If you’re running multiple sites on a single server (using Server Name Indication), you might be running into issues using openssl s_client to validate your SSL certificate. Make sure you’re using the -servername
flag, otherwise your verification may fail.
For example, when checking my blog, I needed to make sure I included everything here:
openssl s_client -showcerts -servername introvertedengineer.com -connect introvertedengineer.com:443
Why is SSL Verification Failing?
Since you most likely have multiple SSL certificates on your server, the openssl s_client tool doesn’t know which certificate to use, and instead uses a default certificate (which isn’t valid).
If you’re running into errors with your security or PCI compliance scans related to your SSL certificate, chances are this could be it. Some common errors you’ll get on those scans include:
- 38173 – SSL Certificate – Signature Verification Failed Vulnerability
- 38167 – SSL Certificate – Expired
Both of these issues are high severity and will cause your scan to fail, but don’t worry! Nothing is wrong with your certificates (if they are indeed valid). You just need to make sure to request an exception and make sure the scan is adding in the proper -servername
in the request.
I hope this helps save you the hours it took me to realize this!
Reference: https://community.letsencrypt.org/t/testing-with-openssl-and-s-client-cloudflare-proxying/35003/5
Credit: Feature image by Vecteezy.com