Closed cipisek9 closed 4 months ago
Hi there, thanks for creating the issue.
The first thing I noticed is you use wss://
locally. Are you actually using certificates? Otherwise just use ws://
You seem to be using the domains-only endpoint (which is good when you only need domains).
certstream.listen_for_events(print_callback, url='wss://192.168.1.101/domains-only/')
But at the same time in your first example you try to fetch the certs from the json path data.leaf_cert.all_domains
, which does not exist for domains-only! See here for the code that generates the domains-only json.
all_domains = message['data']['leaf_cert']['all_domains']
You can always fetch an example cert from certstream-server-go to inspect the json format by using http and appending /example.json
to the endpoint's name. In your case it would be http://192.168.1.101/domains-only/example.json
. Or for debugging you can also check on my hosted instance:
https://certstream.rico-j.de/domains-only/example.json (this hosted instance might go offline at any time. It is just there for debugging and testing purposes.)
The json looks like this:
{
"data": [
"*.oleksandrtsvietkov.direct.quickconnect.to",
"oleksandrtsvietkov.direct.quickconnect.to"
],
"message_type": "dns_entries"
}
So you should access the domains like this:
all_domains = message['data']
Also please check the server's log for indicators that your client is too slow. Python is quite a slow language and my server processes around 300-400 certificates per second (!). People noticed in other issues (https://github.com/d-Rickyy-b/certstream-server-go/issues/28) that their code was simply too slow to process all of the certificates (although they processed the whole certificates, not the domains only). I highly suggest using multiple threads.
Please let me know if any of this helped.
Hi, thank you very much for your reply.
1.) Yes, I am using certificate.
2.) I am sorry, you are right. There is the mistake in code which I have posted here. However it happens, when I was writing examples of my code to this post. Actually in my code that line is correct, similar as in second example:
def print_callback(message, context):
....
all_domains = message['data']
...
3.) I have attached log file from certstream server, where are last 150 lines. There are a lot of
GetRawEntries() failed: failed to read response body: context deadline exceeded (Client.Timeout or context cancellation while reading body)
Maybe this could be reson? There is also sometimes bigger number in Queue length. I have seen 62 max. Unfortunately I have also discovered some lines with message "buffer is full", same as mentioned in another issue. :( I wil try to make my client faster.
Thank you for your any other hints :)
I just noticed there is also newer version (1.5.0), so I will also try to update.
I have tought the update has sloved the problem with error messages, but I was wrong...
Jan 10 14:29:01 crt CERTSTREAM_SERVER[387211]: 2024/01/10 14:29:01 ct-watcher.go:238: Processed 383000 entries | Queue length: 0 Jan 10 14:29:06 crt CERTSTREAM_SERVER[387211]: 2024/01/10 14:29:06 ct-watcher.go:238: Processed 384000 entries | Queue length: 0 Jan 10 14:29:13 crt CERTSTREAM_SERVER[387211]: 2024/01/10 14:29:13 ct-watcher.go:238: Processed 385000 entries | Queue length: 3 Jan 10 14:29:22 crt CERTSTREAM_SERVER[387211]: 2024/01/10 14:29:22 ct-watcher.go:238: Processed 386000 entries | Queue length: 0 Jan 10 14:29:46 crt CERTSTREAM_SERVER[387211]: E0110 14:29:46.685359 387211 fetcher.go:292] https://oak.ct.letsencrypt.org/2024h1: GetRawEntries() failed: failed to read response body: context deadline exceeded (Client.Timeout or context cancellation while reading body) Jan 10 14:29:48 crt CERTSTREAM_SERVER[387211]: 2024/01/10 14:29:48 ct-watcher.go:238: Processed 387000 entries | Queue length: 5 Jan 10 14:29:52 crt CERTSTREAM_SERVER[387211]: E0110 14:29:52.715965 387211 fetcher.go:292] https://yeti2025.ct.digicert.com/log: GetRawEntries() failed: failed to read response body: context deadline exceeded (Client.Timeout or context cancellation while reading body) Jan 10 14:30:12 crt CERTSTREAM_SERVER[387211]: E0110 14:30:12.522125 387211 fetcher.go:292] https://yeti2024.ct.digicert.com/log: GetRawEntries() failed: failed to read response body: context deadline exceeded (Client.Timeout or context cancellation while reading body) Jan 10 14:30:13 crt CERTSTREAM_SERVER[387211]: 2024/01/10 14:30:13 ct-watcher.go:238: Processed 388000 entries | Queue length: 4 Jan 10 14:30:22 crt CERTSTREAM_SERVER[387211]: E0110 14:30:22.716922 387211 fetcher.go:292] https://yeti2025.ct.digicert.com/log: GetRawEntries() failed: failed to read response body: context deadline exceeded (Client.Timeout or context cancellation while reading body) Jan 10 14:30:34 crt CERTSTREAM_SERVER[387211]: 2024/01/10 14:30:34 ct-watcher.go:238: Processed 389000 entries | Queue length: 0 Jan 10 14:30:42 crt CERTSTREAM_SERVER[387211]: E0110 14:30:42.523710 387211 fetcher.go:292] https://yeti2024.ct.digicert.com/log: GetRawEntries() failed: failed to read response body: context deadline exceeded (Client.Timeout or context cancellation while reading body) Jan 10 14:30:44 crt CERTSTREAM_SERVER[387211]: E0110 