Get domains whose SSL has expired

Hello Team,

The certbot certificates command is useful to get all domains with an expiration date. Our application is white-label, so there are hundreds of domains that are linked to our server; each domain has a separate nginx file, and we generate SSL for each of them.

Now, I want to get a list of domains whose SSL has expired. How to get this data?

Thanks

My domain is: We have a white-label product, so there are hundreds of domains that link to our server.

I ran this command: certbot certificates

It produced this output: Get all domains with an expiration date

My web server is (include version): nginx/1.18.0

The operating system my web server runs on is (include version): Ubuntu 20.04.1 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

You can't. Currently, certbot doesn't have a filtering method for such things. I have coded a very initial piece to support filtering, including filtering out expired or non-expired (leaving just the expired) certificates: Add `--cert-filter` option to filter out certain certificates when running `certbot certificates` by osirisinferi · Pull Request #8975 · certbot/certbot · GitHub. But it's still early, I haven't looked at it for a time, and it's unknown if the certbot team even wants such a feature.

Also, another method would be parsing the certbot output, but its current output is highly unsuitable for parsing. I've also made a pull request (Add JSON output to `certbot certificates` by osirisinferi · Pull Request #8437 · certbot/certbot · GitHub) for JSON output for easy parsing, but that too is rather stale, waiting on input from the team.

2 Likes

While it doesn't use certbot, as you should have a list of domains that should point to your server (because you don't have a reason to host non-paying customers), you could write a script that curls each of those domains and filters out which ones errored.

2 Likes

Sorry, but I did not get you. Can you please explain in detail?

A Pythonish pseudocode:

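```python
import requests

customer_domains = []  # fill in with the domains that point to your server
certerrdomains = []

for domain in customer_domains:
    try:
        requests.get(f"https://{domain}", timeout=10)
    except requests.exceptions.RequestException as error:
        # if it errors, you should check whether it is an SSLError or not
        certerrdomains.append(domain)
print(certerrdomains)
```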
2 Likes

IMHO, it would make more sense to iterate all the nginx configuration files looking for SSL Certificate lines, then inspect all those certificates on disk.

1 Like
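
The last suggestion in the thread (read the `ssl_certificate` lines from the nginx files, then inspect those certificates on disk) could look like the sketch below. It is an added example, not code from the thread or from certbot. It assumes the per-domain files sit in one directory (`/etc/nginx/sites-enabled` here), that certificate paths are absolute, and that the `openssl` CLI is installed; the function names are made up for illustration.

```python
import re
import subprocess
from datetime import datetime, timezone
from pathlib import Path

# Matches "ssl_certificate <path>;" but not "ssl_certificate_key" or commented-out lines.
CERT_DIRECTIVE = re.compile(r"^\s*ssl_certificate\s+([^;]+);", re.MULTILINE)

def find_cert_paths(conf_dir):
    """Map each certificate path to the nginx config files that reference it."""
    found = {}
    for conf in sorted(Path(conf_dir).iterdir()):
        if conf.is_file():
            for match in CERT_DIRECTIVE.finditer(conf.read_text(errors="replace")):
                path = match.group(1).strip().strip("'\"")
                found.setdefault(path, []).append(conf.name)
    return found

def parse_enddate(line):
    """Parse openssl's 'notAfter=Jun  1 12:00:00 2021 GMT' into an aware datetime."""
    value = line.strip().split("=", 1)[1]
    parsed = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)

def read_not_after(cert_path):
    """Ask the openssl CLI for the expiry date of the first certificate in the file."""
    out = subprocess.run(
        ["openssl", "x509", "-noout", "-enddate", "-in", cert_path],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_enddate(out)

def expired_certs(conf_dir, now=None, read_expiry=read_not_after):
    """Return [(cert_path, not_after, conf_files)] for certificates past notAfter."""
    now = now or datetime.now(timezone.utc)
    expired = []
    for path, confs in find_cert_paths(conf_dir).items():
        try:
            not_after = read_expiry(path)
        except (subprocess.CalledProcessError, ValueError):
            continue  # openssl could not read this file; it is not reported as expired
        if not_after <= now:
            expired.append((path, not_after, confs))
    return expired

if __name__ == "__main__":
    # Assumed config directory; adjust to where your per-domain files live.
    for path, not_after, confs in expired_certs("/etc/nginx/sites-enabled"):
        print(f"{not_after:%Y-%m-%d}  {path}  ({', '.join(confs)})")
```

Run it as root so the files under `/etc/letsencrypt/live/` are readable; with certbot's layout the directory name in each reported path is the certificate name.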
