X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/3e091ef3d515a094fd4493faacbc5c3ba266c2ad..4bef1d8c2a8513756683114959bd1c9e5de9b6f9:/cookbooks/letsencrypt/files/default/bin/check-certificate diff --git a/cookbooks/letsencrypt/files/default/bin/check-certificate b/cookbooks/letsencrypt/files/default/bin/check-certificate index 46ca8e848..73bd8a658 100755 --- a/cookbooks/letsencrypt/files/default/bin/check-certificate +++ b/cookbooks/letsencrypt/files/default/bin/check-certificate @@ -1,36 +1,54 @@ #!/usr/bin/ruby -require "net/http" +require "socket" +require "openssl" -domain = ARGV.first +host = ARGV.shift +address = ARGV.shift +domains = ARGV + +context = OpenSSL::SSL::SSLContext.new +context.verify_mode = OpenSSL::SSL::VERIFY_NONE begin - connection = Net::HTTP.start(domain, :use_ssl => true) - certificate = connection.peer_cert + socket = TCPSocket.new(address, 443) + + ssl = OpenSSL::SSL::SSLSocket.new(socket, context) + ssl.sync_close = true + ssl.hostname = domains.first + ssl.connect +rescue StandardError => e + puts "Error connecting to #{host}: #{e.message}" +end + +if ssl + certificate = ssl.peer_cert if Time.now < certificate.not_before - puts "Certificate #{domain} not valid until #{certificate.not_before}" - elsif certificate.not_after - Time.now < 14 * 86400 - puts "Certificate #{domain} expires at #{certificate.not_after}" - else - subject_alt_name = certificate.extensions.find { |e| e.oid == "subjectAltName" } + puts "Certificate #{domains.first} on #{host} not valid until #{certificate.not_before}" + elsif certificate.not_after - Time.now < 21 * 86400 + puts "Certificate #{domains.first} on #{host} expires at #{certificate.not_after}" + end - if subject_alt_name.nil? - puts "Certificate #{domain} has no subject_alt_name" - else - alt_names = subject_alt_name.value.split(/\s*,\s*/).sort + subject_alt_name = certificate.extensions.find { |ext| ext.oid == "subjectAltName" } - ARGV.sort.each do |expected| - puts "Certificate #{domain} is missing subject_alt_name #{expected}" unless alt_names.shift == "DNS:#{expected}" - end + if subject_alt_name.nil? + puts "Certificate #{domains.first} on #{host} has no subjectAltName" + else + alt_names = subject_alt_name.value.split(/\s*,\s*/).map { |n| n.sub(/^DNS:/, "") } - alt_names.each do |name| - puts "Certificate #{domain} has unexpected altName #{name}" + domains.each do |domain| + if alt_names.include?(domain) + alt_names.delete(domain) + else + puts "Certificate #{domains.first} on #{host} is missing subjectAltName #{domain}" end end + + alt_names.each do |name| + puts "Certificate #{domains.first} on #{host} has unexpected subjectAltName #{name}" + end end - connection.finish -rescue OpenSSL::SSL::SSLError => error - puts "Error connecting to #{domain}: #{error.message}" + ssl.close end