No new let's encrypt certificates on crt.sh

Hi all,
I don’t see any new Let’s Encrypt certificates on crt.sh since May 4th?
Does anybody know why?

They’ve been having database problems for a few days - https://groups.google.com/forum/#!topic/crtsh/ZOscOEUYeHE .

1 Like

Hi @johnbaum

crt.sh is currently buggy.

Use Google

https://transparencyreport.google.com/https/certificates

crt.sh hat two interfaces - the web interface and a PostGreSql-interface. I’ve used the PostGreSql in my tool, that didn’t work (~~ 2019-04-15), later it worked some hours. Last Saturday I’ve added a fallback to the webinterface, but new certificates ( Letsencrypt error DNS problem: NXDOMAIN looking up A for etc ) aren’t listet. Google shows that certificate.

2 Likes

Thanks so much for your reply, but the google one doesn’t work so well for me. Do you know any other alternative, even paid?

Thanks again

Perhaps https://sslmate.com/certspotter/ will meet your needs? There’s also https://censys.io/

Not really. Entrust

https://www.entrust.com/ct-search/

has a search, but checking the new domain of the other thread (nodejs-ssl-deploy.code.yousshark.com), entrust and crt.sh don’t show the certificate (created 5. Mai 2019, 21:40:35 GMT).

Hope the new Letsencrypt CT log is coming. With a good API :wink:

All currently qualified CT logs offer the same API described in RFC 6962 and the LE log will be the same. If you’re looking for an easy way to search/monitor a CT log the API from RFC 6962 (and the upcoming Let’s Encrypt log) won’t help you without implementing the monitoring. You’re looking for a log monitor, not a log itself :slight_smile: We have no plans to offer a monitor.

2 Likes

Thanks.

Ok, I need a monitor. Mhm. Crt.sh has an ODBC Sql option, that’s very easy to use. And it’s possible to create a query

Where reverse(lower(ci.NAME_VALUE)) Like reverse(lower('%.example.com'))
And ci.CERTIFICATE_ID > last_id_saved_local

There is an index reverse(lower(NAME_VALUE)), so this query is amazing.

And checking a domain three times (without a new certificate) the second and third query - don’t return results, ci.CERTIFICATE_ID > last_id_saved_local blocks it.

The website crt.sh (with JSON-output) doesn’t have such a feature.

But if the website doesn’t work …

Certspotter has an API

https://sslmate.com/certspotter/api/docs-v1

1000 queries per hour are free. Perhaps I should use that.

1 Like

Drifting slightly off-topic but Certmonitor’s public stats make it easy to see why monitoring CT logs is often a paid product. To keep track of all of the CT logs that Certspotter monitors takes 6,097 GB of disk space and counting!

2 Likes

I hope crt.sh will be back soon, although I’m really not sure.

Thanks

I’ve updated my tool.

Now CertSpotter is used to fetch active certificates.

Expired certificates aren’t sent back. But one CertSpotter-check per one Domain-check is save enough.

Now it’s a fallback if crt.sh doesn’t work.

A current check shows a new certificate, created this evening.

3 Likes

Now crt.sh works.

The nodejs-ssl-deploy.code.yousshark.com (created from a user this sunday) is now listed. The PostgreSql-Interface works again.

A Letsencrypt certificate (found from my tool) not before 2019-05-08 23:16:23 isn’t visible via crt.sh, CertSpotter shows that certificate.

So crt.sh works, but isn’t up to date.

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.