Get domains whose SSL has expired

Hello Team,

The `certbot certificates` command is useful to get all domains with an expiration date. Our application is white-label, so there are hundreds of domains that are linked to our server; each domain has a separate Nginx file, and we generate SSL for each of them.

Now, I want to get a list of domains whose SSL has expired. How to get this data?


My domain is: We have a white-label product, so there are hundreds of domains that link to our server.

I ran this command: certbot certificates

It produced this output: Get all domains with an expiration date

My web server is (include version): nginx/1.18.0

The operating system my web server runs on is (include version): Ubuntu 20.04.1 LTS

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): 0.40.0

You can't. Currently, certbot doesn't have a filtering method for such things. I have coded a very initial piece to support filtering, including filtering out expired or non-expired (leaving just the expired) certificates: Add `--cert-filter` option to filter out certain certificates when running `certbot certificates` by osirisinferi · Pull Request #8975 · certbot/certbot · GitHub. But it's still early, I haven't looked at it for a time, and it's unknown if the certbot team even wants such a feature.

Also, another method would be parsing the certbot output, but its current output is highly unsuitable for parsing. I've also made a pull request (Add JSON output to `certbot certificates` by osirisinferi · Pull Request #8437 · certbot/certbot · GitHub) for JSON output for easy parsing, but that too is rather stale, waiting on input from the team.


While it doesn't use certbot: as you should have a list of domains that should point to your server (because you don't have a reason to host non-paying customers), you could write a script that curls all of those domains and filters out which ones errored.


Sorry, but I did not get you. Can you please explain in detail?

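A Pythonish pseudocode:

```python
import requests

customer_domains = ["example.com"]  # placeholder: your list of customer domains
certerrdomains = []

for domain in customer_domains:
    try:
        requests.get(f"https://{domain}", timeout=10)
    except requests.exceptions.RequestException as error:
        # if it errors, you should check whether it is an SSLError or not
        certerrdomains.append(domain)
print(certerrdomains)
```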

IMHO, it would make more sense to iterate all the nginx configuration files looking for SSL Certificate lines, then inspect all those certificates on disk.


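The approach suggested in the last reply, sketched as an added example that is not part of the original thread or of certbot: it collects the `ssl_certificate` paths from the nginx files and checks each certificate on disk with `openssl x509 -checkend`. The function names and the default directory `/etc/nginx/sites-enabled` are assumptions, as is one directive per line.

```shell
# Added example; function names and the default directory are assumptions.

# Print each unique certificate path named by an ssl_certificate directive.
# ssl_certificate_key and commented-out lines do not match the pattern.
# grep -R (not -r) is used so symlinked site files are followed.
list_cert_paths() (
    conf_dir=${1:-/etc/nginx/sites-enabled}
    grep -RhE '^[[:space:]]*ssl_certificate[[:space:]]' "$conf_dir" 2>/dev/null |
        sed -E 's/^[[:space:]]*ssl_certificate[[:space:]]+([^;]+);.*/\1/' |
        tr -d "\"'" | sort -u
)

# Print one tab-separated line per problem certificate:
#   MISSING <path>              file named in the config is not readable
#   EXPIRED <path> <notAfter>   certificate expires within $2 seconds
# $2 defaults to 0, which reports only certificates that have already expired.
# A file openssl cannot parse is also reported as EXPIRED, with an empty date.
expired_certs() (
    conf_dir=${1:-/etc/nginx/sites-enabled}
    window=${2:-0}
    list_cert_paths "$conf_dir" | while IFS= read -r cert; do
        if [ ! -r "$cert" ]; then
            printf 'MISSING\t%s\n' "$cert"
        elif ! openssl x509 -in "$cert" -noout -checkend "$window" >/dev/null 2>&1; then
            end=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null | cut -d= -f2)
            printf 'EXPIRED\t%s\t%s\n' "$cert" "$end"
        fi
    done
)
```

Run `expired_certs /etc/nginx/sites-enabled` as a user that can read the certificate files; pass a second argument such as `604800` to also list certificates that expire within a week.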