No new Let's Encrypt certificates on crt.sh

Hi all,
I don’t see any new Let’s Encrypt certificates on crt.sh since May 4th?
Does anybody know why?

They’ve been having database problems for a few days - https://groups.google.com/forum/#!topic/crtsh/ZOscOEUYeHE .

1 Like

Hi @johnbaum

crt.sh is currently buggy.

Use Google

https://transparencyreport.google.com/https/certificates

--

crt.sh has two interfaces - the web interface and a PostgreSQL interface. I've used the PostgreSQL one in my tool; that didn't work (~~ 2019-04-15), later it worked for some hours. Last Saturday I added a fallback to the web interface, but new certificates ( Letsencrypt error DNS problem: NXDOMAIN looking up A for etc ) aren't listed. Google shows that certificate.

2 Likes

Thanks so much for your reply, but the google one doesn’t work so well for me. Do you know any other alternative, even paid?

Thanks again

Perhaps Cert Spotter - Certificate Transparency Monitor - Detect Security and Availability Problems will meet your needs? There's also https://censys.io/

Not really. Entrust

https://www.entrust.com/ct-search/

has a search, but checking the new domain of the other thread (nodejs-ssl-deploy.code.yousshark.com), Entrust and crt.sh don't show the certificate (created 5 May 2019, 21:40:35 GMT).

Hope the new Let's Encrypt CT log is coming. With a good API :wink:

All currently qualified CT logs offer the same API described in RFC 6962 and the LE log will be the same. If you're looking for an easy way to search/monitor a CT log the API from RFC 6962 (and the upcoming Let's Encrypt log) won't help you without implementing the monitoring. You're looking for a log monitor, not a log itself :slight_smile: We have no plans to offer a monitor.

2 Likes

Thanks.

Ok, I need a monitor. Mhm. Crt.sh has an ODBC SQL option, that’s very easy to use. And it’s possible to create a query

Where reverse(lower(ci.NAME_VALUE)) Like reverse(lower('%.example.com'))
And ci.CERTIFICATE_ID > last_id_saved_local

There is an index reverse(lower(NAME_VALUE)), so this query is amazing.

And when checking a domain three times (without a new certificate), the second and third queries don’t return results; ci.CERTIFICATE_ID > last_id_saved_local blocks it.

The website crt.sh (with JSON-output) doesn’t have such a feature.

But if the website doesn’t work …

Certspotter has an API

https://sslmate.com/certspotter/api/docs-v1

1000 queries per hour are free. Perhaps I should use that.

1 Like
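An added example, not part of the thread and not crt.sh's own code: the incremental query from the post above, run against an in-memory SQLite table with constructed rows. The table name `certificate_identity`, the `poll` helper and the sample IDs are assumptions; only the `NAME_VALUE` / `CERTIFICATE_ID` columns and the WHERE clause come from the post.

```python
import sqlite3

# Constructed rows (CERTIFICATE_ID, NAME_VALUE); not real crt.sh data.
ROWS = [
    (101, "www.example.com"),
    (102, "API.Example.com"),
    (103, "example.com"),             # apex: '%.example.com' does not match it
    (104, "example.com.other.test"),  # domain appears, but not as a suffix
    (105, "notexample.com"),          # suffix without the dot boundary
]

def open_db():
    db = sqlite3.connect(":memory:")
    # PostgreSQL has reverse() built in; SQLite needs it registered.
    db.create_function("reverse", 1, lambda s: s[::-1])
    # Hypothetical stand-in table; only the two column names are from the post.
    db.execute("CREATE TABLE certificate_identity "
               "(certificate_id INTEGER, name_value TEXT)")
    db.executemany("INSERT INTO certificate_identity VALUES (?, ?)", ROWS)
    return db

QUERY = """
SELECT ci.certificate_id, ci.name_value
  FROM certificate_identity ci
 WHERE reverse(lower(ci.name_value)) LIKE reverse(lower(?))
   AND ci.certificate_id > ?
 ORDER BY ci.certificate_id
"""

def poll(db, domain, last_id):
    """Return (new_rows, new_last_id) for names under `domain` since last_id."""
    # Reversed, the pattern is 'moc.elpmaxe.%': the leading wildcard becomes a
    # trailing one, the form an index on reverse(lower(NAME_VALUE)) can serve.
    rows = db.execute(QUERY, ("%." + domain, last_id)).fetchall()
    return rows, max([last_id] + [r[0] for r in rows])

if __name__ == "__main__":
    db = open_db()
    rows, mark = poll(db, "example.com", 0)
    print(rows, mark)                      # first check: two subdomain rows
    print(poll(db, "example.com", mark))   # repeat check: nothing new
    db.execute("INSERT INTO certificate_identity "
               "VALUES (106, 'mail.example.com')")
    print(poll(db, "example.com", mark))   # only the newly logged row
```

The pattern `%.example.com` covers subdomains only, so a monitor that also cares about the apex name needs a second equality check for `example.com` itself.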

Drifting slightly off-topic but Certmonitor's public stats make it easy to see why monitoring CT logs is often a paid product. To keep track of all of the CT logs that Certspotter monitors takes 6,097 GB of disk space and counting!

2 Likes

I hope crt.sh will be back soon, although I’m really not sure.

Thanks

I’ve updated my tool.

Now CertSpotter is used to fetch active certificates.

Expired certificates aren’t sent back. But one CertSpotter check per domain check is safe enough.

Now it’s a fallback if crt.sh doesn’t work.

A current check shows a new certificate, created this evening.

3 Likes

Now crt.sh works.

The nodejs-ssl-deploy.code.yousshark.com (created by a user this Sunday) is now listed. The PostgreSQL interface works again.

A Let's Encrypt certificate (found by my tool), not before 2019-05-08 23:16:23, isn’t visible via crt.sh; CertSpotter shows that certificate.

So crt.sh works, but isn’t up to date.

1 Like
