Openssl: Difference between revisions

From DWIKI
mNo edit summary
 
(48 intermediate revisions by the same user not shown)
Line 1: Line 1:
==Links==
=Links=
*[https://scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-on/ Why you don't want EV certificate]
*[https://scotthelme.co.uk/are-ev-certificates-worth-the-paper-theyre-written-on/ Why you don't want EV certificate]
*[https://mozilla.github.io/server-side-tls/ssl-config-generator/ SSL confg generator]
*[https://mozilla.github.io/server-side-tls/ssl-config-generator/ SSL confg generator]
Line 6: Line 6:




==Tools==
*sslscan


= Tools =
*openssl
*sslscan
*sclient
*[[gnutls-cli]]


==Documentation and HOWTOs==
= Documentation and HOWTOs =
*[http://sial.org/howto/openssl/ca/ OpenSSL Certificate Authority Setup]
*[http://www.herongyang.com/Cryptography/OpenSSL-Certificate-Path-Validation-Tests.html Validating a Certificate Path with OpenSSL]
*[http://www.techradar.com/news/software/how-ssl-and-tls-works-1047412 How SSL and TLS work]
*[https://jamielinux.com/docs/openssl-certificate-authority/index.html OpenSSL Certificate Authority]
*http://dataslinger.com/index.php?/archives/5-Configuring-SSL-certificates-for-Apache,-Dovecot,-Sendmail,-and-IIS.html
*[http://www.eclectica.ca/howto/ssl-cert-howto.php ssl cert HOWTO]
*[http://www.madboa.com/geek/openssl/ OpenSSL Command-Line HOWTO]
*[http://wiki.cacert.org/wiki/VhostTaskForce#head-f7f4c7599aef8b22de373b0922b39f4e75e95db4 1. Way: SubjectAltName Only]
*[http://www.madboa.com/geek/openssl/ OpenSSL Command-Line HOWTO]
*[http://www.digicert.com/ssl-support/pem-ssl-creation.htm How to Create a .PEM file for SSL Certificate Installation]
*http://www.tc.umn.edu/~brams006/selfsign.html
*[https://kb.wisc.edu/middleware/page.php?id=4064 Verifying that a Private Key Matches a Certificate]
*[https://stackoverflow.com/questions/25482199/verify-a-certificate-chain-using-openssl-verify Verify certificate chain]


===Dovecot and ssl===
*[http://sial.org/howto/openssl/ca/ OpenSSL Certificate Authority Setup]
*[http://www.herongyang.com/Cryptography/OpenSSL-Certificate-Path-Validation-Tests.html Validating a Certificate Path with OpenSSL]
*[http://www.techradar.com/news/software/how-ssl-and-tls-works-1047412 How SSL and TLS work]
*[https://jamielinux.com/docs/openssl-certificate-authority/index.html OpenSSL Certificate Authority]
*[http://dataslinger.com/index.php?/archives/5-Configuring-SSL-certificates-for-Apache,-Dovecot,-Sendmail,-and-IIS.html http://dataslinger.com/index.php?/archives/5-Configuring-SSL-certificates-for-Apache,-Dovecot,-Sendmail,-and-IIS.html]
*[http://www.eclectica.ca/howto/ssl-cert-howto.php ssl cert HOWTO]
*[http://www.madboa.com/geek/openssl/ OpenSSL Command-Line HOWTO]
*[http://wiki.cacert.org/wiki/VhostTaskForce#head-f7f4c7599aef8b22de373b0922b39f4e75e95db4 1. Way: SubjectAltName Only]
*[http://www.madboa.com/geek/openssl/ OpenSSL Command-Line HOWTO]
*[http://www.digicert.com/ssl-support/pem-ssl-creation.htm How to Create a .PEM file for SSL Certificate Installation]
*[http://www.tc.umn.edu/~brams006/selfsign.html http://www.tc.umn.edu/~brams006/selfsign.html]
*[https://medium.com/@superseb/get-your-certificate-chain-right-4b117a9c0fce Getting your certificate chain right]
*[https://stackoverflow.com/questions/25482199/verify-a-certificate-chain-using-openssl-verify Verify certificate chain]
*[https://whatsmychaincert.com What is my certificate chain?]
*[https://langui.sh/2009/03/14/checking-a-remote-certificate-chain-with-openssl/ Checking A Remote Certificate Chain With OpenSSL]
 
*[https://www.howtouselinux.com/post/certificate-chain Check SSL Certificate Chain with OpenSSL Examples]
=== Dovecot and ssl ===
 
Networksolutions certs: After creating myserver.key and myserver.csr and obtaining certs: (don't forget to insert newlines between the blocks!)


Networksolutions certs:
After creating myserver.key and myserver.csr and obtaining certs:
(don't forget to insert newlines between the blocks!)
  cat OV_NetworkSolutionsOVServerCA2.crt OV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > intermediate.pem
  cat OV_NetworkSolutionsOVServerCA2.crt OV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > intermediate.pem
   
   
In dovecot.conf:
In dovecot.conf:
  ssl_cert_file = /usr/local/etc/IMAP.EXAMPLE.COM.crt
  ssl_cert_file = /usr/local/etc/IMAP.EXAMPLE.COM.crt
  ssl_key_file = /usr/local/etc/myserver.key
  ssl_key_file = /usr/local/etc/myserver.key
Line 38: Line 46:
  #ssl_ca_file = /usr/local/etc/intermediate.pem
  #ssl_ca_file = /usr/local/etc/intermediate.pem


===Courier-imap and ssl===
== Courier-imap and ssl ==
*http://linsec.ca/Using_Courier-IMAP_and_SSL
*http://linux.seindal.dk/2005/12/04/making-a-courier-imap-ssl-sertificate/


*[http://linsec.ca/Using_Courier-IMAP_and_SSL http://linsec.ca/Using_Courier-IMAP_and_SSL]
*[http://linux.seindal.dk/2005/12/04/making-a-courier-imap-ssl-sertificate/ http://linux.seindal.dk/2005/12/04/making-a-courier-imap-ssl-sertificate/]
Networksolutions certs: After creating myserver.key and myserver.csr and obtaining certs: (don't forget to insert newlines between the blocks!)


Networksolutions certs:
After creating myserver.key and myserver.csr and obtaining certs:
(don't forget to insert newlines between the blocks!)
  cat AddTrustExternalCARoot.crt NetworkSolutions_CA.crt > intermediate.pem
  cat AddTrustExternalCARoot.crt NetworkSolutions_CA.crt > intermediate.pem
  cat myserver.key >> IMAP.EXAMPLE.COM.crt
  cat myserver.key >> IMAP.EXAMPLE.COM.crt


In imapd-ssl:
In imapd-ssl:
  TLS_CERTFILE=/usr/local/etc/courier-certs/IMAP.EXAMPLE.COM.crt
  TLS_CERTFILE=/usr/local/etc/courier-certs/IMAP.EXAMPLE.COM.crt
  TLS_TRUSTCERTS=/usr/local/etc/courier-certs/intermediate.pem
  TLS_TRUSTCERTS=/usr/local/etc/courier-certs/intermediate.pem


===Network Solutions certificates bundle===
== Network Solutions certificates bundle ==
See http://blog.irontechsolutions.com/2008/12/10/ssl-chained-certificates-explained/  
 
See [http://blog.irontechsolutions.com/2008/12/10/ssl-chained-certificates-explained/ http://blog.irontechsolutions.com/2008/12/10/ssl-chained-certificates-explained/]


  cat OV_NetworkSolutionsOVServerCA2.crt OV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > intermediate.txt
  cat OV_NetworkSolutionsOVServerCA2.crt OV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > intermediate.txt


=== Comodo bundle order ===


===Comodo bundle order===
COMODORSAOrganizationValidationSecureServerCA. + COMODO rsa add trust ca ( + addtrustexternalcaroot )
COMODORSAOrganizationValidationSecureServerCA. + COMODO rsa add trust ca ( + addtrustexternalcaroot )


===Generate a signing request===
=== Generate a signing request ===
 
  openssl req -nodes -newkey rsa:2048 -keyout my.domain.key -out my.domain.csr
  openssl req -nodes -newkey rsa:2048 -keyout my.domain.key -out my.domain.csr


The resulting csr is the signing request, my.domain.key is the private key you save not readable for anyone but root!
The resulting csr is the signing request, my.domain.key is the private key you save not readable for anyone but root!


