crt.sh & Steampipe

Andrew Dean

Feb 7, 2025, 10:35:48 AM
to certificate-transparency
Hi!

I've made an internal app for my organization to help give visibility into our certificate ecosystem, along with email subscriptions to get notified when certificates will expire within a given period and a given subdomain/hostname. It relies on Steampipe's crtsh connection/plugin as the primary data source, and caches responses in a local DB for ~24h so that there is only 1 query per day, per subdomain to the public DB.

However, our root domain has ~16,000 total subdomains/hostnames (which crt.sh will never load), and at least a couple of our subdomains have ~800 related hostnames (many of which are registered to two different Let's Encrypt CNs simultaneously, doubling the amount of certificates compared to hostnames) which also fail fairly consistently.

In both cases, I receive errors like:

  • Error: crtsh: pq: canceling statement due to statement timeout (SQLSTATE HV000)
  • Error: crtsh: pq: unexpected message 'E'; expected ReadyForQuery (SQLSTATE HV000)
  • Error: crtsh: pq: canceling statement due to conflict with recovery (SQLSTATE HV000)
  • no error, but an empty table as a return (headers/column names only) when there are definitely certificates.

Some of our subdomains have ~500 hostnames/certificates, and those generally get responses without issue, but I'm worried if they continue to grow.

I understand that there is no SLA for crt.sh/responses are "best effort", but is there any way to get better results from crt.sh?

Would connecting directly with the DB (i.e. with Psycopg2), rather than using Steampipe as an intermediary, potentially solve some issues here?

Roger Ng

Feb 7, 2025, 10:44:27 AM
to certificate-...@googlegroups.com
Hi Andrew,

The crt.sh group is a better place to get help.

Cheers,
Roger



hablu...@gmail.com

Feb 7, 2025, 11:13:40 AM
to certificate-...@googlegroups.com, certificate-transparency
Have you tried a Certificate Transparency log monitor?


On 7 Feb 2025, at 10:35, 'Andrew Dean' via certificate-transparency <certificate-...@googlegroups.com> wrote:

Hi!