1
0
Fork 0
mirror of https://github.com/Luzifer/promcertcheck.git synced 2024-11-08 16:00:08 +00:00
promcertcheck/cert.go

99 lines
2.4 KiB
Go
Raw Normal View History

2015-09-04 13:36:49 +00:00
package main
import (
"crypto/x509"
"fmt"
"net/http"
"net/url"
"strings"
"time"
log "github.com/sirupsen/logrus"
2015-09-04 13:36:49 +00:00
)
type probeResult uint
const (
certificateOK probeResult = iota
certificateNotFound
certificateExpiresSoon
certificateInvalid
generalFailure
)
func (p probeResult) String() string {
switch p {
case certificateOK:
return "Certificate OK"
case certificateExpiresSoon:
return fmt.Sprintf("Certificate expires within %s", config.ExpireWarning)
case certificateInvalid:
return "Certificate invalid / intermediate certificates not present"
case certificateNotFound:
return "Did not find a certificate valid for this domain"
case generalFailure:
return "Something went wrong in the request"
}
return "" // This does not happen.
}
func checkCertificate(probeURL *url.URL) (probeResult, *x509.Certificate) {
checkLogger := log.WithFields(log.Fields{"probe_url": probeURL})
2015-09-04 13:36:49 +00:00
req, _ := http.NewRequest("HEAD", probeURL.String(), nil)
req.Header.Set("User-Agent", fmt.Sprintf("Mozilla/5.0 (compatible; PromCertcheck/%s; +https://github.com/Luzifer/promcertcheck)", version))
resp, err := http.DefaultClient.Do(req)
switch {
case err == nil:
case strings.Contains(err.Error(), redirectFoundError.Error()):
checkLogger.WithError(err).Warn("A redirect was found")
2015-09-04 13:36:49 +00:00
default:
checkLogger.WithError(err).Error("HTTP request failed")
return generalFailure, nil
2015-09-04 13:36:49 +00:00
}
resp.Body.Close()
intermediatePool := x509.NewCertPool()
var verifyCert *x509.Certificate
2016-09-29 09:40:55 +00:00
hostPort := strings.Split(probeURL.Host, ":")
host := hostPort[0]
2015-09-04 13:36:49 +00:00
for _, cert := range resp.TLS.PeerCertificates {
2016-09-29 09:40:55 +00:00
wildHost := "*" + host[strings.Index(host, "."):]
if !inSlice(cert.DNSNames, host) && !inSlice(cert.DNSNames, wildHost) {
2015-09-04 13:36:49 +00:00
intermediatePool.AddCert(cert)
continue
}
verifyCert = cert
}
if verifyCert == nil {
checkLogger.Debug("Certificate not found")
2015-09-04 13:36:49 +00:00
return certificateNotFound, nil
}
verificationResult := false
if _, err := verifyCert.Verify(x509.VerifyOptions{
Intermediates: intermediatePool,
}); err == nil {
verificationResult = true
}
if !verificationResult {
checkLogger.Debug("Certificate invalid")
2015-09-04 13:36:49 +00:00
return certificateInvalid, verifyCert
}
if verifyCert.NotAfter.Sub(time.Now()) < config.ExpireWarning {
checkLogger.Debug("Certificate expires soon")
2015-09-04 13:36:49 +00:00
return certificateExpiresSoon, verifyCert
}
checkLogger.Debug("Certificate OK")
2015-09-04 13:36:49 +00:00
return certificateOK, verifyCert
}