SSL/TLS Certificates
Manage certificates, diagnose SSL issues, and handle renewals.
Instructions
- •Identify the issue type (expiring, invalid, chain problem)
- •Use appropriate diagnostic commands
- •Determine root cause
- •Provide remediation steps
Check certificate expiry
bash
# Local certificate file
openssl x509 -enddate -noout -in cert.pem
# Remote server
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates
# Check all certs expiring within 30 days
find /etc/letsencrypt/live -name "*.pem" -exec sh -c 'echo "{}:"; openssl x509 -enddate -noout -in "{}"' \;
Certificate information
bash
# Full certificate details openssl x509 -text -noout -in cert.pem # Subject and issuer openssl x509 -subject -issuer -noout -in cert.pem # SANs (Subject Alternative Names) openssl x509 -noout -ext subjectAltName -in cert.pem
Diagnose SSL connection
bash
# Full connection debug openssl s_client -connect example.com:443 -servername example.com # Check specific TLS version openssl s_client -connect example.com:443 -tls1_2 openssl s_client -connect example.com:443 -tls1_3 # Verify certificate chain openssl s_client -connect example.com:443 -showcerts
Common issues
| Error | Cause | Solution |
|---|---|---|
| certificate has expired | Cert past end date | Renew certificate |
| unable to verify | Missing intermediate | Add chain certificates |
| hostname mismatch | Wrong cert or missing SAN | Get cert with correct names |
| self-signed certificate | Not from trusted CA | Use Let's Encrypt or commercial CA |
Let's Encrypt management
bash
# Check certbot certificates certbot certificates # Renew all certificates certbot renew --dry-run certbot renew # Force renewal certbot renew --force-renewal # Get new certificate certbot certonly --nginx -d example.com -d www.example.com
Verify chain
bash
# Check chain is complete
openssl verify -CAfile chain.pem cert.pem
# Download and verify chain
openssl s_client -connect example.com:443 -showcerts 2>/dev/null | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/ {print}' > chain.pem
Rules
- •MUST check expiry date first for any cert issue
- •MUST verify the full certificate chain
- •MUST check SANs match the domain being accessed
- •Never delete certificates without backup
- •Always test with
--dry-runbefore certbot renew - •Always reload/restart web server after cert changes