14:30:44.110960 387211 fetcher.go:292] https://oak.ct.letsencrypt.org/2024h1: GetRawEntries() failed: failed to read response body: context deadline exceeded (Client.Timeout or context cancellation while reading body) Jan 10 14:30:46 crt CERTSTREAM_SERVER[387211]: 2024/01/10 14:30:46 ct-watcher.go:238: Processed 390000 entries | Queue length: 0 Jan 10 14:30:52 crt CERTSTREAM_SERVER[387211]: E0110 14:30:52.718161 387211 fetcher.go:292] https://yeti2025.ct.digicert.com/log: GetRawEntries() failed: failed to read response body: context deadline exceeded (Client.Timeout or context cancellation while reading body) Jan 10 14:30:58 crt CERTSTREAM_SERVER[387211]: 2024/01/10 14:30:58 ct-watcher.go:238: Processed 391000 entries | Queue length: 0 Jan 10 14:31:11 crt CERTSTREAM_SERVER[387211]: 2024/01/10 14:31:11 ct-watcher.go:238: Processed 392000 entries | Queue length: 0 Jan 10 14:31:12 crt CERTSTREAM_SERVER[387211]: E0110 14:31:12.524351 387211 fetcher.go:292] https://yeti2024.ct.digicert.com/log: GetRawEntries() failed: failed to read response body: context deadline exceeded (Client.Timeout or context cancellation while reading body) Jan 10 14:31:22 crt CERTSTREAM_SERVER[387211]: 2024/01/10 14:31:22 ct-watcher.go:238: Processed 393000 entries | Queue length: 0 Jan 10 14:31:22 crt CERTSTREAM_SERVER[387211]: E0110 14:31:22.718850 387211 fetcher.go:292] https://yeti2025.ct.digicert.com/log: GetRawEntries() failed: failed to read response body: context deadline exceeded (Client.Timeout or context cancellation while reading body) Jan 10 14:31:33 crt CERTSTREAM_SERVER[387211]: 2024/01/10 14:31:33 ct-watcher.go:238: Processed 394000 entries | Queue length: 0 Jan 10 14:31:42 crt CERTSTREAM_SERVER[387211]: E0110 14:31:42.525488 387211 fetcher.go:292] https://yeti2024.ct.digicert.com/log: GetRawEntries() failed: failed to read response body: context deadline exceeded (Client.Timeout or context cancellation while reading body) Jan 10 14:31:46 crt CERTSTREAM_SERVER[387211]: 2024/01/10 14:31:46 ct-watcher.go:238: Processed 395000 entries | Queue length: 0 Jan 10 14:31:52 crt CERTSTREAM_SERVER[387211]: E0110 14:31:52.719477 387211 fetcher.go:292] https://yeti2025.ct.digicert.com/log: GetRawEntries() failed: failed to read response body: context deadline exceeded (Client.Timeout or context cancellation while reading body) Jan 10 14:31:59 crt CERTSTREAM_SERVER[387211]: 2024/01/10 14:31:59 ct-watcher.go:238: Processed 396000 entries | Queue length: 0 Jan 10 14:32:09 crt CERTSTREAM_SERVER[387211]: 2024/01/10 14:32:09 ct-watcher.go:238: Processed 397000 entries | Queue length: 0 Jan 10 14:32:12 crt CERTSTREAM_SERVER[387211]: E0110 14:32:12.526065 387211 fetcher.go:292] https://yeti2024.ct.digicert.com/log: GetRawEntries() failed: failed to read response body: context deadline exceeded (Client.Timeout or context cancellation while reading body) Jan 10 14:32:18 crt CERTSTREAM_SERVER[387211]: 2024/01/10 14:32:18 ct-watcher.go:238: Processed 398000 entries | Queue length: 0 Jan 10 14:32:22 crt CERTSTREAM_SERVER[387211]: E0110 14:32:22.720408 387211 fetcher.go:292] https://yeti2025.ct.digicert.com/log: GetRawEntries() failed: failed to read response body: context deadline exceeded (Client.Timeout or context cancellation while reading body) Jan 10 14:32:31 crt CERTSTREAM_SERVER[387211]: 2024/01/10 14:32:31 ct-watcher.go:238: Processed 399000 entries | Queue length: 2 Jan 10 14:32:42 crt CERTSTREAM_SERVER[387211]: E0110 14:32:42.527962 387211 fetcher.go:292] https://yeti2024.ct.digicert.com/log: GetRawEntries() failed: failed to read response body: context deadline exceeded (Client.Timeout or context cancellation while reading body) Jan 10 14:32:43 crt CERTSTREAM_SERVER[387211]: 2024/01/10 14:32:43 ct-watcher.go:238: Processed 400000 entries | Queue length: 0 Jan 10 14:32:52 crt CERTSTREAM_SERVER[387211]: 2024/01/10 14:32:52 ct-watcher.go:238: Processed 401000 entries | Queue length: 0 Jan 10 14:32:52 crt CERTSTREAM_SERVER[387211]: E0110 14:32:52.721367 387211 fetcher.go:292] https://yeti2025.ct.digicert.com/log: GetRawEntries() failed: failed to read response body: context deadline exceeded (Client.Timeout or context cancellation while reading body) Jan 10 14:33:00 crt CERTSTREAM_SERVER[387211]: 2024/01/10 14:33:00 ct-watcher.go:238: Processed 402000 entries | Queue length: 12 Jan 10 14:33:12 crt CERTSTREAM_SERVER[387211]: E0110 14:33:12.528405 387211 fetcher.go:292] https://yeti2024.ct.digicert.com/log: GetRawEntries() failed: failed to read response body: context deadline exceeded (Client.Timeout or context cancellation while reading body) Jan 10 14:33:15 crt CERTSTREAM_SERVER[387211]: 2024/01/10 14:33:15 ct-watcher.go:238: Processed 403000 entries | Queue length: 3 Jan 10 14:33:18 crt CERTSTREAM_SERVER[387211]: E0110 14:33:18.957504 387211 fetcher.go:292] https://oak.ct.letsencrypt.org/2024h1: GetRawEntries() failed: failed to read response body: context deadline exceeded (Client.Timeout or context cancellation while reading body)
I think, update to latest version has solved problem with missing certs. I didn't even have to make client with using threads and I am using code from my first post. I will be testing few more days, and I will write the result.
