How to query what domains are contained within a certificate

Thanks for your help

I’ve been using Let’s Encrypt for a while without issue, however I’m trying to implement some of the basic functions within a script (either bash or python).

I have a certificate for example name - domain.com. Within this certificate I have the following domains specified:
domain.com
nextcloud.domain.com
unifi.domain.com
xo.domain.com
pfsense.domain.com

Each of the domains is directed toward a specific server running the respective service (ie nextcloud, unifi controller, xo=xen orchestra, pfsense) through pfsense’s local DNS host override.

Is there a way for certbot or any other client (for example acme) to query the certificate name to discover the names of the domains contained within the certificate? This capability would be helpful after renewal of certificates. Once the master node employs certbot to renew the keys, identification of the individual domains would help ansible distribute the keys to their respective servers.

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.39.0

Try:
certbot certificates

Or you could get individual certs or one single wildcard cert (for all).

Thanks for suggestion

This code almost works:
certbot certificates | grep Domains | cut -d':' -f2

However every time the certbot certificates command is run I get:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
followed by the list of the domains.

I don’t find a manual entry for certbot

If your objective is to enable some logic in your configuration management, then you might just consider directly extracting the certificate info within your Ansible runbook:

e.g. https://docs.ansible.com/ansible/latest/modules/openssl_certificate_info_module.html will expose any certificate’s subject_alt_name list to you.


Really new at writing the playbooks. I like ansible a lot however from a lot of the posts I’ve submitted to ansible sub-reddit, they keep telling me that if you want to do a lot of logic within ansible, then perhaps ansible isn’t the language you want to use. I have no idea if this statement is accurate, since I’ve created a dictionary of dictionaries within ansible dynamically and read and modify individual dictionaries accordingly. Perhaps pure python may be a better tool, however I really like some of the pre-written modules within ansible.

Anyway back to the matter I posted about:
What I was complaining about before isn’t an issue. I was able to read the domains into a list within bash with code similar to this:

#!/usr/bin/env bash

# certbot prints "Saving debug log to ..." first; grep keeps only the
# "Domains: a b c" line(s) and cut strips the label, leaving a
# whitespace-separated string of names.
domains=$(/usr/local/bin/certbot certificates | grep Domains | cut -d':' -f2)

# $domains is a plain string, not an array, so iterate it unquoted and let
# word splitting produce one name per iteration.
for domain in $domains; do
  echo "$domain"
done

I guess my last question is the --deploy-hook script. Is there any way to test this script? certbot --dry-run skips running the --deploy-hook script (for obvious reasons). Within the --deploy-hook script however I have variables such as $RENEWED_LINEAGE and $RENEWED_DOMAINS. I suppose I could define these variables within the script for testing and then later undefine these, however is there a better method?


I don't know of a better method, really. When I've had to test my own deploy hooks in the past, I've just set the environment variables on the shell and called the script directly.

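The dry-run approach from the reply above, as an added example that is not part of this thread: a POSIX shell deploy hook that turns the RENEWED_DOMAINS certbot exports into a per-host copy plan, exercised once with the two variables set by hand. The name-to-host mapping, the hostnames and the lineage path are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the thread: a deploy-hook body driven by the two
# variables certbot exports (RENEWED_LINEAGE, RENEWED_DOMAINS), plus a dry run
# that sets them by hand and calls the hook directly.
set -eu

# Hypothetical mapping of SAN -> host that serves it; certbot keeps no such
# table, it only tells the hook which names were just renewed.
target_host() {
  case "$1" in
    nextcloud.domain.com) echo nextcloud ;;
    unifi.domain.com)     echo unifi ;;
    xo.domain.com)        echo xo ;;
    pfsense.domain.com)   echo pfsense ;;
    *)                    return 1 ;;
  esac
}

# Print one "name host fullchain privkey" line per renewed name that has a
# target; names without one (e.g. the bare apex) are reported on stderr.
# A real hook would replace the printf with the scp/ansible step per line.
deploy_hook() {
  lineage="${RENEWED_LINEAGE:?certbot exports this; set it by hand to test}"
  names="${RENEWED_DOMAINS:?certbot exports this; set it by hand to test}"
  for name in $names; do
    if host=$(target_host "$name"); then
      printf '%s %s %s/fullchain.pem %s/privkey.pem\n' \
        "$name" "$host" "$lineage" "$lineage"
    else
      printf 'skip %s: no target host\n' "$name" >&2
    fi
  done
}

# Dry run: the values a real renewal would set (constructed), then the hook.
dry_run() {
  RENEWED_LINEAGE=/etc/letsencrypt/live/domain.com \
  RENEWED_DOMAINS='domain.com nextcloud.domain.com unifi.domain.com' \
  deploy_hook
}
```

Run `dry_run` to see the plan without a renewal; the hook itself is what you would point `--deploy-hook` at once the printf is replaced by the real copy step.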
