Checking SNI SSL certificate expiry in Linux/Mac
Posted December 2, 2017
This is how we normally check the expiry of an SSL certificate:
echo | openssl s_client -connect your-domain-name.com:443 2>/dev/null | openssl x509 -noout -dates
This is all fine and dandy if you have only one SSL domain hosted on the same IP address. If you try to check the SSL expiry of another domain on the same server, the command shows the expiry of the default certificate instead, and this can lead to unintended consequences. The free SSL provider Let's Encrypt uses SNI and I have faced the same issue trying to check the expiry of a domain.
The solution is very simple. Just use the -servername switch in the openssl tool, like this:
echo | openssl s_client -connect yourdomain.com:443 -servername yourdomain.com 2>/dev/null | openssl x509 -noout -dates
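An added example, not part of the original post: a shell script that generalizes the command above to several SNI names served from one address and flags certificates that expire within 30 days. The function names, the 30-day threshold and the sample address and names in the comments are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): report expiry for several SNI
# names served from one address. Function names and the 30-day warning
# threshold are assumptions of this example.

# Print the notAfter date of the certificate the server presents for SNI name $2.
# usage: sni_not_after <connect-host-or-ip> <sni-name> [port]
sni_not_after() {
  local out
  out=$(echo | openssl s_client -connect "$1:${3:-443}" -servername "$2" 2>/dev/null \
        | openssl x509 -noout -enddate 2>/dev/null) || return 1
  printf '%s\n' "${out#notAfter=}"
}

# Convert an openssl date such as "Jan  1 00:00:00 2030 GMT" to epoch seconds.
# GNU date (Linux) is tried first, then BSD date (macOS).
to_epoch() {
  date -u -d "$1" +%s 2>/dev/null || date -u -j -f '%b %d %T %Y %Z' "$1" +%s 2>/dev/null
}

# Print "EXPIRED", "WARN <days>" or "OK <days>"; non-zero status unless OK.
# usage: classify <notAfter> <warn-days> [now-epoch]
classify() {
  local end now days
  end=$(to_epoch "$1") || { echo "UNPARSEABLE"; return 2; }
  now=${3:-$(date +%s)}
  if [ "$end" -le "$now" ]; then echo "EXPIRED"; return 1; fi
  days=$(( (end - now) / 86400 ))
  if [ "$days" -lt "$2" ]; then echo "WARN $days"; return 1; fi
  echo "OK $days"
}

# usage: check_names <connect-host-or-ip> <sni-name>...
check_names() {
  local server name end
  server=$1; shift
  for name in "$@"; do
    if end=$(sni_not_after "$server" "$name"); then
      printf '%-30s %-10s %s\n' "$name" "$(classify "$end" 30)" "$end"
    else
      printf '%-30s no certificate returned\n' "$name"
    fi
  done
}

# Run only when arguments are given, e.g.: ./check.sh 203.0.113.10 a.example b.example
if [ "$#" -ge 2 ]; then check_names "$@"; fi
```

Passing the server's address as the first argument and each hosted name after it makes every check request that name's own certificate rather than the server's default one.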