A couple of users notified me that they were receiving warning messages
regarding the security certificate on their email server when they were
checking email with
Microsoft Outlook. I checked the expiration date on the security
certificate for the email server with the
OpenSSL command
openssl s_client -connect pop3.moonpoint.com:995 (the
system is using
Dovecot, which
is an
open-sourceIMAP/POP3
software program providing users with the ability to download their email).
Dovecot listens on
TCP
port 995 for
POP3S secure
email connections for downloading email.
I could see the certificae was expired and I issued the quit
command when I saw the "OK Dovecot ready" prompt.
The email security certificate on the system is provided by
Let's Encrypt,
so I then tried renewing the certificate from the root account with the
letsencrypt renew command, but was unsuccessful.
I found the solution was to stop the
Apache web server
software running on the system, thanks to a post by JuergenAuer at
Renewing certificate getting error: Problem binding to port 80: Could not bind
to IPv4 or IPv6. After I stopped the web server software, I was able to
reissue the letsencrypt command to renew the certificate without the
"Problem binding to port 80" error message. I then restarted the Apache web
server software and Dovecot.
You can verify a website's security certificate from a command line
interface (CLI), such as a shell prompt, by using
OpenSSL, which is
available for Linux, macOS, Microsoft Windows and other operating systems
— for a Windows version, see the instructions at
How to install the most recent version of OpenSSL on Windows 10 in 64 Bit.
To check a certificate, you can issue the command openssl s_client
-connect example.com:443 -showcerts, substituting the
fully
qualified domain name (FQDN) of the site you wish to check for
example.com. The output for example.com is shown below.
$ openssl s_client -connect example.com:443 -showcerts CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = US, ST = California, L = Los Angeles, O = Internet Corporation for Assigned Names and Numbers, OU = Technology, CN = www.example.org
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Los Angeles/O=Internet Corporation for Assigned Names and Numbers/OU=Technology/CN=www.example.org
i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
-----BEGIN CERTIFICATE-----
MIIHQDCCBiigAwIBAgIQD9B43Ujxor1NDyupa2A4/jANBgkqhkiG9w0BAQsFADBN
<text snipped>
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 907C391C745555481A141A04D65B7CD175BD5E052FF39EFD17B30848D535F0D1
Session-ID-ctx:
Master-Key: 9DC337D789BB8DB7CCE82BBC3EAD28C4A9E98016C98D35AD9A6B737C0B76AE3118881303F7E7890BEE0567FFC402B5F9
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - b1 7d 3a 56 0e 17 8f 5a-37 b0 4b 03 dd de 8d 98 .}:V...Z7.K.....
0010 - 59 36 bb 73 43 e2 95 2a-9b 2e de ef 99 5e 92 d8 Y6.sC..*.....^..
0020 - 3a 16 b6 4d 78 2b c6 a4-58 a5 5b 2e c0 8a 1f a6 :..Mx+..X.[.....
0030 - e6 35 dd 8d 77 fb 4e 09-82 94 c0 8c 6e f8 56 41 .5..w.N.....n.VA
0040 - 9a bb 82 a6 b1 30 5d bc-38 24 00 9c a6 a3 10 c5 .....0].8$......
0050 - 6f cc e8 c8 25 62 6f e0-8f 7d 1a d9 18 6a db 32 o...%bo..}...j.2
0060 - 48 07 df b0 15 fc 98 a0-5d 27 93 df 20 4c 6c ae H.......]'.. Ll.
0070 - cf 95 23 49 d0 c0 57 10-c1 8b 12 fa b0 c4 33 41 ..#I..W.......3A
0080 - 2f 21 cf df dc 9a 1f 44-68 a3 76 81 0f b8 04 ab /!.....Dh.v.....
0090 - 59 e7 c4 29 79 28 f9 45-43 82 b9 a0 5a e5 6d 5a Y..)y(.EC...Z.mZ
Start Time: 1592522720
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
closed
$
If you wish to check on whether a particular
cipher is supported, you
can use the command openssl s_client -cipher followed by the
particular cipher for which you wish to connect and then -connect
followed by the FQDN, a colon, and then the HTTPS port, port 443, as shown
below for example.com. If you see the response "handshake failure" as in the
example below, the cipher is not supported.
$ openssl s_client -cipher 'ECDHE-ECDSA-AES256-SHA' -connect example.com:443
CONNECTED(00000003)
140497569793952:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:769:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 121 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : 0000
Session-ID:
Session-ID-ctx:
Master-Key:
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1592522976
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
$
If the cipher is supported, you will see "connected" instead, as shown
below.
$ openssl s_client -cipher 'ECDHE-RSA-AES128-GCM-SHA256' -connect example.com:443
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
verify return:1
depth=0 C = US, ST = California, L = Los Angeles, O = Internet Corporation for Assigned Names and Numbers, OU = Technology, CN = www.example.org
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=Los Angeles/O=Internet Corporation for Assigned Names and Numbers/OU=Technology/CN=www.example.org
i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
<text snipped>
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
0000 - 27 d3 5d a3 cf ac 34 0b-92 af c6 00 17 0d 15 bc '.]...4.........
0010 - 6b be b4 92 dc 1a 01 97-98 9c f4 2b 68 f7 fd 69 k..........+h..i
0020 - 1c fd 25 16 21 ba aa f9-43 2b 1a 4b 54 d8 48 37 ..%.!...C+.KT.H7
0030 - 90 f7 2f 3f 76 d1 88 22-cf db 43 77 55 40 d2 41 ../?v.."..CwU@.A
0040 - c8 3a 8c f5 75 02 9b 88-92 92 38 f3 53 46 e7 48 .:..u.....8.SF.H
0050 - 9a bf 2d db 78 00 cd 12-2c 30 fc f8 81 20 e9 89 ..-.x...,0... ..
0060 - c0 8f 3c e3 e6 22 69 af-cb cd b0 ec dd 06 1b c9 ..<.."i.........
0070 - f3 82 cb ee 85 f1 c8 6a-27 29 5b 42 7e bb 87 60 .......j')[B~..`
0080 - c3 17 4a ff 54 41 b3 1a-8e 3b e3 30 b6 48 fa 9d ..J.TA...;.0.H..
0090 - b3 50 a5 2b 73 8d 59 16-4c fd b4 24 54 48 14 08 .P.+s.Y.L..$TH..
Start Time: 1592523392
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
closed
$
A couple of days ago, a user showed me a message she saw on her system about a
security
certificate issue. When I looked at the message, I realized it was due
to the expiration of the
Let's
Encrypt certificate on the email server used by her system. I logged into
that system and queried the server with the
openssl command to
check the expiration date. I saw it had expired that day, March 10.
You can use
OpenSSL, which is commonly installed on Mac OS X and Linux systems and which
is also available for other operating systems (the source code can be downloaded
from OpenSSL Downloads and
a Windows implementation is available at
OpenSSL for
Windows), to check the security certificate of a website using an
openssl command in the
form openssl s_client -showcerts -connect fqdn:port where
fqdn is the
fully qualified domain name (FQDN) of the website and
port is the
port that the website is listening on for
HTTPS
connections, which is usually
well-known port 443, though it may sometimes be another port, such as the
registered port 8443. The showcerts option instructs openssl
to show all certificates in the
public key certificate chain.
The X.509
standard is used to manage
digital certificates used for
public key encryption. One of the
filename extensions used for X.509 certificates is .pem,
which stands for
"Privacy
Enhanced Mail". These certificates are
Base64
encoded DER certificates. If you have a .pem certificate and want to
view information about the contents of the certificate, you can do so with
OpenSSL
software, which is commonly found on Linux and Mac OS X systems, but is
available for other operating systems as well. If you just want to view the
expiration date for a certificate you can use an
openssl command like the one
below:
You can use an
OpenSSL
s_client -connect command to check a certificate on a remote server by
specifying the remote system in the form x.x.x.x:port
where x.x.x.x is the IP address of the remote system and port is
the relevant port or you can use the
fully qualified domain name (FQDN) in place of the IP
address. E.g., I used the command below to check the status of a certificate I
obtained from Let's Encrypt, a
"certificate authority that
launched on April 12, 2016 that provides free
X.509
certificates for
Transport Layer Security (TLS) encryption via an automated
process designed to eliminate the current complex process of manual
creation, validation,
signing, installation, and renewal of certificates for secure websites."
