LetsEncrpyt, crt.sh and fingerprints

This is probably something I have not fully understood yet:

In Apache, I want to add “check” html links for certificates in the status page and started with crt.sh/?q=. This works nice for older/ACMEv1 certificates (this one for greenbytes for example), but another domain on ACMEv2 got a new cert on Friday and that one is not found.

However, when I query the domain, it lists this cert from Friday - which looks fine, but has another fingerprint!?

Is this some bug on my site, missing grasp, pre-cert logging magic or oak introduction side effect? Any help appreciated!

Hi @icing

there are two things:

  • crt.sh lists pre- and leaf certificates. A precertificate doesn’t work with a webserver, only leaf certificates can be used. The CA sends a precertificate, the CT log sends a timestamp back, that timestamp is used in the leaf certificate. So a precertificate has another fingerprint, but the same issuer and the same serial number as the leaf certificate.
  • crt.sh is sometimes very slow. That’s the reason I’ve added a certspotter - check ( https://check-your-website.server-daten.de/ ).

There are sometimes domains - certspotter shows a new certificate, crt.sh not.

That’s

https://crt.sh/?id=1530351060

a precertificate, not the leaf certificate.

It has nothing to do with your site. It’s a problem of the sometimes slow crt.sh.

2 Likes

You might have better luck using the certificate serial rather than the fingerprint, since that does not differ between the certificate with the CT poison and the real one.

This will allow you to not be so adversely affected by CT log crawling delays.

Or just link to https://censys.io/certificates/1ff3bfd2c7c199489ed04df6e29a9b4ea6c015fe8a1b0ce3deb88afc751e352d instead of crt.sh.

2 Likes

Thanks, Jürgen, for the quick reply. That explains the differences. I could, as _az points helpfully out, use the serial number of the cert to circumvent that.

However, to let an admin assess his certificates status precisely, looking at a log monitor several days behind is not always helpful. Which makes me thinking that building such links into Apache may not be a good idea. Given that releases have a lifetime of years with only security patches, such links might age rather fast.

Or I need to make an url template configurable. Hmm…

Anyway, thanks for the quick response and useful links!

Cheers, Stefan

3 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.