AgentSkillsCN

ssl-certs

管理 SSL/TLS 证书,并诊断证书相关问题。当用户说“证书即将过期”、“SSL 错误”、“证书出现问题”、“续订证书”、“检查证书”、“HTTPS 无法正常工作”,或询问有关 TLS/SSL 的问题时,即可使用此技能。

SKILL.md
--- frontmatter
name: ssl-certs
description: Manage SSL/TLS certificates and diagnose certificate issues. Use when the user says "cert expiring", "SSL error", "certificate problem", "renew certificate", "check certificate", "HTTPS not working", or asks about TLS/SSL.
allowed-tools: Bash, Read, Grep

SSL/TLS Certificates

Manage certificates, diagnose SSL issues, and handle renewals.

Instructions

  1. Identify the issue type (expiring, invalid, chain problem)
  2. Use appropriate diagnostic commands
  3. Determine root cause
  4. Provide remediation steps

Check certificate expiry

bash
# Local certificate file
openssl x509 -enddate -noout -in cert.pem

# Remote server
echo | openssl s_client -servername example.com -connect example.com:443 2>/dev/null | openssl x509 -noout -dates

# Check all certs expiring within 30 days
find /etc/letsencrypt/live -name "*.pem" -exec sh -c 'echo "{}:"; openssl x509 -enddate -noout -in "{}"' \;

Certificate information

bash
# Full certificate details
openssl x509 -text -noout -in cert.pem

# Subject and issuer
openssl x509 -subject -issuer -noout -in cert.pem

# SANs (Subject Alternative Names)
openssl x509 -noout -ext subjectAltName -in cert.pem

Diagnose SSL connection

bash
# Full connection debug
openssl s_client -connect example.com:443 -servername example.com

# Check specific TLS version
openssl s_client -connect example.com:443 -tls1_2
openssl s_client -connect example.com:443 -tls1_3

# Verify certificate chain
openssl s_client -connect example.com:443 -showcerts

Common issues

ErrorCauseSolution
certificate has expiredCert past end dateRenew certificate
unable to verifyMissing intermediateAdd chain certificates
hostname mismatchWrong cert or missing SANGet cert with correct names
self-signed certificateNot from trusted CAUse Let's Encrypt or commercial CA

Let's Encrypt management

bash
# Check certbot certificates
certbot certificates

# Renew all certificates
certbot renew --dry-run
certbot renew

# Force renewal
certbot renew --force-renewal

# Get new certificate
certbot certonly --nginx -d example.com -d www.example.com

Verify chain

bash
# Check chain is complete
openssl verify -CAfile chain.pem cert.pem

# Download and verify chain
openssl s_client -connect example.com:443 -showcerts 2>/dev/null | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/ {print}' > chain.pem

Rules

  • MUST check expiry date first for any cert issue
  • MUST verify the full certificate chain
  • MUST check SANs match the domain being accessed
  • Never delete certificates without backup
  • Always test with --dry-run before certbot renew
  • Always reload/restart web server after cert changes