The server I checked functions as a
POP3S server using port 995, so that was the port I
specified.
If you have an SSL certificate on a Linux or Unix system, you can check it
using the openssl command with openssl verify
/path_to_certificate/certificate, e.g., as below:
# openssl verify /etc/ssl/certs/example.crt
/etc/ssl/certs/example.crt: /C=US/CN=example.com
error 18 at 0 depth lookup:self signed certificate
OK
In the case above, the country specified with the domain is the
United States as shown by /C=US and the common name
specified for the domain when the certificate was created and for which the certificate should be valid is example.com
as shown by /CN=example.com.
The certificate is self-signed, which results in the error 18
message.
The dates for which the certificate is valid can be specified with
openssl x509 -in /path_to_certificate/certificate -text | grep Not
as shown below:
# openssl x509 -in /etc/ssl/certs/example.crt -text | grep Not
Not Before: Oct 11 21:06:30 2013 GMT
Not After : Oct 11 21:06:30 2014 GMT
In the case above, the certificate is valid from October 11, 2013
through October 11, 2014. After October 11, 2014, anyone visiting the
website for which the certificate was used for HTTPS connections will
be warned by his/her browser that there is a problem with the certificate
because it will have expired.
X.509 specifies
standard formats for public key certificates, certificate revocation
lists, attribute certificates, and a certification path validation
algorithm.
The md5sum
command can be used to calculate an
MD5 message digest (MD5
is an abbreviation for "Message-Digest algorithm 5"), which is a
cryptographic hash function. The md5sum program is commonly
found on Linux systems and programs which the provide the same
functionality are also available for Microsoft Windows systems, e.g.
digestIT 2004. But, if such a program isn't present on a system, e.g.
an OS X system, but
OpenSSL is present,
you can use the openssl command to obtain message digests,
which can allow you to verify that a file, such as an executable file,
was not changed since it was released by the originator.
If you issue the command openssl dgst filename,
openssl will, by default, provide the MD5 checksum for the file. You can
also use other cryptographic hash functions, such as
SHA,
SHA1,
MD2, or you
can specify MD5.
You can use the command openssl s_client -connect xxx.xxx.xxx.xxx:yyyyy
command, where xxx.xxx.xxx.xxx is the IP address of the
server and yyyyy is the port number on the server used for
HTTPS. The port is usually
443, but does not have to be that port. You can, of course, also use
a fully qualified domain name
(FQDN), such as paypal.com, instead of an IP address.
By using the command, one can determine if a system is responding
correctly using the HTTPS protocol. E.g. below is an example of a query
issued against paypal.com:
$ openssl s_client -connect paypal.com:443
CONNECTED(00000003)
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
verify return:1
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
verify return:1
depth=0 /C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=Information Systems/CN=paypal.com
verify return:1
---
Certificate chain
0 s:/C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=Information Systems/CN=paypal.com
i:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
1 s:/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
i:/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority - G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Network
