def test_wildcard(makecert, utcnow):
    """Check that a ``*.example.com`` certificate covers exactly one label.

    ``www.example.com`` must produce no domain-mismatch message, while
    ``foo.bar.example.com`` must produce exactly one. A wildcard that also
    matched deeper names would accept a certificate for hosts it was never
    issued for, so the negative case matters as much as the positive one.
    """
    from check_tls_certs import Domain
    from check_tls_certs import check

    mismatch_text = "doesn't match the certificate domain"
    wildcard_cert = makecert(cn='*.example.com')

    # Positive case: one label in place of the wildcard, no mismatch reported.
    results, expires = check(
        [(Domain('www.example.com'), [wildcard_cert])], utcnow)
    mismatches = [entry for entry in results if mismatch_text in entry[1]]
    assert mismatches == []
    assert (expires - utcnow).days > 360

    # Negative case: two labels in place of the wildcard. The single-element
    # unpacking fails unless exactly one mismatch message is present.
    results, expires = check(
        [(Domain('foo.bar.example.com'), [wildcard_cert])], utcnow)
    [mismatch] = [entry for entry in results if mismatch_text in entry[1]]
    assert (
        "foo.bar.example.com doesn't match the certificate domain "
        "*.example.com"
    ) in mismatch[1]
    # The expiry is still reported even though the name does not match.
    assert (expires - utcnow).days > 360
def test_expiration_far_in_future(makecert, utcnow):
    """Check the 'Valid until' message for a certificate with a long lifetime.

    With the fixture's default certificate the check must report exactly one
    message starting with 'Valid until', mention 364 remaining days, and
    return an earliest expiration 364 whole days after ``utcnow``.
    """
    from check_tls_certs import Domain
    from check_tls_certs import check

    domain = Domain('example.com')
    # presumably makecert() defaults to a lifetime of about 365 days; the
    # fixture is defined elsewhere - confirm there.
    default_cert = makecert()

    results, expires = check([(domain, [default_cert])], utcnow)

    # Single-element unpacking: fails unless exactly one message matches.
    [valid_until] = [
        entry for entry in results if entry[1].startswith('Valid until')
    ]
    assert '(364 days,' in valid_until[1]
    assert (expires - utcnow).days == 364
def test_check_self_signed(makecert, utcnow):
    """Check that a self-signed certificate is reported as a validation error.

    Exactly one message with level 'error' is expected, and its text must
    contain both 'Validation error' and 'self signed certificate'.
    """
    from check_tls_certs import Domain
    from check_tls_certs import check

    domain = Domain('example.com')
    # presumably the fixture issues a self-signed certificate - the
    # assertions below rely on it; confirm against the fixture definition.
    untrusted_cert = makecert()

    # The expiration half of the result is not examined by this test.
    results, _ = check([(domain, [untrusted_cert])], utcnow)

    # Single-element unpacking: fails unless there is exactly one error.
    [error_entry] = [entry for entry in results if entry[0] == 'error']
    error_text = error_entry[1]
    assert 'Validation error' in error_text
    # NOTE(review): if this text comes from the TLS library's verification
    # error, the wording depends on the library version (OpenSSL 3.x spells
    # it 'self-signed certificate') - confirm where the message originates.
    assert 'self signed certificate' in error_text
def test_expiration_within_warning_range(makecert, utcnow):
    """Check the message for a certificate inside the expiry warning window.

    A certificate issued for ``default_expiry_warn`` days must yield exactly
    one 'certificate expires on' message that reports one day less than the
    threshold, and the returned earliest expiration must agree with it.
    """
    from check_tls_certs import Domain
    from check_tls_certs import check
    from check_tls_certs import default_expiry_warn

    domain = Domain('example.com')
    expiring_cert = makecert(days=default_expiry_warn)

    results, expires = check([(domain, [expiring_cert])], utcnow)

    # Single-element unpacking: fails unless exactly one message matches.
    [expiry_entry] = [
        entry for entry in results if 'certificate expires on' in entry[1]
    ]
    # Whole days remaining come out one below the requested lifetime.
    days_left = default_expiry_warn - 1
    expected_fragment = '(%s days,' % days_left
    assert expected_fragment in expiry_entry[1]
    assert (expires - utcnow).days == days_left
def test_expiration_expired(makecert, utcnow):
    """Check that an already-expired certificate is reported as expired.

    The certificate is issued for one day and the check is run with a clock
    one day later, so exactly one 'certificate has expired on' message is
    expected and the earliest expiration must lie before the check time.
    """
    from check_tls_certs import Domain
    from check_tls_certs import check
    import datetime

    domain = Domain('example.com')
    short_lived_cert = makecert(days=1)

    # Move the reference clock past the certificate's one-day lifetime.
    check_time = utcnow + datetime.timedelta(days=1)
    results, expires = check([(domain, [short_lived_cert])], check_time)

    # Single-element unpacking: fails unless exactly one message matches.
    [expired_entry] = [
        entry for entry in results if 'certificate has expired on' in entry[1]
    ]
    assert expired_entry[1].startswith('The certificate has expired on')
    # A negative day count means the expiry lies before the check time.
    assert (expires - check_time).days < 0