==Tips&Tricks==
= HOWTO =
===Create private key (using config file)===
 
==Generate PSK ==
openssl rand -hex 32
 
==Converting certificates==
https://stackoverflow.com/questions/13732826/convert-pem-to-crt-and-key
 
=== Create private key (using config file) ===
 
  openssl req (-config /etc/pki/tls/www.example.com.cnf) -newkey rsa:2048 -nodes -keyout domain.key
  openssl req (-config /etc/pki/tls/www.example.com.cnf) -newkey rsa:2048 -nodes -keyout domain.key


===Create CSR using config file===
== Create CSR using config file ==
 
  openssl req -config /etc/pki/tls/www.example.com.cnf -new -newkey rsa:2048 -nodes -keyout example.com.key -out www.example.com.csr
  openssl req -config /etc/pki/tls/www.example.com.cnf -new -newkey rsa:2048 -nodes -keyout example.com.key -out www.example.com.csr


===Convert der to pem===
== Convert der to pem ==
 
  openssl x509 -inform der -in certificate.cer -out certificate.pem
  openssl x509 -inform der -in certificate.cer -out certificate.pem


===Creating CSR for multiple hosts===
== Creating CSR for multiple hosts ==
For example http://blog.endpoint.com/2014/10/openssl-csr-with-alternative-names-one.html
 
===Remove password from private key===
For example [http://blog.endpoint.com/2014/10/openssl-csr-with-alternative-names-one.html http://blog.endpoint.com/2014/10/openssl-csr-with-alternative-names-one.html]
https://wiki.apache.org/httpd/RemoveSSLCertPassPhrase
 
=== Remove password from private key ===
 
[https://wiki.apache.org/httpd/RemoveSSLCertPassPhrase https://wiki.apache.org/httpd/RemoveSSLCertPassPhrase]
 
== Examining certificates ==
 
*[http://www.madboa.com/geek/openssl/#verify-standard http://www.madboa.com/geek/openssl/#verify-standard]


===Examining certificates===
*http://www.madboa.com/geek/openssl/#verify-standard
  openssl verify cert.pem
  openssl verify cert.pem


Line 93: Line 118:
  openssl rsa -noout -text -in ca.key
  openssl rsa -noout -text -in ca.key
  openssl x509 -noout -text -in ca.crt
  openssl x509 -noout -text -in ca.crt
with expiration date:
with expiration date:
  openssl x509 -noout -text -enddate -in ca.crt
  openssl x509 -noout -text -enddate -in ca.crt


#to check CN
#to check CN  
 
  openssl x509 -in server.crt -noout -subject
  openssl x509 -in server.crt -noout -subject


Line 102: Line 130:
  openssl pkcs12 -info -in keyStore.pfx
  openssl pkcs12 -info -in keyStore.pfx


===Checking a service===
 
#Note -CApath should point to your local collection of public CA certs
 
== Checking a service ==
 
#Note -CApath should point to your local collection of public CA certs  
 
  openssl s_client -connect -CApath /etc/ssl/certs host:pop3 -starttls pop3
  openssl s_client -connect -CApath /etc/ssl/certs host:pop3 -starttls pop3
  openssl s_client -port 443 -CApath /etc/ssl/certs -host webmail.example.com -prexit
  openssl s_client -port 443 -CApath /etc/ssl/certs -host webmail.example.com -prexit
  openssl s_client -connect imap.example.com:143 -starttls imap
  openssl s_client -connect imap.example.com:143 -starttls imap
  openssl s_client -connect web.server:443 -showcerts
  openssl s_client -connect web.server:443 -showcerts
openssl s_client -connect webmail.example.com:443 -servername vhost.example.com
Just check expiration date:
  openssl s_client -connect imap.example.com:143 -starttls imap 2>/dev/null | openssl x509 -noout -dates
 


