In a Linux system, how do I check if the certificate from a web server is valid?

This knowledge article may contain information that does not apply to version 21.05 or later, which runs in a container environment. Please refer to Article Number 000385088 for more information about troubleshooting BMC products in containers.

There are several tools to test this. If native Linux tools are preferred, use curl or wget. If a third-party tool such as HttpTestClient can be installed, use it instead for Remedy-related issues: https://communities.bmc.com/docs/DOC-129733

For SUSE you can check the following link:

The -v flag is recommended.

This is the output if the server certificate is not trusted:
* STATE: INIT => CONNECT handle 0x800083148; line 1491 (connection #-5000)
* Added connection 0. The cache now contains 1 members
* STATE: CONNECT => WAITRESOLVE handle 0x800083148; line 1532 (connection #0)
* Trying ::1:8443...
* TCP_NODELAY set
* STATE: WAITRESOLVE => WAITCONNECT handle 0x800083148; line 1611 (connection #0)
* Connected to localhost (::1) port 8443 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x800083148; line 1667 (connection #0)
* Marked for [keep alive]: HTTP default
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x800083148; line 1682 (connection #0)
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate in certificate chain
* Marked for [closure]: Failed HTTPS connection
* multi_done
* Closing connection 0
* The cache now contains 0 members
* Expire cleared (transfer 0x800083148)
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
In contrast, when the certificate is trusted:
* STATE: INIT => CONNECT handle 0x800083148; line 1491 (connection #-5000)
* Added connection 0. The cache now contains 1 members
* STATE: CONNECT => WAITRESOLVE handle 0x800083148; line 1532 (connection #0)
* Trying 74.201.172.176:443...
* TCP_NODELAY set
* STATE: WAITRESOLVE => WAITCONNECT handle 0x800083148; line 1611 (connection #0)
* Connected to communities.bmc.com (74.201.172.176) port 443 (#0)
* STATE: WAITCONNECT => SENDPROTOCONNECT handle 0x800083148; line 1667 (connection #0)
* Marked for [keep alive]: HTTP default
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* STATE: SENDPROTOCONNECT => PROTOCONNECT handle 0x800083148; line 1682 (connection #0)
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: C=US; ST=Texas; L=Houston; O=BMC Software, Inc.; OU=Sales Operations - Worldwide Field Infrastructure; CN=communities.bmc.com
* start date: Jan 14 00:00:00 2020 GMT
* expire date: Feb 19 12:00:00 2021 GMT
* subjectAltName: host "communities.bmc.com" matched cert's "communities.bmc.com"
* issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
* SSL certificate verify ok.
wget https://localhost:8443
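The script below is an added example, not part of the original article: it reads curl -v output such as the two captures above and reports whether verification succeeded, why it failed, and which CA bundle was consulted. The function names (summarize_curl_tls, check_url, sample_untrusted, sample_trusted) are assumptions, and the embedded sample lines are abbreviated from the captures above.

```shell
#!/bin/sh
# Added example, not from the original article. All function names are assumptions.

# Parse `curl -v` output on stdin into key=value lines describing the TLS verdict.
summarize_curl_tls() {
    awk '
        { sub(/^[*]?[ \t]+/, "") }   # drop the "* " prefix curl puts on verbose lines
        /^CAfile: /                  { cafile  = substr($0, 9) }
        /^subject: /                 { subject = substr($0, 10) }
        /^issuer: /                  { issuer  = substr($0, 9) }
        /^expire date: /             { expires = substr($0, 14) }
        /^subjectAltName: /          { san     = substr($0, 17) }
        /^SSL certificate verify ok/ { verdict = "TRUSTED" }
        /^SSL certificate problem: / { verdict = "UNTRUSTED"; reason = substr($0, 26) }
        END {
            if (verdict == "") verdict = "UNKNOWN"   # no TLS verdict seen at all
            printf "verdict=%s\nreason=%s\n", verdict, reason
            printf "subject=%s\nissuer=%s\nexpires=%s\n", subject, issuer, expires
            printf "san=%s\ncafile=%s\n", san, cafile
        }'
}

# Run curl against a URL; verbose output goes to stderr, so merge it into stdout.
check_url() {
    out=$(curl -sS -v -o /dev/null --connect-timeout 10 "$1" 2>&1) && rc=0 || rc=$?
    printf '%s\n' "$out" | summarize_curl_tls
    echo "curl_exit=$rc"   # 60 means the certificate could not be verified
    return "$rc"
}

# Constructed samples, abbreviated from the two captures in the article.
sample_untrusted() { cat <<'EOF'
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate in certificate chain
curl: (60) SSL certificate problem: self signed certificate in certificate chain
EOF
}
sample_trusted() { cat <<'EOF'
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
* expire date: Feb 19 12:00:00 2021 GMT
* subjectAltName: host "communities.bmc.com" matched cert's "communities.bmc.com"
* issuer: C=US; O=DigiCert Inc; CN=DigiCert SHA2 Secure Server CA
* SSL certificate verify ok.
EOF
}

# With a URL argument, check it live; otherwise summarize the embedded sample.
if [ "$#" -gt 0 ]; then check_url "$1"; else sample_untrusted | summarize_curl_tls; fi
```

Run it with a URL argument to check a live server, or with no arguments to see the summary for the untrusted sample.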