We must renew TLS/SSL certificates before they reach their end of life. Otherwise, our users get an unfriendly message about an unsecure web page. Why not write a Python script that checks our sites and shows how many days are remaining for our certificates?
This post is part of my journey to learn Python. You can find the other parts of this series here. You find the code for this post in my PythonFriday repository on GitHub.
The challenge
While the requests package is the go-to helper for all things related to web requests, it does not allow us to read SSL certificates. Requests checks that the connection is secure, but it does not allow us to inspect the certificate with our own code. Therefore, we need to use sockets and work on a lower level of network traffic.
Preparation
For this application we need the socket and the ssl module. Both are part of Python, so we do not need to install them. The list domains allow us to check multiple sites in one go:
|
1 2 3 4 5 6 7 8 9 10 |
import socket import ssl from datetime import datetime from typing import NamedTuple domains = [ "ImproveAndRepeat.com", "python.org", "python-err.org" ] |
To store the data from the certificate, we use a named tuple:
|
1 2 3 4 5 6 7 8 |
class CertificateInfo(NamedTuple): domain: str expiry_date: datetime expires_in: int issuer: str def expires_on(self): return self.expiry_date.strftime('%Y-%m-%d') |
Load the certificate
The main part of this application is to get the certificate. We must create an SSL context, wrap it around a socket with the host name we want to check and open the connection. From that connection we can read the certificate:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
def load_certificate(hostname): context = ssl.create_default_context() context.check_hostname = False conn = context.wrap_socket( socket.socket(socket.AF_INET), server_hostname=hostname, ) conn.settimeout(5.0) conn.connect((hostname, 443)) certificate = conn.getpeercert() return certificate |
If everything works, we get a certificate for the domain we are interested in. Otherwise, the socket or the connection throw an exception that we will handle in the main block.
Read the certificate
The certificate offers its own challenges. Some parts we can access directly, like the expiration date. Other values, like the issuer, are hidden deep down the certificate and we need to rebuild a dictionary to access the values. We can put all the parts we are interested in into the named tuple CertificateInfo and save us the trouble of repeating the logic to access the certificate values everywhere in our code.
|
1 2 3 4 5 6 7 8 9 10 |
def read_certificate(hostname, certificate): date_format = r'%b %d %H:%M:%S %Y %Z' not_after = certificate['notAfter'] expire_date = datetime.strptime(not_after, date_format) remaining = expire_date - datetime.now() issuer = dict(x[0] for x in certificate['issuer']) issued_by = issuer['organizationName'] return CertificateInfo(hostname, expire_date, remaining.days, issued_by) |
Show the result
With the main block we can create a basic report that tells us when the certificates will expire:
|
1 2 3 4 5 6 7 8 9 10 11 12 |
if __name__ == "__main__": for value in domains: try: certificate = load_certificate(value) cert_info = read_certificate(value, certificate) print(f"{cert_info.domain}, "\ f"{cert_info.expires_on()}, "\ f"{cert_info.expires_in}, "\ f"{cert_info.issuer}" ) except Exception as e: print(f"{value} {e.strerror}") |
At the time of writing this post, I get these results:
ImproveAndRepeat.com, 2022-12-09, 80, Let’s Encrypt
python.org, 2022-10-24, 33, Let’s Encrypt
python-err.org getaddrinfo failed
I made a deliberate error with the third domain name and the error handling worked well enough to give us an error message without crashing our application.
An improved report
While the report works, it is hard to read and easy to misunderstand. Therefore, I like to use a Rich table to create a better looking report:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
if __name__ == "__main__": console = Console() table = Table(show_header=True, header_style="bold") table.add_column("Domain", style="dim") table.add_column("Expiry Date") table.add_column("Expires in (days)", justify="right") table.add_column("Issuer") for value in domains: try: certificate = load_certificate(value) cert_info = read_certificate(value, certificate) table.add_row(cert_info.domain, str(cert_info.expires_on()), str(cert_info.expires_in), cert_info.issuer) except Exception as e: table.add_row(value,"","",e.strerror) console.print(table) |
This creates a table in the console with headers and is easy to read:
Next
Working with sockets is not magic, but it needs a lot more knowledge of networking and how to establish a connection to a remote host. Luckily, working at this low level of the technology stack is most often not necessary. Next week we go to the other end of the network abstractions and look at Selenium to access the internet with a regular web browser.