TransWikia.com

Checking HTTPS setup on Apache/Nginx before using

Server Fault Asked on February 20, 2021

You have just got a new HTTPS (SSL/TLS) Certificate, and what you hope is the correct Intermediate Certificates.

This is setup in Apache with:

SSLCertificateKeyFile /etc/ssl/www.example.com.key
SSLCertificateChainFile /etc/ssl/www.example.com.chn
SSLCertificateFile /etc/ssl/www.example.com.crt

Or in Nginx with:

ssl_certificate_key /etc/apache2/ssl/www.example.com.key;
ssl_certificate /etc/apache2/ssl/www.example.com.pem;

Remembering apachectl configtest only checks that these files exist; and nginx -t “will fail if the website certificate is not first in the crt file, and also if the key is wrong” (thanks Drifter104).

So, how can you check everything before restarting?


Possible issues

  1. You have the wrong Intermediates (e.g. GeoTrust lists all of their Intermediates on one page).

  2. You accidentally mixed the Intermediate Certificate file with your websites Certificate file.

  3. You included the Root Certificate (effecting performance, as this sends unnecessary data).

  4. You are missing one or more Intermediate Certificates.

  5. The Certificate is for the wrong key.

  6. You have left these files as readable by anyone on the server (e.g. chmod 644).

  7. You are using the wrong certificate (domain is not in CN or SAN)


Some starting points

Extracting Information about the Key, CSR, or Certificate files:

openssl rsa -check -in "www.example.com.key";
openssl req -text -noout -verify -in "www.example.com.csr";
openssl x509 -text -noout -in "www.example.com.crt";

Getting the Public Key hash with sha256 (e.g. for setting up HPKP):

openssl rsa  -in "www.example.com.key"                             -pubout -outform der | openssl dgst -sha256 -binary | openssl enc -base64
openssl x509 -in "www.example.com.chn" -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
openssl req  -in "www.example.com.csr" -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

openssl s_client -connect www.example.com:443 | openssl x509 -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

It’s possible to validate via SSL Labs, but only when you have started using that configuration.

2 Answers

You could make a copy of the config files and edit the ports. From there you could start a second instance of the webserver (nginx/apache) and check for valid configuration.
Instead of accessing https://www.your-domain.com (port 443) you change to https://www.your-domain.com:8443 (port 8443).
With a running instance you can check with external tools and check the logs for errors. This minimizes the risk that your website gets unavailable after config and certificate changes.
Depending on the size of your config and amount of vhosts this might be a very time consuming solution.

Solution also metioned in the comments by @symcbean.

Answered by unNamed on February 20, 2021

There is a good Linux command line script testssl.sh you can use for this purpose. I've used this for other protocols as well (e.g. FTPS).

As as final check I will still use the SSL Server Test. It generates a pretty test result you can forward to customers ;-) .

Answered by Jens Bradler on February 20, 2021

Add your own answers!

Ask a Question

Get help from others!

© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP