Anjanesh

Bulk Domains Certificates Data Check

Bulk Domains Certificates Data Check

Bash script to check domain certificates' data

Anjanesh Lekshminarayanan's photo
Anjanesh Lekshminarayanan
·

2 min read

I am on Ubuntu 22.04 and I got this while trying to execute :

echo | openssl s_client -showcerts -servername somewhere.some-domain.com -connect somewhere.some-domain.com:443

CONNECTED(00000003)
804BEB97177F0000:error:0A000152:SSL routines:final_renegotiate:unsafe legacy renegotiation disabled:../ssl/statem/extensions.c:879:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 79 bytes and written 323 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000
    Session-ID: 444B4801123BC7B1F514AC456251FE627A0C3E03385A651AC6D52B8347B25285
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1678785503
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---

sudo vi /usr/lib/ssl/openssl.cnf

At the end insert Options = UnsafeLegacyRenegotiation so that it looks like this :

[system_default_sect]
CipherString = DEFAULT:@SECLEVEL=2
Options = UnsafeLegacyRenegotiation

Now you can run this script on any ubuntu machine :

https://gist.github.com/apankrat/062efc40f8f2dafeca8d8561b87374e7

Code here, incase its deleted on GitHub :

sites="
reddit.com
google.com
microsoft.com
news.ycombinator.com
twitter.com
anjanesh.com
anjanesh.dev
anjanesh.digital
"

tmp=/tmp/cert-check.out
now=`date -d "$now" +%s`

echo "site,match,subject,expires,left,issuer"

for site in $sites
do
        if [[ $site == \#* ]]; then continue; fi

        printf "$site,"

        echo | openssl s_client -showcerts -servername $site -connect $site:443 2>/dev/null | openssl x509 -inform pem -noout -text > $tmp
        issuer=`grep 'Issuer:' $tmp`
        issuer=${issuer##*O=}
        issuer=${issuer%%,*}

        subject=`grep 'Subject:' $tmp`
        subject=${subject##*CN=}
        subject=${subject%%,*}

        if [[ $site == $subject ]] || [[ ".$site" == $subject ]]; then match='Yes'; else match='!'; fi

        expires=`grep 'Not After' $tmp`
        expires=`date '+%Y-%m-%d' -d "${expires#*:}"`
        epoch=`date -d "$expires" +%s`

        if [ $epoch -lt $now ]
        then
                left='EXPIRED'
        else
                days=$(( ($epoch - $now) / 86400 ))
                left="$days days"
        fi

        printf "$match,"
        printf "$subject,"
        printf "$expires,"
        printf "$left,"
        echo "$issuer"
done
SSL#domainsBashbash scriptUbuntu