IS_NGINX_LETSENCRYPT_UPTODATE: new check

verify that the letsencrypt snippet is compatible with the current 
version of Nginx
This commit is contained in:
Jérémy Lecour 2020-04-16 12:17:45 +02:00 committed by Jérémy Lecour
parent 985a57412f
commit dad08d7c3d
2 changed files with 20 additions and 3 deletions


@ -5,6 +5,8 @@ and this project **does not adhere to [Semantic Versioning](http://semver.org/sp
### Added ### Added
* IS_NGINX_LETSENCRYPT_UPTODATE: verify that the letsencrypt snippet is compatible with the current version of Nginx
### Changed ### Changed
### Deprecated ### Deprecated


@ -1241,7 +1241,7 @@ check_apt_valid_until() {
fi fi
} }
check_chrooted_binary_not_uptodate() { check_chrooted_binary_uptodate() {
# list of processes to check # list of processes to check
process_list="sshd" process_list="sshd"
for process_name in ${process_list}; do for process_name in ${process_list}; do
@ -1256,13 +1256,27 @@ check_chrooted_binary_not_uptodate() {
original_md5=$(md5sum "${original_bin}" | cut -f 1 -d ' ') original_md5=$(md5sum "${original_bin}" | cut -f 1 -d ' ')
# compare md5 checksums # compare md5 checksums
if [ "$original_md5" != "$chrooted_md5" ]; then if [ "$original_md5" != "$chrooted_md5" ]; then
failed "IS_CHROOTED_BINARY_NOT_UPTODATE" "${process_bin} (${pid}) is different than ${original_bin}." failed "IS_CHROOTED_BINARY_UPTODATE" "${process_bin} (${pid}) is different than ${original_bin}."
test "${VERBOSE}" = 1 || break test "${VERBOSE}" = 1 || break
fi fi
fi fi
done done
done done
} }
check_nginx_letsencrypt_uptodate() {
snippets=$(find /etc/nginx -type f -name "letsencrypt.conf")
while read -r snippet; do
if is_debian_jessie; then
if ! grep -qE "^\s*alias\s+/.+/\.well-known/acme-challenge" "${snippet}"; then
failed "IS_NGINX_LETSENCRYPT_UPTODATE" "Nginx snippet ${snippet} is not compatible with Nginx on Debian 8."
fi
else
if grep -qE "^\s*alias\s+/.+/\.well-known/acme-challenge" "${snippet}"; then
failed "IS_NGINX_LETSENCRYPT_UPTODATE" "Nginx snippet ${snippet} is not compatible with Nginx on Debian 9+."
fi
fi
done <<< "$snippets"
}
main() { main() {
# Default return code : 0 = no error # Default return code : 0 = no error
@ -1388,7 +1402,8 @@ main() {
test "${IS_OSPROBER:=1}" = 1 && check_osprober test "${IS_OSPROBER:=1}" = 1 && check_osprober
test "${IS_JESSIE_BACKPORTS:=1}" = 1 && check_jessie_backports test "${IS_JESSIE_BACKPORTS:=1}" = 1 && check_jessie_backports
test "${IS_APT_VALID_UNTIL:=1}" = 1 && check_apt_valid_until test "${IS_APT_VALID_UNTIL:=1}" = 1 && check_apt_valid_until
test "${IS_CHROOTED_BINARY_NOT_UPTODATE:=1}" = 1 && check_chrooted_binary_not_uptodate test "${IS_CHROOTED_BINARY_UPTODATE:=1}" = 1 && check_chrooted_binary_uptodate
test "${IS_NGINX_LETSENCRYPT_UPTODATE:=1}" = 1 && check_nginx_letsencrypt_uptodate
fi fi
#----------------------------------------------------------- #-----------------------------------------------------------
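Review bot: In check_nginx_letsencrypt_uptodate, when find matches no letsencrypt.conf the here-string still feeds one empty line to the loop, so grep runs on an empty filename; in the is_debian_jessie branch the negated `grep -q` then reports a spurious failure with a blank snippet name, and in the other branch grep prints an error to stderr. A guard at the top of the loop body, `test -f "${snippet}" || continue`, avoids both. The sibling check_chrooted_binary_uptodate stops after the first failure unless VERBOSE is set (`test "${VERBOSE}" = 1 || break`), whereas the new check reports every snippet regardless; that difference is worth aligning or at least stating in a comment. The is_debian_jessie call does not depend on the snippet and could be hoisted out of the loop.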