From 53805f07ba0c9d794e2328513341467a43630548 Mon Sep 17 00:00:00 2001 From: George Kalpakas Date: Sat, 2 May 2020 16:14:09 +0300 Subject: [PATCH] test(docs-infra): check TLS certificates as part of preview server's health check (#36837) In order to ease local development, self-signed SSL/TLS certificates are created when building the preview server Docker image. These certificates are valid for 365 days. Thus, it is possible for an old certificate to be re-used past its expiration date due to Docker's caching intermediate layers. Previously, this would lead to hard-to-debug failures in the `aio-health-check` and `aio-verify-setup` checks. Even after finding out that the failures were caused by an expired certificate, it was not obvious why that would be the case. This commit adds an additional check to the `aio-health-check` command that checks the certificates' expiration dates. This helps surface such errors. It also prints a more helpful message, prompting the user to build the Docker image with the `--no-cache` option to fix the problem with self-signed certificates. PR Close #36837 --- .../dockerbuild/scripts-sh/health-check.sh | 32 +++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/aio/aio-builds-setup/dockerbuild/scripts-sh/health-check.sh b/aio/aio-builds-setup/dockerbuild/scripts-sh/health-check.sh index 6a50c22175..1cb8ba0a90 100644 --- a/aio/aio-builds-setup/dockerbuild/scripts-sh/health-check.sh +++ b/aio/aio-builds-setup/dockerbuild/scripts-sh/health-check.sh 
@@ -8,10 +8,32 @@ exitCode=0 # Helpers +function checkCert { + local certPath=$1 + + if [[ ! -f "$certPath" ]]; then + echo "Certificate '$certPath' does not exist. Skipping expiration check..." + return + fi + + openssl x509 -checkend 0 -in "$certPath" -noout > /dev/null + reportStatus "Certificate '$certPath'" + + if [[ $? -ne 0 ]]; then + echo " [WARN]" + echo " If you did not provide the certificate explicitly, try running the" + echo " 'docker build' command again with the '--no-cache' option to generate" + echo " a new self-signed certificate." + fi +} + function reportStatus { local lastExitCode=$? + echo "$1: $([[ $lastExitCode -eq 0 ]] && echo OK || echo NOT OK)" [[ $lastExitCode -eq 0 ]] || exitCode=1 + + return $lastExitCode } @@ -28,6 +50,16 @@ for s in ${services[@]}; do done +# Check SSL/TLS certificates expiration +certs=( + "$AIO_LOCALCERTS_DIR/$AIO_DOMAIN_NAME.crt" + "$TEST_AIO_LOCALCERTS_DIR/$TEST_AIO_DOMAIN_NAME.crt" +) +for c in ${certs[@]}; do + checkCert $c +done + + # Check servers origins=( http://$AIO_PREVIEW_SERVER_HOSTNAME:$AIO_PREVIEW_SERVER_PORT
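Review bot: In `checkCert`, a missing certificate file takes the early `return` with status 0 and never reaches `reportStatus`, so the health check stays green when the path is wrong or the variables that build it are empty. If the skip is meant only for optional certificates, a comment above the `-f` test should say so; otherwise set `exitCode=1` there. `-checkend 0` rejects only a certificate that has already expired, so one that lapses shortly after the check still reports OK; a margin such as `-checkend 86400` would give a day's notice. The `[[ $? -ne 0 ]]` test works only while nothing is inserted between it and the `reportStatus` call; `if ! reportStatus "Certificate '$certPath'"; then` states the dependency directly. The added `return $lastExitCode` also changes what every existing `reportStatus` caller sees, which would abort the script at the first failed check if it runs under `set -e` (not visible in this hunk).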
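Review bot: The new loop expands `${certs[@]}` and `$c` unquoted, so a certificate directory or domain name containing whitespace or glob characters is split or expanded before `checkCert` receives it. The `-f` test then sees fragments, reports them as missing and skips the expiry check without failing. Writing `for c in "${certs[@]}"; do` and `checkCert "$c"` keeps each path as one word. The existing `for s in ${services[@]}` loop shown in the hunk header has the same pattern, so it may be a file-wide convention worth fixing in one pass.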