
Let’s Encrypt and Certbot | How to check SSL

SSL certificates have become a modern necessity. Organizations operating online need to add them to their websites for secure transactions and user information protection. They are also effective at mitigating cyberattacks.

However, not many people are familiar with the ways to obtain an SSL certificate. Those who are aware often do not know how to check their SSL certificate’s validity. These small problems can lead to major inconveniences.

This article aims to explain Let’s Encrypt and Certbot, as well as the most efficient methods for checking SSL certificate installation and validity.


Let’s Encrypt

Let’s Encrypt is a free and automated certificate authority that provides TLS/SSL certificates to compatible clients. You can use them to encrypt data and communications for your website users.

Let’s Encrypt is developed by the Internet Security Research Group (ISRG). The main purpose of these digital certificates is to enable HTTPS for websites at no cost. The paid certificates market is quite vast, but Let’s Encrypt offers a free alternative.


Let’s Encrypt offers two types of certificates:

  1. Standard Single Domain SSL
  2. Wildcard SSL

Both types of certificates are issued for 90 days and are automatically renewed after installation.


Benefits of Let’s Encrypt Certificates

  • These certificates are domain-validated and do not require a dedicated IP address.
  • Let’s Encrypt provides a straightforward way to obtain certificates. The process is free, does not require email verification, and is fully automated.
  • Enrollment is easy to start and manage.

Certbot

Certbot is a command-line client application that fetches certificates from Let’s Encrypt, an open certificate authority. It deploys the certificates to a web server after obtaining them. It is an easy-to-use client that works in five simple steps:

  1. Install Certbot, which is available in most Linux distro repositories or as a snap package.
  2. Run Certbot.
  3. Post-configure your web server if needed.
  4. Enable automatic certificate renewal.
  5. Restart the web server after renewal.

These SSL/TLS certificates are deployed to your web server automatically. You can also use certbot-auto to always fetch the latest version.

Another related term is the Webroot plugin for Certbot. It works by placing a file in a web-accessible directory and using the HTTP-01 challenge to prove domain ownership. You must specify the web server's root directory during the process.

All issued certificates can be found in: /etc/letsencrypt/live/$domain


Benefits of Certbot

  • It is free.
  • It provides a command-line interface, compatible with HTTP websites with port 80 open.
  • You can choose from various server types, including virtual private servers, dedicated servers, and cloud-hosted servers, accessible via SSH.
  • All Certbot certificates are auto-renewable every 90 days, with renewal recommended every 60 days for continuous coverage.

The Best Ways to Check if an SSL Certificate is Installed and Valid


Unix/Linux Users


Method 1:

1. Open a terminal and use the following command to check the SSL certificate installation and validity:

openssl s_client -connect www.yourwebsite.tld:443

2. This command displays details about the SSL certificate. Look for the "Verify return code" line near the end of the output. A code of "0" indicates successful verification. If the code is "20", the certificate is not configured correctly, and you will see the error "unable to get local issuer certificate."


3. Point OpenSSL at the directory that holds your trusted CA certificates:

openssl s_client -connect www.yourwebsite.tld:443 -CApath /etc/ssl/certs/

If you have a single file, use:

openssl s_client -connect www.yourwebsite.tld:443 -CAfile /etc/ssl/certs/ca-certificates.crt

4. Verify the hostname. A status code of "0" means the verification was successful. If there's an error, you will see a return code "62" and the error "Hostname Mismatch."


5. To verify a certificate issued to an IP address instead of a hostname, use the -verify_ip switch:

openssl s_client -connect your_ip_address:443 -verify_ip your_ip_address
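
Steps 2 to 5 all come down to reading the verify return code, so the script below (an added example, not part of the original article) extracts that code from s_client output and maps it to a diagnosis. The function names and sample outputs are constructed for illustration; codes 10, 21 and 64 are standard OpenSSL verify codes that the article does not mention, and -verify_hostname is the s_client option that performs the hostname check from step 4.

```shell
#!/bin/sh
# Added example: classify the "Verify return code" line printed by openssl s_client.

# Print the numeric verify code found in s_client output on stdin (empty if none).
verify_code() {
    sed -n 's/^[[:space:]]*Verify return code: \([0-9][0-9]*\) .*/\1/p' | tail -n 1
}

# Map a verify code to a one-line diagnosis.
explain_code() {
    case "$1" in
        0)  echo "OK: chain and name verified" ;;
        10) echo "FAIL: certificate has expired" ;;
        20) echo "FAIL: issuer not found in trust store (check -CApath/-CAfile)" ;;
        21) echo "FAIL: cannot verify leaf, chain is probably incomplete" ;;
        62) echo "FAIL: hostname mismatch" ;;
        64) echo "FAIL: IP address mismatch" ;;
        "") echo "FAIL: no verify result, handshake did not complete" ;;
        *)  echo "FAIL: verify return code $1" ;;
    esac
}

# Read s_client output on stdin and print the diagnosis.
classify() {
    explain_code "$(verify_code)"
}

# Live check: closes stdin so s_client exits, and asks OpenSSL to match the name.
check_host() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" \
        -verify_hostname "$host" </dev/null 2>/dev/null | classify
}

# Constructed sample outputs (trimmed to the relevant lines), not real captures.
SAMPLE_OK='SSL handshake has read 4512 bytes and written 392 bytes
Verification: OK
    Verify return code: 0 (ok)'
SAMPLE_MISMATCH='Verification error: hostname mismatch
    Verify return code: 62 (hostname mismatch)'
SAMPLE_NO_ISSUER='Verification error: unable to get local issuer certificate
    Verify return code: 20 (unable to get local issuer certificate)'

# With a hostname argument, run against the live server.
if [ "$#" -gt 0 ]; then
    check_host "$@"
fi
```

Run it with a hostname as the first argument to check a live server. For a certificate issued to an IP address, replace -verify_hostname with the -verify_ip switch from step 5.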

Windows Users


Method 2: Using Certificates MMC Snap-in

  1. Press Win + R to open the Run dialog.
  2. Type certlm.msc and press Enter.
  3. In the Certificates - Local Computer console, navigate through the certificates to see which ones are installed.

Method 3: Using Sigcheck

  1. Download Sigcheck from the official Microsoft website.
  2. After downloading, extract and install the application.
  3. Open a command prompt and enter the following command:

sigcheck -tv

  4. This command downloads the trusted Microsoft root certificate list and displays only the valid certificates in the machine store that do not chain to a root on that list.

These methods are widely trusted. However, the preferred way is to use the Linux command line for quick and accurate results.





Check SSL certificates online


https://www.sslshopper.com/ssl-checker.html

https://www.digicert.com/help/


More info


https://serverfault.com/questions/589590/understanding-the-output-of-openssl-s-client

https://stackoverflow.com/questions/24992976/openssl-telling-certificate-has-expired-when-it-has-not

https://community.letsencrypt.org/t/problem-with-certificate-has-expired/161013/2