Detect expired server certificates

Summary:
We have a check for whenever the server cert is expiring within 1 day; however, it turns out this doesn't count certificates that have already expired.
So adding a check for those that have already expired, and regenerating them if so.

We can safely handle parse failures by assuming the cert has expired.

Reviewed By: passy

Differential Revision: D8858740

fbshipit-source-id: 6e06f9b267bcaec497b7eedd3d6c1974c788aea2
John Knox
2018-07-16 07:11:04 -07:00
committed by Facebook Github Bot
parent 73c830fc1b
commit e844e4bd34


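--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -351,6 +351,11 @@ export default class CertificateProvider {
 if (!fs.existsSync(filename)) {
 return Promise.reject();
 }
+// openssl checkend is a nice feature but it only checks for certificates
+// expiring in the future, not those that have already expired.
+// So we need a separate check for certificates that have already expired
+// but since this involves parsing date outputs from openssl, which is less
+// reliable, keeping both checks for safety.
 return openssl('x509', {
 checkend: minCertExpiryWindowSeconds,
 in: filename,
@@ -359,6 +364,31 @@ export default class CertificateProvider {
 .catch(e => {
 console.warn(`Certificate will expire soon: $(unknown)`, logTag);
 throw e;
+})
+.then(_ =>
+openssl('x509', {
+enddate: true,
+in: filename,
+noout: true,
+}),
+)
+.then(endDateOutput => {
+const dateString = endDateOutput
+.trim()
+.split('=')[1]
+.trim();
+const expiryDate = Date.parse(dateString);
+if (isNaN(expiryDate)) {
+console.error(
+'Unable to parse certificate expiry date: ' + endDateOutput,
+);
+throw new Error(
+'Cannot parse certificate expiry date. Assuming it has expired.',
+);
+}
+if (expiryDate <= Date.now() + minCertExpiryWindowSeconds * 1000) {
+throw new Error('Certificate has expired or will expire soon.');
+}
 });
 }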
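Review bot: `Date.parse(dateString)` in the new `.then` depends on the engine's non-standard legacy date parser for openssl's `notAfter=Mon DD HH:MM:SS YYYY GMT` output; only the ISO format is guaranteed by the spec, so a differently formatted line could parse to a valid but wrong timestamp and pass the expiry comparison silently instead of reaching the NaN fallback the description relies on. Matching that output shape explicitly and building the timestamp with `Date.UTC` keeps the fail-closed behaviour (unparseable means expired) without the lenient parse; it also removes the `.split('=')[1].trim()` chain, which throws a TypeError on output containing no `=` — the promise still rejects, but the `console.error` line is skipped. Minor: `isNaN(expiryDate)` should be `Number.isNaN(expiryDate)`. The enclosing method begins before this hunk.
```javascript
      .then(endDateOutput => {
        // `openssl x509 -enddate -noout` prints "notAfter=Mon DD HH:MM:SS YYYY GMT";
        // match that shape explicitly rather than relying on lenient Date.parse.
        const MONTHS = ['Jan', 'Feb', 'Mar', 'Apr', 'May', 'Jun', 'Jul', 'Aug', 'Sep', 'Oct', 'Nov', 'Dec'];
        const m = /^notAfter=\s*([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{2}):(\d{2}):(\d{2})\s+(\d{4})\s+GMT$/.exec(
          endDateOutput.trim(),
        );
        const monthIndex = m ? MONTHS.indexOf(m[1]) : -1;
        if (!m || monthIndex < 0) {
          console.error('Unable to parse certificate expiry date: ' + endDateOutput);
          throw new Error('Cannot parse certificate expiry date. Assuming it has expired.');
        }
        const expiryDate = Date.UTC(
          Number(m[6]), monthIndex, Number(m[2]), Number(m[3]), Number(m[4]), Number(m[5]),
        );
        // … unchanged: expiry-window comparison …
      });
```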