Troubleshooting SSL certificates with openssl

Picture of an unlocked padlockA big chunk of the problems I tackle every day surround SSL connections. I’ve written a few articles on SSL that cover off its main tasks which are encryption and non-repudiation and some ways to determine if your SSL certificate is non-functioning. The tool I use 99% of the time to diagnose SSL problems is openssl so that is the topic of this post.

I am a Linux guy, if you’re using Windows you may find a binary here you can use.

An SSL connection needs two things: a private key which you likely won’t have for websites you don’t own and a public certificate which is necessarily available to the whole world. It’s the certificate we’re interested in and here’s how to get it:

This spits out a lot of info and you can pipe the output into openssl again to extract specific data like the valid date range:

Or the name the certificate is made out for:

Or both!

Most of your SSL problems will fall into two categories: the subject name of the certificate does not match the domain name or the certificate is expired.

Note in my output above that it looks like I asked for the certificate for slumpedoverkeyboarddead.com but I ended up with the certificate for .sucuri.net. This is kind of misleading. I didn’t *ask for the slumpedoverkeyboarddead.com certificate, rather I told openssl to connect to slumpedoverkeyboarddead.com. It did and since I did not supply a domain name, the server responded with its default certificate. This will happen on any server that is configured to serve more than one domain which includes things like my firewall or any shared hosting server. To get a specific certificate you must supply the servername directive:

If your domain name does not resolve directly to your web host as is the case with slumpedoverkeyboarddead.com, you can specify the real hosting IP address in the connect directive to get the certificate from that host, instead of the intermediate proxy or firewall:

Note that I have used the same IP address that slumpedoverkeyboarddead.com resolves to instead of my real hosting IP because I don’t want to divulge that. But, it works the same way.

This is usually enough to diagnose SSL connection issue and resolving them should be obvious. Either renew it if the certificate is expired, or replace it with a valid certificate if the domain name does not match.