Nginx – Checking HTTPS setup on Apache/Nginx before using

apache-2.2httpsnginxssltls

You have just got a new HTTPS (SSL/TLS) Certificate, and what you hope is the correct Intermediate Certificates.

This is setup in Apache with:

SSLCertificateKeyFile /etc/ssl/www.example.com.key
SSLCertificateChainFile /etc/ssl/www.example.com.chn
SSLCertificateFile /etc/ssl/www.example.com.crt

Or in Nginx with:

ssl_certificate_key /etc/apache2/ssl/www.example.com.key;
ssl_certificate /etc/apache2/ssl/www.example.com.pem;

Remembering apachectl configtest only checks that these files exist; and nginx -t "will fail if the website certificate is not first in the crt file, and also if the key is wrong" (thanks Drifter104).

So, how can you check everything before restarting?

Possible issues

  1. You have the wrong Intermediates (e.g. GeoTrust lists all of their Intermediates on one page).

  2. You accidentally mixed the Intermediate Certificate file with your websites Certificate file.

  3. You included the Root Certificate (effecting performance, as this sends unnecessary data).

  4. You are missing one or more Intermediate Certificates.

  5. The Certificate is for the wrong key.

  6. You have left these files as readable by anyone on the server (e.g. chmod 644).

  7. You are using the wrong certificate (domain is not in CN or SAN)

Some starting points

Extracting Information about the Key, CSR, or Certificate files:

openssl rsa -check -in "www.example.com.key";
openssl req -text -noout -verify -in "www.example.com.csr";
openssl x509 -text -noout -in "www.example.com.crt";

Getting the Public Key hash with sha256 (e.g. for setting up HPKP):

openssl rsa  -in "www.example.com.key"                             -pubout -outform der | openssl dgst -sha256 -binary | openssl enc -base64
openssl x509 -in "www.example.com.chn" -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64
openssl req  -in "www.example.com.csr" -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

openssl s_client -connect www.example.com:443 | openssl x509 -pubkey -noout | openssl rsa -pubin -outform der | openssl dgst -sha256 -binary | openssl enc -base64

It's possible to validate via SSL Labs, but only when you have started using that configuration.

Best Answer

There is a good Linux command line script testssl.sh you can use for this purpose. I've used this for other protocols as well (e.g. FTPS).

As as final check I will still use the SSL Server Test. It generates a pretty test result you can forward to customers ;-) .

Related Topic