Skip to content

Instantly share code, notes, and snippets.

@renato-zannon

renato-zannon/README.md

Last active October 1, 2021 21:05
Star
Embed
What would you like to do?
Learn more about clone URLs
Download ZIP
Verify if host will have Let's encrypt certificate validation problems
Raw
README.md

Running the script inside a docker container

If you wish to test whether your docker container won't have issues when the old Root certificate expires, you can run the script inside the container itself.

In order to do this, follow these steps:

  1. Download the verify-lets-encrypt.sh script from the gist
  2. Bring up your application container as you usually do - with docker-compose up, docker run, via VS Code etc
  3. Run docker ps, and look for any application containers that are up; the NAMES column is the easiest for that
  4. From the same folder where you've downloaded the script, run docker exec -i <CONTAINER_NAME_OR_ID> /bin/sh < verify-lets-encrypt.sh; this will run the script inside the container
  5. Then, you should be able to see the script output in the same terminal
Raw
verify-lets-encrypt.sh
#!/bin/sh
set -eu
CERTS_DIR="$(openssl version -d | sed -E 's/OPENSSLDIR: "([^"]*)"/\1/')"
CERTS_FIFO="$(mktemp -u)"
mkfifo "$CERTS_FIFO"
trap 'rm -f $CERTS_FIFO' EXIT
(
[ -r "${CERTS_DIR}/cert.pem" ] && echo "${CERTS_DIR}/cert.pem"
[ -d "${CERTS_DIR}/certs" ] && find -L "${CERTS_DIR}/certs" -type f -name '*.pem'
) | \
xargs sed \
-n \
-e '/^-*BEGIN CERTIFICATE-*$/{:I; N; /END CERTIFICATE-*$/!bI; s/\n/\\n/g; p}' \
>"$CERTS_FIFO" &
NEW_ROOT_PRESENT=false
OLD_ROOT_PRESENT=false
while IFS= read -r cert; do
if [ -z "$cert" ]; then
continue
fi
FINGERPRINT="$(printf "%b" "$cert" | openssl x509 -fingerprint -sha1 -noout | sed -e 's/SHA1 Fingerprint=//')"
if [ "$FINGERPRINT" = "CA:BD:2A:79:A1:07:6A:31:F2:1D:25:36:35:CB:03:9D:43:29:A5:E8" ]; then
NEW_ROOT_PRESENT=true
fi
if [ "$FINGERPRINT" = "DA:C9:02:4F:54:D8:F6:DF:94:93:5F:B1:73:26:38:CA:6A:D7:7C:13" ]; then
OLD_ROOT_PRESENT=true
fi
done < "$CERTS_FIFO"
OPENSSL_VERSION="$(openssl version | sed -e 's/OpenSSL \([0-9]*\)\.\([0-9]*\)\.\([0-9]*\)[^0-9].*/\1:\2:\3/')"
OPENSSL_MAJOR="$(echo "$OPENSSL_VERSION" | cut -d ':' -f 1)"
OPENSSL_MINOR="$(echo "$OPENSSL_VERSION" | cut -d ':' -f 2)"
OPENSSL_PATCH="$(echo "$OPENSSL_VERSION" | cut -d ':' -f 3)"
OLD_OPENSSL=false
if [ "$OPENSSL_MAJOR" -eq 0 ] || [ "$OPENSSL_MINOR" -eq 0 ] && [ "$OPENSSL_PATCH" -le 2 ]; then
OLD_OPENSSL=true
fi
if [ "$NEW_ROOT_PRESENT" = "true" ]; then
echo "New ISRG Root X1 already present ✓"
else
echo "New ISRG Root X1 not present ❌"
echo " -> Try updating the ca-certifiates package"
fi
echo
if [ "$OLD_ROOT_PRESENT" = "true" ] && [ "$OLD_OPENSSL" = "true" ]; then
echo "Old OpenSSL version, and IdentTrust DST Root CA X3 is present ❌"
echo " -> Manual removal of old IdentTrust root is required"
else
if [ "$OLD_OPENSSL" = "false" ]; then
echo "OpenSSL newer than 1.0.2 ✓"
fi
if [ "$OLD_ROOT_PRESENT" = "false" ]; then
echo "Old IdentTrust DST Root CA X3 is not present ✓"
fi
fi
@fkoner
Copy link

fkoner commented Sep 29, 2021
edited

Great script @renato-zannon.
We can also run directly the script in our pod (for example in dev or staging environments)

Retrieving pod names:
kubectl -n <application-name> get pods

Example:
kubectl -n ninjas get pods

Running script:
kubectl -n <application-name> exec -it <podname> -- /bin/sh < verify-lets-encrypt.sh

Example:
kubectl -n ninjas exec -it ni-r-62be-web-68b4878bf5-qw9rh -- /bin/sh < verify-lets-encrypt.sh

Output:

New ISRG Root X1 already present ✓
OpenSSL newer than 1.0.2 ✓

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment