From 7905a8003bc95c876d7e53f288e0aadcb6649a1e Mon Sep 17 00:00:00 2001 From: M1 Date: Wed, 18 Mar 2026 12:40:03 +0400 Subject: [PATCH] fix: clean up cert check - only runs after successful response, no more borrow errors --- apps/monitor/src/runner.rs | 27 +++++---------------------- 1 file changed, 5 insertions(+), 22 deletions(-) diff --git a/apps/monitor/src/runner.rs b/apps/monitor/src/runner.rs index a95707c..880b5a3 100644 --- a/apps/monitor/src/runner.rs +++ b/apps/monitor/src/runner.rs @@ -91,20 +91,7 @@ async fn run_check(client: &reqwest::Client, monitor: &Monitor, scheduled_at: Op } let is_https = monitor.url.starts_with("https://"); - let url_clone = monitor.url.clone(); - - // Wrap request + body read in a hard timeout. - // Cert check runs as a background task with a shorter cap so it never blocks - // the main check — if the cert TLS connect hangs (e.g. site totally down), - // we still report the result from the HTTP side within the configured timeout. - let cert_handle = if is_https { - Some(tokio::spawn(tokio::time::timeout( - std::time::Duration::from_secs(10), - async move { check_cert_expiry(&url_clone).await }, - ))) - } else { - None - }; + let url_for_cert = monitor.url.clone(); let timed = tokio::time::timeout(timeout, async { let resp = req.send().await?; @@ -127,10 +114,6 @@ async fn run_check(client: &reqwest::Client, monitor: &Monitor, scheduled_at: Op Ok::<_, reqwest::Error>((status, headers, body)) }).await; - // Cert check runs after the main request completes — only if the site responded. - // This prevents a separate TCP SYN to a hung host from blocking the timeout. - let cert_expiry_days: Option = None; // populated below after successful response - let latency_ms = start.elapsed().as_millis() as u64; // Flatten timeout + reqwest errors into a single result 
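Review bot: `let url_for_cert = monitor.url.clone();` in the first hunk allocates a new string on every check, including plain-HTTP monitors where it is never read. The clone no longer looks necessary now that the certificate check is awaited inline instead of being moved into a spawned task. As far as the visible hunks show, the later call could borrow directly with `check_cert_expiry(&monitor.url)` and this line could be dropped. If a borrow conflict elsewhere in `run_check` does force the copy, a one-line comment saying so would help. The function body starts and ends outside the hunk.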
@@ -155,18 +138,18 @@ async fn run_check(client: &reqwest::Client, monitor: &Monitor, scheduled_at: Op Ok((status_raw, headers, body)) => { let status = status_raw.as_u16(); - // Only attempt cert check if the site actually responded — avoids a second - // hung TCP connect to a down host. + // Only attempt cert check after a successful response — avoids opening + // a second TCP connection to a host that's already timing out. let cert_expiry_days = if is_https { match tokio::time::timeout( std::time::Duration::from_secs(5), - check_cert_expiry(&url_clone), + check_cert_expiry(&url_for_cert), ).await { Ok(Ok(days)) => days, _ => None, } } else { - cert_expiry_days + None }; // Evaluate query if present
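Review bot: The catch-all `_ => None` arm in the `cert_expiry_days` match collapses a 5-second timeout and a failed `check_cert_expiry` call into the same value a plain-HTTP monitor gets, so a certificate check that starts failing silently stops producing expiry data. Splitting it into `Ok(Err(e)) => { /* log e */ None }` and `Err(_) => { /* log cert-check timeout */ None }` would keep the two cases apart in the monitor's logs. Because the check sits only inside the `Ok((status_raw, headers, body))` arm, a request that fails during the TLS handshake never reaches it. If the client validates certificates (its configuration is outside this hunk), an already-expired certificate would then surface only as a generic request error with no expiry value, which is worth stating in the comment above the match. `run_check` starts and ends outside the hunk.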