Server certificate information fetched from remote server?

Hi! I asked a question on the forum and was directed here: https://community.cloudflare.com/t/getting-remote-server-certificate-information/574946 Basically I'm trying to make a worker that can connect to a remote host/URL over HTTPS and extract some simple certificate information from the server (ie expiry date/notAfter). I don't mind if I get back some parsed fields, or the raw x509 cert for me to parse. Is this even possible?
Cloudflare Community
Getting remote server certificate information?
Is there a way to have a worker grab certificate information from a HTTPS site/URL it connects to? Specifically looking for the expiry date, but even just the raw certificate will do and I can parse it. I haven’t been able to find a way to do it after much searching, so asking to see if I’m barking up the wrong tree!
12 Replies
Chaika
Chaika14mo ago
Fetch wouldn't expose that natively, not sure if you have any other options
shakawaffle
shakawaffleOP14mo ago
Thanks - yeh, I found fetch wouldn't do it, I guess my only other thought was the socket API - but then I'm probably looking at something like 'forge' (native JS TLS implementation) to do TLS over the socket API
zabatonni
zabatonni13mo ago
@shakawaffle Did you solve it? I'm looking for something similar. To get certificate expiration date.
Chaika
Chaika13mo ago
You can have workers call a proxy API you implement on a vps/other platform that can return it, or your other option is trying to use the TCP Socket API like they mentioned: https://developers.cloudflare.com/workers/runtime-apis/tcp-sockets/ downsides being: You'd have to try to handle tls/etc yourself in a Worker TCP Sockets use WARP IPs, not the normal proxy cloudflare.com/ips/ You can't connect to Cloudflare IP Ranges
TCP sockets · Cloudflare Workers docs
Use the connect() API to create outbound TCP connections from Workers.
Chaika
Chaika13mo ago
CF doesn't really want you to use tcp sockets for http requests it seems
proxy request failed, cannot connect to the specified address Your socket is connecting to an address that was disallowed. Examples of a disallowed address include Cloudflare IPs, localhost, and private network IPs. If you need to connect to addresses on port 80 or 443 to make HTTP requests, use fetch.
zabatonni
zabatonni13mo ago
fetch doesn't have anything that would return cert. expiration date
Chaika
Chaika13mo ago
Correct.. don't see how that applies to what I said though. If you were referring to my first suggestion of a proxy API, the idea of that is your Worker would call an endpoint you have running on your VPS or somewhere else that can get cert. information
zabatonni
zabatonni13mo ago
i don't want to involve other points of failure to this setup idea is to build uptime monitor with website cert. checking. Sometimes hosting fails to generate Lets encrypt SSL for a website so I need to detect it few days before it expires
Chaika
Chaika13mo ago
well then there really isn't a way to get cert info then without relying on something potentially flaky like a proxy or tcp connect which won't work with CF Websites, etc If your project is an uptime monitor though, why not just use a proxy and check every so often? Or just have the cert part run entirely separately? It does for sure complicate things sadly, but you don't need to check for cert. expiration on every request
zabatonni
zabatonni13mo ago
It would check for cert once per day eventually fetch HEAD would run a lot more often but as you said, it would complicate things a bit
Chaika
Chaika13mo ago
Even if you could use TCP Sockets easily, they use their own IP Pool (WARP IPs) which would be messy for people to whitelist anyway is your goal to have it all on Cloudflare Dev platform?
zabatonni
zabatonni13mo ago
right now I'm using similar approach using PHP on some host, but it's not ideal to have monitor on the same host as monitored sites My goal is to have it where I don't have to maintain and think about it anymore
Want results from more Discord servers?
Add your server