
lectl's Introduction

lectl

Script to check the certificates issued by Let's Encrypt for a domain, as recorded in the CTL (Certificate Transparency Log), using https://crt.sh

Note: crt.sh is property of Sectigo Limited 2015-2020

Usage

lectl [-h|--help] [-v|--version] [-l|--extraline] [-s|--sans] [-e|--expired] [-u|--utc] [-m] [-p|--pre] [-f|--final] domain

Options

 -h | --help      [Default: false] shows the help file.

 -v | --version   shows the script version.

 -l | --extraline [Default: false] adds an extra line separator between found
                  certificates (when there are several certs with several
                  SANs, this extra line makes the output easier to read).

 -s | --sans      [Default: false] shows all domains included in the
                  certificate as SANs. If you don't use this option, you will
                  only see the Common Name.

 -e | --expired   [Default: false] shows all certs issued for the specified
                  domain, including the certs that are already expired.

 -u | --utc       [Default: false] shows the dates in UTC (GMT) instead of
                  your machine time zone.

 -m               [Default: 100] searches for more or fewer than 100 certificates
                  per domain OR subdomain. This means that if, for example, you use
                  option -m25 you could receive an output of at most 50 certs (25 for
                  the domain and 25 for *.domain).
                  If this option is not used, lectl searches only for the last 100
                  certificates. If the option is used without a number, it searches
                  for the last 1000 certificates.
                  If you want to search for more or fewer certificates, append
                  the number after the option with no spaces (Ex: -m500). If
                  you specify a number, then the option must be specified
                  independently.
                  Wrong: lectl -seulm500 domain.tld
                  Good: lectl -seul -m500 domain.tld

 -p | --pre       [Default: true] shows only logged pre certs.

 -f | --final     [Default: true] shows only logged final certs.

Examples

lectl letsencrypt.org
lectl -s -e -u -l -p letsencrypt.org
lectl -seulmf letsencrypt.org
lectl -lumsep letsencrypt.org
lectl -su --extraline letsencrypt.org
lectl -u letsencrypt.org -esm --final
lectl -seulp -m500 letsencrypt.org
...and so on
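The options above describe what lectl does with the log entries it finds: list only unexpired certs unless -e is given, show dates in UTC with -u, and work out from the certs issued in the last 7 days whether the per-registered-domain weekly limit has been hit. The following is an added example, not lectl's own code, that implements that bookkeeping over constructed records laid out like crt.sh's JSON output (the field names serial_number, common_name, name_value, not_before and not_after are an assumption about that format). It collapses pre-certificate/final-certificate pairs, which share a serial number, so a single issuance is not counted twice.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(days=7)  # Let's Encrypt's per-registered-domain limit is per week

# Constructed sample in the shape of crt.sh's JSON output (assumption: the
# fields serial_number, common_name, name_value, not_before, not_after,
# with timestamps in UTC and no zone designator). Not real crt.sh data.
SAMPLE_RECORDS = [
    {"id": 101, "serial_number": "03a1", "common_name": "example.com",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2020-01-20T10:00:00", "not_after": "2020-04-19T10:00:00"},
    # the final certificate logged for the same serial as 101 (pre + final pair)
    {"id": 102, "serial_number": "03a1", "common_name": "example.com",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2020-01-20T10:00:00", "not_after": "2020-04-19T10:00:00"},
    {"id": 103, "serial_number": "03a2", "common_name": "api.example.com",
     "name_value": "api.example.com",
     "not_before": "2020-01-18T08:00:00", "not_after": "2020-04-17T08:00:00"},
    # issued more than 7 days before NOW -> outside the rate-limit window
    {"id": 104, "serial_number": "03a3", "common_name": "old.example.com",
     "name_value": "old.example.com",
     "not_before": "2020-01-10T08:00:00", "not_after": "2020-04-09T08:00:00"},
    # expired long ago -> hidden unless include_expired (lectl's -e)
    {"id": 105, "serial_number": "03a4", "common_name": "example.com",
     "name_value": "example.com",
     "not_before": "2019-06-01T00:00:00", "not_after": "2019-08-30T00:00:00"},
]
NOW = datetime(2020, 1, 22, 12, 0, tzinfo=timezone.utc)  # constructed reference time


@dataclass(frozen=True)
class Cert:
    serial: str
    common_name: str
    sans: frozenset
    not_before: datetime
    not_after: datetime


def parse_ts(value):
    """Parse a crt.sh timestamp and attach UTC explicitly, so nothing depends
    on the machine's locale or time zone (the equivalent of lectl's -u)."""
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def load_certs(records):
    """Parse records and collapse pre-certificate/final-certificate pairs:
    both carry the same serial number, so each serial is kept once."""
    by_serial = {}
    for rec in records:
        if rec["serial_number"] not in by_serial:
            by_serial[rec["serial_number"]] = Cert(
                serial=rec["serial_number"],
                common_name=rec["common_name"],
                sans=frozenset(rec["name_value"].split("\n")),
                not_before=parse_ts(rec["not_before"]),
                not_after=parse_ts(rec["not_after"]),
            )
    return list(by_serial.values())


def listed_certs(certs, now=NOW, include_expired=False):
    """What gets listed: every cert with include_expired, else unexpired only."""
    if include_expired:
        return list(certs)
    return [c for c in certs if c.not_after > now]


def issued_in_window(certs, now=NOW):
    """Certs whose not_before lies in the trailing 7-day window, oldest first."""
    recent = [c for c in certs if now - WINDOW <= c.not_before <= now]
    return sorted(recent, key=lambda c: c.not_before)


def next_issuance(certs, limit=50, now=NOW):
    """None if a new certificate could be issued now; otherwise the UTC time
    at which enough of the oldest in-window certs have aged out of the
    window for the count to drop below the limit."""
    recent = issued_in_window(certs, now)
    if len(recent) < limit:
        return None
    return recent[len(recent) - limit].not_before + WINDOW


if __name__ == "__main__":
    certs = load_certs(SAMPLE_RECORDS)
    for c in listed_certs(certs):
        print(c.not_before.isoformat(), c.common_name, sorted(c.sans))
    print(f"{len(issued_in_window(certs))} certificate(s) issued in the last 7 days")
    when = next_issuance(certs, limit=2)  # a low limit, to show the blocked case
    print("next issuance possible:", "now" if when is None else when.isoformat())
```

With the sample data the listing hides the 2019 certificate, the window contains two issuances (the pre/final pair counted once, plus api.example.com), and with a limit of 2 the next slot opens seven days after the oldest in-window not_before. To run this against live data you would fetch the records yourself (crt.sh offers a JSON output mode; the exact query URL is not described on this page) and pass them to load_certs with the real current time as now.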

lectl's People

Contributors

fnkr, pgporada, sahsanu


lectl's Issues

Invalid date

When I call it, it fails with the following errors:

./lectl connectivegames.com
lectl 0.6 (2016-April-04)
2016/Июнь/04 09:26:58 - Checking certs for connectivegames.com
date: invalid date '\321\201\320\265\320\275 01 17:34 KRAT 2016'
date: invalid date '\321\201\320\265\320\275 01 17:34 KRAT 2016'
...

I've replaced "LANG=C;" with "LANG=en_US;" and it works for me. Output is below.
Please check if it's possible to apply this fix.

./lectl_en_US connectivegames.com
lectl 0.6 (2016-April-04)
2016/June/04 09:41:03 - Checking certs for connectivegames.com

I have found 45 non expired certificates for domain connectivegames.com and its subdomains *.connectivegames.com

Differentiate between new and renewed certificate

Hello,

This is not really an issue, more a question on how to interpret the program output.
I am being blocked by a rate limit for a large university domain (I manage a sub-sub domain).
I am looking at the results of running lectl, and I see that in fact there are a lot of certificates being issued related to various subdomains of the university. However, it seems that what is getting through (if I filter on the pre certs) is quite a bit above the 20 limit per week.

Does the output include renewed certificates, that should/do not count towards the rate limit? In this case, is it possible that the advice the program gives ("You could issue next certificate on xxx") is overly conservative, counting in renewals, and in fact I can try to request a cert earlier than that?

This may not be the right platform for this question, in which case I offer my apologies.

Thanks in advance.
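The question above is about telling renewals apart from new certificates in a CT listing. As an added example (not lectl's code, and not an answer from the maintainer), the following applies the rule the tool's own Note 2 refers to: a renewal is a certificate with exactly the same set of FQDNs as one issued earlier. The issuance history is constructed, and the window and counts are computed against a fixed reference time.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=7)

# Constructed issuance history as (not_before, set of SANs). Not real CT data.
HISTORY = [
    (datetime(2020, 1, 2, 9, 0), {"cs.example.edu", "www.cs.example.edu"}),
    (datetime(2020, 1, 18, 9, 0), {"cs.example.edu", "www.cs.example.edu"}),  # renewal
    (datetime(2020, 1, 19, 9, 0), {"lab.cs.example.edu"}),                      # new
    (datetime(2020, 1, 20, 9, 0), {"lab.cs.example.edu",
                                   "www.lab.cs.example.edu"}),                  # new: different name set
    (datetime(2020, 1, 21, 9, 0), {"lab.cs.example.edu"}),                      # renewal of the 01-19 cert
]
NOW = datetime(2020, 1, 22, 12, 0)  # constructed reference time


def classify(history):
    """Label each certificate 'new' or 'renewal'. A renewal has exactly the
    same FQDN set as an earlier certificate; a cert that adds or drops even
    one name is a new certificate for rate-limit purposes."""
    seen = set()
    labelled = []
    for not_before, sans in sorted(history, key=lambda h: h[0]):
        key = frozenset(sans)
        labelled.append((not_before, key, "renewal" if key in seen else "new"))
        seen.add(key)
    return labelled


def weekly_counts(history, now=NOW):
    """Counts in the trailing 7-day window: everything a raw CT listing shows
    versus only the certificates that count against the per-domain limit."""
    in_window = [c for c in classify(history) if now - WINDOW <= c[0] <= now]
    new = sum(1 for c in in_window if c[2] == "new")
    return {"total": len(in_window), "new": new, "renewals": len(in_window) - new}


if __name__ == "__main__":
    for not_before, sans, kind in classify(HISTORY):
        print(not_before.date(), kind, sorted(sans))
    print(weekly_counts(HISTORY))
```

Of the four certificates in the window, only two are new; a tool that counts every logged entry would report four against the limit. Renewals are not unlimited either: Let's Encrypt applies a separate, smaller duplicate-certificate limit per week to certs with an identical name set, so the "renewal" label here means exempt from the per-registered-domain count, not exempt from every limit.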

Does not seem to work in macOS

./lectl letsencryt.org
lectl 0.10 (2017-September-15)

2017/September/28 10:37:18 - Checking certs for letsencryt.org

Info: I've not found any certificate for the domain letsencryt.org

Use Tagged Releases

what

  • Add tagged releases

why

  • We would like to distribute lectl as part of our cloudposse/packages distribution and would like to pin to a release
  • The current releases page is empty


lectl doesn't seem to work anymore

lectl letsencrypt.org
lectl 0.17 (2018-August-23)

2020/January/22 12:19:14 - Checking all certs for letsencrypt.org

Info: I've not found any certificate for the domain letsencrypt.org

Change error message?

Hi @sahsanu! Thank you so much for this tool, it has been a huge help!

We just had someone who requested a rate limit adjustment put their domain in and it said they still had a 50 certs/registered domain/week rate limit (which is typically correct except for those who have a rate limit adjustment - which I know we don't have a publicly accessible API to see the changes for and there's no way you could get these changes).

Is there a way we could change the error message from this:

Sorry, you can't issue any certificate, you already issued 50 certificates on last 7 days
You could issue next certificate on DATE TIME UTC

Note 1: Keep in mind that if <> is included in PSL (Public Suffix List) the rate limit could only be applied to your subdomain instead of your domain.
Note 2: Right now Let's Encrypt is implementing a new feature so if you renew the exact cert (with the same FQDNs) the rate limit could not apply to your domain if you try to renew it.

To (something like) this:

Sorry, you can't issue any certificate, you already issued 50 certificates on last 7 days
You could issue next certificate on DATE TIME UTC

Note 1: Keep in mind that if <> is included in PSL (Public Suffix List) the rate limit could only be applied to your subdomain instead of your domain.
Note 2: If you requested a rate limit adjustment for your domain or ACME account ID via https://letsencrypt.org/docs/rate-limits/ that change is not reflected here.
Note 3: Let's Encrypt has a renewal exemption for the certificates/registered domain/week rate limit. More information can be found at: https://letsencrypt.org/docs/rate-limits/

Let me know if that works at all or if I can be of any further help! And thanks for doing this!

-Jenessa at Let's Encrypt
