From 9f71b4b296298f2a8832dffc6257c4d0df327ee7 Mon Sep 17 00:00:00 2001
From: Dan Mick
Date: Wed, 13 Mar 2024 12:33:50 -0700
Subject: [PATCH] checkcerts.py: certificate errors were not noted

When a certificate is already expired, its expiry was not noted (loop exited early). This stills doesn't explain the lack of early warning, but at least it'll fix the "no email on actual errors" issue.

Signed-off-by: Dan Mick
---
 tools/checkcerts.py | 28 ++++++++++++++++------------
 1 file changed, 16 insertions(+), 12 deletions(-)

diff --git a/tools/checkcerts.py b/tools/checkcerts.py
index e0d3efc..f195074 100755
--- a/tools/checkcerts.py
+++ b/tools/checkcerts.py
@@ -85,25 +85,29 @@ def main():
     warned = False
     for domain in domains:
+        errstr = None
+        certerr = False
         warn = datetime.timedelta(days=DAYS_BEFORE_WARN)
         try:
             with socket.create_connection((domain, 443)) as sock:
                 with context.wrap_socket(sock, server_hostname=domain) as ssock:
                     cert = ssock.getpeercert()
         except (ssl.CertificateError, ssl.SSLError) as e:
-            print(f'{domain} cert error: {e}', file=sys.stderr)
-            continue
-        expire = datetime.datetime.strptime(cert['notAfter'],
-                                            '%b %d %H:%M:%S %Y %Z')
-        now = datetime.datetime.utcnow()
-        left = expire - now
-
-        leftstr = f'{domain:30s} cert: {str(left).rsplit(".",1)[0]} left until it expires'
+            certerr = True
+            errstr = f'{domain} cert error: {e}'
+
+        if not certerr:
+            expire = datetime.datetime.strptime(cert['notAfter'],
+                                                '%b %d %H:%M:%S %Y %Z')
+            now = datetime.datetime.utcnow()
+            left = expire - now
+
+            errstr = f'{domain:30s} cert: {str(left).rsplit(".",1)[0]} left until it expires'
         if not args.quiet:
-            print(leftstr, file=sys.stderr)
-        if left < warn and args.email:
-            subject = f'{domain}\'s SSL Cert is expiring soon.'
-            body = leftstr
+            print(errstr, file=sys.stderr)
+        if (certerr or (left < warn)) and args.email:
+            subject = f'Certificate problem with {domain}'
+            body = errstr
         email = args.email
         if email == []:
             email = DEFAULT_EMAIL
-- 
2.39.5
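Review bot: The unchanged clause `except (ssl.CertificateError, ssl.SSLError) as e:` still catches only TLS-layer failures, so a host that does not resolve, refuses the connection or times out makes `socket.create_connection()` raise `socket.gaierror`, `ConnectionRefusedError` or `TimeoutError` (all `OSError`), which propagates out of `main()`, aborts the loop and leaves that domain and every later one with no report and no email — the same "no email on actual errors" symptom this patch is addressing. Since `ssl.SSLError` is itself an `OSError` subclass, changing the clause to `except OSError as e:` covers the existing certificate cases plus the transport errors, and the new `certerr`/`errstr` path already does the rest. I cannot see whether a socket timeout is configured earlier in `main()`; if it is not, `socket.create_connection((domain, 443), timeout=<seconds>)` would keep one hung host from stalling the entire run. Separately, `datetime.datetime.utcnow()` on the new side is deprecated since Python 3.12; `datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)` keeps the arithmetic naive to match the `strptime` result. `main()` starts before this hunk and continues past it.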