New Certificates Not Displayed

[Lukas]

Hello, I noticed crt.sh isn't showing certificates issued within the past 7 days across several domains using Let's Encrypt.

Is there a known outage or technical issue?

[r...@sectigo.com]

Hi Lukas.

Please see https://groups.google.com/g/crtsh/c/sgYa8RBaY1k/m/AwQcCn3-AAAJ.

As part of coping with the current infrastructure issues outlined in that thread, it has been necessary on several occasions over the past month or so to temporarily stop crt.sh's log ingestion process.  This has meant delays in certificates appearing in crt.sh even when those certificates have been included in logs for which crt.sh's ingestion backlog is relatively small.

[r...@sectigo.com]

Also, due to the combination of the current infrastructure issues and the volume of user requests hammering crt.sh:5432, replication from the crt.sh primary database to the crt.sh:5432 database replicas is lagging by several days at the moment.

[Soledad Guerra Decono]

Hello everyone,

This issue hasn't been resolved yet, right? I noticed that some certificates issued 20 days ago (or even further) are still missing from crt.sh:5432

 Is there a way to retrieve those that haven't been logged in that particular database?  

thanks

[r...@sectigo.com]

It's not yet resolved, but we are making progress towards a resolution.

The primary database has been migrated to the new storage array, and the log entry ingestion process is now performing well and chewing through the backlog.

The read-only replicas are currently struggling to keep up with the primary, but we expect this will be resolved once the read-only replicas have also been migrated to the new storage array.  This migration is in progress.

[Soledad Guerra Decono]

Thank you so much, Rob, for taking the time to help me understand. I really appreciate it!

 In the meantime I was wondering if you know a way for me to search and retrieve all the certificates that weren t logged into the replicas? otherwise i´d have to go back and perform a new whole  search once  the migration is over. 

 Thanks in advance

[Rob Stradling]

> In the meantime I was wondering if you know a way for me to search and retrieve all the certificates that weren t logged into the replicas?

Only the read-only replica DBs are accessible to the general public (via crt.sh:5432 and crt.sh:443).

> otherwise i´d have to go back and perform a new whole  search once  the migration is over. 

Newly added certificates always have larger ID values on the "certificate" table than certificates that were already present in the database.  So if you're using crt.sh:5432 and you keep track of the largest certificate ID value you processed in your original search, then you can add a "WHERE certificate.ID >" clause to your next search in order to avoid reprocessing the same data.

By the way, this is the approach taken by https://github.com/robstradling/CeRTSearcH.

---

From: cr...@googlegroups.com <cr...@googlegroups.com> on behalf of Soledad Guerra Decono <soled...@gmail.com>
Sent: 12 March 2025 19:00
To: crt.sh <cr...@googlegroups.com>
Subject: Re: New Certificates Not Displayed

 

This Message Is From an Untrusted Sender

You have not previously corresponded with this sender.

Report Suspicious

 

--
You received this message because you are subscribed to the Google Groups "crt.sh" group.
To unsubscribe from this group and stop receiving emails from it, send an email to crtsh+un...@googlegroups.com.
To view this discussion, visit https://groups.google.com/d/msgid/crtsh/3184e896-0db3-4d53-9034-996694decfcfn%40googlegroups.com.

[Soledad Guerra Decono]

Thank you so much Rob. 

I look forward to hearing from you once you have completed the migration. 

 Sincerely, Soledad