for the right domain. The domain # First check that the certificate is for the right domain. The domain
...@@ -636,6 +636,7 @@ def check_certificate(domain, ssl_certificate, ssl_private_key, rounded_time=Fal ...@@ -636,6 +636,7 @@ def check_certificate(domain, ssl_certificate, ssl_private_key, rounded_time=Fal
if m: if m:
certificate_names.add(m.group(1)) certificate_names.add(m.group(1))
# Grab the expiration date for testing later.
m = re.match(" Not After : (.*)", line) m = re.match(" Not After : (.*)", line)
if m: if m:
cert_expiration_date = dateutil.parser.parse(m.group(1)) cert_expiration_date = dateutil.parser.parse(m.group(1))
...@@ -690,12 +691,14 @@ def check_certificate(domain, ssl_certificate, ssl_private_key, rounded_time=Fal ...@@ -690,12 +691,14 @@ def check_certificate(domain, ssl_certificate, ssl_private_key, rounded_time=Fal
if "self signed" in verifyoutput: if "self signed" in verifyoutput:
# Certificate is self-signed. # Certificate is self-signed.
return ("SELF-SIGNED", None) return ("SELF-SIGNED", None)
elif retcode != 0: elif retcode != 0:
if "unable to get local issuer certificate" in verifyoutput: if "unable to get local issuer certificate" in verifyoutput:
return ("The certificate is missing an intermediate chain or the intermediate chain is incorrect or incomplete. (%s)" % verifyoutput, None) return ("The certificate is missing an intermediate chain or the intermediate chain is incorrect or incomplete. (%s)" % verifyoutput, None)
# There is some unknown problem. Return the `openssl verify` raw output. # There is some unknown problem. Return the `openssl verify` raw output.
return ("There is a problem with the SSL certificate.", verifyoutput.strip()) return ("There is a problem with the SSL certificate.", verifyoutput.strip())
else: else:
# `openssl verify` returned a zero exit status so the cert is currently # `openssl verify` returned a zero exit status so the cert is currently
# good. # good.
...@@ -712,7 +715,7 @@ def check_certificate(domain, ssl_certificate, ssl_private_key, rounded_time=Fal ...@@ -712,7 +715,7 @@ def check_certificate(domain, ssl_certificate, ssl_private_key, rounded_time=Fal
else: else:
expiry_info = "The certificate expires on %s." % cert_expiration_date.strftime("%x") expiry_info = "The certificate expires on %s." % cert_expiration_date.strftime("%x")
if ndays <= 31: if ndays <= 31 and warn_if_expiring_soon:
return ("The certificate is expiring soon: " + expiry_info, None) return ("The certificate is expiring soon: " + expiry_info, None)
# Return the special OK code. # Return the special OK code.
...@@ -928,7 +931,7 @@ if __name__ == "__main__": ...@@ -928,7 +931,7 @@ if __name__ == "__main__":
ssl_key, ssl_certificate, ssl_via = get_domain_ssl_files(domain, env) ssl_key, ssl_certificate, ssl_via = get_domain_ssl_files(domain, env)
if not os.path.exists(ssl_certificate): if not os.path.exists(ssl_certificate):
sys.exit(1) sys.exit(1)
cert_status, cert_status_details = check_certificate(domain, ssl_certificate, ssl_key) cert_status, cert_status_details = check_certificate(domain, ssl_certificate, ssl_key, warn_if_expiring_soon=False)
if cert_status != "OK": if cert_status != "OK":
sys.exit(1) sys.exit(1)
sys.exit(0) sys.exit(0)
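Review bot: The new `warn_if_expiring_soon=True` parameter is inserted before the existing `rounded_time=False` in the `check_certificate` signature, so any caller that passes `rounded_time` positionally would now silently set the new flag instead; the `check_ssl_cert` call site is not visible in this hunk, so this is an inferred risk rather than a confirmed break. Appending the new parameter last, `def check_certificate(domain, ssl_certificate, ssl_private_key, rounded_time=False, warn_if_expiring_soon=True):`, keeps existing positional calls working, and the keyword call added in `__main__` is unaffected either way. The comment block at the top of the function should also state what the flag does, e.g. `# warn_if_expiring_soon: when False, a cert expiring within 31 days is still reported as "OK" (used by the setup check, which only needs to know whether the cert is trusted).` The body of `check_certificate` continues outside these hunks.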