From 32f24c84a190cd881bab552ea149da07b13371e6 Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Sun, 28 Feb 2016 18:22:23 +0100
Subject: prosodyctl: check certs: Use certmanager to get the final ssl config in order to support the new certificate(s) config option
---
 prosodyctl | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
(limited to 'prosodyctl')
diff --git a/prosodyctl b/prosodyctl
index 95e091de..2972aa53 100755
--- a/prosodyctl
+++ b/prosodyctl
@@ -1197,6 +1197,7 @@ function commands.check(arg)
 local cert_ok;
 print"Checking certificates..."
 local x509_verify_identity = require"util.x509".verify_identity;
+ local create_context = require "core.certmanager".create_context;
 local ssl = dependencies.softreq"ssl";
 -- local datetime_parse = require"util.datetime".parse_x509;
 local load_cert = ssl and ssl.loadcertificate;
@@ -1211,13 +1212,12 @@ function commands.check(arg)
 for host in enabled_hosts() do
 print("Checking certificate for "..host);
 -- First, let's find out what certificate this host uses.
- local ssl_config = config.rawget(host, "ssl");
- if not ssl_config then
- local base_host = host:match("%.(.*)");
- ssl_config = config.get(base_host, "ssl");
- end
- if not ssl_config then
- print(" No 'ssl' option defined for "..host)
+ local host_ssl_config = config.rawget(host, "ssl")
+ or config.rawget(host:match("%.(.*)"), "ssl");
+ local global_ssl_config = config.rawget("*", "ssl");
+ local ok, err, ssl_config = create_context(host, "server", host_ssl_config, global_ssl_config);
+ if not ok then
+ print(" Error: "..err);
 cert_ok = false
 elseif not ssl_config.certificate then
 print(" No 'certificate' set in ssl option for "..host)
-- cgit v1.2.3
From 0c30b8a27388823a4ac4d95ae32e118b99db81a3 Mon Sep 17 00:00:00 2001
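Review bot: In the second hunk of 32f24c84 (`@@ -1211,13 +1212,12 @@`), `host:match("%.(.*)")` returns nil for a host name that contains no dot, and that nil is passed straight to `config.rawget`. Whether `rawget` tolerates a nil host is not visible here, so I would guard it with `local base_host = host:match("%.(.*)");` and `or (base_host and config.rawget(base_host, "ssl"));`. In the same hunk, `print(" Error: "..err)` raises if `create_context` ever returns a falsy first value without a message; `" Error: "..tostring(err)` keeps the certificate check running for the remaining hosts. The removed code passed the same unguarded match to `config.get`, so this is not a regression. `commands.check` begins and ends outside the hunk.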
From: Kim Alvefur
Date: Sun, 28 Feb 2016 18:23:24 +0100
Subject: prosodyctl: check certs: Update messages to account for 'ssl' option maybe not existing
---
 prosodyctl | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'prosodyctl')
diff --git a/prosodyctl b/prosodyctl
index 2972aa53..4ae1136c 100755
--- a/prosodyctl
+++ b/prosodyctl
@@ -1220,10 +1220,10 @@ function commands.check(arg)
 print(" Error: "..err);
 cert_ok = false
 elseif not ssl_config.certificate then
- print(" No 'certificate' set in ssl option for "..host)
+ print(" No 'certificate' found for "..host)
 cert_ok = false
 elseif not ssl_config.key then
- print(" No 'key' set in ssl option for "..host)
+ print(" No 'key' found for for "..host)
 cert_ok = false
 else
 local key, err = io.open(ssl_config.key); -- Permissions check only
-- cgit v1.2.3
From 4ae28434fa7f40619b6f4426f89f8e14ee900ca5 Mon Sep 17 00:00:00 2001
From: Kim Alvefur
Date: Sun, 28 Feb 2016 18:24:12 +0100
Subject: prosodyctl: check certs: Warn about certificate expiry in the near future
---
 prosodyctl | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'prosodyctl')
diff --git a/prosodyctl b/prosodyctl
index 4ae1136c..de397ccf 100755
--- a/prosodyctl
+++ b/prosodyctl
@@ -1243,6 +1243,13 @@ function commands.check(arg)
 if not cert:validat(os.time()) then
 print(" Certificate has expired.")
 cert_ok = false
+ elseif not cert:validat(os.time() + 86400) then
+ print(" Certificate expires within one day.")
+ cert_ok = false
+ elseif not cert:validat(os.time() + 86400*7) then
+ print(" Certificate expires within one week.")
+ elseif not cert:validat(os.time() + 86400*13) then
+ print(" Certificate expires within one month.")
 end
 if config.get(host, "component_module") == nil
 and not x509_verify_identity(host, "_xmpp-client", cert) then
-- cgit v1.2.3
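Review bot: The new 'key' message in 0c30b8a2 (`@@ -1220,10 +1220,10 @@`) has a doubled word, `" No 'key' found for for "..host`. It should read `print(" No 'key' found for "..host)`, which also matches the reworded 'certificate' message a few lines above it. The `if`/`elseif` chain this belongs to starts and ends outside the hunk.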
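Review bot: The last added branch in 4ae28434 (`@@ -1243,6 +1243,13 @@`) tests `os.time() + 86400*13`, which is thirteen days, while its message says "expires within one month". The warning therefore first appears thirteen days before expiry, which leaves less time to renew than the text promises. If a month is intended, `elseif not cert:validat(os.time() + 86400*31) then` matches the message. Only the one-day branch sets `cert_ok = false`; if the week and month branches are meant to be advisory, a comment such as `-- warning only, does not fail the check` would make that explicit. `commands.check` continues outside the hunk.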