Need a bit of scripting help for LE script from Erulezz

Richard G

@Erulezz I'm using this script to see which sites have letsencrypt active, when activated and when it would expire:

Code:
#!/bin/bash
# List domains with a Let's Encrypt certificate, when it was created and when it is due for renewal.

ledomains=0

# Domains are discovered through their per-domain san_config file.
for san in /usr/local/directadmin/data/users/*/domains/*.san_config
do
    [ -e "$san" ] || continue   # the glob matched nothing
    domain=$(basename "$san" .san_config)
    dirname=$(dirname "$san")
    if [ -e "${dirname}/${domain}.cert.creation_time" ] && [ -e "${dirname}/${domain}.cert" ] && [ -e "${dirname}/${domain}.key" ]
    then
        ledomains=$((ledomains + 1))

        sanconfig=$(grep "subjectAltName" "${dirname}/${domain}.san_config")
        created=$(cat "${dirname}/${domain}.cert.creation_time")
        created_date=$(LC_ALL=en_US.utf8 date -d "@$created")
        # Renewal is due 60 days (5184000 seconds) after creation.
        renewal_date=$(LC_ALL=en_US.utf8 date -d "$created_date+60 days")
        renewal_days=$(( (created + 5184000 - $(date +%s)) / 86400 ))

        echo "Lets Encrypt domain: $domain"
        echo "$sanconfig"
        echo "-- Created: $created_date - $created"
        echo "-- Renewal: $renewal_date"
        echo "-- Renewal in $renewal_days days."
        echo ""
    fi
done

echo ""
echo "Lets Encrypt domains: $ledomains"
echo ""

# Same report for the server hostname certificate.
if [ -e "/usr/local/directadmin/conf/cacert.pem.creation_time" ]
then
    sanconfig=$(grep "subjectAltName" /usr/local/directadmin/conf/ca.san_config)
    created=$(cat /usr/local/directadmin/conf/cacert.pem.creation_time)
    created_date=$(LC_ALL=en_US.utf8 date -d "@$created")
    renewal_date=$(LC_ALL=en_US.utf8 date -d "$created_date+60 days")
    renewal_days=$(( (created + 5184000 - $(date +%s)) / 86400 ))

    echo "Lets Encrypt Hostname"
    echo "$sanconfig"
    echo "-- Created: $created_date - $created"
    echo "-- Renewal: $renewal_date"
    echo "-- Renewal in $renewal_days days."
    echo ""
fi

exit 0

I've seen small changes on your github script, which I tried on 1 server but the issue remains.

It seems nowadays the *.san_config can't be found anymore in the users domains dir.
There is a .key and a .cert present.

Now the problem is, I just renewed a domain which succeeded, but the script won't see it.
It seems that it only sees 3 domains which were renewed before February 17th.

But there are multiple domains that are working and that do have newer renewal dates. So probably something in LE has changed, causing this script to look the wrong way or in the wrong place?

Can I fix this soon or would you rather have me report this on your GitHub site?
 
I’ll take a look at it soon. I think san_configs aren’t used anymore.

If you or someone else has an idea or fix you are welcome to create a pull request in the GitHub repo(y)
 
I don't know about which info is taken from the san_configs, but the cert.creation_time still exists and is still used.
Maybe @smtalk knows where the info previously in san_config is to be found now.
 
I don't know about which info is taken from the san_configs, but the cert.creation_time still exists and is still used.
Maybe @smtalk knows where the info previously in san_config is to be found now.
Information is taken from cert file itself.
 
from cert file itself.
But I don't get any output from the script anymore except for the start date when looking manually, and the *.san_config contained more information but there is no san_config anymore, because san_config is not used anymore? Why is that?
 
Doesn't "Admin SSL" give you enough info?
What do you need this script for?

The system automatically updates now.
 
We don't always use auto-ssl (in most cases yes), it has benefits and downsides (forgot what the downside is).
The script gives a bunch of info, including about the hostname certificate which I don't see anywhere else.

Doesn't "Admin SSL" give you enough info?
What is that and where can I find this? I don't have any "admin ssl" option in my admin panel, in enhanced skin, or where can I find it?
 
To give you an impression of what I saw before:
Code:
Lets Encrypt domain: domain.nl
subjectAltName=DNS:domain.nl, DNS:*.domain.nl
-- Created: Sun Jan 30 00:18:40 CET 2022 - 1643498320
-- Renewal: Thu Mar 31 01:18:40 CEST 2022
-- Renewal in 32 days.

and for the hostname:
Code:
Lets Encrypt Hostname

-- Created: Sat Feb  5 00:17:59 CET 2022 - 1644016679
-- Renewal: Wed Apr  6 01:17:59 CEST 2022
-- Renewal in 38 days.
so that is very useful info which I don't have in DA itself, unless I go look in every domain separately. With the script you get a list.

But the script does not work anymore because the san_config can't be found anymore. However, I think this should be a small fix, just don't search for the san_config, because it does not contain this info except for the altname:

Code:
[ req ]
default_bits            = 4096
default_keyfile         = keyfile.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
output_password         = bogus

[ req_distinguished_name ]
CN                      = domain.nl
[ req_attributes ]
[ SAN ]
subjectAltName=DNS:domain.nl, DNS:*.domain.nl
so where is this info to be found now?
 
@Erulezz I don't see any AltName in there, but maybe the domain.com.csr_info file can be used? That does contain the domain like this:
NAME=domain.nl
 
@Richard G I updated the script a little bit for it to work with the newer DA versions:


Info is from the csr_info file and alternative names from the certificate itself. Let me know how it works out for you, works great here on my systems (y)
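
The approach discussed in this thread (alternative names read from the certificate itself, creation time from cert.creation_time) written out as an added example; it is not Erulezz's updated script. The function names are hypothetical, the paths and the 60-day renewal interval are taken from the script at the top of the thread, and GNU date and the openssl CLI are assumed.

```shell
#!/bin/bash
# Added example: read SANs and expiry from the certificate itself (no san_config).
# Assumption: DirectAdmin paths as used by the script earlier in this thread.

# Print the subjectAltName list from `openssl x509 -noout -text` output on stdin.
# Parsing -text keeps this working on older OpenSSL builds without the -ext option.
san_from_text() {
    sed -n '/Subject Alternative Name/{n;s/^[[:space:]]*//;p;}'
}

# Days until the 60-day renewal point: $1 = creation epoch, $2 = now (defaults to current time).
renewal_days() (
    created=$1
    now=${2:-$(date +%s)}
    echo $(( (created + 5184000 - now) / 86400 ))
)

# Report one certificate: $1 = path to the .cert, $2 = path to its creation_time file.
cert_report() (
    cert=$1
    created=$(cat "$2") || return 1
    # notAfter is the hard expiry stored in the certificate.
    not_after=$(openssl x509 -in "$cert" -noout -enddate) || return 1
    openssl x509 -in "$cert" -noout -text | san_from_text
    echo "-- Created: $(LC_ALL=en_US.utf8 date -d "@$created") - $created"
    echo "-- Expires: ${not_after#notAfter=}"
    echo "-- Renewal in $(renewal_days "$created") days."
)

# Walk the certificates instead of the san_config files.
report_all() {
    count=0
    for cert in /usr/local/directadmin/data/users/*/domains/*.cert; do
        # Only certificates with a recorded creation time are treated as Let's Encrypt ones.
        [ -e "${cert}.creation_time" ] || continue
        echo "Lets Encrypt domain: $(basename "$cert" .cert)"
        cert_report "$cert" "${cert}.creation_time" && count=$((count + 1))
        echo ""
    done
    echo "Lets Encrypt domains: $count"
}

report_all
```

A negative "Renewal in" value means the 60-day renewal point has passed without a new certificate being issued, which is the case worth alerting on before the expiry date is reached.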
 
Thank you very much! This works perfectly on at least both CentOS 7 and AlmaLinux 8!
It's also easy to see which domains have wildcard certificates and which have certificates based on selection. It's great, thank you! (y)
 
Started with a plugin... now need to figure out why the response is empty.. manually running it works :censored:
 

Alright, figured it out :) Probably the most basic DA plugin, but hey, it works and it's nice to quickly see it in DA itself. Tonight I'm cleaning up the code and uploading it so you guys can test it out.
 
