This is probably something I have not fully understood yet:
In Apache, I want to add "check" html links for certificates in the status page and started with crt.sh/?q=. This works nicely for older/ACMEv1 certificates (this one for greenbytes for example), but another domain on ACMEv2 got a new cert on Friday and that one is not found.
crt.sh lists pre- and leaf certificates. A precertificate doesn't work with a webserver; only leaf certificates can be used. The CA sends a precertificate, the CT log sends a timestamp back, and that timestamp is used in the leaf certificate. So a precertificate has a different fingerprint, but the same issuer and the same serial number as the leaf certificate.
You might have better luck using the certificate serial rather than the fingerprint, since that does not differ between the certificate with the CT poison and the real one.
This will allow you to not be so adversely affected by CT log crawling delays.
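To make the two points above concrete (the precertificate carries the CT poison extension and therefore a different DER encoding and fingerprint, while issuer and serial are shared with the final leaf), here is an added example that is not part of this thread or of Apache's mod_md. It issues a self-signed "precertificate" and matching "leaf" from one template, detects the poison extension, and builds a crt.sh link keyed on the serial. The `1.3.6.1.4.1.11129.2.4.3` poison and `1.3.6.1.4.1.11129.2.4.2` SCT-list OIDs are from RFC 6962; the `https://crt.sh/?serial=` query form is assumed here as the serial-based alternative to `?q=`, and the certificate contents and the empty SCT list are constructed placeholders, not real CA output.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// RFC 6962 section 3.1: the poison extension marks a precertificate; the
// SCT-list extension carries the log timestamps in the final certificate.
var (
	ctPoisonOID  = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 3}
	ctSCTListOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 11129, 2, 4, 2}
)

// IsPrecertificate reports whether the poison extension is present.
func IsPrecertificate(c *x509.Certificate) bool {
	for _, ext := range c.Extensions {
		if ext.Id.Equal(ctPoisonOID) {
			return true
		}
	}
	return false
}

// Fingerprint is the SHA-256 over the DER encoding, lowercase hex.
func Fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// SerialHex renders the serial as lowercase hex without a leading "0x".
func SerialHex(c *x509.Certificate) string {
	return c.SerialNumber.Text(16)
}

// CrtShLinkBySerial keys the lookup on the serial, which precert and leaf share
// (the ?serial= form is an assumption about crt.sh's query interface).
func CrtShLinkBySerial(c *x509.Certificate) string {
	return "https://crt.sh/?serial=" + SerialHex(c)
}

// MakePair simulates a CA issuing a precertificate and the matching leaf from one
// template: same key, issuer and serial; only the CT extensions differ.
func MakePair() (pre, leaf *x509.Certificate, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	template := x509.Certificate{
		SerialNumber: big.NewInt(0x0123456789abcdef), // constructed serial
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    now,
		NotAfter:     now.Add(90 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}

	// Precertificate: critical poison extension with an ASN.1 NULL value.
	preTmpl := template
	preTmpl.ExtraExtensions = []pkix.Extension{{Id: ctPoisonOID, Critical: true, Value: []byte{0x05, 0x00}}}
	preDER, err := x509.CreateCertificate(rand.Reader, &preTmpl, &preTmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	pre, err = x509.ParseCertificate(preDER)
	if err != nil {
		return nil, nil, err
	}

	// Leaf: the poison is replaced by the SCT list; here a constructed empty
	// list (OCTET STRING wrapping a zero-length SignedCertificateTimestampList).
	leafTmpl := template
	leafTmpl.ExtraExtensions = []pkix.Extension{{Id: ctSCTListOID, Value: []byte{0x04, 0x02, 0x00, 0x00}}}
	leafDER, err := x509.CreateCertificate(rand.Reader, &leafTmpl, &leafTmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return pre, leaf, err
}

func main() {
	pre, leaf, err := MakePair()
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{pre, leaf} {
		fmt.Printf("precert=%v serial=%s fingerprint=%s link=%s\n",
			IsPrecertificate(c), SerialHex(c), Fingerprint(c), CrtShLinkBySerial(c))
	}
}
```

A status page that links by `Fingerprint` will only find the entry crt.sh has already ingested for that exact DER (often the precertificate first), whereas the serial-based link matches whichever of the pair the log crawler has seen so far.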
Thanks, Jürgen, for the quick reply. That explains the differences. I could, as _az helpfully points out, use the serial number of the cert to circumvent that.
However, to let an admin assess his certificates' status precisely, looking at a log monitor several days behind is not always helpful. Which makes me think that building such links into Apache may not be a good idea. Given that releases have a lifetime of years with only security patches, such links might age rather fast.
Or I need to make a URL template configurable. Hmm…
Anyway, thanks for the quick response and useful links!