From e1c2a336864ce6223762e8a6cdedfad765efd1cd Mon Sep 17 00:00:00 2001
From: MatheusAlves96
Date: Wed, 22 Apr 2026 22:53:15 -0300
Subject: [PATCH] fix: TLS check - use if/else instead of capturing openssl exit code

openssl x509 -checkend prints 'Certificate will not expire' to stdout, so the DAYS variable became a multiline string, never equal to '0'. Also downgraded cert-near-expiry to a warning (not deploy-blocking).
---
 .forgejo/workflows/deploy.yml | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/.forgejo/workflows/deploy.yml b/.forgejo/workflows/deploy.yml
index e2a0007..ca57f7d 100644
--- a/.forgejo/workflows/deploy.yml
+++ b/.forgejo/workflows/deploy.yml
@@ -182,12 +182,14 @@ jobs:
 | openssl x509 -noout -enddate 2>/dev/null | cut -d= -f2)
 echo "Expira: $EXPIRY"
 # Alpine usa busybox date — converte via openssl diretamente
- DAYS=$(echo | openssl s_client -connect ${{ vars.SSH_HOST }}:443 \
- -servername ${{ vars.DOMAIN }} 2>/dev/null \
- | openssl x509 -noout -checkend 604800 2>/dev/null; echo $?)
- # checkend retorna 0 se válido por mais de N segundos (604800 = 7 dias)
- [ "$DAYS" = "0" ] || (echo "❌ Cert expira em menos de 7 dias!" && exit 1)
- echo "✅ Certificado válido por mais de 7 dias (expira: $EXPIRY)"
+ # checkend retorna 0 se o cert NÃO expira nos próximos N segundos (604800 = 7 dias)
+ if echo | openssl s_client -connect ${{ vars.SSH_HOST }}:443 \
+ -servername ${{ vars.DOMAIN }} 2>/dev/null \
+ | openssl x509 -noout -checkend 604800 > /dev/null 2>&1; then
+ echo "✅ Certificado válido por mais de 7 dias (expira: $EXPIRY)"
+ else
+ echo "⚠️ Cert expira em menos de 7 dias (expira: $EXPIRY) — renovar em breve"
+ fi
 
 - name: GET /api/v1/properties
 run: |
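Review bot: The new `else` branch is reached for every non-zero exit of the pipeline, not only for a certificate within 7 days of expiry, so a failed `s_client` connection, an empty or unparsable certificate, and a certificate that has already expired all print the near-expiry warning and let the deploy continue. Downgrading near-expiry to a warning is the stated intent, but as written this step can no longer fail at all, and the message is wrong when the connection itself failed. I would fetch the certificate once, fail when nothing was retrieved or when `-checkend 0` reports it already expired, and keep the warning only for the 7-day window, as sketched below. Separately, `${{ vars.SSH_HOST }}` and `${{ vars.DOMAIN }}` are expanded into the script text unquoted; passing them through `env:` and quoting `"$SSH_HOST"` would be safer, though that predates this change. The step's `run:` block starts above the hunk, so the `EXPIRY` assignment is only partly visible.

```yaml
          # … unchanged: EXPIRY lookup and "Expira:" echo …
          # Fetch the certificate once; an empty result means the TLS connection or parse failed.
          CERT=$(echo | openssl s_client -connect ${{ vars.SSH_HOST }}:443 \
            -servername ${{ vars.DOMAIN }} 2>/dev/null \
            | openssl x509 2>/dev/null)
          if [ -z "$CERT" ]; then
            echo "❌ Não foi possível obter o certificado do servidor"
            exit 1
          fi
          # -checkend 0 fails only when the certificate has already expired.
          if ! printf '%s\n' "$CERT" | openssl x509 -noout -checkend 0 > /dev/null 2>&1; then
            echo "❌ Certificado já expirado (expira: $EXPIRY)"
            exit 1
          fi
          if printf '%s\n' "$CERT" | openssl x509 -noout -checkend 604800 > /dev/null 2>&1; then
          # … unchanged: success echo, else-branch warning, fi …
```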