Check if DST Root CA X3 or self-signed ISRG Root X1 cert is present in the server's chain
# One-liner to check whether the server-provided certificates include the self-signed ISRG Root X1. Just set hostname2check to the hostname you want to check.
export hostname2check=""; export port2check="443"; check_self_x1=$(openssl s_client -CApath /etc/ssl/certs -servername "${hostname2check}" -connect "${hostname2check}:${port2check}" 2>&1 </dev/null | grep -E -A1 "s:.*CN\s*=\s*ISRG Root X1$" | grep -E "i:.*CN\s*=\s*ISRG Root X1$"); if [[ "x${check_self_x1}" == "x" ]]; then echo "You need to fix your intermediate chain, to present the self-signed X1"; else echo "GOOD, you already have the self-signed X1 in the intermediate chain"; fi; unset hostname2check; unset port2check
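
The one-liner above reports only the self-signed ISRG Root X1. The following added example (not part of the original gist) goes one step further and also flags an ISRG Root X1 issued by DST Root CA X3 and a DST Root CA X3 certificate sent by the server; the function name `classify_chain` and the sample chains are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example. Reads `openssl s_client` output on stdin and reports which
# root-related certificates appear in the "Certificate chain" listing.
classify_chain() {
    awk '
        # Subject line of a chain entry: " 2 s:C = US, ..., CN = ISRG Root X1"
        /^ *[0-9]+ s:/ { subj = $0; next }
        # Issuer line of the same entry; newer OpenSSL omits spaces around "="
        /^ *i:/ {
            if (subj ~ /CN *= *ISRG Root X1$/) {
                if ($0 ~ /CN *= *ISRG Root X1$/)   selfx1 = 1
                if ($0 ~ /CN *= *DST Root CA X3$/) cross = 1
            }
            if (subj ~ /CN *= *DST Root CA X3$/) dst = 1
            subj = ""
        }
        END { printf "self_signed_x1=%d cross_signed_x1=%d dst_root_x3=%d\n", selfx1, cross, dst }
    '
}

# Constructed sample: chain ending in ISRG Root X1 cross-signed by DST Root CA X3.
SAMPLE_CROSS=" 0 s:CN = example.test
   i:C = US, O = Let's Encrypt, CN = R3
 1 s:C = US, O = Let's Encrypt, CN = R3
   i:C = US, O = Internet Security Research Group, CN = ISRG Root X1
 2 s:C = US, O = Internet Security Research Group, CN = ISRG Root X1
   i:O = Digital Signature Trust Co., CN = DST Root CA X3"

# Constructed sample: chain that includes the self-signed ISRG Root X1,
# in the compact "CN=..." form with the extra a:/v: lines.
SAMPLE_SELF=" 0 s:CN=example.test
   i:C=US, O=Let's Encrypt, CN=R3
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Jan  1 00:00:00 2021 GMT; NotAfter: Apr  1 00:00:00 2021 GMT
 1 s:C=US, O=Let's Encrypt, CN=R3
   i:C=US, O=Internet Security Research Group, CN=ISRG Root X1
 2 s:C=US, O=Internet Security Research Group, CN=ISRG Root X1
   i:C=US, O=Internet Security Research Group, CN=ISRG Root X1"

printf '%s\n' "$SAMPLE_CROSS" | classify_chain
printf '%s\n' "$SAMPLE_SELF"  | classify_chain
# Live use: openssl s_client -servername HOST -connect HOST:443 </dev/null 2>&1 | classify_chain
```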