Don't check the certificate when the connection failed
authorTom Hughes <tom@compton.nu>
Fri, 26 Jan 2018 15:30:13 +0000 (15:30 +0000)
committerTom Hughes <tom@compton.nu>
Fri, 26 Jan 2018 15:30:13 +0000 (15:30 +0000)
cookbooks/letsencrypt/files/default/bin/check-certificate

index 35fbbed..f3599a3 100755 (executable)
@@ -21,13 +21,15 @@ rescue StandardError => error
   puts "Error connecting to #{host}: #{error.message}"
 end
 
-certificate = ssl.peer_cert
+if ssl
+  certificate = ssl.peer_cert
+
+  if Time.now < certificate.not_before
+    puts "Certificate #{domains.first} on #{host} not valid until #{certificate.not_before}"
+  elsif certificate.not_after - Time.now < 21 * 86400
+    puts "Certificate #{domains.first} on #{host} expires at #{certificate.not_after}"
+  end
 
-if Time.now < certificate.not_before
-  puts "Certificate #{domains.first} on #{host} not valid until #{certificate.not_before}"
-elsif certificate.not_after - Time.now < 21 * 86400
-  puts "Certificate #{domains.first} on #{host} expires at #{certificate.not_after}"
-else
   subject_alt_name = certificate.extensions.find { |e| e.oid == "subjectAltName" }
 
   if subject_alt_name.nil?
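Review bot: The new `if ssl` guard only skips the checks when `ssl` is still nil after the `rescue`, and the assignment sits in the `begin` body above this hunk, so that cannot be confirmed from here. If the socket wrapper is constructed before the handshake call, a failed handshake leaves `ssl` truthy while `ssl.peer_cert` returns nil, and `certificate.not_before` then raises NoMethodError instead of reporting the problem. Guarding on the certificate as well would close that gap, for example `if certificate.nil?` followed by `puts "No certificate received from #{host}"` directly after `certificate = ssl.peer_cert`, with the existing checks moved under an `else`. Separately, dropping the old `else` means the subjectAltName comparison now also runs after an expiry warning has been printed; a short comment such as `# always verify names, even if the certificate is close to expiry` would record that this is intended.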
@@ -47,6 +49,6 @@ else
       puts "Certificate #{domains.first} on #{host} has unexpected subjectAltName #{name}"
     end
   end
-end
 
-ssl.close
+  ssl.close
+end