crypt-expiry-check: if cert is a chain, give the *oldest* expiry date

1 files changed, 5 insertions, 3 deletions

diff --git a/crypt-expiry-check.in b/crypt-expiry-check.in
index 22f0eba..624d801 100755
--- a/crypt-expiry-check.in
+++ b/crypt-expiry-check.in
@@ -410,6 +410,7 @@ check_file_status() {
         # Extract the expiration date from the certificate
         CERTDATE=$(${OPENSSL} x509 -in ${CERT_TMP} -enddate -noout | \
                  ${SED} 's/notAfter\=//')
+        CERTDATE=$(date +%s -d "${CERTDATE}")
 
         # Extract the issuer from the certificate
         CERTISSUER=$(${OPENSSL} x509 -in ${CERT_TMP} -issuer -noout | \
@@ -426,8 +427,9 @@ check_file_status() {
                    ${SED} -e 's/serial=//')
     else
         # Extract the expiration date from the ceriticate
-        CERTDATE=$(${OPENSSL} x509 -in ${CERTFILE} -enddate -noout -inform ${CERTTYPE} | \
-                 ${SED} 's/notAfter\=//')
+        CERTDATE=$(while ${OPENSSL} x509 -enddate -noout -inform ${CERTTYPE} 2>/dev/null; do :; done <${CERTFILE} | \
+                 ${SED} 's/notAfter\=//' | \
+                 xargs -rI __ date +%s -d "__")
 
         # Extract the issuer from the certificate
         CERTISSUER=$(${OPENSSL} x509 -in ${CERTFILE} -issuer -noout -inform ${CERTTYPE} | \
@@ -443,7 +445,7 @@ check_file_status() {
     fi
 
     # Convert the date to seconds, and get the diff between NOW and the expiration date
-    CERTDIFF=$[$(date +%s -d "${CERTDATE}") - $(date +%s)]
+    CERTDIFF=$[${CERTDATE} - $(date +%s)]
     if [ ${CERTDIFF} -lt 0 ]
     then
         CERTDIFF=$[$[${CERTDIFF}+1]/3600/24-1]