Incorrect validation period of the certificate is shown via openssl

Created: 2017-02-17 12:25:41 UTC

Modified: 2017-08-08 13:43:34 UTC

Applicable to:

  • Plesk for Linux

Symptoms

  • Incorrect validation period of the certificate issued for example.com is shown via openssl:
    # echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates
    notBefore=Apr 23 12:09:37 2013 GMT
    notAfter=Apr 23 12:09:37 2014 GMT
  • The following errors are shown during connection checking:
    # openssl s_client -connect example.com:443
    CONNECTED(00000003)
    depth=0 C = US, ST = Virginia, L = Herndon, O = Parallels, OU = Parallels Panel, CN = Parallels Panel, emailAddress = info@parallels.com
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 C = US, ST = Virginia, L = Herndon, O = Parallels, OU = Parallels Panel, CN = Parallels Panel, emailAddress = info@parallels.com
    verify error:num=10:certificate has expired
    notAfter=Apr 23 12:09:37 2014 GMT
    verify return:1
    depth=0 C = US, ST = Virginia, L = Herndon, O = Parallels, OU = Parallels Panel, CN = Parallels Panel, emailAddress = info@parallels.com
    notAfter=Apr 23 12:09:37 2014 GMT
    verify return:1
    ...
  • The browser shows that the certificate has not expired yet.
  • The server has SNI support.

Cause

Incorrect usage of the command.

Resolution

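By default, openssl does not use SNI: without the -servername option it sends no domain name in the handshake, so the server cannot tell which domain is being requested. The following command therefore checks the certificate of the server where the domain is hosted, not the certificate of the domain: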

# echo | openssl s_client -connect example.com:443 2>/dev/null | openssl x509 -noout -dates

To check the certificate of the domain, pass the -servername option:

# echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -dates
notBefore=Feb 14 00:00:00 2017 GMT
notAfter=Feb 14 23:59:59 2018 GMT
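
The comparison above as a script, added here as an example (it is not part of the original article or of Plesk). The function names and the host/port arguments are assumptions. It also covers OpenSSL 1.1.1 and later, which send SNI by default and need -noservername to reproduce the no-SNI probe.

```shell
#!/bin/sh
# Added example: compare the certificate dates a server returns with and
# without SNI. Function names and arguments are assumptions of this sketch.

# Print notBefore/notAfter for host:port.
# $3 = name to send as SNI; empty means "send no SNI".
probe_dates() {
    host=$1 port=$2 sni=$3
    if [ -n "$sni" ]; then
        set -- -servername "$sni"
    elif openssl s_client -help 2>&1 | grep -q -- '-noservername'; then
        # OpenSSL 1.1.1+ sends SNI by default; switch it off explicitly.
        set -- -noservername
    else
        set --          # older OpenSSL: no SNI unless -servername is given
    fi
    echo | openssl s_client -connect "$host:$port" "$@" 2>/dev/null |
        openssl x509 -noout -dates
}

# Extract the notAfter value from `openssl x509 -dates` output on stdin.
not_after() {
    sed -n 's/^notAfter=//p' | head -n 1
}

# Compare two -dates outputs ($1 = no-SNI probe, $2 = SNI probe).
# Returns 0 if the expiry dates match, 1 if they differ, 2 if one is missing.
compare_probes() {
    default_end=$(printf '%s\n' "$1" | not_after)
    sni_end=$(printf '%s\n' "$2" | not_after)
    if [ -z "$default_end" ] || [ -z "$sni_end" ]; then
        echo "error: no certificate dates in one of the probes"; return 2
    fi
    if [ "$default_end" = "$sni_end" ]; then
        echo "same expiry with and without SNI: $sni_end"; return 0
    fi
    echo "without SNI: expires $default_end; with SNI: expires $sni_end"
    return 1
}

if [ $# -ge 1 ]; then
    # Live check: sh script.sh example.com [port]
    compare_probes "$(probe_dates "$1" "${2:-443}" "")" \
                   "$(probe_dates "$1" "${2:-443}" "$1")" || true
else
    # No host given: replay the two notAfter values shown in this article.
    compare_probes "notAfter=Apr 23 12:09:37 2014 GMT" \
                   "notAfter=Feb 14 23:59:59 2018 GMT" || true
fi
```

A differing result means an expiry monitor that omits -servername is watching the server's certificate rather than the domain's.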