Feat: Use keylog event to obtain TLS certificate for better reliability [1.23.X] (#4630)

Co-authored-by: Frank Elsinga <frank@elsinga.de>

server/model/monitor.js

@@ -512,6 +512,12 @@ class Monitor extends BeanModel {
                         }
                     }
 
+                    let tlsInfo;
+                    // Store tlsInfo when key material is received
+                    options.httpsAgent.on("keylog", (line, tlsSocket) => {
+                        tlsInfo = checkCertificate(tlsSocket);
+                    });
+
                     log.debug("monitor", `[${this.name}] Axios Options: ${JSON.stringify(options)}`);
                     log.debug("monitor", `[${this.name}] Axios Request`);
 
@@ -521,29 +527,20 @@ class Monitor extends BeanModel {
                     bean.msg = `${res.status} - ${res.statusText}`;
                     bean.ping = dayjs().valueOf() - startTime;
 
-                    // Check certificate if https is used
+                    // Store certificate and check for expiry if https is used
-                    let certInfoStartTime = dayjs().valueOf();
                     if (this.getUrl()?.protocol === "https:") {
-                        log.debug("monitor", `[${this.name}] Check cert`);
+                        // No way to listen for the `secureConnection` event, so we do it here
-                        try {
+                        const tlssocket = res.request.res.socket;
-                            let tlsInfoObject = checkCertificate(res);
-                            tlsInfo = await this.updateTlsInfo(tlsInfoObject);
 
+                        if (tlssocket) {
+                            tlsInfo.valid = tlssocket.authorized || false;
+                        }
+
+                        await this.updateTlsInfo(tlsInfo);
                         if (!this.getIgnoreTls() && this.isEnabledExpiryNotification()) {
                             log.debug("monitor", `[${this.name}] call checkCertExpiryNotifications`);
-                                await this.checkCertExpiryNotifications(tlsInfoObject);
+                            await this.checkCertExpiryNotifications(tlsInfo);
                         }
-
-                        } catch (e) {
-                            if (e.message !== "No TLS certificate in response") {
-                                log.error("monitor", "Caught error");
-                                log.error("monitor", e.message);
-                            }
-                        }
-                    }
-
-                    if (process.env.TIMELOGGER === "1") {
-                        log.debug("monitor", "Cert Info Query Time: " + (dayjs().valueOf() - certInfoStartTime) + "ms");
                     }
 
                     if (process.env.UPTIME_KUMA_LOG_RESPONSE_BODY_MONITOR_ID === this.id) {

server/util-server.js

@@ -716,20 +716,27 @@ const parseCertificateInfo = function (info) {
 
 /**
  * Check if certificate is valid
- * @param {Object} res Response object from axios
+ * @param {tls.TLSSocket} socket TLSSocket, which may or may not be connected
  * @returns {Object} Object containing certificate information
  */
-exports.checkCertificate = function (res) {
+exports.checkCertificate = function (socket) {
-    if (!res.request.res.socket) {
+    let certInfoStartTime = dayjs().valueOf();
-        throw new Error("No socket found");
+
+    // Return null if there is no socket
+    if (socket === undefined || socket == null) {
+        return null;
     }
 
-    const info = res.request.res.socket.getPeerCertificate(true);
+    const info = socket.getPeerCertificate(true);
-    const valid = res.request.res.socket.authorized || false;
+    const valid = socket.authorized || false;
 
     log.debug("cert", "Parsing Certificate Info");
     const parsedInfo = parseCertificateInfo(info);
 
+    if (process.env.TIMELOGGER === "1") {
+        log.debug("monitor", "Cert Info Query Time: " + (dayjs().valueOf() - certInfoStartTime) + "ms");
+    }
+
     return {
         valid: valid,
         certInfo: parsedInfo