Get a rough list of host names from a Route 53 hosted zone (NS and A record sets) and check each one's TLS certificate: expiry within a 14-day window and an allowlisted issuer.
module gist.github.com/3e268b08b9427b45941f5d3b88dbceb7 | |
go 1.20 | |
require ( | |
github.com/aws/aws-sdk-go-v2 v1.17.8 | |
github.com/aws/aws-sdk-go-v2/config v1.18.21 | |
github.com/aws/aws-sdk-go-v2/service/route53 v1.27.7 | |
golang.org/x/sync v0.1.0 | |
) | |
require ( | |
github.com/aws/aws-sdk-go-v2/credentials v1.13.20 // indirect | |
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.2 // indirect | |
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.32 // indirect | |
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.26 // indirect | |
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.33 // indirect | |
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.26 // indirect | |
github.com/aws/aws-sdk-go-v2/service/sso v1.12.8 // indirect | |
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.8 // indirect | |
github.com/aws/aws-sdk-go-v2/service/sts v1.18.9 // indirect | |
github.com/aws/smithy-go v1.13.5 // indirect | |
github.com/jmespath/go-jmespath v0.4.0 // indirect | |
) |
github.com/aws/aws-sdk-go-v2 v1.17.8 h1:GMupCNNI7FARX27L7GjCJM8NgivWbRgpjNI/hOQjFS8= | |
github.com/aws/aws-sdk-go-v2 v1.17.8/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw= | |
github.com/aws/aws-sdk-go-v2/config v1.18.21 h1:ENTXWKwE8b9YXgQCsruGLhvA9bhg+RqAsL9XEMEsa2c= | |
github.com/aws/aws-sdk-go-v2/config v1.18.21/go.mod h1:+jPQiVPz1diRnjj6VGqWcLK6EzNmQ42l7J3OqGTLsSY= | |
github.com/aws/aws-sdk-go-v2/credentials v1.13.20 h1:oZCEFcrMppP/CNiS8myzv9JgOzq2s0d3v3MXYil/mxQ= | |
github.com/aws/aws-sdk-go-v2/credentials v1.13.20/go.mod h1:xtZnXErtbZ8YGXC3+8WfajpMBn5Ga/3ojZdxHq6iI8o= | |
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.2 h1:jOzQAesnBFDmz93feqKnsTHsXrlwWORNZMFHMV+WLFU= | |
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.13.2/go.mod h1:cDh1p6XkSGSwSRIArWRc6+UqAQ7x4alQ0QfpVR6f+co= | |
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.32 h1:dpbVNUjczQ8Ae3QKHbpHBpfvaVkRdesxpTOe9pTouhU= | |
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.32/go.mod h1:RudqOgadTWdcS3t/erPQo24pcVEoYyqj/kKW5Vya21I= | |
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.26 h1:QH2kOS3Ht7x+u0gHCh06CXL/h6G8LQJFpZfFBYBNboo= | |
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.26/go.mod h1:vq86l7956VgFr0/FWQ2BWnK07QC3WYsepKzy33qqY5U= | |
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.33 h1:HbH1VjUgrCdLJ+4lnnuLI4iVNRvBbBELGaJ5f69ClA8= | |
github.com/aws/aws-sdk-go-v2/internal/ini v1.3.33/go.mod h1:zG2FcwjQarWaqXSCGpgcr3RSjZ6dHGguZSppUL0XR7Q= | |
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.26 h1:uUt4XctZLhl9wBE1L8lobU3bVN8SNUP7T+olb0bWBO4= | |
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.26/go.mod h1:Bd4C/4PkVGubtNe5iMXu5BNnaBi/9t/UsFspPt4ram8= | |
github.com/aws/aws-sdk-go-v2/service/route53 v1.27.7 h1:f/EOUu/Qw1IAMP6GJDzV50/hICt9/JOdhYAjego/8nk= | |
github.com/aws/aws-sdk-go-v2/service/route53 v1.27.7/go.mod h1:Jhu94omkrksnqX6Xs4Qo10eA1Fx+2NYKjZMU4GvZLp0= | |
github.com/aws/aws-sdk-go-v2/service/sso v1.12.8 h1:5cb3D6xb006bPTqEfCNaEA6PPEfBXxxy4NNeX/44kGk= | |
github.com/aws/aws-sdk-go-v2/service/sso v1.12.8/go.mod h1:GNIveDnP+aE3jujyUSH5aZ/rktsTM5EvtKnCqBZawdw= | |
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.8 h1:NZaj0ngZMzsubWZbrEFSB4rgSQRbFq38Sd6KBxHuOIU= | |
github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.8/go.mod h1:44qFP1g7pfd+U+sQHLPalAPKnyfTZjJsYR4xIwsJy5o= | |
github.com/aws/aws-sdk-go-v2/service/sts v1.18.9 h1:Qf1aWwnsNkyAoqDqmdM3nHwN78XQjec27LjM6b9vyfI= | |
github.com/aws/aws-sdk-go-v2/service/sts v1.18.9/go.mod h1:yyW88BEPXA2fGFyI2KCcZC3dNpiT0CZAHaF+i656/tQ= | |
github.com/aws/smithy-go v1.13.5 h1:hgz0X/DX0dGqTYpGALqXJoRKRj5oQ7150i5FdTePzO8= | |
github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= | |
github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8= | |
github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= | |
github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg= | |
github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= | |
github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= | |
github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= | |
github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= | |
github.com/jmespath/go-jmespath/internal/testify v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= | |
github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= | |
github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= | |
github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= | |
golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o= | |
golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= | |
gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= | |
gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10= | |
gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= |
package main | |
import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"log"
	"net"
	"os"
	"strings"
	"sync"
	"time"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/config"
	"github.com/aws/aws-sdk-go-v2/service/route53"
	"github.com/aws/aws-sdk-go-v2/service/route53/types"
	"golang.org/x/sync/semaphore"
)
// main is the CLI entry point. It expects one positional argument, the
// Route 53 hosted zone ID to scan, and exits via log.Fatalf when it is absent.
func main() {
	args := os.Args[1:]
	if len(args) == 0 {
		log.Fatalf("usage: %s <zone id>", os.Args[0])
	}
	run(args[0])
}
// run checks the TLS certificate of every host name found in hosted zone
// zoneID, with at most maxInFlight checks running concurrently.
//
// Failures are only logged: run returns once every check has finished and the
// process exit status is not affected by how many of them failed.
func run(zoneID string) {
	const maxInFlight = 10

	hosts := list(zoneID)
	limiter := semaphore.NewWeighted(maxInFlight)
	var pending sync.WaitGroup

	for _, host := range hosts {
		pending.Add(1)
		// Background context never cancels, so Acquire only blocks until a
		// slot frees up and cannot return an error here.
		_ = limiter.Acquire(context.Background(), 1)
		go func(h string) {
			defer limiter.Release(1)
			defer pending.Done()
			if err := check(h); err != nil {
				log.Print(err)
			}
		}(host)
	}
	pending.Wait()
}
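// list returns the dialable host names of every NS and A record set (alias
// records included, since they are typed A) in the hosted zone zoneID.
//
// All pages of ListResourceRecordSets are walked: Route 53 returns at most
// 100 record sets per call, and a single call silently drops the rest of a
// larger zone. A leading wildcard label — rendered by Route 53 as the octal
// escape "\052." — is stripped, so "*.example.com." is checked as
// "example.com", and the FQDN's trailing dot is removed.
//
// CNAME and AAAA record sets are not included. The process exits via
// log.Fatalf if the AWS configuration cannot be loaded or the API call fails.
func list(zoneID string) []string {
	log.Printf("listing resource record sets for %s", zoneID)
	ctx := context.Background()

	cfg, err := config.LoadDefaultConfig(ctx)
	if err != nil {
		log.Fatalf("failed to load AWS config: %v", err)
	}
	r53 := route53.NewFromConfig(cfg)

	input := &route53.ListResourceRecordSetsInput{
		HostedZoneId: aws.String(zoneID),
	}
	var ret []string
	for {
		output, err := r53.ListResourceRecordSets(ctx, input)
		if err != nil {
			log.Fatalf("failed to list resource record sets: %v", err)
		}
		for _, record := range output.ResourceRecordSets {
			if record.Type != types.RRTypeNs && record.Type != types.RRTypeA {
				continue
			}
			if host := recordHost(aws.ToString(record.Name)); host != "" {
				ret = append(ret, host)
			}
		}
		if !output.IsTruncated {
			return ret
		}
		// Resume from the cursor the previous page returned; all three
		// fields are needed because record sets are keyed by name, type
		// and (for routing-policy records) set identifier.
		input.StartRecordName = output.NextRecordName
		input.StartRecordType = output.NextRecordType
		input.StartRecordIdentifier = output.NextRecordIdentifier
	}
}

// recordHost turns a Route 53 record name into a host name that can be
// dialed: a leading wildcard label ("\052." is how the API escapes "*.") is
// dropped and the trailing dot of the FQDN is removed. An empty name yields
// "" instead of an out-of-range slice.
func recordHost(name string) string {
	name = strings.TrimPrefix(name, "\\052.")
	return strings.TrimSuffix(name, ".")
}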
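// check connects to domain on port 443, performs a TLS handshake with SNI set
// to domain and applies the certificate policy to the chain the server sends
// (see inspectChain). It returns nil when the policy is satisfied, and also
// when the name does not resolve at all, since an absent host is not a
// certificate finding. Any other dial error, a handshake failure and an empty
// certificate list are returned as errors.
//
// The handshake itself runs with verification disabled so that an expired or
// mis-issued certificate can be observed and reported rather than aborting the
// handshake; the chain is then verified explicitly against the system trust
// store before the issuer allowlist is consulted.
func check(domain string) error {
	log.Printf("checking %s", domain)

	const (
		dialTimeout      = 5 * time.Second
		handshakeTimeout = 10 * time.Second
		// A certificate must remain valid for at least this long from now.
		expiryWindow = 14 * 24 * time.Hour
	)

	conn, err := net.DialTimeout("tcp", net.JoinHostPort(domain, "443"), dialTimeout)
	if err != nil {
		var dnsErr *net.DNSError
		if errors.As(err, &dnsErr) && dnsErr.IsNotFound {
			return nil
		}
		return err
	}
	defer conn.Close()

	// DialTimeout only bounds the TCP connect; a peer that accepts and then
	// stalls would otherwise block Handshake forever and pin a semaphore slot.
	if err := conn.SetDeadline(time.Now().Add(handshakeTimeout)); err != nil {
		return fmt.Errorf("failed to set deadline: domain:%s, err:%v", domain, err)
	}

	tlsConn := tls.Client(conn, &tls.Config{
		// Deliberate: verification is done by inspectChain below, where a
		// failure produces a report instead of a handshake abort.
		InsecureSkipVerify: true,
		ServerName:         domain,
	})
	if err := tlsConn.Handshake(); err != nil {
		return fmt.Errorf("failed to handshake: domain:%s, err:%v", domain, err)
	}
	defer tlsConn.Close()

	certs := tlsConn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return fmt.Errorf("no certificate: domain:%s", domain)
	}
	return inspectChain(domain, certs, time.Now().Add(expiryWindow), nil)
}

// inspectChain applies the certificate policy to certs, the chain a server
// presented for domain (leaf first):
//
//  1. the leaf must still be valid at deadline (now plus the warning window),
//     so an imminent expiry is reported before it bites;
//  2. the chain must verify against roots (nil selects the system trust
//     store) for domain — without this the Organization checked in step 3
//     is an unverified claim that any self-signed certificate can make;
//  3. the issuer's first Organization must be one of the accepted CAs.
//
// The returned error describes the first violated rule; nil means all passed.
func inspectChain(domain string, certs []*x509.Certificate, deadline time.Time, roots *x509.CertPool) error {
	leaf := certs[0]

	if !deadline.After(leaf.NotBefore) || !deadline.Before(leaf.NotAfter) {
		return fmt.Errorf("certificate is about to expire or not yet valid: domain:%s, before:%s, after:%s", domain, leaf.NotBefore, leaf.NotAfter)
	}

	intermediates := x509.NewCertPool()
	for _, c := range certs[1:] {
		intermediates.AddCert(c)
	}
	if _, err := leaf.Verify(x509.VerifyOptions{
		DNSName:       domain,
		Roots:         roots,
		Intermediates: intermediates,
	}); err != nil {
		return fmt.Errorf("certificate verification failed: domain:%s, err:%v", domain, err)
	}

	// Guard the index: a certificate with no Organization in its issuer used
	// to panic here instead of being reported.
	if len(leaf.Issuer.Organization) == 0 {
		return fmt.Errorf("invalid certificate issuer: domain:%s, issuer has no organization", domain)
	}
	switch org := leaf.Issuer.Organization[0]; org {
	case "Amazon", "Google Trust Services LLC":
		return nil
	default:
		return fmt.Errorf("invalid certificate issuer: domain:%s, issuer:%s", domain, org)
	}
}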