How to test SSL ports HTTPS, 465, 587, 995 and 993 using openssl

Fixing certificate problems can be really hard, but not if you have the right tools. Let’s do a quick exercise for HTTPS:

Port 443

openssl s_client -connect mail.example.com:443 -servername mail.example.com | openssl x509 -noout -dates

Warning: Reading certificate from stdin since no -in or -new option is given
depth=2 C=US, O=Internet Security Research Group, CN=ISRG Root X1
verify return:1
depth=1 C=US, O=Let's Encrypt, CN=R3
verify return:1
depth=0 CN=mail.wrongdomain.com
verify return:1
notBefore=Feb 1 13:16:14 2024 GMT
notAfter=May 1 13:16:13 2024 GMT

The output above shows two problems:

  1. CN is wrong domain
  2. notAfter is today. It should have renewed already!

Let’s see what’s going on with Let’s Encrypt:

# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
Certificate Name: server-anchor.example.com
Domains: wrongdomain1.com anchor mail.rightdomain.com wrongdomain2.com webmail.rightdomain.com
Expiry Date: 2024-05-01 13:16:13+00:00 (VALID: 10 hour(s))
Certificate Path: /etc/letsencrypt/live/k2.vander.host/fullchain.pem
Private Key Path: /etc/letsencrypt/live/k2.vander.host/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

At least certbot is showing us similar information.

How can we remove these wrong domains and try to renew?

certbot delete --cert-name example.com

Let’s do that now:

certbot delete --cert-name mail.wrongdomain
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No certificate found with name mail.wrongdomain (expected /etc/letsencrypt/renewal/mail.wrongdomain.conf).

Well that didn’t work. Mmmm.

It turns out there is no simple syntax for removing individual domains from a certbot certificate. You can’t remove names one at a time; you have to re-issue the certificate with only the names you want:

certbot certonly --cert-name anchordomain -d anchordomain -d mail.example.com -d webmail.example.com

I could choose the Apache option because the server is using it.

Port 993

openssl s_client -CApath /etc/ssl/certs/ -connect mail.example.com:993 -brief

Port 465

openssl s_client -connect mail.example.co.za:465 -servername mail.example.co.za -showcerts | openssl x509 -noout -text
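The two faults found above (a certificate name that does not match the host, and a notAfter that is already due) can be checked for every port in the title from one script. This is an added example using Python's standard-library ssl module, not code from the original post; the host names and SAMPLE_CERT are constructed, and 587 is assumed to need STARTTLS while the other ports are implicit TLS.

```python
"""Added example (not from the original post): check a mail host's TLS cert for
the two faults shown above: a name that does not match, and expiry too close."""
import smtplib
import socket
import ssl
import time

STARTTLS_PORTS = {587}  # submission upgrades via STARTTLS; 443/465/993/995 are implicit TLS

def fetch_cert(host, port, timeout=10):
    """Peer cert as a getpeercert() dict; chain validated, wrong name tolerated."""
    ctx = ssl.create_default_context()  # validates the chain against system roots
    ctx.check_hostname = False          # still return the cert when only the name is wrong
    if port in STARTTLS_PORTS:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)
            return smtp.sock.getpeercert()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()

def name_matches(pattern, host):
    """RFC 6125 style: '*' may only be the whole leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    parts = host.split(".", 1)
    return len(parts) == 2 and parts[1] == pattern[2:]

def cert_names(cert):
    """DNS SANs, falling back to the subject CN only when there is no SAN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    return sans or [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def check_cert(host, cert, min_days=7, now=None):
    """List of problems for host; an empty list means the certificate is fine."""
    now = time.time() if now is None else now
    problems, names = [], cert_names(cert)
    if not any(name_matches(n, host) for n in names):
        problems.append(f"name mismatch: {host} not in {names}")
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        problems.append(f"expired {-days_left:.1f} days ago")
    elif days_left < min_days:
        problems.append(f"expires in {days_left:.1f} days; renewal is overdue")
    return problems

# Constructed sample in getpeercert() shape, mirroring the faulty cert shown above.
SAMPLE_CERT = {"subject": ((("commonName", "mail.wrongdomain.com"),),),
               "subjectAltName": (("DNS", "mail.wrongdomain.com"),),
               "notAfter": "May  1 13:16:13 2024 GMT"}
```

Against a live server, `check_cert("mail.example.com", fetch_cert("mail.example.com", 465))` returns the same kind of findings for port 465, and the same call with port 587 goes through STARTTLS first.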
