How to test an installed SSL Certificate before a domain resolves to the server

Question

Is it posisble to test an SSL Cert through a browser that is installed on a server before the DNS has been updated to point that domain to its new server?

I am looking to do something like what the DigiCert online SSL Checker does.

I have a host "example.com" resolving to Server A.

I purchased an SSL Cert and installed it on Server B where the host will soon resolve.

Before I update the DNS to re-point example.com from Server A over to Server B, I want to know if the SSL Certificate works properly with its installed key, certificate, and bundle.

Is that possible to do?

score 5 · Answer 1 · answered Feb 10 '17 at 20:27

5

I would suggest testssl.sh for a fairly comprehensive sanity check of your TLS/SSL setup.

You can direct it to a specific IP rather than resolving the name, like so:

./testssl.sh --ip 192.0.2.1 https://www.example.com/

In addition to this, for instance if you want to do functional tests with a web browser or other software that may not have similar functionality, simply override name resolution using /etc/hosts while doing the tests.

answered Feb 10 '17 at 20:27

Håkan Lindqvist

33,741
5
65
90

1

Nice utility! – EEAA Feb 10 '17 at 20:29
looks like a great tool to use. but I get `./testssl.sh: command not found`. Do you know where it is located @HåkanLindqvist? – H. Ferrence Feb 10 '17 at 21:13
@H.Ferrence What did you do so far? – Håkan Lindqvist Feb 10 '17 at 21:23
I did `sudo ./testssl.sh --ip 112.456.789.012 https://example.com/` and got **./testssl.sh: command not found**. Then I did `sudo testssl.sh --ip 112.456.789.012 https://example.com/` and got **testssl.sh: command not found**. – H. Ferrence Feb 10 '17 at 21:32
@H.Ferrence What did you do to install / download / otherwise get `testssl.sh`? Also, there should be no need for `sudo`. – Håkan Lindqvist Feb 10 '17 at 21:35
I did nothing except assume it was part of the *nix CentOS server. Sorry -- my bad... – H. Ferrence Feb 10 '17 at 21:39

score 3 · Answer 2 · answered Feb 10 '17 at 19:58

3

Sure, just add the needed name to your /etc/hosts to override DNS.

answered Feb 10 '17 at 19:58

EEAA

108,414
18
172
242

I did that but the DigiCert tool reported the cert that was installed on Server A, not server B – H. Ferrence Feb 10 '17 at 20:00
Why do you need to use Digicert at all? Just use `openssl s_client` locally, along with testing it in your browser. – EEAA Feb 10 '17 at 20:01
I am trying to troubleshoot the inability to restart apache and the http daemon. I cannot easily diagnose if my httpd.conf directives are in error or if the SSL Cert's Key, Certificate and Bundle are not working together properly. – H. Ferrence Feb 10 '17 at 20:04
If you have issues restarting Apache, you need to study its log files. – Tero Kilkanen Feb 11 '17 at 01:12

score 1 · Answer 3 · answered Feb 10 '17 at 20:03

You could make a request with curl. Something like this perhaps. The --resolve option defines a name/ip/port mapping for that command.

curl \
     --resolve www.example.org:80:192.0.2.153 \
     --resolve www.example.org:443:192.0.2.153 \
     https://www.example.org/

How to test an installed SSL Certificate before a domain resolves to the server

3 Answers3