Automatic renewal when a certificate is revoked. #523

Open
rdebath opened this issue Mar 3, 2020 · 1 comment


rdebath commented Mar 3, 2020

Is your feature request related to a problem? Please describe.
The problem is: https://community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864
That is, a certificate has been revoked for whatever reason and needs renewal before its expiry.

Describe the solution you'd like
When the end date of the last certificate is checked (and is less than 30 days away) it can also be checked to see if it has been revoked.

The easiest way to do this seems to be to check the OCSP status:
https://serverfault.com/questions/590504/how-do-i-check-if-my-ssl-certificates-have-been-revoked

From that Serverfault page ...

$ openssl x509 -noout -ocsp_uri -in /etc/letsencrypt/archive/31337.it/cert1.pem
http:https://ocsp.int-x1.letsencrypt.org/
$ openssl ocsp -issuer /etc/letsencrypt/archive/31337.it/chain4.pem -cert /etc/letsencrypt/archive/31337.it/cert4.pem -text -url http:https://ocsp.int-x1.letsencrypt.org/ -header "HOST"="ocsp.int-x1.letsencrypt.org"
....
        This Update: Oct 29 12:00:00 2015 GMT
        Next Update: Nov  5 12:00:00 2015 GMT
        Revocation Time: Oct 29 12:33:57 2015 GMT

serverco-a commented Mar 3, 2020

As a very quick script that runs through a server, you can try:

#!/bin/bash

WORKING_DIR=~/.getssl
DOMAIN_STORAGE="${DOMAIN_STORAGE:=$WORKING_DIR}"

# read any variables from config in working directory
if [[ -s "$WORKING_DIR/getssl.cfg" ]]; then
  echo "reading config from $WORKING_DIR/getssl.cfg"
  # shellcheck source=/dev/null
  . "$WORKING_DIR/getssl.cfg"
fi

for dir in "${DOMAIN_STORAGE}"/*; do
  if [[ -d "$dir" ]]; then
    # check if $dir is a directory with a getssl.cfg in it
    if [[ -f "$dir/getssl.cfg" ]]; then
      domain=$(basename "$dir")
      cert="${dir}/${domain}.crt"
      chain="${dir}/chain.crt"
      ocsp_uri=$(openssl x509 -noout -ocsp_uri -in "$cert" 2>/dev/null)
      # host part of the OCSP URI; "${ocsp_uri##*/}" would be empty for a URI ending in "/"
      ocsp=${ocsp_uri#*://}
      ocsp=${ocsp%%/*}
      # OpenSSL 1.1.0 and later take "-header name=value"
      result=$(openssl ocsp -issuer "$chain" -cert "$cert" -text -url "$ocsp_uri" -header "Host=$ocsp" 2>/dev/null)
      # openssl ocsp prints "<certfile>: good" for an unrevoked certificate
      if [[ $(echo "$result" | grep -c "${cert}: good") -ge 1 ]]; then
        echo "$domain is OK"
      else
        echo "$domain may be a revoked cert"
      fi
    fi
  fi
done

exit

I'd like to double-check all the failure cases before I'd add something into the main code. It may be safe to autorun getssl with a force if "Revocation Time" is in the response, I suspect.
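An added example, not code from getssl or from either commenter, for the failure-case split raised above: it separates a revoked verdict from an unreachable or erroring responder, so that only a confirmed revocation would trigger a forced renewal. The certificate path, the sample transcripts and the `ocsp_check` wrapper are constructed for illustration.

```shell
#!/bin/bash
# Added example, not part of getssl: classify an "openssl ocsp" result so a
# renewal job can tell "revoked, force renewal" from "responder unreachable".

# Host part of an OCSP URI ("http://ocsp.example.net/" -> "ocsp.example.net"),
# tolerating a trailing slash or path, which "${uri##*/}" does not.
ocsp_host() {
  local host="${1#*://}"
  printf '%s\n' "${host%%/*}"
}

# Find the "<certfile>: good|revoked|unknown" line openssl ocsp prints on stdout.
# Prints the verdict; returns 0 good, 1 revoked, 2 unknown, 3 no verdict at all
# (responder error, network failure, empty output). Only 1 should force renewal;
# 2 and 3 should alert rather than trigger a new issuance on every failed query.
ocsp_verdict() {
  local cert="$1" output="$2" line
  while IFS= read -r line; do
    case "$line" in
      "$cert: good")    echo good;    return 0 ;;
      "$cert: revoked") echo revoked; return 1 ;;
      "$cert: unknown") echo unknown; return 2 ;;
    esac
  done <<EOF
$output
EOF
  echo undecidable
  return 3
}

# Live check for one getssl domain directory (constructed wrapper). Assumes
# OpenSSL 1.1.0 or later, whose ocsp command takes "-header name=value".
ocsp_check() {
  local cert="$1" chain="$2" uri out
  uri=$(openssl x509 -noout -ocsp_uri -in "$cert" 2>/dev/null) || { echo undecidable; return 3; }
  out=$(openssl ocsp -issuer "$chain" -cert "$cert" -url "$uri" \
          -header "Host=$(ocsp_host "$uri")" 2>/dev/null)
  ocsp_verdict "$cert" "$out"
}

# Constructed transcripts (not real responder output) walking three outcomes.
demo_cert='/root/.getssl/example.com/example.com.crt'
for sample in "$demo_cert: good" "$demo_cert: revoked" "Responder Error: unauthorized (6)"; do
  ocsp_verdict "$demo_cert" "$sample" || true   # prints good, revoked, undecidable
done
```

The renewal decision then becomes: exit status 1 means renew now with force, 0 means fall back to the usual 30-day expiry check, and 2 or 3 means report the problem without issuing.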

@timkimber timkimber self-assigned this Jul 28, 2021