[SOLVED] Trouble specifying host as variable to OpenSSL in Bash

Thomas Groman · 12-22-2016, 01:43 PM

I have been at this for hours trying all kinds of different syntax and structures. The documentation says this should work but for some reason its not liking it. i tried trimming the output from the domain list with xargs with no different effect.

Code:

cat domains.lst | sort | uniq | while IFS= read -r HOST ; do
#       sanip=$(echo -n "$ip" | xargs)
#       echo $sanip
#       echo -n $ip | xargs | export $HOST
        echo "$HOST"
        echo "x" | openssl s_client -connect "$HOST":443 2>/dev/null | openssl x509 -noout -dates
done

Does anybody have any idea why this doesn't work?
it keeps giving me lib errors saying it expected a trusted certificate. i tried manually specifying my CA dir. what is weird is that it runs fine if you just put the host name in their statically

grail · 12-23-2016, 12:22 AM

Have you tried putting set -xv prior to the loop and see what bash thinks it is using?

astrogeek · 12-23-2016, 01:43 AM

I am not entirely sure what you are expecting, but I suspect the error is not due to specifying the host as a variable, but rather due to having a host name in the file which does not return a certificate or is not listening on port 443.

I set up a domains.lst with two host names - one with a certificate and one without, and received this result (domain names chanaged to protect the innocent):

Code:

nocertificate.com
unable to load certificate 
3073422984:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:696:Expecting: TRUSTED CERTIFICATE
goodcertificate.com
notBefore=Jan 30 21:47:43 2015 GMT
notAfter=Jan 31 21:47:43 2025 GMT

Is this the error that you are seeing? If not, please post the exact error message you are seeing.

This error results because you do not test whether the openssl s_client... command actually returns a certificate, but blindly pipe it through to openssl x509..., which generates the error if no certificate is received.