• How to write a simple SSL certificate expiry monitor in Go
  • Published 2 months ago
  • 84 views
    0 comments
No third-party library is needed for this; Go's standard library is enough. The program below fetches the SSL certificate expiry date for each listed domain and prints a warning when a certificate is 7 days or less from expiring:
package main

import (
	"crypto/tls"
	"fmt"
	"net"
	"time"
)

func main() {
	domains := []string{
		"google.com",
		"github.com",
		"stackoverflow.com",
		"amazon.com",
		"microsoft.com",
		"apple.com",
		"duidaima.com",
		"netflix.com",
		"facebook.com",
		"twitter.com",
		"linkedin.com",
	}
	for _, domain := range domains {
		expirationDate, err := getCertificateExpirationDate(domain)
		if err != nil {
			fmt.Printf("Error getting certificate for %s: %v\n", domain, err)
			continue
		}

		// Whole days left, rounded down; negative once the certificate has already expired.
		daysUntilExpiration := int(time.Until(expirationDate).Hours() / 24)

		if daysUntilExpiration <= 7 {
			fmt.Printf("WARNING: Certificate for %s will expire in %d days (on %s)\n", domain, daysUntilExpiration, expirationDate.Format("2006-01-02"))
		} else {
			fmt.Printf("Certificate for %s will expire in %d days (on %s)\n", domain, daysUntilExpiration, expirationDate.Format("2006-01-02"))
		}
	}
}

// getCertificateExpirationDate opens a TLS connection to domain:443 and returns the
// NotAfter date of the leaf certificate the server presents. The host part of the
// address is used as the SNI server name, so the server answers with the certificate
// issued for that name.
func getCertificateExpirationDate(domain string) (time.Time, error) {
	// Bound the connection attempt so one unreachable host cannot stall the whole run.
	dialer := &net.Dialer{Timeout: 10 * time.Second}
	conn, err := tls.DialWithDialer(dialer, "tcp", domain+":443", &tls.Config{
		// Verification is disabled deliberately: an expired or otherwise invalid
		// certificate should still be returned and reported rather than failing the
		// handshake. The connection is therefore unauthenticated and is only used to
		// read dates, never to exchange data.
		InsecureSkipVerify: true,
	})
	if err != nil {
		return time.Time{}, err
	}
	defer conn.Close()

	certs := conn.ConnectionState().PeerCertificates
	if len(certs) == 0 {
		return time.Time{}, fmt.Errorf("server presented no certificate")
	}
	return certs[0].NotAfter, nil
}
Running the code produces:
Certificate for google.com will expire in 61 days (on 2024-08-26)
Certificate for github.com will expire in 255 days (on 2025-03-07)
Certificate for stackoverflow.com will expire in 45 days (on 2024-08-09)
Certificate for amazon.com will expire in 196 days (on 2025-01-07)
Certificate for microsoft.com will expire in 354 days (on 2025-06-14)
Certificate for apple.com will expire in 63 days (on 2024-08-27)
Certificate for netflix.com will expire in 121 days (on 2024-10-24)
WARNING: Certificate for facebook.com will expire in 7 days (on 2024-07-02)
Certificate for twitter.com will expire in 157 days (on 2024-11-29)
Certificate for linkedin.com will expire in 35 days (on 2024-07-30)
For A records this is all straightforward. For a CNAME, however, there are really two sets of certificates: a CNAME is not a 301 redirect. Visiting https://baidu.mydomain.com does not redirect you to https://baidu.com/; it serves the content of https://baidu.mydomain.com, which is identical to that of https://baidu.com/. So in this case, if I am the holder and maintainer of mydomain.com, I only need to care about the expiry date of the certificate for baidu.mydomain.com, not the one for baidu.com (although in practice the certificate for baidu.mydomain.com could also be maintained by the baidu.com operators on your behalf, it is usually the holder of mydomain.com who maintains it).

So when checking a CNAME record, what matters is the expiry date of the certificate for "baidu.mydomain.com", not "baidu.com"; the latter is baidu's concern.
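As an added example (not the post's own code), here is the same check restructured so that its decision logic can be tested offline, and extended for the CNAME case just described: it sets the SNI server name explicitly to the name being monitored (a CNAME target that hosts several sites hands back a different certificate per name), it reports the earliest NotAfter in the whole presented chain rather than only the leaf, and it records whether the certificate is actually valid for the monitored name. So that it runs without network access, main spins up a loopback TLS listener with a throwaway self-signed certificate for the constructed name baidu.mydomain.com; the function names, the 7-day threshold and that host name are assumptions of this example, not anything from the original program.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CertStatus is what a monitor needs to know about one presented chain.
type CertStatus struct {
	NotAfter      time.Time // earliest NotAfter anywhere in the chain
	DaysRemaining int       // negative once expired
	NameMatches   bool      // leaf is valid for the checked name according to its SANs
}

// EvaluateChain turns an already-fetched chain into a status (testable offline). It takes
// the earliest NotAfter in the chain: an intermediate expiring first breaks the site too.
func EvaluateChain(host string, chain []*x509.Certificate, now time.Time) (CertStatus, error) {
	if len(chain) == 0 {
		return CertStatus{}, fmt.Errorf("%s: server presented no certificates", host)
	}
	earliest := chain[0].NotAfter
	for _, c := range chain[1:] {
		if c.NotAfter.Before(earliest) {
			earliest = c.NotAfter
		}
	}
	return CertStatus{
		NotAfter:      earliest,
		DaysRemaining: int(earliest.Sub(now).Hours() / 24),
		NameMatches:   chain[0].VerifyHostname(host) == nil,
	}, nil
}

// FetchChain connects to addr with SNI set to host, so a CNAME target serving many sites
// answers with the certificate for this particular name. Verification is skipped on purpose
// so an expired certificate can still be read; the chain is unauthenticated, reporting only.
func FetchChain(addr, host string, timeout time.Duration) ([]*x509.Certificate, error) {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: timeout}, "tcp", addr,
		&tls.Config{ServerName: host, InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates, nil
}

// ServeLocal starts a loopback TLS listener with a throwaway self-signed certificate for
// host that expires at notAfter, so the monitor can be exercised offline.
func ServeLocal(host string, notAfter time.Time) (net.Listener, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{host},
		NotBefore:    notAfter.Add(-90 * 24 * time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		if c, err := ln.Accept(); err == nil {
			_ = c.(*tls.Conn).Handshake() // complete the handshake so the client receives the chain
			c.Close()
		}
	}()
	return ln, nil
}

func main() {
	host := "baidu.mydomain.com" // constructed: the CNAME name itself, as the text recommends
	ln, err := ServeLocal(host, time.Now().Add(5*24*time.Hour)) // five days from expiry
	if err != nil {
		panic(err)
	}
	defer ln.Close()
	chain, err := FetchChain(ln.Addr().String(), host, 5*time.Second)
	if err != nil {
		panic(err)
	}
	st, _ := EvaluateChain(host, chain, time.Now())
	alert := st.DaysRemaining <= 7 || !st.NameMatches
	fmt.Printf("%s expires in %d days (on %s); name matches: %v; alert: %v\n",
		host, st.DaysRemaining, st.NotAfter.Format("2006-01-02"), st.NameMatches, alert)
}
```

To point this at real hosts, replace ServeLocal with a call such as FetchChain("baidu.mydomain.com:443", "baidu.mydomain.com", 10*time.Second): the address is where the CNAME resolves, the second argument is the name whose certificate you are responsible for. Like the original program, the day count truncates toward zero, so a certificate 5 days minus a few seconds from expiry reports 4 days.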