Debugging Certificate Errors — screenshot of netmeister.org

Debugging Certificate Errors

This is a concise guide on how to debug common SSL/TLS certificate errors using standard command-line tools like "curl" and "openssl". It covers expired certificates, name mismatches, wildcards, and CNAMEs, offering practical commands.

Visit netmeister.org →

Questions & Answers

What is this article about?
This article provides a guide on debugging common SSL/TLS certificate errors encountered when accessing HTTPS services. It demonstrates practical techniques using command-line tools such as "curl" and "openssl" to identify the root cause of certificate validation failures.
Who would find this guide useful?
This guide is useful for developers, system administrators, and anyone who frequently interacts with HTTPS services and needs to diagnose SSL/TLS certificate issues. It targets users comfortable with command-line tools and concepts.
When should I refer to this guide?
You should refer to this guide whenever you encounter SSL/TLS certificate errors such as curl's "certificate has expired" or "no alternative certificate subject name matches target host name" when trying to access an HTTPS service. It provides structured steps to pinpoint the exact problem (validity window, name coverage, or which certificate the server actually presented) beyond the generic error message.
How can I check a certificate's expiration date using command-line tools?
To check a certificate's expiration date, you can use "openssl s_client -connect <hostname>:443 -servername <hostname> </dev/null 2>/dev/null | openssl x509 -noout -dates". This prints the "notBefore" and "notAfter" dates directly from the certificate the server presented, so you can confirm whether it has expired or is not yet valid. Two details matter: "</dev/null" closes s_client's standard input so the command terminates instead of waiting for you to type, and "-servername" sends the hostname via SNI so a server hosting several sites returns the certificate for the one you are debugging rather than a default one. Piping to "openssl x509 -noout -checkend <seconds>" instead of "-dates" gives a yes/no answer (exit status 0 or 1) about whether the certificate will still be valid that many seconds from now, which is convenient for scripting and monitoring.
What common certificate name matching issues does the guide address?
The guide addresses issues such as the wrong hostname, incorrect wildcard usage, and mismatches caused by CNAME records. It explains how "curl" and "openssl" can help diagnose problems related to the Subject Common Name (CN), Subject Alternative Names (SANs), and Server Name Indication (SNI). The practical rules are: modern clients match the requested hostname against the SAN entries and ignore the CN once a SAN list is present; a wildcard such as "*.example.com" covers exactly one label (so "www.example.com" but not "example.com" or "a.b.example.com"); and when a hostname is a CNAME, the certificate must cover the name the client typed, not the CNAME target, because that is the name the client verifies and sends in SNI.
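The expiry and name-matching checks above can be exercised offline, which is useful for learning what the tools report before pointing them at a live server. The script below is an added example, not code from the netmeister.org article; it assumes OpenSSL 1.1.1 or newer on PATH (for "req -addext"), mints a throwaway self-signed certificate with a bare name and a wildcard SAN (constructed test data), and then runs the same "x509 -dates", "-checkend" and "-checkhost" checks the guide relies on. The hostnames and the one-day validity period are arbitrary choices for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): local reproduction of the
# certificate expiry and hostname-matching checks. Assumes OpenSSL >= 1.1.1.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CERT="$WORK/cert.pem"

# Mint a throwaway self-signed certificate (constructed test data), valid
# for one day, whose SAN list holds a bare name and a one-label wildcard.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/key.pem" -out "$CERT" \
        -subj "/CN=example.test" \
        -addext "subjectAltName=DNS:example.test,DNS:*.example.test" \
        >/dev/null 2>&1
}

# Print the validity window (notBefore / notAfter) of a PEM certificate.
cert_dates() {
    openssl x509 -in "$1" -noout -dates
}

# Exit 0 if the certificate in $1 is still valid $2 seconds from now,
# 1 if it will have expired by then (openssl does the date arithmetic).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Exit 0 if hostname $2 is covered by the certificate's SANs under the
# usual rules (a wildcard matches exactly one label, leftmost only),
# 1 otherwise. The printed verdict is grepped instead of relying on the
# exit status, which has differed between OpenSSL releases.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# The same date check against a live server (not run here: needs network).
# -servername sends SNI so a multi-site server returns the right
# certificate; </dev/null stops s_client from waiting on stdin.
remote_cert_dates() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -dates
}

make_test_cert
cert_dates "$CERT"
```

Run it as a script to see the two date lines; the functions return their verdicts as exit statuses, so they drop straight into a monitoring check such as "cert_valid_for cert.pem 1209600 || echo 'expires within 14 days'". For a real host, replace the local certificate with the output of "remote_cert_dates" (or save the presented certificate with "openssl s_client ... -showcerts") and run "cert_matches_host" against the exact name you typed into the browser or curl, not against any CNAME it resolves to.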