May 8, 2018

Verify and troubleshoot SSL certificates

Test SSL handshake

From a Linux host, you can use the openssl tool to check your certificates and see what is passed to the client during the handshake:
openssl s_client -connect example.com:443 -ssl3
Note that -ssl3 forces the obsolete SSLv3 protocol, which is disabled in OpenSSL 1.1.0 and later; drop the option to negotiate a current TLS version (and add -showcerts to print the whole chain the server sends).
So for this site, I would use:
cat /dev/null | openssl s_client -showcerts -servername jonathonwiebe.me -connect jonathonwiebe.me:443

Output should show a valid certificate in the console.

Combined (full chain) certificates

Example combined certificate layout:

-----BEGIN CERTIFICATE----- 
(Your Primary SSL certificate: your_domain_name.crt) 
-----END CERTIFICATE----- 
-----BEGIN CERTIFICATE----- 
(Your Intermediate certificate: DigiCertCA.crt) 
-----END CERTIFICATE----- 
-----BEGIN CERTIFICATE----- 
(Your Root certificate: TrustedRoot.crt) 
-----END CERTIFICATE-----

Certificate default locations

Apache web servers on Ubuntu

sudo cp server.crt /etc/ssl/certs
sudo cp server.key /etc/ssl/private

nginx web servers on Ubuntu

sudo cp server.crt /etc/nginx/ssl
sudo cp server.key /etc/nginx/ssl

Check listening servers using netstat

Netstat is also helpful when checking for network/site issues:
netstat -ltunap
It should show a server listening on ports 80 and 443.
If not, the server is not running or is listening on a different port.

Verify communication using netcat

Is a firewall blocking traffic? Is the port open?

On the web server

nc -l 443

On the client

nc server.ip 443 -v

They should be able to communicate.

Permissions

The .crt file is sent to every client that connects, so it needs to be world-readable.
Correct possible permission issues using:
chown root:root /path/to/key.crt
and
chmod 644 /path/to/key.crt
on the .crt file (NOT the private key)

The private key must never be shared or published, and its permissions also matter; secure it using:
chown root:ssl-cert /path/to/privatekey.crt
and
chmod 640 /path/to/privatekey.crt
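The chain layout and the permission rules above, as an added example that is not code from the original post: the script builds a throwaway root -> intermediate -> server chain with openssl, bundles it in the leaf-first layout shown earlier, and checks the bundle offline the way a client would (ordering, issuer/subject linkage, expiry, signatures), plus a check that the private key has no "other" permission bits. Test-Root, Test-Intermediate and example.test are constructed names, not real CAs or hosts; the script needs only the openssl command-line tool.

```shell
# Added example, not code from the original post: build a throwaway root -> intermediate
# -> server chain, bundle it in the layout shown above, and check the bundle the way a
# client would. Test-Root, Test-Intermediate and example.test are constructed names.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
# make_cert NAME SUBJECT_CN ISSUER_NAME EXTENSIONS  (empty ISSUER_NAME = self-signed root)
make_cert() {
    printf '%b' "$4" > "$WORK/$1.ext"
    if [ -z "$3" ]; then   # req -x509 marks a self-signed root as CA:TRUE by default
        openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
            -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
    else
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
            -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
        openssl x509 -req -days 2 -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
            -CAcreateserial -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
    fi
}
# check_chain BUNDLE HOSTNAME ROOT_CA: 1 = first block is not HOSTNAME's cert, 2 = a block is
# not issued by the next one, 3 = something expires within a day, else openssl verify's status
check_chain() {
    rm -f "$WORK"/part*.pem
    awk -v d="$WORK" '/BEGIN CERT/{n++} {print > (d "/part" n ".pem")}' "$1"
    n=$(grep -c 'BEGIN CERT' "$1"); i=1
    openssl x509 -in "$WORK/part1.pem" -noout -subject | grep -q "CN *= *$2" || return 1
    while [ "$i" -lt "$n" ]; do
        iss=$(openssl x509 -in "$WORK/part$i.pem" -noout -issuer | sed 's/^issuer=//')
        sub=$(openssl x509 -in "$WORK/part$((i+1)).pem" -noout -subject | sed 's/^subject=//')
        [ "$iss" = "$sub" ] || return 2
        i=$((i+1))
    done
    for p in "$WORK"/part*.pem; do
        openssl x509 -in "$p" -noout -checkend 86400 >/dev/null || return 3
    done
    # trust only ROOT_CA; the rest of the bundle is offered as untrusted intermediates
    openssl verify -CAfile "$3" -untrusted "$1" "$WORK/part1.pem" >/dev/null
}
# key_perms_ok KEYFILE: the private key must have no permission bits for "other" (640 as above)
key_perms_ok() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    [ $((mode % 10)) -eq 0 ]
}

make_cert root Test-Root "" ""
make_cert inter Test-Intermediate root 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n'
make_cert server example.test inter 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\n'
cat "$WORK/server.crt" "$WORK/inter.crt" "$WORK/root.crt" > "$WORK/fullchain.crt"   # layout above
cat "$WORK/inter.crt" "$WORK/server.crt" "$WORK/root.crt" > "$WORK/misordered.crt"  # common mistake
check_chain "$WORK/fullchain.crt" example.test "$WORK/root.crt" && echo "fullchain.crt: OK"
check_chain "$WORK/misordered.crt" example.test "$WORK/root.crt" || echo "misordered.crt: rc=$?"
```

On a live host the same ordering and linkage checks can be run on the output of openssl s_client -showcerts, with the system trust store in place of ROOT_CA.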