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFDjCCA/agAwIBAgIQPma+WJDWF71INO8b3EN2LDANBgkqhkiG9w0BAQUFADCB
tTELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQL
ExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMTswOQYDVQQLEzJUZXJtcyBvZiB1c2Ug
YXQgaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JwYSAoYykwOTEvMC0GA1UEAxMm
VmVyaVNpZ24gQ2xhc3MgMyBTZWN1cmUgU2VydmVyIENBIC0gRzIwHhcNMDkwNjEx
MDAwMDAwWhcNMTAwNjExMjM1OTU5WjB/MQswCQYDVQQGEwJVUzETMBEGA1UECBMK
Q2FsaWZvcm5pYTERMA8GA1UEBxQIU2FuIEpvc2UxFTATBgNVBAoUDFBheVBhbCwg
SW5jLjEcMBoGA1UECxQTSW5mb3JtYXRpb24gU3lzdGVtczETMBEGA1UEAxQKcGF5
cGFsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqCjJNlLuv02o0lG7
YPO3vreiUl5ptCTgbLD7TkYRrYivoZQUQZh0whOchbh3kabbPnqyVULcq4dGZeNx
eQLppc0n/YhxJnsPqoBoyg45/Xpc5HWKVuMsDMBRtTLwyjcfH7GVljUiDH/YoKL7
OCtpdJ+mgmLyqTWj+d8DpYWiDA0CAwEAAaOCAdEwggHNMAkGA1UdEwQCMAAwCwYD
VR0PBAQDAgWgMEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHA6Ly9TVlJTZWN1cmUtRzIt
Y3JsLnZlcmlzaWduLmNvbS9TVlJTZWN1cmVHMi5jcmwwRAYDVR0gBD0wOzA5Bgtg
hkgBhvhFAQcXAzAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy52ZXJpc2lnbi5j
b20vcnBhMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAfBgNVHSMEGDAW
gBSl7wsRzsBBA6NKZZBIshzgVy19RzB2BggrBgEFBQcBAQRqMGgwJAYIKwYBBQUH
MAGGGGh0dHA6Ly9vY3NwLnZlcmlzaWduLmNvbTBABggrBgEFBQcwAoY0aHR0cDov
L1NWUlNlY3VyZS1HMi1haWEudmVyaXNpZ24uY29tL1NWUlNlY3VyZUcyLmNlcjBu
BggrBgEFBQcBDARiMGChXqBcMFowWDBWFglpbWFnZS9naWYwITAfMAcGBSsOAwIa
BBRLa7kolgYMu9BSOJsprEsHiyEFGDAmFiRodHRwOi8vbG9nby52ZXJpc2lnbi5j
b20vdnNsb2dvMS5naWYwDQYJKoZIhvcNAQEFBQADggEBAA9sBxK8/hfHF6iKghED
jNTMpTLHT3lx8rdHnHD1UN5/lA0H8oMbjt6uzQVp9h9Xv/pOop/ItNNitdffTOnW
fVds+nMb56WSuX1d0fPn5KGGQcTMzTpA5Uxn3qnWXQc92O47qGEZSZ/aEYZjaHn2
VX5MFf2JXX1FQOyL288vCalmGAPLggjo3Hn0tWgK4Dd69l8JPm51FtEyijor/svw
FoxF7cJ6g92mgmu3JC10xhIXYDHiIAiTIzA3KCdAZikM4waZU8quRjgAIGrS0rRa
ohw0aAvy7gUrMWaws7+de3H0y/zQxfEbAsVzZ0+QA2WrGsa6EVKjcwW+VCJSLNZq
NeU=
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=Information Systems/CN=paypal.com
issuer=/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
---
No client certificate CA names sent
---
SSL handshake has read 3029 bytes and written 308 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DES-CBC3-SHA
Session-ID: E24FE41E08BCBB5246EE5EAC08E7E4ACBB4708F0CD0089E9EF602E4F3C435922
Session-ID-ctx:
Master-Key: FFF8BF97F79796457EE44860212C5F887FFE8F62F4A6FC908DB1A382489BE5C2963C2D5F84BC526911FA5EB096634603
Key-Arg : None
Krb5 Principal: None
Start Time: 1262641575
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
You can check the expiration date of an SSL certificate by first retrieving
the certificate using commands such as in the first line below. You can then
check the expiration date with a command such as the one on the next line,
which shows that the current certificate for
PayPal expires at midnight
Greenwich Mean Time (GMT) on
June 11, 2010.
$ echo "" | openssl s_client -connect paypal.com:443 > certificate
depth=2 /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
- G2/OU=(c) 1998 VeriSign, Inc. - For authorized use only/OU=VeriSign Trust Net
work
verify return:1
depth=1 /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)09/CN=VeriSign Class 3 Secure Server CA - G2
verify return:1
depth=0 /C=US/ST=California/L=San Jose/O=PayPal, Inc./OU=Information Systems/CN=paypal.com
verify return:1
DONE
$ openssl x509 -in certificate -noout -enddate
notAfter=Jun 11 23:59:59 2010 GMT
Another example below shows the results returned for a self-signed
certificate:
