Server certificate information fetched from remote server?
Hi! I asked a question on the forum and was directed here: https://community.cloudflare.com/t/getting-remote-server-certificate-information/574946
Basically I'm trying to make a worker that can connect to a remote host/URL over HTTPS and extract some simple certificate information from the server (i.e. expiry date/notAfter). I don't mind if I get back some parsed fields, or the raw X.509 cert for me to parse.
Is this even possible?
Cloudflare Community: Getting remote server certificate information?
Is there a way to have a worker grab certificate information from an HTTPS site/URL it connects to? Specifically looking for the expiry date, but even just the raw certificate will do and I can parse it. I haven't been able to find a way to do it after much searching, so asking to see if I'm barking up the wrong tree!
Fetch wouldn't expose that natively, not sure if you have any other options
Thanks - yeah, I found fetch wouldn't do it. I guess my only other thought was the socket API - but then I'm probably looking at something like 'forge' (native JS TLS implementation) to do TLS over the socket API.
@shakawaffle Did you solve it? I'm looking for something similar. To get certificate expiration date.
You can have workers call a proxy API you implement on a vps/other platform that can return it, or your other option is trying to use the TCP Socket API like they mentioned: https://developers.cloudflare.com/workers/runtime-apis/tcp-sockets/
Downsides being:
You'd have to try to handle TLS/etc. yourself in a Worker
TCP Sockets use WARP IPs, not the normal proxy cloudflare.com/ips/
You can't connect to Cloudflare IP Ranges
TCP sockets · Cloudflare Workers docs: Use the connect() API to create outbound TCP connections from Workers.
CF doesn't really want you to use TCP sockets for HTTP requests it seems:
proxy request failed, cannot connect to the specified address Your socket is connecting to an address that was disallowed. Examples of a disallowed address include Cloudflare IPs, localhost, and private network IPs. If you need to connect to addresses on port 80 or 443 to make HTTP requests, use fetch.
fetch doesn't have anything that would return cert. expiration date
Correct. Don't see how that applies to what I said though. If you were referring to my first suggestion of a proxy API, the idea of that is your Worker would call an endpoint you have running on your VPS or somewhere else that can get cert. information
I don't want to involve other points of failure in this setup
The idea is to build an uptime monitor with website cert. checking. Sometimes hosting fails to generate a Let's Encrypt SSL cert for a website
so I need to detect it a few days before it expires
Well then there really isn't a way to get cert info without relying on something potentially flaky like a proxy or TCP connect which won't work with CF websites, etc.
If your project is an uptime monitor though, why not just use a proxy and check every so often? Or just have the cert part run entirely separately? It does for sure complicate things sadly, but you don't need to check for cert. expiration on every request
It would check for cert once per day eventually
fetch HEAD would run a lot more often
but as you said, it would complicate things a bit
Even if you could use TCP Sockets easily, they use their own IP Pool (WARP IPs) which would be messy for people to whitelist anyway
Is your goal to have it all on the Cloudflare Dev platform?
Right now I'm using a similar approach using PHP on some host, but it's not ideal to have the monitor on the same host as the monitored sites
My goal is to have it where I don't have to maintain and think about it anymore