From 19c9ac3977e552670733e119b4cd7d5143da3789 Mon Sep 17 00:00:00 2001
From: John Denker
Date: Sat, 14 Jul 2012 12:02:25 -0700
Subject: make the cert-checker more flexible and less destructive
---
 tools/qmail | 2 +-
 tools/qmail-tls-check_certs | 60 ++++++++++++++++++++++-----------------------
 2 files changed, 31 insertions(+), 31 deletions(-)
diff --git a/tools/qmail b/tools/qmail
index f2164d7..f765a8f 100755
--- a/tools/qmail
+++ b/tools/qmail
@@ -259,7 +259,7 @@ case "$verb" in
 echo "Beware: file '$file' is missing."
 fi
 done
- /var/qmail/bin/qmail-tls-check_certs -server
+ /var/qmail/bin/qmail-tls-check_certs -stunnel
 ;;
 *)
 echo "Usage: $0 {start|stop|reload|zap|restart|status}"
diff --git a/tools/qmail-tls-check_certs b/tools/qmail-tls-check_certs
index 0d73596..a379399 100755
--- a/tools/qmail-tls-check_certs
+++ b/tools/qmail-tls-check_certs
@@ -10,17 +10,14 @@
 # valid, non-expired certs with the appropriate KeyUsage extensions
 # required to get their jobs done.
 # This script can be run on a nightly basis to check the cert status.
-# Note that when it marked as cert as "bad" (typically because it's
-# expired), it will be renamed, a syslog event generated, and probably
-# Qmail will STOP WORKING FOR NEW TLS SESSIONS.
+# Note that when a cert is "bad" (typically because it's
+# expired), we send a warning via syslog.
+# If the cert is bad, Qmail will STOP WORKING FOR NEW TLS SESSIONS.
 #
-# That may sound bad, but the alternative is that Qmail will stop working
-# for new TLS sessions *anyway* - it's just that this script will tell
-# you why...
+# The point of this script is to tell you *why* qmail is not working.
 LOGGER="logger -i -t qmail-tls-check_certs"
-dir=''
 dirlist="/etc/qmail/control /var/qmail/control"
 for trydir in $dirlist ; do
 if test -d $trydir ; then
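Review bot: Replacing `-server` with `-stunnel` on the checker call in tools/qmail means the control-directory servercert.pem and clientcert.pem are no longer checked by this case arm at all, and the checker's new option arms assign `certlist` rather than append to it, so one invocation cannot cover both sets. If both are meant to be verified here, call the checker twice, `/var/qmail/bin/qmail-tls-check_certs -stunnel` followed by `/var/qmail/bin/qmail-tls-check_certs -starttls`. The call's exit status is not examined, and the checker only reports via stdout and syslog, so this arm has no way to tell that a cert was found to be bad. The case arm containing this line starts and ends outside the hunk.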
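Review bot: Dropping `dir=''` leaves `$dir` uninitialised ahead of the `for trydir` loop in qmail-tls-check_certs, so when neither control directory exists the later `test -z "$dir"` checks see whatever the caller's environment happens to export under that name and the script would go looking for `$dir/servercert.pem` in an arbitrary place. Keep the explicit initialisation, `dir=''`, before `dirlist="/etc/qmail/control /var/qmail/control"`. The rewritten header comment could also state what now happens to a bad cert, e.g. `# Bad certs are left in place: this script only reports, it never renames or removes anything.` The loop body that presumably assigns `dir` lies outside the hunk.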
@@ -28,49 +25,53 @@ for trydir in $dirlist ; do
 break
 fi
 done
-if test -z "$dir" ; then
- 1>&2 echo "Cannot find any control directory ($dirlist)"
- exit 1
-fi
 certlist=""
 for arg in "$@" ; do
 case $arg in
- -server) certlist="$certlist servercert.pem" ;;
- -client) certlist="$certlist clientcert.pem" ;;
+ -stunnel) certlist=/etc/stunnel/stunnel.pem ;;
+ -starttls)
+ if test -z "$dir" ; then
+ 1>&2 echo "Sorry, can't find the control directory ($dirlist)"
+ exit1
+ fi
+ certlist="$dir/servercert.pem $dir/clientcert.pem"
+ ;;
 *) 1>&2 echo "Unrecognized verbiage: '$arg'"
 exit 1
 esac
 done
 if test -z "$certlist" ; then
- certlist="servercert.pem clientcert.pem"
+ if test -z "$dir" ; then
+ 1>&2 echo "Cannot find any control directory ($dirlist)"
+ exit 1
+ fi
+ certlist="$dir/servercert.pem $dir/clientcert.pem"
 fi
 for cert in $certlist ; do
- if ! test -f "$dir/$cert"; then
- echo "Certificate missing: $dir/$cert"
+ if ! test -f "$cert"; then
+ echo "Certificate missing: $cert"
 else
 #First, check that it's a valid cert for the task
- TEMP_PURPOSE=`openssl x509 -in $dir/$cert -noout -purpose 2>/dev/null`
+ TEMP_PURPOSE=`openssl x509 -in $cert -noout -purpose 2>/dev/null`
 if [ "$?" != "0" ]; then
- echo "$dir/$cert is a broken cert. Disabled"
- mv -f $dir/$cert $dir/BROKEN-${cert}
- $LOGGER "$dir/$cert is a broken cert. Disabled"
+ echo "$cert is a broken cert."
+ $LOGGER "$cert is a broken cert."
 continue
 fi
 #Now check it hasn't expired
- TEMP_DATE=$( openssl x509 -in $dir/$cert -noout -dates 2>/dev/null | \
+ TEMP_DATE=$( openssl x509 -in $cert -noout -dates 2>/dev/null | \
 grep -i after|cut -d= -f2 )
 EXPIRE_IN_SECS=`date +%s --date $TEMP_DATE 2>/dev/null`
 if [ "`echo $EXPIRE_IN_SECS|egrep '^[0-9]+$'`" != "" ]; then
 NOW_IN_SECS=`date +%s 2>/dev/null`
 if [ "`echo $NOW_IN_SECS|egrep '^[0-9]+$'`" != "" ]; then
 if [ $NOW_IN_SECS -gt $EXPIRE_IN_SECS ]; then
- echo "$dir/$cert has EXPIRED. Disabling"
- mv -f $dir/$cert $dir/EXPIRED-${cert}
- $LOGGER "$dir/$cert has EXPIRED. Disabling"
+ echo "$cert has EXPIRED."
+ $LOGGER "$cert has EXPIRED."
 continue
 fi
 fi
@@ -79,18 +80,17 @@ for cert in $certlist ; do
 if [ "`echo $cert|grep server`" != "" ] ; then
 if [ "_$( echo $TEMP_PURPOSE | \
 egrep -i '(any purpose|server).* yes' )" = "_" ]; then
- echo "$dir/$cert is NOT a server cert. Disabled"
- mv -f $dir/$cert $dir/NOT-A-SERVER-CERT-${cert}
- $LOGGER "$dir/$cert is NOT a server cert. Disabled"
+ echo "$cert is NOT a server cert."
+ $LOGGER "$cert is NOT a server cert."
 continue
 fi
 fi
 if [ "`echo $cert|grep client`" != "" ] ; then
 if [ "_$( echo $TEMP_PURPOSE | egrep -i '(any purpose|client).* yes' )" = "_" ]; then
- echo "$dir/$cert is NOT a client cert. Disabled"
- mv -f $dir/$cert $dir/NOT-A-CLIENT-CERT-${cert}
- $LOGGER "$dir/$cert is NOT a client cert. Disabled"
+ echo " $cert is NOT a client cert."
+ $LOGGER "$cert is NOT a client cert."
+ continue
 fi
 fi
 fi
-- 
cgit v1.2.3
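Review bot: `exit1` in the new `-starttls` arm is a typo for `exit 1`; it is not a command, so the shell prints a command-not-found error and falls through to `certlist="$dir/servercert.pem $dir/clientcert.pem"` with `$dir` empty, after which the loop reports `/servercert.pem` and `/clientcert.pem` as missing instead of stopping. Change it to `exit 1`. Separately, the `-stunnel` and `-starttls` arms assign `certlist` where the old `-server`/`-client` arms appended, so passing both options keeps only the last one; appending (`-stunnel) certlist="$certlist /etc/stunnel/stunnel.pem" ;;`) would keep the options combinable as before. With the `mv` renames gone, a broken or expired cert now leaves nothing behind but a line on stdout and in syslog and the script still exits 0, so a caller cannot detect the failure; consider setting a flag on each `continue` path and finishing with a non-zero status (the end of the `for cert` loop is outside this hunk).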
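Review bot: The role checks at the top of this hunk still derive the expected purpose from the filename (`echo $cert|grep server` and `grep client`), but `$cert` is now a full path and the new `-stunnel` option supplies `/etc/stunnel/stunnel.pem`, which matches neither, so the stunnel cert receives no purpose/KeyUsage check at all while any directory component containing "server" or "client" would trigger the wrong one. Matching on the basename and naming stunnel.pem explicitly avoids both, e.g. `case "${cert##*/}" in servercert.pem|stunnel.pem) want=server ;; clientcert.pem) want=client ;; esac` and then branching on `$want` — this assumes stunnel.pem is used in the server role, which the diff does not show. Minor: the new `echo " $cert is NOT a client cert."` carries a stray leading space that the other messages do not. The enclosing `for cert` loop ends outside the hunk.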