2

I have a cloud setup with 6 front end computers using Apache. I installed a new SSL certificate. Now I want to verify that all the machines have the certificate.

The problem is if I just use https://www.example.com/ the IP address is going to be randomly assigned and I will be able to verify one of the computers. The DNS returns one of the 6 IP addresses in a simple form of round robins.

I know how to force the IP address on my computer using the /etc/hosts file, but I am hoping that there could be an easier way to do that. Like using curl and specifying the IP address along the domain name?

I prefer to have it as command line (wget, curl, open_ssl...) so that way I can write a script and verify the date of the certificate in an automated way and make sure all the computers present the correct certificate. The command should download the certificate so it can be checked on my client computer.

Alexis Wilke
  • 2,697
  • 2
  • 19
  • 42
  • Your apache should respond also if you go directly to an IP address like `https:///`. Then you can go through all IPs and check for certificate on all of them with the help of this answer https://serverfault.com/questions/661978/displaying-a-remote-ssl-certificate-details-using-cli-tools. Certificate will not match the hostname from https request, but you are interested in correctness of certificate not the fact that it must match the hostname. – nobody Jul 23 '20 at 18:11
  • 2
    @nobody: If you access a HTTPS site by IP only you often don't get the certificate you expect (or you get even an error) since the site is expecting the hostname inside the TLS SNI extension. – Steffen Ullrich Jul 23 '20 at 19:46

1 Answers1

6

You can given an explicit IP address to curl for the site in question, i.e.

$ curl --resolve example.com:443:192.0.2.4 https://example.com

You can also use openssl s_client with the IP and give an explicit hostname for SNI:

$ openssl s_client -connect 192.0.2.4:443 -servername example.com
Patrick Mevzek
  • 3,130
  • 2
  • 20
  • 30
Steffen Ullrich
  • 2,500
  • 15
  • 16
  • Excellent. I actually found this command starting with your info `echo | openssl s_client -servername example.com -connect 1.2.3.4:443 2>/dev/null | openssl x509 -noout -dates` and that gives me the dates exactly, dead easy. (Source [OpenSSL: Check SSL Certificate Expiration Date and More](https://www.shellhacks.com/openssl-check-ssl-certificate-expiration-date/)) – Alexis Wilke Jul 24 '20 at 08:00