sahsanu / lectl
Script to check issued certificates by Let's Encrypt on CTL (Certificate Transparency Log) using https://crt.sh
License: GNU General Public License v3.0
./lectl letsencryt.org
lectl 0.10 (2017-September-15)
2017/September/28 10:37:18 - Checking certs for letsencryt.org
Info: I've not found any certificate for the domain letsencryt.org
Hello,
This is not really an issue, more a question on how to interpret the program output.
I am being blocked by a rate limit for a large university domain (I manage a sub-sub domain).
I am looking at the results of running lectl, and I see that in fact there are a lot of certificates being issued related to various subdomains of the university. However, it seems that what is getting through (if I filter on the pre certs) is quite a bit above the 20 limit per week.
Does the output include renewed certificates, that should/do not count towards the rate limit? In this case, is it possible that the advice the program gives ("You could issue next certificate on xxx") is overly conservative, counting in renewals, and in fact I can try to request a cert earlier than that?
This may not be the right platform for this question, in which case I offer my apologies.
Thanks in advance.
When I call it fails with next errors:
./lectl connectivegames.com
lectl 0.6 (2016-April-04)
2016/Июнь/04 09:26:58 - Checking certs for connectivegames.com
date: invalid date '\321\201\320\265\320\275 01 17:34 KRAT 2016'
date: invalid date '\321\201\320\265\320\275 01 17:34 KRAT 2016'
...
I've replaced "LANG=C;" with "LANG=en_US;" and it works for me. Output is below.
Please check if it's possible to apply this fix.
./lectl_en_US connectivegames.com
lectl 0.6 (2016-April-04)
2016/June/04 09:41:03 - Checking certs for connectivegames.com
I have found 45 non expired certificates for domain connectivegames.com and its subdomains *.connectivegames.com
From the documentation of rate limits:
Renewals are treated specially: they don’t count against your Certificates per Registered Domain limit, but they are subject to a Duplicate Certificate limit of 5 per week. Note: renewals used to count against your Certificate per Registered Domain limit until March 2019, but they don’t anymore.
So there are now two distinct rate limits to calculate now.
Likely since August 1.
The main limit is Certificates per Registered Domain, (50 per week).
https://letsencrypt.org/docs/rate-limits/
So this should probably be increased.
ratelimit='20'
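The two limits quoted above, worked through as an added example (this is not lectl's code, and lectl itself is a shell script). It assumes that a renewal is a certificate with exactly the same set of hostnames as an earlier one, ignoring case and order, and that a precertificate and its final certificate share a serial; the function name, the row format and the sample rows are hypothetical.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=7)
DOMAIN_LIMIT = 50     # Certificates per Registered Domain (figure quoted above)
DUPLICATE_LIMIT = 5   # Duplicate Certificate limit (figure quoted above)

def rate_limit_status(entries, now, domain_limit=DOMAIN_LIMIT):
    """entries: (serial, issued_at, names) rows, as a CT search might list them."""
    certs = {}
    for serial, issued_at, names in entries:
        # A precertificate and its final certificate share one serial: count once.
        key = frozenset(n.lower() for n in names)
        if serial not in certs or issued_at < certs[serial][0]:
            certs[serial] = (issued_at, key)
    seen, counted, renewals, per_set = set(), [], 0, {}
    for issued_at, key in sorted(certs.values(), key=lambda c: c[0]):
        in_window = timedelta(0) <= now - issued_at < WINDOW
        if in_window:
            per_set[key] = per_set.get(key, 0) + 1
        if key in seen:
            renewals += 1 if in_window else 0  # same name set as before: exempt
            continue
        seen.add(key)
        if in_window:
            counted.append(issued_at)
    next_issue = None
    if len(counted) >= domain_limit:
        # Issuance reopens once enough counted certs age out of the window.
        next_issue = counted[len(counted) - domain_limit] + WINDOW
    limited = sorted(sorted(k) for k, n in per_set.items() if n >= DUPLICATE_LIMIT)
    return {"counted": len(counted), "renewals": renewals,
            "next_issue": next_issue, "duplicate_limited": limited}

# Constructed sample rows (not real CT data); the limit is lowered to 3 below.
D = lambda day, hour=9: datetime(2020, 1, day, hour)
SAMPLE = [
    ("01", D(10), ["a.example.org"]),                   # older than 7 days
    ("02", D(16), ["b.example.org"]),                   # precertificate
    ("02", D(16), ["b.example.org"]),                   # final cert, same serial
    ("03", D(18), ["A.example.org"]),                   # renewal of 01
    ("04", D(19), ["c.example.org"]),
    ("05", D(20), ["c.example.org", "d.example.org"]),  # new name set
]

if __name__ == "__main__":
    print(rate_limit_status(SAMPLE, now=datetime(2020, 1, 22, 12), domain_limit=3))
```

Five rows fall inside the window, but only three count against the per-domain limit: the precertificate pair collapses to one certificate and the renewal is exempt.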
Hi @sahsanu! Thank you so much for this tool, it has been a huge help!
We just had someone who requested a rate limit adjustment put their domain in and it said they still had a 50 certs/registered domain/week rate limit (which is typically correct except for those who have a rate limit adjustment - which I know we don't have a publicly accessible API to see the changes for and there's no way you could get these changes).
Is there a way we could change the error message from this:
Sorry, you can't issue any certificate, you already issued 50 certificates on last 7 days
You could issue next certificate on DATE TIME UTC
Note 1: Keep in mind that if <> is included in PSL (Public Suffix List) the rate limit could only be applied to your subdomain instead of your domain.
Note 2: Right now Let's Encrypt is implementing a new feature so if you renew the exact cert (with the same FQDNs) the rate limit could not apply to your domain if you try to renew it.
To (something like) this:
Sorry, you can't issue any certificate, you already issued 50 certificates on last 7 days
You could issue next certificate on DATE TIME UTC
Note 1: Keep in mind that if <> is included in PSL (Public Suffix List) the rate limit could only be applied to your subdomain instead of your domain.
Note 2: If you requested a rate limit adjustment for your domain or ACME account ID via https://letsencrypt.org/docs/rate-limits/ that change is not reflected here.
Note 2: Let's Encrypt has a renewal exemption for the certificates/registered domain/week rate limit. More information can be found at: https://letsencrypt.org/docs/rate-limits/
Let me know if that works at all or if I can be of any further help! And thanks for doing this!
-Jenessa at Let's Encrypt
lectl letsencrypt.org
lectl 0.17 (2018-August-23)
2020/January/22 12:19:14 - Checking all certs for letsencrypt.org
Info: I've not found any certificate for the domain letsencrypt.org
lectl as part of our cloudposse/packages distribution and would like to pin to a release
crt.sh pages when there are more than 100 certificates in the list.
Example: https://crt.sh/?Identity=%25.fridayengineering.net&iCAID=16418
Some of my domains have couples of RSA and ECC certificates, it would be interesting to me to see that they are indeed not the same certificate ;)