Ok, here is the result after few days testing... In compare to calidog certstream, still some certificates are missing. Calidog found 14 certificates, my stream found only 11.
I don't have buffer full errors in log anymore. However I found there only som
Internal server errors
Jan 15 06:30:34 crt CERTSTREAM_SERVER[387211]: E0115 06:30:34.624163 387211 fetcher.go:292] https://sabre.ct.comodo.com: GetRawEntries() failed: got HTTP Status "500 Internal Server Error"
408 Request Timeout
Jan 15 07:52:47 crt CERTSTREAM_SERVER[387211]: E0115 07:52:47.939214 387211 fetcher.go:292] https://sabre.ct.comodo.com: GetRawEntries() failed: got HTTP Status "408 Request Timeout"
Failed to read response body
Jan 15 07:53:16 crt CERTSTREAM_SERVER[387211]: E0115 07:53:16.124375 387211 fetcher.go:292] https://nessie2025.ct.digicert.com/log: GetRawEntries() failed: failed to read response body: http2: server sent GOAWAY and closed the connection; LastStreamID=527, ErrCode=NO_ERROR, debug=""
Is there any chance that endpoint domains-only does not contain all domains?
Calidog found 14 certificates, my stream found only 11.
Are you definitely talking about unique certificates? Also could you please monitor on which ct-log the certificate was found?
Internal server errors
Jan 15 06:30:34 crt CERTSTREAM_SERVER[387211]: E0115 06:30:34.624163 387211 fetcher.go:292] https://sabre.ct.comodo.com: GetRawEntries() failed: got HTTP Status "500 Internal Server Error"
That is okay. Some ct logs sometimes don't answer, are broken or under maintenance. This is nothing we can fix. The log operator is responsible for this.
408 Request Timeout
Jan 15 07:52:47 crt CERTSTREAM_SERVER[387211]: E0115 07:52:47.939214 387211 fetcher.go:292] https://sabre.ct.comodo.com: GetRawEntries() failed: got HTTP Status "408 Request Timeout"
I will have a look at this, but the fact that it's again comodo - their logs are terrible imho - just makes me guess that it's again an issue with their log. The server closes the connection due to a timeout. certstream-server-go should automatically reconnect if that happens.
Failed to read response body
Jan 15 07:53:16 crt CERTSTREAM_SERVER[387211]: E0115 07:53:16.124375 387211 fetcher.go:292] https://nessie2025.ct.digicert.com/log: GetRawEntries() failed: failed to read response body: http2: server sent GOAWAY and closed the connection; LastStreamID=527, ErrCode=NO_ERROR, debug=""
Similar to the 408 error - the server closes the connection. This might be due to various reasons. certstream-server-go should automatically reconnect if that happens.
If these things only happen to certain logs, that's not a general issue but most likely an issue with their log or an issue with the connection to their server.
Is there any chance that endpoint domains-only does not contain all domains?
As long as your client does not skip any certificates, no certificate should be skipped by the certstream-server-go either. If your client is fast enough to process everything, you'll receive everything that the server receives from the ct logs.
Hi there, since I haven't heard back from you, I assume you're no longer needing assistance. Feel free to reopen or create another issue if you're still having problems.
Hello, I have started using your certstream server, but I have the problem. I have python script which is reading stream (endpoint domain-only) and looking for domains from my defined list. Unfortunately a lot of domains are missing in compare to list of catched domains from calidog certstream.
I have two solutions, but neither of them works:
First solution is the same script, as I am using for calidog certstream. With their stream works fine, with my own (your solution) not very well
Second solution - same results as with previous script, domains are missing
Could someone help me, how to find where is the problem, and how can I fix this? Thank you in advance.