2019-05-06
Making checking SSL certificates before installing them a bit more robust
With all the automated updates of certificates as described in Enabling Server Name Indication (SNI) on my webserver and Automating Let's Encrypt certificates further, I wondered what would happen when some things got corrupt, most likely as a result of a full disk. A simple test showed that the checkcert utility would happily say two empty files are a match, because the sha256sum of two empty public keys is the same. Solution: do something with the exit status (errorlevel) of openssl, so that a key or certificate openssl cannot read never produces a digest that matches anything. New version of checkcert:
    #!/bin/sh
    # check ssl private key 1 with ssl pem encoded x509 certificate 2 public key
    # when openssl fails, a fixed marker word is hashed instead of the public key;
    # the two markers differ, so two unreadable files can never match each other.
    # the braces are needed: without them "a || b | sha256sum" only pipes the
    # fallback echo into sha256sum and leaves a successful openssl output unhashed
    SUMPRIVPUBKEY=`{ openssl pkey -in "$1" -pubout -outform pem || echo privkey; } | sha256sum`
    SUMCERTPUBKEY=`{ openssl x509 -in "$2" -noout -pubkey -outform pem || echo pubkey; } | sha256sum`
    if [ "${SUMPRIVPUBKEY}" = "${SUMCERTPUBKEY}" ]; then
        exit 0
    else
        exit 1
    fi

And now:

    koos@gosper:~$ /usr/local/bin/checkcert /dev/null /dev/null
    unable to load key
    139636148224064:error:0906D06C:PEM routines:PEM_read_bio:no start line:../crypto/pem/pem_lib.c:686:Expecting: ANY PRIVATE KEY
    unable to load certificate
    139678825668672:error:0906D06C:PEM routines:PEM_read_bio:no start line:../crypto/pem/pem_lib.c:686:Expecting: TRUSTED CERTIFICATE
    koos@gosper:~$ echo $?
    1
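As an added example, not the checkcert script from the post, here is the same key-and-certificate match test written as shell functions so it can be exercised against freshly generated test material: a matching pair must pass, a key paired with another certificate must fail, and two unreadable inputs (/dev/null, empty files) must fail instead of matching each other. The function names are mine; it assumes openssl and sha256sum are on the PATH.

```shell
#!/bin/sh
# Added example, not the checkcert script from the post: the same key/cert
# match check written as functions so it can be exercised against freshly
# generated test material. Assumes openssl and sha256sum are on the PATH.

# pubkey_digest KIND FILE
#   Print the sha256 of the PEM public key read from FILE (KIND is privkey
#   or cert). The openssl command and the fallback echo are grouped in braces
#   so that the pipe into sha256sum applies to both; on failure a KIND-specific
#   marker is hashed, so two unreadable inputs never produce equal digests.
pubkey_digest() {
    case "$1" in
        privkey)
            { openssl pkey -in "$2" -pubout -outform pem || echo "privkey-unreadable"; } \
                | sha256sum | cut -d' ' -f1
            ;;
        cert)
            { openssl x509 -in "$2" -noout -pubkey || echo "cert-unreadable"; } \
                | sha256sum | cut -d' ' -f1
            ;;
        *)
            echo "pubkey_digest: unknown kind $1" >&2
            return 2
            ;;
    esac
}

# checkcert PRIVKEY CERT
#   Return 0 when the certificate carries the public key of the private key,
#   1 otherwise (including when either file cannot be parsed by openssl).
checkcert() {
    priv=$(pubkey_digest privkey "$1")
    cert=$(pubkey_digest cert "$2")
    [ "$priv" = "$cert" ]
}

# make_test_pair PREFIX
#   Generate PREFIX.key (RSA 2048) and a matching self-signed PREFIX.crt.
#   Constructed test material only, for exercising checkcert offline.
make_test_pair() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null &&
    openssl req -new -x509 -key "$1.key" -subj "/CN=checkcert-demo" -days 1 -out "$1.crt" 2>/dev/null
}

# Behave like the original utility when invoked with two arguments.
if [ "$#" -eq 2 ]; then
    checkcert "$1" "$2"
    exit $?
fi
```

Run it with a key and a certificate as arguments to get the same 0/1 exit status as the original, or source it and call checkcert from another script. The braces around `openssl ... || echo ...` are the important detail: `a || b | sha256sum` parses as `a || (b | sha256sum)`, so without the grouping only the fallback word is hashed and a successful openssl output is compared unhashed. The openssl error messages are left on stderr on purpose, so a failing check in a cron job still shows which file was unreadable.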