--- /dev/null
+#!/usr/bin/ruby
+
+require "net/http"
+
+domain = ARGV.first
+
+begin
+ connection = Net::HTTP.start(domain, :use_ssl => true)
+ certificate = connection.peer_cert
+
+ if Time.now < certificate.not_before
+ puts "Certificate #{domain} not valid until #{certificate.not_before}"
+ elsif certificate.not_after - Time.now < 14 * 86400
+ puts "Certificate #{domain} expires at #{certificate.not_after}"
+ else
+ subject_alt_name = certificate.extensions.find { |e| e.oid == "subjectAltName" }
+
+ if subject_alt_name.nil?
+ puts "Certificate #{domain} has no subject_alt_name"
+ else
+ alt_names = subject_alt_name.value.split(/\s*,\s*/).sort
+
+ ARGV.sort.each do |expected|
+ puts "Certificate #{domain} is missing subject_alt_name #{expected}" unless alt_names.shift == "DNS:#{expected}"
+ end
+
+ alt_names.each do |name|
+ puts "Certificate #{domain} has unexpected altName #{name}"
+ end
+ end
+ end
+
+ connection.finish
+rescue OpenSSL::SSL::SSLError => error
+ puts "Error connecting to #{domain}: #{error.message}"
+end
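Review bot: The `rescue` at the end of the new script only catches `OpenSSL::SSL::SSLError`, so a host that does not resolve, refuses the connection or times out raises `SocketError`, `Errno::*` or `Net::OpenTimeout` and aborts the whole run with a backtrace instead of the one-line report the other failures get; widen it to `rescue OpenSSL::SSL::SSLError, SocketError, SystemCallError, Timeout::Error => error`. The shift-based comparison of `alt_names` against `ARGV.sort` also desynchronises as soon as one expected name is absent: every later name is then reported missing and the name that was consumed by `shift` is never reported as unexpected, which makes the cron mail misleading; comparing the two lists as sets avoids this (rewrite below). Using the block form `Net::HTTP.start(domain, :use_ssl => true) do |connection| … end` would additionally close the connection when an exception escapes, which the explicit `connection.finish` does not.

```ruby
alt_names = subject_alt_name.value.split(/\s*,\s*/).sort
expected_names = ARGV.map { |name| "DNS:#{name}" }

ARGV.each do |expected|
  puts "Certificate #{domain} is missing subject_alt_name #{expected}" unless alt_names.include?("DNS:#{expected}")
end

(alt_names - expected_names).each do |name|
  puts "Certificate #{domain} has unexpected altName #{name}"
end
```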
end
end
+template "/srv/acme.openstreetmap.org/bin/check-certificates" do
+ source "check-certificates.erb"
+ owner "root"
+ group "root"
+ mode 0o755
+ variables :certificates => certificates
+end
+
template "/etc/cron.d/letsencrypt" do
source "cron.erb"
owner "root"
MAILTO=admins@openstreetmap.org
-0 */12 * * * letsencrypt /srv/acme.openstreetmap.org/bin/renew
+00 */12 * * * letsencrypt /srv/acme.openstreetmap.org/bin/renew
+30 */12 * * * letsencrypt /srv/acme.openstreetmap.org/bin/check-certificates