Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Check multiple domains for LetsEncrypt CAA Rechecking Bug on Nginx servers

On 29th February 2020, LetsEncrypt found a bug "CAA rechecking". https://community.letsencrypt.org/t/revoking-certain-certificates-on-march-4/114864

This script has been made to help admins to check multiple domains on their Nginx web servers.

All my domains where fine, so I didn't bother to automate renewals. However, it can be added in the script.

Quick Usage:

wget -O - https://gist.githubusercontent.com/sashareds/98095b8b7b322c8283dc7afbec658690/raw/019fcc59f92ada15ae6eebd80d544db6828caeb0/checkforcaa.sh | bash

Fair wairning tho, double check the url(click on ROW and copy url from the address bar) to avoid tampered url.

#!/bin/bash
#some debugging. feel free to delete that
#exec 7> debug_output.txt
#BASH_XTRACEFD=7
#PS4='$LINENO: '
#set -x
#looking for the list domains in the nginx config
for d in `nginx -T | grep "server_name " | sed 's/.*server_name \(.*\);/\1/' | sed 's/ /\n/'`; do
#requesting domain status from the site that LetsEncrypt provided.
echo checking $d with LetsEncrypt...
RESULT=`curl -s -XPOST -d "fqdn=$d" https://checkhost.unboundtest.com/checkhost`
if echo "$RESULT" | grep -q "needs renewal"; then
echo $d is $(tput setaf 1)vulnerable$(tput sgr0).
echo $d >> $HOME/vulnerable_domains.txt #save vulnerable domains into a file
else echo $d is $(tput setaf 2)grand!$(tput sgr0)
fi
done
echo "List of your vulnerable domains(if you have any) saved in $HOME/vulnerable_domains.txt"
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.