===Check your site===
== Check your site ==
*https://www.ssllabs.com/ssltest
 
*https://www.sslcheck.nl/
*[https://www.ssllabs.com/ssltest https://www.ssllabs.com/ssltest]
*[https://www.sslcheck.nl/ https://www.sslcheck.nl/]
*[https://internet.nl Internet.nl]
 
==gnutls-cli ==
echo quit | gnutls-cli --starttls-proto smtp --port 25 servac.skk | grep Status
echo quit | gnutls-cli --port 465 servac.skk | grep Status
 
== check if certs match ==


==check if certs match==
TODO: -clr_check too
TODO: -clr_check too


Line 119: Line 165:
  openssl x509 -in certificate.crt -pubkey -noout -outform pem | sha256sum  
  openssl x509 -in certificate.crt -pubkey -noout -outform pem | sha256sum  
  openssl req -in CSR.csr -pubkey -noout -outform pem | sha256sum
  openssl req -in CSR.csr -pubkey -noout -outform pem | sha256sum
These values show match
 
Also:
These values show match Also:
 
  openssl verify -CAfile ca-bundle foo_bar.crt
  openssl verify -CAfile ca-bundle foo_bar.crt


=Creating your own CA and signing with it=
A script to do these checks: [[https://www.tuxick.net/sslcheck sslcheck]]
 
== Creating your own CA and signing with it==
(based on http://www.eclectica.ca/howto/ssl-cert-howto.php#rootc)
(based on http://www.eclectica.ca/howto/ssl-cert-howto.php#rootc)


Line 130: Line 179:
  (perform secret rituals)
  (perform secret rituals)


=FAQ=
==error 20 at 0 depth lookup: unable to get local issuer certificate==
you probably need to provide the right -CAfile
maybe self signed?


== Check which ciphers and tls versions your openssl supports==
openssl ciphers -v
==Check if site supports TLS v1.2==
openssl s_client -connect google.com:443 -servername google.com -tls1_2
= FAQ =
==Error messages==
===OpenSSL: error:0A000102:SSL routines::unsupported protocol===
This could becaure you're trying to an older version of TLS, check '''openssl.cnf''' for
CipherString = DEFAULT:@SECLEVEL=2
which means it enforces minimum of TLSv1.2
You might now get
===OpenSSL: error:0A000152:SSL routines::unsafe legacy renegotiation disabled===
which means add below the CipherString line:
Options = UnsafeLegacyRenegotiation
==Get issuer==
openssl s_client -showcerts -connect <YOURHOST>:443 < /dev/null 2>/dev/null |grep -i issuer
== Order of certificates in bundle==
Root CA comes last
== using s_client ==
=== no client certificate sent ===
try adding -cert
&nbsp;
=== Secure Renegotiation IS NOT supported ===
Probably using wrong TLS version
=== Can't use SSL_get_servername ===
Try using hostname instead of IP address
=== write:errno=104 ===
server reset the connection
===no peer certificate available===
Could be trying to talk tls to ssl?
== unable to load client certificate private key file ==
== Verification error: unable to verify the first certificate ==
problem missing CA cert
== error 20 at 0 depth lookup: unable to get local issuer certificate ==
you probably need to provide the right -CAfile maybe self signed?
&nbsp;
== Verify return code: 21 (unable to verify the first certificate) ==


==Verify return code: 21 (unable to verify the first certificate)==
Probably requires bundle
Probably requires bundle


==check certificate chain==
&nbsp;
 
== Bad certificate (code 42) ==
 
Means the server demands you authenticate with a certificate, and you did not do so, and that caused the handshake failure.
 
