4 Replies Latest reply on Dec 15, 2016 2:20 PM by Jamo

    Get remote servers SSL expiration date

    mischa.suemnig Level 1

      We have many clients that all have multiple web sites.  The majority of the web sites, we do not host.  If I wanted to look up when their SSL certificate was going to expire and proactively notify them, does anyone know any way to do this through CF9?

       

      I've done the following, but I don't get the information from the header that I'm looking for:

      <cfhttp url="https://www.amazon.com" result="out"></cfhttp>
      <cfdump var="#out#" />

       

      However, in PHP, I simply set the following options before calling curl:

      curl_setopt($ch[$i], CURLOPT_VERBOSE, true);
      curl_setopt($ch[$i], CURLOPT_CERTINFO, true);

       

      VERBOSE enables more info

      CERTINFO enables the certificate information to pass in the header

       

      then curl_getinfo() on my curl handler and it's in an array.

       

      I ended up using PHP for this task, but it seems there ought to be a way to do it in CF.

       

      Thanks for any thoughts anyone might have!

        • 1. Re: Get remote servers SSL expiration date
          mischa.suemnig Level 1

          Any Adobe folks out there know if there is a way to do this, or if perhaps, this may be slated for a future enhancement?

           

          Thanks!

          • 2. Re: Get remote servers SSL expiration date
            pete_freitag Adobe Community Professional

            Sure you can do this in CF using Java:

             

            <!--- Open a TLS socket to the host using the JVM's default SSL socket factory --->
            <cfset factory = CreateObject("java", "javax.net.ssl.HttpsURLConnection").getDefaultSSLSocketFactory()>
            <cfset socket = factory.createSocket("foundeo.com", JavaCast("int", 443))>
            <cfset socket.startHandshake()>
            <!--- Certificates the server presented, leaf certificate first --->
            <cfset certs = socket.getSession().getPeerCertificates()>
            <cfif IsArray(certs)>
              <cfloop from="1" to="#ArrayLen(certs)#" index="i">
                <cfset cert = certs[i]>
                <cfoutput>#cert.getSubjectDN().getName()# - Valid Until #DateFormat(cert.getNotAfter())#</cfoutput><br />
              </cfloop>
            </cfif>
            <cfset socket.close()>

            2 people found this helpful
            • 3. Re: Get remote servers SSL expiration date
              Jamo Level 2

              This works on some SSL certificates, but not on everything.  I get a "sun.security.validator.ValidatorException: PKIX path building failed: java.security.cert.CertPathBuilderException: Could not build a validated path." error when trying to test any certificates from LetsEncrypt.org (using CF10).  I've hit other strange Java limitations before and am going to research some non-Java (.NET/command-line/API) methods.


              • 4. Re: Get remote servers SSL expiration date
                Jamo Level 2

                We already use "PRTG Network Monitor" to monitor all our services internally & externally. I discovered that they have a "SSL Certificate Sensor" that can show "Days to expiration (with predefined lower warning and error limits)" in addition to seven (7) other metrics.

                https://www.paessler.com/manuals/prtg/ssl_certificate_sensor

                NOTE:  Their free version of PRTG allows 100 sensors "free forever".
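
A command-line variant of the expiry check discussed in this thread, as an added example that is not part of any post above: it reads the certificate with the openssl CLI, so the result does not depend on the JVM trust store that produced the PKIX error in reply 3. The function names and the 30-day/7-day default limits are assumptions made for this example, not PRTG's values.

```shell
# Added example, not from the thread. Requires the openssl CLI.

# Print the leaf certificate a server presents, as PEM. s_client reports
# chain-validation errors but still finishes the handshake, so this works
# even when the local trust store cannot build a path to the issuer.
fetch_cert() {  # usage: fetch_cert host [port]
  openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -outform PEM 2>/dev/null
}

# Human-readable notAfter field of a PEM certificate file.
cert_enddate() { openssl x509 -in "$1" -noout -enddate | cut -d= -f2; }

# Classify a PEM file against warning/critical limits given in days.
# Prints INVALID, EXPIRED, CRITICAL, WARNING or OK.
cert_status() {  # usage: cert_status cert.pem [warn_days] [crit_days]
  local pem=$1 warn=${2:-30} crit=${3:-7} limit
  # A file that does not parse must not be mistaken for an expired cert.
  openssl x509 -in "$pem" -noout >/dev/null 2>&1 || { echo INVALID; return 2; }
  for limit in "0 EXPIRED" "$crit CRITICAL" "$warn WARNING"; do
    # -checkend N exits non-zero if the cert expires within N seconds.
    if ! openssl x509 -in "$pem" -noout -checkend $(( ${limit% *} * 86400 )) >/dev/null; then
      echo "${limit#* }"; return 1
    fi
  done
  echo OK
}

# Fetch and classify one host; prints "host<TAB>status<TAB>notAfter".
check_host() {  # usage: check_host host [port] [warn_days] [crit_days]
  local host=$1 tmp status
  tmp=$(mktemp) || return 2
  if fetch_cert "$host" "${2:-443}" >"$tmp" && [ -s "$tmp" ]; then
    status=$(cert_status "$tmp" "${3:-30}" "${4:-7}") || true
    printf '%s\t%s\t%s\n' "$host" "$status" "$(cert_enddate "$tmp")"
  else
    printf '%s\tUNREACHABLE\t-\n' "$host"
  fi
  rm -f "$tmp"
}
```

Because the certificate is read without being validated, the status describes only the expiry date; whether the chain is trusted is a separate check.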