authorJohn Denker <jsd@av8n.com>2012-07-14 12:02:25 -0700
committerJohn Denker <jsd@av8n.com>2012-07-14 12:02:25 -0700
commit19c9ac3977e552670733e119b4cd7d5143da3789 (patch)
treea4981e51948002da9d1710637d310143622b78bd
parentccadc08df59949ba12cfb7a71045ca62483fd492 (diff)
make the cert-checker more flexible and less destructive
-rwxr-xr-xtools/qmail2
-rwxr-xr-xtools/qmail-tls-check_certs60
2 files changed, 31 insertions, 31 deletions
diff --git a/tools/qmail b/tools/qmail
index f2164d7..f765a8f 100755
--- a/tools/qmail
+++ b/tools/qmail
@@ -259,7 +259,7 @@ case "$verb" in
echo "Beware: file '$file' is missing."
fi
done
- /var/qmail/bin/qmail-tls-check_certs -server
+ /var/qmail/bin/qmail-tls-check_certs -stunnel
;;
*)
echo "Usage: $0 {start|stop|reload|zap|restart|status}"
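Review bot: The start path now hands only `-stunnel` to the checker, so the STARTTLS certificates in the control directory are no longer examined when qmail starts. If both sets are meant to be checked from here, the call should name both, `/var/qmail/bin/qmail-tls-check_certs -stunnel -starttls`, which presupposes the checker combines flags rather than letting the last one win (see its option parsing in this commit). The enclosing `case` arm begins before the hunk.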
diff --git a/tools/qmail-tls-check_certs b/tools/qmail-tls-check_certs
index 0d73596..a379399 100755
--- a/tools/qmail-tls-check_certs
+++ b/tools/qmail-tls-check_certs
@@ -10,17 +10,14 @@
# valid, non-expired certs with the appropriate KeyUsage extensions
# required to get their jobs done.
# This script can be run on a nightly basis to check the cert status.
-# Note that when it marked as cert as "bad" (typically because it's
-# expired), it will be renamed, a syslog event generated, and probably
-# Qmail will STOP WORKING FOR NEW TLS SESSIONS.
+# Note that when a cert is "bad" (typically because it's
+# expired), we send a warning via syslog.
+# If the cert is bad, Qmail will STOP WORKING FOR NEW TLS SESSIONS.
#
-# That may sound bad, but the alternative is that Qmail will stop working
-# for new TLS sessions *anyway* - it's just that this script will tell
-# you why...
+# The point of this script is to tell you *why* qmail is not working.
LOGGER="logger -i -t qmail-tls-check_certs"
-dir=''
dirlist="/etc/qmail/control /var/qmail/control"
for trydir in $dirlist ; do
if test -d $trydir ; then
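Review bot: Removing `dir=''` leaves `dir` unset rather than empty before the search loop, so an exported `dir` inherited from the invoking environment would satisfy the later `test -z "$dir"` guards and be used as the control directory. Keep the initialisation, `dir=''`, ahead of `for trydir in $dirlist ; do`. The loop that assigns `dir` continues into the next hunk.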
@@ -28,49 +25,53 @@ for trydir in $dirlist ; do
break
fi
done
-if test -z "$dir" ; then
- 1>&2 echo "Cannot find any control directory ($dirlist)"
- exit 1
-fi
certlist=""
for arg in "$@" ; do
case $arg in
- -server) certlist="$certlist servercert.pem" ;;
- -client) certlist="$certlist clientcert.pem" ;;
+ -stunnel) certlist=/etc/stunnel/stunnel.pem ;;
+ -starttls)
+ if test -z "$dir" ; then
+ 1>&2 echo "Sorry, can't find the control directory ($dirlist)"
+ exit1
+ fi
+ certlist="$dir/servercert.pem $dir/clientcert.pem"
+ ;;
*) 1>&2 echo "Unrecognized verbiage: '$arg'"
exit 1
esac
done
if test -z "$certlist" ; then
- certlist="servercert.pem clientcert.pem"
+ if test -z "$dir" ; then
+ 1>&2 echo "Cannot find any control directory ($dirlist)"
+ exit 1
+ fi
+ certlist="$dir/servercert.pem $dir/clientcert.pem"
fi
for cert in $certlist ; do
- if ! test -f "$dir/$cert"; then
- echo "Certificate missing: $dir/$cert"
+ if ! test -f "$cert"; then
+ echo "Certificate missing: $cert"
else
#First, check that it's a valid cert for the task
- TEMP_PURPOSE=`openssl x509 -in $dir/$cert -noout -purpose 2>/dev/null`
+ TEMP_PURPOSE=`openssl x509 -in $cert -noout -purpose 2>/dev/null`
if [ "$?" != "0" ]; then
- echo "$dir/$cert is a broken cert. Disabled"
- mv -f $dir/$cert $dir/BROKEN-${cert}
- $LOGGER "$dir/$cert is a broken cert. Disabled"
+ echo "$cert is a broken cert."
+ $LOGGER "$cert is a broken cert."
continue
fi
#Now check it hasn't expired
- TEMP_DATE=$( openssl x509 -in $dir/$cert -noout -dates 2>/dev/null | \
+ TEMP_DATE=$( openssl x509 -in $cert -noout -dates 2>/dev/null | \
grep -i after|cut -d= -f2 )
EXPIRE_IN_SECS=`date +%s --date $TEMP_DATE 2>/dev/null`
if [ "`echo $EXPIRE_IN_SECS|egrep '^[0-9]+$'`" != "" ]; then
NOW_IN_SECS=`date +%s 2>/dev/null`
if [ "`echo $NOW_IN_SECS|egrep '^[0-9]+$'`" != "" ]; then
if [ $NOW_IN_SECS -gt $EXPIRE_IN_SECS ]; then
- echo "$dir/$cert has EXPIRED. Disabling"
- mv -f $dir/$cert $dir/EXPIRED-${cert}
- $LOGGER "$dir/$cert has EXPIRED. Disabling"
+ echo "$cert has EXPIRED."
+ $LOGGER "$cert has EXPIRED."
continue
fi
fi
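Review bot: `exit1` in the `-starttls` arm is a typo for `exit 1`; as written the shell reports an unknown command and carries on, so when no control directory exists `certlist` becomes `/servercert.pem /clientcert.pem` and the script merely reports those files as missing instead of failing. Separately, both new arms assign `certlist` outright where the old `-server`/`-client` arms appended, so `-stunnel -starttls` checks only the last set named; appending, `certlist="$certlist /etc/stunnel/stunnel.pem"` and `certlist="$certlist $dir/servercert.pem $dir/clientcert.pem"`, keeps the flags combinable. The `-starttls` arm and the empty-certlist fallback also duplicate the directory check with slightly different messages; a single check before the loop would keep them from diverging.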
@@ -79,18 +80,17 @@ for cert in $certlist ; do
if [ "`echo $cert|grep server`" != "" ] ; then
if [ "_$( echo $TEMP_PURPOSE | \
egrep -i '(any purpose|server).* yes' )" = "_" ]; then
- echo "$dir/$cert is NOT a server cert. Disabled"
- mv -f $dir/$cert $dir/NOT-A-SERVER-CERT-${cert}
- $LOGGER "$dir/$cert is NOT a server cert. Disabled"
+ echo "$cert is NOT a server cert."
+ $LOGGER "$cert is NOT a server cert."
continue
fi
fi
if [ "`echo $cert|grep client`" != "" ] ; then
if [ "_$( echo $TEMP_PURPOSE |
egrep -i '(any purpose|client).* yes' )" = "_" ]; then
- echo "$dir/$cert is NOT a client cert. Disabled"
- mv -f $dir/$cert $dir/NOT-A-CLIENT-CERT-${cert}
- $LOGGER "$dir/$cert is NOT a client cert. Disabled"
+ echo " $cert is NOT a client cert."
+ $LOGGER "$cert is NOT a client cert."
+ continue
fi
fi
fi
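Review bot: The role checks at the top of this hunk classify a certificate by grepping `server` or `client` out of `$cert`, and since the commit now fills `certlist` with full paths, `/etc/stunnel/stunnel.pem` matches neither, so the stunnel certificate gets no purpose check at all, while a control directory whose path happens to contain `client` or `server` would be classified by its directory name. Matching on the basename, `case ${cert##*/} in *server*) …`, or recording the expected role alongside each file would restore the check. Also the new echo in the client branch carries a stray leading space, `echo " $cert is NOT a client cert."`, unlike its logger line and the server branch; drop the space.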