&nbsp;
 
== check certificate chain ==
 
  openssl s_client -connect www.example.com:443 -showcerts
  openssl s_client -connect www.example.com:443 -showcerts
     
&nbsp;
=== Some of the output ===
Certificate chain
0 s:CN = foo.local
  i:CN = foo.local-CA
0: first in chain
s: subject&nbsp; ( openssl x509 -noout -in foo.crt -subject )
i: issuer ( openssl x509 -noout -in foo.crt -issuer )
OR
openssl s_client -showcerts -verify 5 -connect ldap.example.com:636  < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/)    {a++}; out="bluePage-cert"a".pem"; print >out}'
or
openssl s_client -showcerts -verify 5 -connect ldap.example.com:389 starttls ldap  < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/)    {a++}; out="bluePage-cert"a".pem"; print >out}'
== check expiration date ==


==check expiration date==
  echo | openssl s_client -servername NAME -connect HOST:PORT 2>/dev/null | openssl x509 -noout -dates
  echo | openssl s_client -servername NAME -connect HOST:PORT 2>/dev/null | openssl x509 -noout -dates


==139814102202256:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE==
 
 
openssl x509 -enddate -noout -in file.pem
 
== 139814102202256:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE ==
 
i've seen this happen when someone deleted the BEGIN/END CERTIFICATE lines
i've seen this happen when someone deleted the BEGIN/END CERTIFICATE lines


==SSL CTX certificate file error: error:0906D06C:PEM routines:PEM_read_bio:no start line==
or a file is in DER format
 
== SSL CTX certificate file error: error:0906D06C:PEM routines:PEM_read_bio:no start line ==
 
??
??


&nbsp;
&nbsp;


== check if webserver supports old tls ==


==check if server supports old tls==
  openssl s_client -connect www.example.com:443 -tls1
  openssl s_client -connect www.example.com:443 -tls1
  openssl s_client -connect www.example.com:443 -tls1_1
  openssl s_client -connect www.example.com:443 -tls1_1
or when vhost:
or when vhost:
   openssl s_client -servername vhost.example.com -connect www.example.com:443 -tls1_1
   openssl s_client -servername vhost.example.com -connect www.example.com:443 -tls1_1


&nbsp;
== ERROR: Certificate verification: Not trusted ==


==ERROR: Certificate verification: Not trusted==
seems to be an lftp issue
seems to be an lftp issue


==ssllabs checks==
== unsupported certificate purpose ==
===Chain issues Contains anchor===
 
TODO
??
 
&nbsp;
 
== ssllabs checks ==
 
=== Chain issues: Incorrect order, Contains anchor ===
 
Could be the topmost cert in the bundle provided, try removing it
 
&nbsp;
 
=== Chain issues: Contains anchor ===
 
Seems to mean there's a root ca in the bundle
 
== check smtp submission ==
 
echo -n "username" | base64
echo -n "password" | base64
 
openssl s_client -connect mail.host.com:587 -starttls smtp -crlf
 
EHLO foo.bar
AUTH LOGIN
 
base64username
 
base64password
 
OR
 
echo -ne '\0username\0password'| base64
AUTH LOGIN output_of_that_echo
 
===Peer's Certificate issuer is not recognized.===
 
=p12 / pkcs12=
https://fileinfo.com/extension/p12
 
openssl pkcs12 -in yourP12File.pfx -nocerts -out privateKey.pem
openssl pkcs12 -in yourP12File.pfx -clcerts -nokeys -out publicCert.pem
 




===check smtp submission===
===server certificate does NOT include an ID which matches the server name===
openssl s_client -connect mail.host.com:587 -starttls smtp -tls1_
todo

Latest revision as of 10:56, 17 June 2024

Links


Tools

Documentation and HOWTOs

Dovecot and ssl

Networksolutions certs: After creating myserver.key and myserver.csr and obtaining certs: (don't forget to insert newlines between the blocks!)

cat OV_NetworkSolutionsOVServerCA2.crt OV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > intermediate.pem

In dovecot.conf:

ssl_cert_file = /usr/local/etc/IMAP.EXAMPLE.COM.crt
ssl_key_file = /usr/local/etc/myserver.key
#optional, only if you want to require client to provide cert
#ssl_ca_file = /usr/local/etc/intermediate.pem

