背景
云平台https的域名服务器如果超过上百条,如果都分布在不同的服务器或者负载均衡上,如果即将过期, 做完替换SSL证书动作后,如何批量检查域名的SSL证书是否替换网站,可通过如下脚本实现。
Python脚本
保存domain-ssl-check.py文件内容如下:
- #!/usr/bin/env python3
- import ssl, socket
- import requests
- from dateutil import parser
- import pytz
- requests.packages.urllib3.disable_warnings()
- try:
- _create_unverified_https_context = ssl._create_unverified_context
- except AttributeError:
- # Legacy Python that doesn't verify HTTPS certificates by default
- pass
- else:
- # Handle target environment that doesn't support HTTPS verification
- ssl._create_default_https_context = _create_unverified_https_context
- def get_domain_content(domain):
- requests.packages.urllib3.disable_warnings()
- url = 'https://' + domain
- response = requests.get(url, verify=False).headers
- print(response)
- def get_my_domain(mydomain):
- try:
- socket.setdefaulttimeout(5)
- my_addr = socket.getaddrinfo(mydomain, None)
- c = ssl.create_default_context()
- s = c.wrap_socket(socket.socket(), server_hostname=mydomain)
- s.connect((mydomain, 443))
- my_cert = s.getpeercert()
- get_my_cert_dated(mydomain, my_cert, my_addr)
- except ssl.CertificateError and socket.gaierror as e:
- pass
- def get_my_cert_dated(domain, certs, my_addr):
- cert_beginning_time = parser.parse(certs['notBefore']).astimezone(pytz.utc)
- cert_end_time = parser.parse(certs['notAfter']).astimezone(pytz.utc)
- print('域名:(%s) 证书失效时间: %s' % (domain, cert_end_time))
- def read_domain_files():
- with open('./domain.txt', 'r',
- encoding="utf-8") as file:
- for domain in file:
- try:
- get_my_domain(domain.strip())
- except Exception as e:
- print('域名: (%s)-%s' %(domain.strip(), e))
- if __name__ == "__main__":
- read_domain_files()
使用方法
准备domain.txt一个域名一行,可从DNS导出记录
- cat > domain.txt << EOF
- linuxeye.com
- www.linuxeye.com
- oneinstack.com
- www.linuxeye.com
- EOF
执行:
- python3 domain-ssl-check.py