In a procedure to auto-renew the certificate with Let's Encrypt of a MongoDB instance, I want to know the specific certificate that the instance is serving.
Is there a way to get, for example, the expiry date or any other info?
You can check the certificate details of your instance through your browser quite easily. Please check this article for more reference: Check SSL certificates in your browser
You can also use this command to check the certificates served by this MongoDB instance from the client side:
openssl s_client -showcerts -connect instance-name:port-no
There's a little Python 3 program that does exactly what you asked for (with OpenSSL):
$ certcheck www.example.com:443 serverfault.com
Host (SNI) | Port | Crt Issuer | Delta to expiry | Status
-----------------+------+---------------+---------------------------+--------
www.example.com | 443 | DigiCert Inc | 213 days, 23:50:03.267476 | VALID
serverfault.com | 443 | Let's Encrypt | 80 days, 13:04:26.637472 | VALID
Note that certcheck accepts a list of hosts to check; you'd need to script that with OpenSSL.
With just OpenSSL, sed and bash:
$ openssl s_client \
-servername www.example.com \
-connect www.example.com:443 2>&1 < /dev/null \
| sed -nre '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
| openssl x509 -in - -enddate -noout
notAfter=Dec 25 23:59:59 2021 GMT
From man x509:
-enddate
Prints out the expiry date of the certificate, that is the notAfter date.
-dates
Prints out the start and expiry dates of a certificate.
-checkend arg
Checks if the certificate expires within the next arg seconds and exits nonzero if yes it will expire or zero if not.
Replace www.example.com:443 with <your_mongodb_host>:27015.
You can get a list of all Let's Encrypt certificates including their expiry dates with
certbot certificates
You could also try to script an auto-renewal using certbot renew and then concatenate the newly obtained fullchain and privkey files to one PEM file and save it where MongoDB expects it to be. A script for doing this can be found here: https://gist.github.com/zabirauf/bda54230ca1335c1cf00e3adba682ee7
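An added example, not taken from any of the answers above: a Python 3 check for a renewal script that fetches the certificate the instance is actually serving and compares it with the leaf certificate in the combined PEM file on disk, so a mongod that has not yet loaded the renewed certificate is detected. The function names and command-line arguments are assumptions of this sketch; `seconds_left` takes a date in the format `openssl x509 -enddate` prints after `notAfter=`.

```python
import hashlib
import socket
import ssl
import sys
import time

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def leaf_fingerprint(pem_text):
    """SHA-256 of the first CERTIFICATE block in a PEM file.

    Works on fullchain.pem and on the combined fullchain + privkey file,
    because key blocks and intermediate certificates are skipped."""
    start = pem_text.index(BEGIN)  # ValueError if the file holds no certificate
    stop = pem_text.index(END, start) + len(END)
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_text[start:stop])).hexdigest()


def served_cert_der(host, port, timeout=5.0):
    """Return the DER certificate the server presents on host:port.

    Chain validation is off for this inspection-only connection: the bytes
    are compared with a trusted local file, and an expired certificate must
    still be retrievable. Do not reuse this context for application traffic."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def is_serving(served_der, pem_text):
    """True when the served certificate is the leaf stored in pem_text."""
    return hashlib.sha256(served_der).hexdigest() == leaf_fingerprint(pem_text)


def seconds_left(not_after, now=None):
    """Seconds until expiry for a date such as 'Dec 25 23:59:59 2021 GMT'."""
    return ssl.cert_time_to_seconds(not_after) - (time.time() if now is None else now)


if __name__ == "__main__":
    # Usage (arguments are placeholders): check.py <host> <port> <combined.pem>
    host, port, pem_path = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    with open(pem_path) as fh:
        current = is_serving(served_cert_der(host, port), fh.read())
    print("serving the on-disk certificate" if current
          else "STALE: instance has not loaded the renewed certificate")
    sys.exit(0 if current else 1)
```

The non-zero exit status on a mismatch lets the renewal script decide whether the instance still needs to pick up the new file.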