From 192e0081ce78d4bbd10b9e65d0b69ffaa9ce9117 Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Mon, 25 Apr 2022 14:36:56 +0200
Subject: mod_s2s: Recognise and report errors with CA or intermediate certs

Should be invoked for cases such as when the Let's Encrypt intermediate certificate expired not too long ago.
---
 plugins/mod_s2s.lua | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/plugins/mod_s2s.lua b/plugins/mod_s2s.lua
index b9cd5fcd..3e86e94c 100644
--- a/plugins/mod_s2s.lua
+++ b/plugins/mod_s2s.lua
@@ -918,6 +918,14 @@ local function friendly_cert_error(session) --> string
 elseif cert_errors:contains("self signed certificate") then
 return "is self-signed";
 end
+
+ local chain_errors = set.new(session.cert_chain_errors[2]);
+ for i, e in pairs(session.cert_chain_errors) do
+ if i > 2 then chain_errors:add_list(e); end
+ end
+ if chain_errors:contains("certificate has expired") then
+ return "has an expired certificate chain";
+ end
 end
 return "is not trusted"; -- for some other reason
 elseif session.cert_identity_status == "invalid" then
-- 
cgit v1.2.3
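Review bot: The new chain check builds `chain_errors` in two steps, seeding it from `session.cert_chain_errors[2]` and then looping over `pairs` for `i > 2`, which reads as though depth 2 were special; a single loop says the same thing more directly, `local chain_errors = set.new();` followed by `for i, e in pairs(session.cert_chain_errors) do if i >= 2 then chain_errors:add_list(e); end end` (this relies on `set.new` tolerating a missing argument, which the seeded form already assumes whenever depth 2 carries no errors). A short comment on why the loop starts at 2 would help the next reader, for example `-- depth 1 is the peer's own certificate (handled above); 2 and up are the issuing chain; pairs() because the table may be sparse by depth`, if that is indeed the indexing — it is inferred here rather than visible in the hunk. Only "certificate has expired" in the chain gets a specific message; other chain-level failures still fall through to the generic "is not trusted", which may be intended but is narrower than the commit title suggests, and a comment saying so would avoid a later reader assuming the check is exhaustive. The enclosing `friendly_cert_error` begins before the hunk and continues after it.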