Server certificate information fetched from remote server?

Hi! I asked a question on the forum and was directed here: https://community.cloudflare.com/t/getting-remote-server-certificate-information/574946

Basically I'm trying to make a worker that can connect to a remote host/URL over HTTPS and extract some simple certificate information from the server (ie expiry date/notAfter). I don't mind if I get back some parsed fields, or the raw x509 cert for me to parse.

Is this even possible?

Cloudflare Community

Getting remote server certificate information?

Is there a way to have a worker grab certificate information from a HTTPS site/URL it connects to? Specifically looking for the expiry date, but even just the raw certificate will do and I can parse it. I haven’t been able to find a way to do it after much searching, so asking to see if I’m barking up the wrong tree!

Chaika•11/3/23, 1:29 PM

Fetch wouldn't expose that natively, not sure if you have any other options

shakawaffleOP•11/3/23, 1:53 PM

Thanks - yeh, I found fetch wouldn't do it, I guess my only other thought was the socket API - but then I'm probably looking at something like 'forge' (native JS TLS implementation) to do TLS over the socket API

zabatonni•12/13/23, 9:22 PM

@shakawaffle Did you solve it? I'm looking for something similar. To get certificate expiration date.

Zzabatonni @shakawaffle Did you solve it? I'm looking for something similar. To get certifi...

Chaika•12/13/23, 9:28 PM

You can have workers call a proxy API you implement on a vps/other platform that can return it, or your other option is trying to use the TCP Socket API like they mentioned: https://developers.cloudflare.com/workers/runtime-apis/tcp-sockets/
downsides being:
You'd have to try to handle tls/etc yourself in a Worker
TCP Sockets use WARP IPs, not the normal proxy cloudflare.com/ips/
You can't connect to Cloudflare IP Ranges

TCP sockets · Cloudflare Workers docs

Use the

connect()

connect()

API to create outbound TCP connections from Workers.

Chaika•12/13/23, 9:29 PM

CF doesn't really want you to use tcp sockets for http requests it seems

proxy request failed, cannot connect to the specified address

Your socket is connecting to an address that was disallowed. Examples of a disallowed address include Cloudflare IPs, localhost, and private network IPs.

If you need to connect to addresses on port 80 or 443 to make HTTP requests, use fetch.

zabatonni•12/13/23, 9:33 PM

fetch doesn't have anything that would return cert. expiration date

Zzabatonni fetch doesn't have anything that would return cert. expiration date

Chaika•12/13/23, 9:34 PM

Correct.. don't see how that applies to what I said though. If you were referring to my first suggestion of a proxy API, the idea of that is your Worker would call an endpoint you have running on your VPS or somewhere else that can get cert. information

zabatonni•12/13/23, 9:35 PM

i don't want to involve other points of failure to this setup

zabatonni•12/13/23, 9:36 PM

idea is to build uptime monitor with website cert. checking. Sometimes hosting fails to generate Lets encrypt SSL for a website

zabatonni•12/13/23, 9:36 PM

so I need to detect it few days before it expires

Zzabatonni i don't want to involve other points of failure to this setup

Chaika•12/13/23, 9:36 PM

well then there really isn't a way to get cert info then without relying on something potentially flaky like a proxy or tcp connect which won't work with CF Websites, etc

Chaika•12/13/23, 9:38 PM

If your project is an uptime monitor though, why not just use a proxy and check every so often? Or just have the cert part run entirely separately? It does for sure complicate things sadly, but you don't need to check for cert. expiration on every request

zabatonni•12/13/23, 9:39 PM

It would check for cert once per day eventually

zabatonni•12/13/23, 9:40 PM

fetch HEAD would run a lot more often

zabatonni•12/13/23, 9:40 PM

but as you said, it would complicate things a bit

Chaika•12/13/23, 9:41 PM

Even if you could use TCP Sockets easily, they use their own IP Pool (WARP IPs) which would be messy for people to whitelist anyway

Chaika•12/13/23, 9:41 PM

is your goal to have it all on Cloudflare Dev platform?

zabatonni•12/13/23, 9:41 PM

right now I'm using similar approach using PHP on some host, but it's not ideal to have monitor on the same host as monitored sites

zabatonni•12/13/23, 9:42 PM

My goal is to have it where I don't have to maintain and think about it anymore