Courier-imap and ssl

Networksolutions certs: After creating myserver.key and myserver.csr and obtaining certs: (don't forget to insert newlines between the blocks!)

cat AddTrustExternalCARoot.crt NetworkSolutions_CA.crt > intermediate.pem
cat myserver.key >> IMAP.EXAMPLE.COM.crt

In imapd-ssl:

TLS_CERTFILE=/usr/local/etc/courier-certs/IMAP.EXAMPLE.COM.crt
TLS_TRUSTCERTS=/usr/local/etc/courier-certs/intermediate.pem

Network Solutions certificates bundle

See http://blog.irontechsolutions.com/2008/12/10/ssl-chained-certificates-explained/

cat OV_NetworkSolutionsOVServerCA2.crt OV_USERTrustRSACertificationAuthority.crt AddTrustExternalCARoot.crt > intermediate.txt

Comodo bundle order

COMODORSAOrganizationValidationSecureServerCA. + COMODO rsa add trust ca ( + addtrustexternalcaroot )

Generate a signing request

openssl req -nodes -newkey rsa:2048 -keyout my.domain.key -out my.domain.csr

The resulting csr is the signing request, my.domain.key is the private key you save not readable for anyone but root!

HOWTO

Generate PSK

openssl rand -hex 32

Converting certificates

https://stackoverflow.com/questions/13732826/convert-pem-to-crt-and-key

Create private key (using config file)

openssl req (-config /etc/pki/tls/www.example.com.cnf) -newkey rsa:2048 -nodes -keyout domain.key

Create CSR using config file

openssl req -config /etc/pki/tls/www.example.com.cnf -new -newkey rsa:2048 -nodes -keyout example.com.key -out www.example.com.csr

Convert der to pem

openssl x509 -inform der -in certificate.cer -out certificate.pem

Creating CSR for multiple hosts

For example http://blog.endpoint.com/2014/10/openssl-csr-with-alternative-names-one.html

Remove password from private key

https://wiki.apache.org/httpd/RemoveSSLCertPassPhrase

Examining certificates

openssl verify cert.pem
openssl x509 -in cacert.pem -noout -text
openssl x509 -in foo.pem  -inform pem -noout -text 
openssl rsa -noout -text -in server.key
openssl req -noout -text -in server.csr
openssl rsa -noout -text -in ca.key
openssl x509 -noout -text -in ca.crt

with expiration date:

openssl x509 -noout -text -enddate -in ca.crt
  1. to check CN
openssl x509 -in server.crt -noout -subject
openssl pkcs12 -info -in keyStore.p12
openssl pkcs12 -info -in keyStore.pfx


Checking a service

  1. Note -CApath should point to your local collection of public CA certs
openssl s_client -connect -CApath /etc/ssl/certs host:pop3 -starttls pop3
openssl s_client -port 443 -CApath /etc/ssl/certs -host webmail.example.com -prexit
openssl s_client -connect imap.example.com:143 -starttls imap
openssl s_client -connect web.server:443 -showcerts
openssl s_client -connect webmail.example.com:443 -servername vhost.example.com

Just check expiration date:

 openssl s_client -connect imap.example.com:143 -starttls imap 2>/dev/null | openssl x509 -noout -dates

 

Check your site

gnutls-cli

echo quit | gnutls-cli --starttls-proto smtp --port 25 servac.skk | grep Status
echo quit | gnutls-cli --port 465 servac.skk | grep Status

check if certs match

TODO: -clr_check too

openssl pkey -in privateKey.key -pubout -outform pem | sha256sum 
openssl x509 -in certificate.crt -pubkey -noout -outform pem | sha256sum 
openssl req -in CSR.csr -pubkey -noout -outform pem | sha256sum

These values show match Also:

openssl verify -CAfile ca-bundle foo_bar.crt

A script to do these checks: [sslcheck]

Creating your own CA and signing with it

(based on http://www.eclectica.ca/howto/ssl-cert-howto.php#rootc)

cd /etc/ssl
mkdir newcerts
(perform secret rituals)


