authorGravatar Christian Hesse <mail@eworm.de>2023-01-26 21:20:10 +0100
committerGravatar Christian Hesse <mail@eworm.de>2023-01-26 21:35:35 +0100
commitf62328ee8db1aee7efa199081f9d52bba0e61eb2 (patch)
tree5a54dedca78c2b7c213fd09e2415c3817f58c215 /check-certificates
parentb0d3e3d5f4775883554823ec26df36b00e4a5544 (diff)
check-certificates: handle decryption failures and warn
If a download succeeds, at least one of the given passphrases is expected to decrypt a key in the file.
Diffstat (limited to 'check-certificates')
-rw-r--r--check-certificates11
1 files changed, 10 insertions, 1 deletions
diff --git a/check-certificates b/check-certificates
index 2bf2443..8a06f8b 100644
--- a/check-certificates
+++ b/check-certificates
@@ -49,11 +49,20 @@ $WaitFullyConnected;
/tool/fetch check-certificate=yes-without-crl \
($CertRenewUrl . $CertFileName) dst-path=$CertFileName as-value;
$WaitForFile $CertFileName;
+
+ :local DecryptionFailed true;
:foreach PassPhrase in=$CertRenewPass do={
- /certificate/import file-name=$CertFileName passphrase=$PassPhrase as-value;
+ :local Result [ /certificate/import file-name=$CertFileName passphrase=$PassPhrase as-value ];
+ :if ($Result->"decryption-failures" = 0) do={
+ :set DecryptionFailed false;
+ }
}
/file/remove [ find where name=$CertFileName ];
+ :if ($DecryptionFailed = true) do={
+ $LogPrintExit2 warning $0 ("Decryption failed for certificate file " . $CertFileName) false;
+ }
+
:foreach CertInChain in=[ /certificate/find where name~("^" . $CertFileName . "_[0-9]+\$") common-name!=($CertVal->"common-name") ] do={
$CertificateNameByCN [ /certificate/get $CertInChain common-name ];
}
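Review bot: The success test on the added `:if ($Result->"decryption-failures" = 0)` line treats a zero failure count as proof that a key was decrypted, but that count is also zero when the downloaded file contains no encrypted key at all, so a certificate-only or otherwise unexpected file never triggers the warning the description promises. Checking that a key was actually imported is closer to the stated intent, e.g. `:if ($Result->"decryption-failures" = 0 && $Result->"private-keys-imported" > 0) do={`; `private-keys-imported` is part of the interactive import output, so confirm the as-value result exposes it under that name. Note also that the warning does not stop the script (the trailing `false` passed to `$LogPrintExit2` presumably means "do not exit"), so the chain-renaming loop below runs on whatever was imported even when every passphrase failed; consider whether a `:return` or exit is wanted there. The enclosing block starts before this hunk, so the origin of `$CertRenewPass` and `$CertVal` is not visible here.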