Skip to content

Instantly share code, notes, and snippets.

  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Embed
What would you like to do?
Check multiple domains for LetsEncrypt CAA Rechecking Bug on Nginx servers

On 29th February 2020, LetsEncrypt found a bug "CAA rechecking". https://community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864

This script has been made to help admins to check multiple domains on their Nginx web servers.

All my domains where fine, so I didn't bother to automate renewals. However, it can be added in the script.

Quick Usage:

wget -O - https://gist.githubusercontent.com/sashareds/98095b8b7b322c8283dc7afbec658690/raw/019fcc59f92ada15ae6eebd80d544db6828caeb0/checkforcaa.sh | bash

Fair wairning tho, double check the url(click on ROW and copy url from the address bar) to avoid tampered url.

#!/bin/bash
#some debugging. feel free to delete that
#exec 7> debug_output.txt
#BASH_XTRACEFD=7
#PS4='$LINENO: '
#set -x
#looking for the list domains in the nginx config
for d in `nginx -T | grep "server_name " | sed 's/.*server_name \(.*\);/\1/' | sed 's/ /\n/'`; do
#requesting domain status from the site that LetsEncrypt provided.
echo checking $d with LetsEncrypt...
RESULT=`curl -s -XPOST -d "fqdn=$d" https://checkhost.unboundtest.com/checkhost`
if echo "$RESULT" | grep -q "needs renewal"; then
echo $d is $(tput setaf 1)vulnerable$(tput sgr0).
echo $d >> $HOME/vulnerable_domains.txt #save vulnerable domains into a file
else echo $d is $(tput setaf 2)grand!$(tput sgr0)
fi
done
echo "List of your vulnerable domains(if you have any) saved in $HOME/vulnerable_domains.txt"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment