On 24 October 2023 8:44:49 UTC, Christof Meerwald via mailop
<mailop@mailop.org> wrote:
>On Tue, Oct 24, 2023 at 12:17:30PM +0800, Philip Paeps via mailop wrote:

>> crt.sh provides a handy service you can poll.
>> 
>> They provide JSON output.
>
>They also provide an Atom feed you can use with your favourite
>RSS/Atom feed reader.

If someone is interested in my experience...

I abandoned the idea of running my own certspotter; it consumes
significant bandwidth and CPU. I was using an older version (run
from cron); every run saturated my 100 Mb/s link for ~10 min
(+ more at lower speed) and took more than 40 min (on a 4-core
J3455) to finish, thus it is pointless to run it more often than
hourly. I am not willing to use a more powerful machine (nor a
dedicated one) for it.

Then I took a look at the crt.sh RSS. It is a better idea for my setup
(small number of domains); polling it every hour will provide
nearly the same result as certspotter, with much less bandwidth
& CPU (as it provides a way to exclude precerts & expired). I tried
to parse it with Python (feedparser lib) without any problem; I
was only surprised that one has to parse the cert (included in
the feed entry) to get details such as validity time or CN/SAN
(especially the CN/SAN, which are not in the entry title).

The only downside (that I see) is that the RSS URL doesn't provide
Last-Modified or ETag headers, thus there is no way to check without
downloading (and parsing), but the download size is pretty small, thus
it is not important.

IMO it must be pretty simple to set up a certbot hook to be able
to exclude self-issued certs and alert on any other; I will play
with that to get something like a dedicated feed reader/alerter.

regards


-- 
Slavko
https://www.slavino.sk/
_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
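
Added example, not part of the original message or of any tool it mentions: one way to do the "exclude self-issued certs and alert on any other" step, here against crt.sh's JSON output instead of the RSS feed, so no certificate parsing is needed. The records are constructed, the field names are assumed to match crt.sh's JSON output, and `unexpected_certs`, `norm_serial` and `own_serials` are hypothetical names.

```python
import json
from datetime import datetime, timezone

# Constructed sample; field names assumed to match crt.sh JSON output.
SAMPLE = json.dumps([
    {"id": 1001, "issuer_name": "O=Own CA (constructed)", "serial_number": "03a1b2c3",
     "name_value": "mail.example.org", "not_after": "2023-12-30T00:00:00"},
    # A precertificate and its final certificate share one serial number.
    {"id": 1002, "issuer_name": "O=Own CA (constructed)", "serial_number": "03a1b2c3",
     "name_value": "mail.example.org", "not_after": "2023-12-30T00:00:00"},
    {"id": 1003, "issuer_name": "O=Other CA (constructed)", "serial_number": "00ff10",
     "name_value": "example.org\nwww.example.org", "not_after": "2024-01-18T00:00:00"},
    {"id": 1004, "issuer_name": "O=Other CA (constructed)", "serial_number": "00ff10",
     "name_value": "example.org\nwww.example.org", "not_after": "2024-01-18T00:00:00"},
    {"id": 1005, "issuer_name": "O=Other CA (constructed)", "serial_number": "7a7a",
     "name_value": "old.example.org", "not_after": "2023-09-01T00:00:00"},
])


def norm_serial(serial):
    """Serials as integers: tools differ in case, colons and leading zeros."""
    return int(serial.replace(":", ""), 16)


def unexpected_certs(feed_json, own_serials, now):
    """Return unexpired log entries whose serial is not one we requested."""
    own = {norm_serial(s) for s in own_serials}
    seen, alerts = set(), []
    for rec in json.loads(feed_json):
        serial = norm_serial(rec["serial_number"])
        # Timestamps assumed to be UTC without an offset.
        not_after = datetime.fromisoformat(rec["not_after"]).replace(tzinfo=timezone.utc)
        key = (rec["issuer_name"], serial)  # serials are unique per issuer only
        if not_after <= now or serial in own or key in seen:
            continue
        seen.add(key)
        alerts.append({"serial": format(serial, "x"), "issuer": rec["issuer_name"],
                       "names": sorted(set(rec["name_value"].split("\n")))})
    return alerts


if __name__ == "__main__":
    # own_serials would come from the certificates your own client obtained.
    fixed_now = datetime(2023, 10, 24, tzinfo=timezone.utc)
    for alert in unexpected_certs(SAMPLE, ["03:A1:B2:C3"], fixed_now):
        print("ALERT", alert)
```

Matching on the serial number alone treats any logged certificate with one of your serials as your own; record the issuer alongside it if you want the exclusion to be stricter.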
