I have an Apache web server with mod_ssl and SSL certificates from Let's Encrypt. certbot reports they are fine and not expiring. A few of my many users report that they get invalid/expired SSL certs from the server (and I have seen wget output from them that proves it).

To debug this, I want to log lots of details of each SSL connection: for each SSL connection, the remote IP, details about the SSL connection (e.g. protocol), the client-provided SNI (server name identification) value, and then which SSL certificate/chain/key on the server was used. I want to

With ErrorLog ssl:traceN (for various N) I can get some of these details, but I cannot see which SSL certificate the server is using for each connection. How can I do this?
Best Answer

mod_ssl exports a bunch of environment variables (see the list here), which can be used to log info about the certificate, for example in a LogFormat directive like this:

However, before you start logging, be sure you check this article about the expiry of the DST Root CA X3 certificate. It is the one which signed the root CA of Let's Encrypt, and it expired in September. However, the root CA of Let's Encrypt is accepted as a trusted CA in itself by virtually every system. For these, the expiration is not a problem, and the issued certificates continue to work, except for older systems using an openssl version < 1.1.0, which does not stop the validation when a trusted CA is found, but insists on checking the whole chain (and fails).

If the system in question has an older openssl, you can do nothing about the problem on the server side; openssl should be upgraded on the client. If that is not an option, blacklisting the expired certificate helps.
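The kind of LogFormat the answer refers to, written out as an added example (this is not the answer author's snippet, which did not survive on this page, and not something from the Apache or certbot projects). It is for Apache 2.4 with mod_ssl; every %{...}x field is a documented mod_ssl variable and is resolved by mod_ssl itself, so SSLOptions +StdEnvVars is not needed for logging. The hostname, certificate paths and log path are placeholders.

```apache
# Added example: one log line per TLS request, recording who connected,
# which virtual host answered, what SNI the client sent, and which
# certificate the server actually presented on that connection.
# Apache does not allow comments after a directive on the same line,
# so all comments sit on their own lines.
#
#   %h                     remote IP
#   %v:%p                  ServerName and port of the vhost that served it
#   SSL_PROTOCOL/CIPHER    negotiated protocol and cipher suite
#   SSL_TLS_SNI            SNI hostname from the ClientHello (empty if none)
#   SSL_SERVER_S_DN        subject DN of the server certificate used
#   SSL_SERVER_I_DN        issuer DN of that certificate
#   SSL_SERVER_M_SERIAL    its serial number
#   SSL_SERVER_V_END       its notAfter (expiry) date
LogFormat "%h %t %v:%p \
proto=%{SSL_PROTOCOL}x cipher=%{SSL_CIPHER}x \
sni=\"%{SSL_TLS_SNI}x\" \
cert_subject=\"%{SSL_SERVER_S_DN}x\" \
cert_issuer=\"%{SSL_SERVER_I_DN}x\" \
cert_serial=%{SSL_SERVER_M_SERIAL}x \
cert_not_after=\"%{SSL_SERVER_V_END}x\" \
\"%r\" %>s" tlsdebug

# Placeholder vhost; repeat CustomLog in every TLS vhost (or put it at
# server scope so vhosts without their own CustomLog inherit it).
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    # certbot's usual layout; paths are placeholders
    SSLCertificateFile    /etc/letsencrypt/live/www.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/www.example.com/privkey.pem
    CustomLog /var/log/apache2/tls-debug.log tlsdebug
</VirtualHost>
```

Reading the log: a line where sni is empty, or where sni differs from %v and cert_subject, shows a client that was routed to a different vhost than it expected (clients that send no SNI get the default vhost for that IP:port and therefore its certificate), which is one way "some users see the wrong or expired certificate" arises while certbot reports everything fine. cert_not_after covers only the leaf certificate; the intermediate and root the server sends come from the chain file named in SSLCertificateFile, so if the complaint is about an expired root in the chain, inspect that file rather than this field.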