Fix CheckCommand misbehaviour with self-signed certs

application/clicommands/CheckCommand.php

@@ -93,7 +93,8 @@ public function hostAction()
             ->columns([new Expression('MAX(GREATEST(%s, %s))', ['valid_from', 'issuer_certificate.valid_from'])])
             ->getSelectBase()
             ->resetWhere()
-            ->where(new Expression('sub_certificate_link.certificate_chain_id = target_chain.id'));
+            ->where(new Expression('sub_certificate_link.certificate_chain_id = target_chain.id'))
+            ->where(new Expression("sub_certificate.self_signed != 'y'"));
 
         // Sub query for `valid_to` column
         $validTo = $targets->createSubQuery(new X509Certificate(), 'chain.certificate');
@@ -102,16 +103,22 @@ public function hostAction()
             ->getSelectBase()
             // Reset the where clause generated within the createSubQuery() method.
             ->resetWhere()
-            ->where(new Expression('sub_certificate_link.certificate_chain_id = target_chain.id'));
+            ->where(new Expression('sub_certificate_link.certificate_chain_id = target_chain.id'))
+            ->where(new Expression("sub_certificate.self_signed != 'y'"));
 
         list($validFromSelect, $_) = $validFrom->dump();
         list($validToSelect, $_) = $validTo->dump();
         $targets
             ->withColumns([
-                'valid_from' => new Expression($validFromSelect),
-                'valid_to'   => new Expression($validToSelect)
+                'valid_from' => new Expression(
+                    sprintf('COALESCE((%s), target_chain_certificate.valid_from)', $validFromSelect)
+                ),
+                'valid_to'   => new Expression(
+                    sprintf('COALESCE((%s), target_chain_certificate.valid_to)', $validToSelect)
+                )
             ])
             ->getSelectBase()
+            ->distinct()
             ->where(new Expression('target_chain_link.order = 0'));
 
         if ($ip !== null) {