Check which ciphers and tls versions your openssl supports

openssl ciphers -v

Check if site supports TLS v1.2

openssl s_client -connect google.com:443 -servername google.com -tls1_2

FAQ

Error messages

OpenSSL: error:0A000102:SSL routines::unsupported protocol

This could becaure you're trying to an older version of TLS, check openssl.cnf for

CipherString = DEFAULT:@SECLEVEL=2

which means it enforces minimum of TLSv1.2

You might now get

OpenSSL: error:0A000152:SSL routines::unsafe legacy renegotiation disabled

which means add below the CipherString line:

Options = UnsafeLegacyRenegotiation

Get issuer

openssl s_client -showcerts -connect <YOURHOST>:443 < /dev/null 2>/dev/null |grep -i issuer

Order of certificates in bundle

Root CA comes last


using s_client

no client certificate sent

try adding -cert

 

Secure Renegotiation IS NOT supported

Probably using wrong TLS version

Can't use SSL_get_servername

Try using hostname instead of IP address

write:errno=104

server reset the connection

no peer certificate available

Could be trying to talk tls to ssl?

unable to load client certificate private key file

Verification error: unable to verify the first certificate

problem missing CA cert

error 20 at 0 depth lookup: unable to get local issuer certificate

you probably need to provide the right -CAfile maybe self signed?

 

Verify return code: 21 (unable to verify the first certificate)

Probably requires bundle

 

Bad certificate (code 42)

Means the server demands you authenticate with a certificate, and you did not do so, and that caused the handshake failure.

 

check certificate chain

openssl s_client -connect www.example.com:443 -showcerts
      

 

Some of the output

Certificate chain

0 s:CN = foo.local
  i:CN = foo.local-CA

0: first in chain

s: subject  ( openssl x509 -noout -in foo.crt -subject )

i: issuer ( openssl x509 -noout -in foo.crt -issuer )


OR

openssl s_client -showcerts -verify 5 -connect ldap.example.com:636  < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/)    {a++}; out="bluePage-cert"a".pem"; print >out}' 

or

openssl s_client -showcerts -verify 5 -connect ldap.example.com:389 starttls ldap  < /dev/null | awk '/BEGIN/,/END/{ if(/BEGIN/)    {a++}; out="bluePage-cert"a".pem"; print >out}'

check expiration date

echo | openssl s_client -servername NAME -connect HOST:PORT 2>/dev/null | openssl x509 -noout -dates


openssl x509 -enddate -noout -in file.pem

139814102202256:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:707:Expecting: TRUSTED CERTIFICATE

i've seen this happen when someone deleted the BEGIN/END CERTIFICATE lines

or a file is in DER format

SSL CTX certificate file error: error:0906D06C:PEM routines:PEM_read_bio:no start line

??

 

 

check if webserver supports old tls

openssl s_client -connect www.example.com:443 -tls1
openssl s_client -connect www.example.com:443 -tls1_1

or when vhost:

 openssl s_client -servername vhost.example.com -connect www.example.com:443 -tls1_1

 

ERROR: Certificate verification: Not trusted

seems to be an lftp issue

unsupported certificate purpose

??

 

ssllabs checks

Chain issues: Incorrect order, Contains anchor

Could be the topmost cert in the bundle provided, try removing it

 

Chain issues: Contains anchor

Seems to mean there's a root ca in the bundle

check smtp submission

echo -n "username" | base64
echo -n "password" | base64
openssl s_client -connect mail.host.com:587 -starttls smtp -crlf
EHLO foo.bar
AUTH LOGIN

base64username

base64password

OR

echo -ne '\0username\0password'| base64
AUTH LOGIN output_of_that_echo

Peer's Certificate issuer is not recognized.

p12 / pkcs12

https://fileinfo.com/extension/p12

openssl pkcs12 -in yourP12File.pfx -nocerts -out privateKey.pem
openssl pkcs12 -in yourP12File.pfx -clcerts -nokeys -out publicCert.pem


server certificate does NOT include an ID which matches the server name

todo