From 19c9ac3977e552670733e119b4cd7d5143da3789 Mon Sep 17 00:00:00 2001
From: John Denker <jsd@av8n.com>
Date: Sat, 14 Jul 2012 12:02:25 -0700
Subject: make the cert-checker more flexible and less destructive

---
 tools/qmail                 |  2 +-
 tools/qmail-tls-check_certs | 60 ++++++++++++++++++++++-----------------------
 2 files changed, 31 insertions(+), 31 deletions(-)

(limited to 'tools')

diff --git a/tools/qmail b/tools/qmail
index f2164d7..f765a8f 100755
--- a/tools/qmail
+++ b/tools/qmail
@@ -259,7 +259,7 @@ case "$verb" in
           echo "Beware: file '$file' is missing."
         fi
       done
-      /var/qmail/bin/qmail-tls-check_certs -server
+      /var/qmail/bin/qmail-tls-check_certs -stunnel
     ;;
     *)
             echo "Usage: $0 {start|stop|reload|zap|restart|status}"
diff --git a/tools/qmail-tls-check_certs b/tools/qmail-tls-check_certs
index 0d73596..a379399 100755
--- a/tools/qmail-tls-check_certs
+++ b/tools/qmail-tls-check_certs
@@ -10,17 +10,14 @@
 # valid, non-expired certs with the appropriate KeyUsage extensions
 # required to get their jobs done.
 # This script can be run on a nightly basis to check the cert status.
-# Note that when it marked as cert as "bad" (typically because it's
-# expired), it will be renamed, a syslog event generated, and probably
-# Qmail will STOP WORKING FOR NEW TLS SESSIONS.
+# Note that when a cert is "bad" (typically because it's
+# expired), we send a warning via syslog.
+# If the cert is bad, Qmail will STOP WORKING FOR NEW TLS SESSIONS.
 #
-# That may sound bad, but the alternative is that Qmail will stop working
-# for new TLS sessions *anyway* - it's just that this script will tell
-# you why...
+# The point of this script is to tell you *why* qmail is not working.
 
 LOGGER="logger -i -t qmail-tls-check_certs"
 
-dir=''
 dirlist="/etc/qmail/control /var/qmail/control"
 for trydir in $dirlist ; do
   if test -d $trydir ; then
@@ -28,49 +25,53 @@ for trydir in $dirlist ; do
     break
   fi
 done
-if test -z "$dir" ; then
-  1>&2 echo "Cannot find any control directory ($dirlist)"
-  exit 1
-fi
 
 certlist=""
 for arg in "$@" ; do
   case $arg in
-    -server) certlist="$certlist servercert.pem" ;;
-    -client) certlist="$certlist clientcert.pem" ;;
+    -stunnel) certlist=/etc/stunnel/stunnel.pem ;;
+    -starttls) 
+      if test -z "$dir" ; then
+        1>&2 echo "Sorry, can't find the control directory ($dirlist)"
+        exit1
+      fi
+      certlist="$dir/servercert.pem $dir/clientcert.pem"
+      ;;
     *) 1>&2 echo "Unrecognized verbiage: '$arg'"
        exit 1
   esac 
 done
 
 if test -z "$certlist" ; then
-  certlist="servercert.pem clientcert.pem"
+  if test -z "$dir" ; then
+    1>&2 echo "Cannot find any control directory ($dirlist)"
+    exit 1
+  fi
+  certlist="$dir/servercert.pem $dir/clientcert.pem"
 fi
 
 for cert in $certlist ; do
-    if ! test -f "$dir/$cert"; then
-        echo "Certificate missing: $dir/$cert"
+    if ! test -f "$cert"; then
+        echo "Certificate missing: $cert"
     else
         #First, check that it's a valid cert for the task
-        TEMP_PURPOSE=`openssl x509 -in $dir/$cert -noout -purpose 2>/dev/null`
+        TEMP_PURPOSE=`openssl x509 -in $cert -noout -purpose 2>/dev/null`
         if [ "$?" != "0" ]; then
-                echo "$dir/$cert is a broken cert. Disabled"
-                mv -f $dir/$cert $dir/BROKEN-${cert}
-                $LOGGER "$dir/$cert is a broken cert. Disabled"
+                echo "$cert is a broken cert."
+                $LOGGER "$cert is a broken cert."
                 continue
         fi
 
         #Now check it hasn't expired
-        TEMP_DATE=$( openssl x509 -in $dir/$cert -noout -dates 2>/dev/null | \
+        TEMP_DATE=$( openssl x509 -in $cert -noout -dates 2>/dev/null | \
                 grep -i after|cut -d= -f2 )
         EXPIRE_IN_SECS=`date +%s --date $TEMP_DATE 2>/dev/null`
         if [ "`echo $EXPIRE_IN_SECS|egrep '^[0-9]+$'`" != "" ]; then
             NOW_IN_SECS=`date +%s 2>/dev/null`
             if [ "`echo $NOW_IN_SECS|egrep '^[0-9]+$'`" != "" ]; then
                 if [ $NOW_IN_SECS -gt $EXPIRE_IN_SECS ]; then
-                    echo "$dir/$cert has EXPIRED. Disabling"
-                    mv -f $dir/$cert $dir/EXPIRED-${cert}
-                    $LOGGER "$dir/$cert has EXPIRED. Disabling"
+                    echo "$cert has EXPIRED."
+                    $LOGGER "$cert has EXPIRED."
                     continue
                 fi
             fi
@@ -79,18 +80,17 @@ for cert in $certlist ; do
         if [ "`echo $cert|grep server`" != "" ] ; then
             if [ "_$( echo $TEMP_PURPOSE | \
                     egrep -i '(any purpose|server).* yes' )" = "_" ]; then
-                echo "$dir/$cert is NOT a server cert. Disabled"
-                mv -f $dir/$cert $dir/NOT-A-SERVER-CERT-${cert}
-                $LOGGER "$dir/$cert is NOT a server cert. Disabled"
+                echo    "$cert is NOT a server cert."
+                $LOGGER "$cert is NOT a server cert."
                 continue
             fi
         fi
         if [ "`echo $cert|grep client`" != "" ] ; then
             if [ "_$( echo $TEMP_PURPOSE |
                    egrep -i '(any purpose|client).* yes' )" = "_" ]; then
-                echo "$dir/$cert is NOT a client cert. Disabled"
-                mv -f $dir/$cert $dir/NOT-A-CLIENT-CERT-${cert}
-                $LOGGER "$dir/$cert is NOT a client cert. Disabled"
+                echo "   $cert is NOT a client cert."
+                $LOGGER "$cert is NOT a client cert."
+                continue
             fi
         fi
     fi
-- 
cgit v1.2.3